
[v5,0/2] improve_kernel_cve_report: Add a bbclass support

Message ID 20260128163827.386933-1-valentin.boudevin@gmail.com

Message

ValentinBoudevin Jan. 28, 2026, 4:38 p.m. UTC
Changes since v4:
- Add a new commit which contains a new recipe "vulns-native" to clone
the Linux Security Vulns Repo.
- Remove the tasks do_clone_kernel_cve which is now done by the new
vulns-native recipe.
- Update the do_scout_extra_kernel_vulns task to use the new vulns-native
repository path.
- Remove variables IMPROVE_KERNEL_CVE_SRC_URI, IMPROVE_KERNEL_CVE_SRCREV, IMPROVE_KERNEL_CVE_NETWORK, IMPROVE_KERNEL_CVE_WORKDIR, and IMPROVE_KERNEL_CVE_DESTSUFFIX.
- Modify __anonymous function to not set SRC_URI and SRCREV.
- Update __anonymous function to use bb.data.inherits_class.
- Update the commit message to reflect these changes.
- Move improve_kernel_cve_report.bbclass to improve_kernel_cve_report-spdx-3.0.bbclass.
- New improve_kernel_cve_report.bbclass to include the appropriate spdx version bbclass.

Changes since v3:
- Avoid code duplication with a new bbclass "improve_kernel_cve_report-base.bbclass".
- Remove direct set of SRC_URI and SRCREV for offline mode.
- Use new __anonymous function to set SRC_URI, SRCREV and task schedule do_scout_extra_kernel_vulns based on SPDX version used.
- improve_kernel_cve_report-spdx-2.2.bbclass and improve_kernel_cve_report-spdx.bbclass are only used to define IMPROVE_KERNEL_PREFERRED_PROVIDER and IMPROVE_KERNEL_SPDX_FILE.

Changes since v2:
- Fixed SRC_URI:append syntax (a space was missing with the append operator).
- Removed unused variable debug_source_path

Changes since v1:
- IMPROVE_KERNEL_CVE_SRC_URI and IMPROVE_KERNEL_CVE_SRCREV can be used to set a different source repository
or a deterministic revision.
- IMPROVE_KERNEL_CVE_NETWORK variable can be used to use this repo offline
based on existing fetch repo in DL_DIR.
- Add support for SPDX2.2 with a new bbclass improve_kernel_cve_report-spdx-2.2.bbclass.

ValentinBoudevin (2):
  vulns: add a new recipe
  improve_kernel_cve_report: Add a bbclass support

 .../improve_kernel_cve_report-base.bbclass    | 60 +++++++++++++++++++
 ...improve_kernel_cve_report-spdx-2.2.bbclass |  4 ++
 ...improve_kernel_cve_report-spdx-3.0.bbclass |  4 ++
 .../classes/improve_kernel_cve_report.bbclass |  3 +
 .../vulns-native/vulns-native_git.bb          | 24 ++++++++
 5 files changed, 95 insertions(+)
 create mode 100644 meta/classes/improve_kernel_cve_report-base.bbclass
 create mode 100644 meta/classes/improve_kernel_cve_report-spdx-2.2.bbclass
 create mode 100644 meta/classes/improve_kernel_cve_report-spdx-3.0.bbclass
 create mode 100644 meta/classes/improve_kernel_cve_report.bbclass
 create mode 100644 meta/recipes-kernel/vulns-native/vulns-native_git.bb

Comments

Daniel Turull Jan. 29, 2026, 11:01 a.m. UTC | #1
Hello Valentin,

I have tested this new series and while it seems to run the bbclass, I think it is using a cve-summary file that doesn't have the kernel on it, and therefore it doesn't get updated.

I'm using in an offline build
INHERIT += "vex"

And a core-image-minimal.bbappend
inherit improve_kernel_cve_report

You might want to mention in your commit that if you want a more detailed list of vulnerabilities, you need to add:

SPDX_INCLUDE_COMPILED_SOURCES:pn-linux-yocto = "1"


Image VEX JSON report stored in: yocto-master/build/tmp/work/qemuarm64-poky-linux/core-image-minimal/1.0/deploy-core-image-minimal-image-complete/core-image-minimal-qemuarm64.rootfs-20260129103343.json
improve_kernel_cve: Using SPDX file for extra kernel vulnerabilities scouting: yocto-master/build/tmp/work/qemuarm64-poky-linux/core-image-minimal/1.0/spdx/3.0.1/image-deploy/core-image-minimal-qemuarm64.rootfs.spdx.json
Improve CVE report with extra kernel cves: yocto-master/build/tmp/deploy/images/qemuarm64/core-image-minimal-qemuarm64.rootfs-20260129103343.scouted.json

The file generated in /build/tmp/log/cve/cve-summary.json should have the kernel in question. The ones connected with the image don't have the kernel on it.

Best regards,
Daniel
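A quick way to check the point Daniel raises, whether the cve-summary.json that the scouting task consumes actually carries the kernel recipe, is to parse the summary and look the recipe up. This is an added example, not code from the series or from cve-check.bbclass; it assumes the JSON layout cve-check writes (a top-level "version" of "1" and a "package" list whose entries carry "name", "version" and an "issue" list with "status"), a kernel recipe named linux-yocto, and a constructed sample with no kernel entry.

```python
"""Report whether a cve-check/vex cve-summary.json covers the kernel recipe."""
import json
import sys

# Constructed sample in the cve-check JSON layout (assumed, see lead-in).
# It deliberately lacks a kernel entry, the situation reported in the thread.
SAMPLE_SUMMARY = json.dumps({
    "version": "1",
    "package": [
        {"name": "busybox", "layer": "meta", "version": "1.36.1",
         "products": [{"product": "busybox", "cvesInRecord": "Yes"}],
         "issue": [{"id": "CVE-2023-0000", "status": "Patched"}]},
    ],
})


def package_issue_counts(summary_text: str) -> dict:
    """Return {recipe: (version, total_issues, unpatched_issues)}."""
    data = json.loads(summary_text)
    if data.get("version") != "1":
        raise ValueError(f"unexpected cve-summary version {data.get('version')!r}")
    result = {}
    for pkg in data.get("package", []):
        issues = pkg.get("issue", [])
        unpatched = sum(1 for i in issues if i.get("status") == "Unpatched")
        result[pkg["name"]] = (pkg.get("version", ""), len(issues), unpatched)
    return result


def kernel_coverage(summary_text: str, kernel_recipe: str = "linux-yocto") -> str:
    """Classify the summary from the kernel's point of view.

    "empty"             -> no packages at all (what Valentin saw with vex)
    "no-kernel"         -> packages present, kernel recipe missing (Daniel's case)
    "kernel-no-issues"  -> kernel present but with an empty issue list
    "kernel-present"    -> kernel present with at least one issue recorded
    """
    counts = package_issue_counts(summary_text)
    if not counts:
        return "empty"
    if kernel_recipe not in counts:
        return "no-kernel"
    _, total, _ = counts[kernel_recipe]
    return "kernel-present" if total else "kernel-no-issues"


if __name__ == "__main__":
    # Pass a real cve-summary.json path, or run without arguments for the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SUMMARY
    print(kernel_coverage(text), package_issue_counts(text))
```

Run it against tmp/log/cve/cve-summary.json and against the image-level summary to see which one the kernel is missing from.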
ValentinBoudevin Jan. 29, 2026, 4:34 p.m. UTC | #2
Hello Daniel,

I made some tests with the new vex class. I may be wrong, but it doesn't seem like an issue linked with improve_kernel_cve_report bbclass.

I tried to clean the build, remove "inherit improve_kernel_cve_report", and keep "INHERIT += "vex"". But, the cve-summary file is still empty after the rebuild.

If I change back to "cve-check" (still without improve_kernel_cve_report class) cve-summary seems correct and not empty.

It looks more like a vex class issue. Also, VEX does not seem to recreate a new .json file at every build, which is strange.
Marta Rybczynska Feb. 1, 2026, 3:54 p.m. UTC | #3
Hello,
Please take into account that the VEX class is using the same file names
for results as the cve-check. The reason was to avoid duplication
of all intermediary files, and also the final files. This was a design
decision, as not many people are expected to switch between cve-check
and vex classes, instead keep one.

Kind regards,
Marta
