[v7,0/4] generate-cve-exclusions: Add a .bbclass

Message ID	20260202205231.2134908-1-valentin.boudevin@gmail.com
Headers	show Return-Path: <valentin.boudevin@gmail.com> ip: 209.85.219.68, mailfrom: valentin.boudevin@gmail.com) From: ValentinBoudevin <valentin.boudevin@gmail.com> To: openembedded-core@lists.openembedded.org Cc: daniel.turull@ericsson.com, jerome.oufella@savoirfairelinux.com, ValentinBoudevinSFL <valentin.boudevin@savoirfairelinux.com> Subject: [PATCH v7 0/4] generate-cve-exclusions: Add a .bbclass Date: Mon, 2 Feb 2026 15:52:26 -0500 Message-ID: <20260202205231.2134908-1-valentin.boudevin@gmail.com> In-Reply-To: <188B4BEFFC6C387A.3271208@lists.openembedded.org> References: <188B4BEFFC6C387A.3271208@lists.openembedded.org> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	generate-cve-exclusions: Add a .bbclass \| expand [v7,0/4] generate-cve-exclusions: Add a .bbclass [v7,1/4] generate-cve-exclusions: Add output format option [v7,2/4] cvelistv5: add a new recipe [v7,3/4] kernel-generate-cve-exclusions: Add a .bbclass [v7,4/4] generate-cve-exclusions: Move python script

Message ID

20260202205231.2134908-1-valentin.boudevin@gmail.com

Headers

From: ValentinBoudevin <valentin.boudevin@gmail.com>
To: openembedded-core@lists.openembedded.org
Cc: daniel.turull@ericsson.com,
	jerome.oufella@savoirfairelinux.com,
	ValentinBoudevinSFL <valentin.boudevin@savoirfairelinux.com>
Subject: [PATCH v7 0/4] generate-cve-exclusions: Add a .bbclass
Date: Mon,  2 Feb 2026 15:52:26 -0500
Message-ID: <20260202205231.2134908-1-valentin.boudevin@gmail.com>
In-Reply-To: <188B4BEFFC6C387A.3271208@lists.openembedded.org>
References: <188B4BEFFC6C387A.3271208@lists.openembedded.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

generate-cve-exclusions: Add a .bbclass | expand

Message

ValentinBoudevin Feb. 2, 2026, 8:52 p.m. UTC

From: ValentinBoudevinSFL <valentin.boudevin@savoirfairelinux.com>

Changes since v6:
- Update the maintainers.inc file to add new maintainer for the
  cvelistv5-native recipe.
- Update cvelistv5-native recipe to remove the variables CVELISTV5_DEFAULT_SRCREV and CVELISTV5_USE_AUTOREV for a fixed
  SRCREV usage (AUTOREV will be recommended in the documentation if the user wants to use the latest available commit).

Changes since v5:
- Add a new commit to add a new recipe cvelistv5-native to clone the
  cvelistv5 repository.
- Update the script generate-cve-exclusions.py to use provide the JSON
  format output with the INC output at the same time using --output-json-file and
  --output-inc-file options.
- Update the .bbclass to use the new cvelistv5-native recipe.
- Remove tasks and variables from the .bbclass to simplify the code:
  * Remove the do_clone_cvelistV5 task.
  * Remove __anonymous function to setup SRC_URI and SRCREV.
  * Remove the variables GENERATE_CVE_EXCLUSIONS_SRC_URI,
    GENERATE_CVE_EXCLUSIONS_SRCREV, GENERATE_CVE_EXCLUSIONS_NETWORK, GENERATE_CVE_EXCLUSIONS_WORKDIR,
    GENERATE_CVE_EXCLUSIONS_DESTSUFFIX, and GENERATE_CVE_EXCLUSIONS_UNPACK_DIR
    since they are not needed anymore.
- Remove direct inclusion in linux-yocto.inc and let the user include the
  bbclass in their kernel recipe if they want to use it.
  Using ENABLE_KERNEL_CVE_EXCLUSIONS variable to enable/disable the feature is
  not needed anymore. Including the bbclass is a cleaner implementation compare to set a variable
  to enable/disable the feature.
- Add the variables:
  *GENERATE_CVE_EXCLUSIONS_OUTPUT_JSON
  *GENERATE_CVE_EXCLUSIONS_OUTPUT_INC
  to customize the output paths of the generated files.

Changes since v4:
- Patch 2/4:
  * Renamed the bbclass to kernel-generate-cve-exclusions.bbclass to better reflect its purpose.
  * Add new variable ENABLE_KERNEL_CVE_EXCLUSIONS to enable/disable the
  feature.
  By default, the feature is disabled to avoid unexpected behavior on
  existing builds with linux-yocto.
  * Add new "__anonymous" python function to setup the variables SRC_URI and SRCREV only if
  this feature is enabled with ENABLE_KERNEL_CVE_EXCLUSIONS.
  Also prevent from modifying SRC_URI and SRCREV variables in the default linux-yocto usecase.
  Now, the recipe does not have any impact on the basic "linux-yocto" recipe if the feature is disabled.
  * Add new variables GENERATE_CVE_EXCLUSIONS_DESTSUFFIX and
  GENERATE_CVE_EXCLUSIONS_UNPACK_DIR to customize the working directory path of the
  class.
- Patch 4/4:
  * Update the inherit statement in linux-yocto.inc to reflect the new name of the bbclass with
  "kernel-generate-cve-exclusions".

Changes since v3:
- Patch 2/4:
  * Add variables to control offline mode, source URI and
  SRCREV for deterministic testing (GENERATE_CVE_EXCLUSIONS_SRC_URI,
  GENERATE_CVE_EXCLUSIONS_SRCREV, GENERATE_CVE_EXCLUSIONS_NETWORK).
  * Updated generate_cve_exclusions task scheduling to be executed before
  do_cve_check.

Changes since v2:
- Patch 4/4: Inherit the new bbclass in linux-yocto.inc instead of
  individual recipes.

Changes since v1:
- Patch 2/4: Removed the mandatory execution of the
  generate-cve-exclusions class on every build. It now needs to be
  manually run using:
    bitbake -c generate-cve-exclusions <kernel-recipe>

ValentinBoudevin (4):
  generate-cve-exclusions: Add output format option
  cvelistv5: add a new recipe
  kernel-generate-cve-exclusions: Add a .bbclass
  generate-cve-exclusions: Move python script

 .../kernel-generate-cve-exclusions.bbclass    |  46 ++++++++
 meta/conf/distro/include/maintainers.inc      |   1 +
 .../cvelistv5-native/cvelistv5-native_git.bb  |  19 ++++
 .../contrib}/generate-cve-exclusions.py       | 107 +++++++++++++++---
 4 files changed, 156 insertions(+), 17 deletions(-)
 create mode 100644 meta/classes/kernel-generate-cve-exclusions.bbclass
 create mode 100644 meta/recipes-kernel/cvelistv5-native/cvelistv5-native_git.bb
 rename {meta/recipes-kernel/linux => scripts/contrib}/generate-cve-exclusions.py (55%)