
[2/3] linux: cve-exclusions: Fix false negatives

Message ID 20250526092927.2588577-2-niko.mauno@vaisala.com
State Accepted, archived
Commit b1a5939535d67b9c0e6d8c2729cff9749a0ebaae

Commit Message

Niko Mauno May 26, 2025, 9:29 a.m. UTC
Amend the generate-cve-exclusions.py checking logic in part of the code
responsible for iterating the "affected" defaultStatus part of the JSON
structure, in order to reduce false negatives in the generated output
as well as cases where a negative result is attributed to the wrong
reason when the checked kernel version is in fact covered by a
backported fix.

In tandem we regenerate the content of cve-exclusion_6.12.inc using
https://github.com/CVEProject/cvelistV5.git repository main branch at
git hash b20d0043711588b6409ae3118bc0510ab888c316 to keep the content
in sync with the script.

Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
---
 .../linux/cve-exclusion_6.12.inc              | 70 +++++++++----------
 .../linux/generate-cve-exclusions.py          |  4 +-
 2 files changed, 38 insertions(+), 36 deletions(-)

Patch

diff --git a/meta/recipes-kernel/linux/cve-exclusion_6.12.inc b/meta/recipes-kernel/linux/cve-exclusion_6.12.inc
index 49d8bfcf0c..c03ad19a3d 100644
--- a/meta/recipes-kernel/linux/cve-exclusion_6.12.inc
+++ b/meta/recipes-kernel/linux/cve-exclusion_6.12.inc
@@ -1,6 +1,6 @@ 
 
 # Auto-generated CVE metadata, DO NOT EDIT BY HAND.
-# Generated at 2025-05-24 07:35:37.850677+00:00 for version 6.12.27
+# Generated at 2025-05-24 12:02:58.590640+00:00 for version 6.12.27
 
 python check_kernel_cve_status_version() {
     this_version = "6.12.27"
@@ -11234,7 +11234,7 @@  CVE_STATUS[CVE-2024-57975] = "cpe-stable-backport: Backported in 6.12.13"
 
 CVE_STATUS[CVE-2024-57977] = "cpe-stable-backport: Backported in 6.12.13"
 
-CVE_STATUS[CVE-2024-57978] = "fixed-version: only affects 6.13 onwards"
+CVE_STATUS[CVE-2024-57978] = "cpe-stable-backport: Backported in 6.12.13"
 
 CVE_STATUS[CVE-2024-57979] = "cpe-stable-backport: Backported in 6.12.13"
 
@@ -11296,7 +11296,7 @@  CVE_STATUS[CVE-2024-58007] = "cpe-stable-backport: Backported in 6.12.14"
 
 CVE_STATUS[CVE-2024-58008] = "cpe-stable-backport: Backported in 6.12.14"
 
-CVE_STATUS[CVE-2024-58009] = "fixed-version: only affects 6.13 onwards"
+CVE_STATUS[CVE-2024-58009] = "cpe-stable-backport: Backported in 6.12.14"
 
 CVE_STATUS[CVE-2024-58010] = "cpe-stable-backport: Backported in 6.12.14"
 
@@ -11542,7 +11542,7 @@  CVE_STATUS[CVE-2025-21685] = "cpe-stable-backport: Backported in 6.12.11"
 
 CVE_STATUS[CVE-2025-21687] = "cpe-stable-backport: Backported in 6.12.12"
 
-CVE_STATUS[CVE-2025-21688] = "fixed-version: only affects 6.13 onwards"
+CVE_STATUS[CVE-2025-21688] = "cpe-stable-backport: Backported in 6.12.12"
 
 CVE_STATUS[CVE-2025-21689] = "cpe-stable-backport: Backported in 6.12.12"
 
@@ -11570,7 +11570,7 @@  CVE_STATUS[CVE-2025-21701] = "cpe-stable-backport: Backported in 6.12.13"
 
 CVE_STATUS[CVE-2025-21702] = "cpe-stable-backport: Backported in 6.12.14"
 
-CVE_STATUS[CVE-2025-21703] = "fixed-version: only affects 6.13 onwards"
+CVE_STATUS[CVE-2025-21703] = "cpe-stable-backport: Backported in 6.12.14"
 
 CVE_STATUS[CVE-2025-21704] = "cpe-stable-backport: Backported in 6.12.16"
 
@@ -11784,7 +11784,7 @@  CVE_STATUS[CVE-2025-21811] = "cpe-stable-backport: Backported in 6.12.13"
 
 CVE_STATUS[CVE-2025-21812] = "cpe-stable-backport: Backported in 6.12.13"
 
-CVE_STATUS[CVE-2025-21813] = "fixed-version: only affects 6.13 onwards"
+CVE_STATUS[CVE-2025-21813] = "cpe-stable-backport: Backported in 6.12.14"
 
 CVE_STATUS[CVE-2025-21814] = "cpe-stable-backport: Backported in 6.12.14"
 
@@ -11794,7 +11794,7 @@  CVE_STATUS[CVE-2025-21816] = "cpe-stable-backport: Backported in 6.12.14"
 
 # CVE-2025-21817 needs backporting (fixed from 6.14)
 
-CVE_STATUS[CVE-2025-21819] = "fixed-version: only affects 6.13 onwards"
+CVE_STATUS[CVE-2025-21819] = "cpe-stable-backport: Backported in 6.12.14"
 
 CVE_STATUS[CVE-2025-21820] = "cpe-stable-backport: Backported in 6.12.14"
 
@@ -11884,7 +11884,7 @@  CVE_STATUS[CVE-2025-21863] = "cpe-stable-backport: Backported in 6.12.17"
 
 CVE_STATUS[CVE-2025-21864] = "cpe-stable-backport: Backported in 6.12.17"
 
-CVE_STATUS[CVE-2025-21865] = "fixed-version: only affects 6.13 onwards"
+CVE_STATUS[CVE-2025-21865] = "cpe-stable-backport: Backported in 6.12.17"
 
 CVE_STATUS[CVE-2025-21866] = "cpe-stable-backport: Backported in 6.12.17"
 
@@ -11958,7 +11958,7 @@  CVE_STATUS[CVE-2025-21900] = "cpe-stable-backport: Backported in 6.12.18"
 
 CVE_STATUS[CVE-2025-21901] = "cpe-stable-backport: Backported in 6.12.18"
 
-CVE_STATUS[CVE-2025-21902] = "fixed-version: only affects 6.13 onwards"
+CVE_STATUS[CVE-2025-21902] = "cpe-stable-backport: Backported in 6.12.19"
 
 CVE_STATUS[CVE-2025-21903] = "cpe-stable-backport: Backported in 6.12.19"
 
@@ -12212,11 +12212,11 @@  CVE_STATUS[CVE-2025-22027] = "cpe-stable-backport: Backported in 6.12.23"
 
 CVE_STATUS[CVE-2025-22028] = "cpe-stable-backport: Backported in 6.12.23"
 
-CVE_STATUS[CVE-2025-22030] = "fixed-version: only affects 6.13 onwards"
+CVE_STATUS[CVE-2025-22030] = "cpe-stable-backport: Backported in 6.12.23"
 
 CVE_STATUS[CVE-2025-22031] = "fixed-version: only affects 6.13 onwards"
 
-CVE_STATUS[CVE-2025-22032] = "fixed-version: only affects 6.14 onwards"
+CVE_STATUS[CVE-2025-22032] = "cpe-stable-backport: Backported in 6.12.23"
 
 CVE_STATUS[CVE-2025-22033] = "cpe-stable-backport: Backported in 6.12.23"
 
@@ -12246,9 +12246,9 @@  CVE_STATUS[CVE-2025-22045] = "cpe-stable-backport: Backported in 6.12.23"
 
 CVE_STATUS[CVE-2025-22046] = "cpe-stable-backport: Backported in 6.12.23"
 
-CVE_STATUS[CVE-2025-22047] = "fixed-version: only affects 6.14 onwards"
+CVE_STATUS[CVE-2025-22047] = "cpe-stable-backport: Backported in 6.12.23"
 
-CVE_STATUS[CVE-2025-22048] = "fixed-version: only affects 6.13 onwards"
+CVE_STATUS[CVE-2025-22048] = "cpe-stable-backport: Backported in 6.12.23"
 
 CVE_STATUS[CVE-2025-22049] = "cpe-stable-backport: Backported in 6.12.23"
 
@@ -12300,13 +12300,13 @@  CVE_STATUS[CVE-2025-22072] = "cpe-stable-backport: Backported in 6.12.23"
 
 CVE_STATUS[CVE-2025-22073] = "cpe-stable-backport: Backported in 6.12.23"
 
-CVE_STATUS[CVE-2025-22074] = "fixed-version: only affects 6.14 onwards"
+CVE_STATUS[CVE-2025-22074] = "cpe-stable-backport: Backported in 6.12.23"
 
 CVE_STATUS[CVE-2025-22075] = "cpe-stable-backport: Backported in 6.12.23"
 
 CVE_STATUS[CVE-2025-22076] = "cpe-stable-backport: Backported in 6.12.23"
 
-CVE_STATUS[CVE-2025-22077] = "fixed-version: only affects 6.13 onwards"
+CVE_STATUS[CVE-2025-22077] = "cpe-stable-backport: Backported in 6.12.25"
 
 CVE_STATUS[CVE-2025-22078] = "cpe-stable-backport: Backported in 6.12.23"
 
@@ -12338,7 +12338,7 @@  CVE_STATUS[CVE-2025-22091] = "cpe-stable-backport: Backported in 6.12.23"
 
 CVE_STATUS[CVE-2025-22092] = "fixed-version: only affects 6.13 onwards"
 
-CVE_STATUS[CVE-2025-22093] = "fixed-version: only affects 6.13 onwards"
+CVE_STATUS[CVE-2025-22093] = "cpe-stable-backport: Backported in 6.12.23"
 
 CVE_STATUS[CVE-2025-22094] = "fixed-version: only affects 6.13 onwards"
 
@@ -12392,7 +12392,7 @@  CVE_STATUS[CVE-2025-22118] = "fixed-version: only affects 6.13 onwards"
 
 CVE_STATUS[CVE-2025-22119] = "fixed-version: only affects 6.14 onwards"
 
-CVE_STATUS[CVE-2025-22120] = "fixed-version: only affects 6.13 onwards"
+CVE_STATUS[CVE-2025-22120] = "cpe-stable-backport: Backported in 6.12.26"
 
 # CVE-2025-22121 needs backporting (fixed from 6.15rc1)
 
@@ -12506,7 +12506,7 @@  CVE_STATUS[CVE-2025-37750] = "cpe-stable-backport: Backported in 6.12.24"
 
 CVE_STATUS[CVE-2025-37751] = "fixed-version: only affects 6.14 onwards"
 
-CVE_STATUS[CVE-2025-37752] = "fixed-version: only affects 6.14 onwards"
+CVE_STATUS[CVE-2025-37752] = "cpe-stable-backport: Backported in 6.12.24"
 
 CVE_STATUS[CVE-2025-37753] = "fixed-version: only affects 6.15rc1 onwards"
 
@@ -12522,7 +12522,7 @@  CVE_STATUS[CVE-2025-37758] = "cpe-stable-backport: Backported in 6.12.24"
 
 CVE_STATUS[CVE-2025-37759] = "cpe-stable-backport: Backported in 6.12.24"
 
-CVE_STATUS[CVE-2025-37760] = "fixed-version: only affects 6.14 onwards"
+CVE_STATUS[CVE-2025-37760] = "cpe-stable-backport: Backported in 6.12.25"
 
 CVE_STATUS[CVE-2025-37761] = "cpe-stable-backport: Backported in 6.12.25"
 
@@ -12570,7 +12570,7 @@  CVE_STATUS[CVE-2025-37782] = "cpe-stable-backport: Backported in 6.12.25"
 
 CVE_STATUS[CVE-2025-37783] = "fixed-version: only affects 6.14 onwards"
 
-CVE_STATUS[CVE-2025-37784] = "fixed-version: only affects 6.13 onwards"
+CVE_STATUS[CVE-2025-37784] = "cpe-stable-backport: Backported in 6.12.25"
 
 CVE_STATUS[CVE-2025-37785] = "cpe-stable-backport: Backported in 6.12.23"
 
@@ -12620,15 +12620,15 @@  CVE_STATUS[CVE-2025-37809] = "cpe-stable-backport: Backported in 6.12.26"
 
 CVE_STATUS[CVE-2025-37810] = "cpe-stable-backport: Backported in 6.12.26"
 
-CVE_STATUS[CVE-2025-37811] = "fixed-version: only affects 6.13 onwards"
+CVE_STATUS[CVE-2025-37811] = "cpe-stable-backport: Backported in 6.12.26"
 
 CVE_STATUS[CVE-2025-37812] = "cpe-stable-backport: Backported in 6.12.26"
 
-CVE_STATUS[CVE-2025-37813] = "fixed-version: only affects 6.13 onwards"
+CVE_STATUS[CVE-2025-37813] = "cpe-stable-backport: Backported in 6.12.26"
 
-CVE_STATUS[CVE-2025-37814] = "fixed-version: only affects 6.14 onwards"
+CVE_STATUS[CVE-2025-37814] = "cpe-stable-backport: Backported in 6.12.26"
 
-CVE_STATUS[CVE-2025-37815] = "fixed-version: only affects 6.13 onwards"
+CVE_STATUS[CVE-2025-37815] = "cpe-stable-backport: Backported in 6.12.26"
 
 CVE_STATUS[CVE-2025-37816] = "cpe-stable-backport: Backported in 6.12.26"
 
@@ -12686,7 +12686,7 @@  CVE_STATUS[CVE-2025-37843] = "cpe-stable-backport: Backported in 6.12.24"
 
 CVE_STATUS[CVE-2025-37844] = "cpe-stable-backport: Backported in 6.12.24"
 
-CVE_STATUS[CVE-2025-37845] = "fixed-version: only affects 6.14 onwards"
+CVE_STATUS[CVE-2025-37845] = "cpe-stable-backport: Backported in 6.12.24"
 
 CVE_STATUS[CVE-2025-37846] = "cpe-stable-backport: Backported in 6.12.24"
 
@@ -12732,13 +12732,13 @@  CVE_STATUS[CVE-2025-37866] = "fixed-version: only affects 6.14 onwards"
 
 CVE_STATUS[CVE-2025-37867] = "cpe-stable-backport: Backported in 6.12.25"
 
-CVE_STATUS[CVE-2025-37868] = "fixed-version: only affects 6.14 onwards"
+CVE_STATUS[CVE-2025-37868] = "cpe-stable-backport: Backported in 6.12.25"
 
 CVE_STATUS[CVE-2025-37869] = "cpe-stable-backport: Backported in 6.12.25"
 
 CVE_STATUS[CVE-2025-37870] = "cpe-stable-backport: Backported in 6.12.25"
 
-CVE_STATUS[CVE-2025-37871] = "fixed-version: only affects 6.15rc1 onwards"
+CVE_STATUS[CVE-2025-37871] = "cpe-stable-backport: Backported in 6.12.25"
 
 CVE_STATUS[CVE-2025-37872] = "cpe-stable-backport: Backported in 6.12.25"
 
@@ -12786,7 +12786,7 @@  CVE_STATUS[CVE-2025-37893] = "cpe-stable-backport: Backported in 6.12.23"
 
 # CVE-2025-37894 needs backporting (fixed from 6.12.28)
 
-CVE_STATUS[CVE-2025-37895] = "fixed-version: only affects 6.13 onwards"
+# CVE-2025-37895 needs backporting (fixed from 6.12.28)
 
 CVE_STATUS[CVE-2025-37896] = "fixed-version: only affects 6.14 onwards"
 
@@ -12854,7 +12854,7 @@  CVE_STATUS[CVE-2025-37904] = "fixed-version: only affects 6.13 onwards"
 
 # CVE-2025-37928 needs backporting (fixed from 6.12.28)
 
-CVE_STATUS[CVE-2025-37929] = "fixed-version: only affects 6.15rc1 onwards"
+# CVE-2025-37929 needs backporting (fixed from 6.12.28)
 
 # CVE-2025-37930 needs backporting (fixed from 6.12.28)
 
@@ -12902,7 +12902,7 @@  CVE_STATUS[CVE-2025-37950] = "fixed-version: only affects 6.14 onwards"
 
 # CVE-2025-37952 needs backporting (fixed from 6.12.29)
 
-CVE_STATUS[CVE-2025-37953] = "fixed-version: only affects 6.15rc2 onwards"
+# CVE-2025-37953 needs backporting (fixed from 6.12.29)
 
 # CVE-2025-37954 needs backporting (fixed from 6.12.29)
 
@@ -12920,13 +12920,13 @@  CVE_STATUS[CVE-2025-37953] = "fixed-version: only affects 6.15rc2 onwards"
 
 # CVE-2025-37961 needs backporting (fixed from 6.12.29)
 
-CVE_STATUS[CVE-2025-37962] = "fixed-version: only affects 6.15rc1 onwards"
+# CVE-2025-37962 needs backporting (fixed from 6.12.29)
 
 # CVE-2025-37963 needs backporting (fixed from 6.12.29)
 
-CVE_STATUS[CVE-2025-37964] = "fixed-version: only affects 6.14 onwards"
+# CVE-2025-37964 needs backporting (fixed from 6.12.29)
 
-CVE_STATUS[CVE-2025-37965] = "fixed-version: only affects 6.15rc2 onwards"
+# CVE-2025-37965 needs backporting (fixed from 6.12.29)
 
 CVE_STATUS[CVE-2025-37966] = "fixed-version: only affects 6.13 onwards"
 
@@ -12944,7 +12944,7 @@  CVE_STATUS[CVE-2025-37966] = "fixed-version: only affects 6.13 onwards"
 
 # CVE-2025-37973 needs backporting (fixed from 6.12.29)
 
-CVE_STATUS[CVE-2025-37974] = "fixed-version: only affects 6.13 onwards"
+# CVE-2025-37974 needs backporting (fixed from 6.12.29)
 
 CVE_STATUS[CVE-2025-37975] = "cpe-stable-backport: Backported in 6.12.25"
 
@@ -12998,7 +12998,7 @@  CVE_STATUS[CVE-2025-39688] = "cpe-stable-backport: Backported in 6.12.23"
 
 CVE_STATUS[CVE-2025-39728] = "cpe-stable-backport: Backported in 6.12.23"
 
-CVE_STATUS[CVE-2025-39735] = "fixed-version: only affects 6.13 onwards"
+CVE_STATUS[CVE-2025-39735] = "cpe-stable-backport: Backported in 6.12.23"
 
 CVE_STATUS[CVE-2025-39755] = "fixed-version: only affects 6.13 onwards"
 
diff --git a/meta/recipes-kernel/linux/generate-cve-exclusions.py b/meta/recipes-kernel/linux/generate-cve-exclusions.py
index 302ec8ebc9..ea59c15a01 100755
--- a/meta/recipes-kernel/linux/generate-cve-exclusions.py
+++ b/meta/recipes-kernel/linux/generate-cve-exclusions.py
@@ -42,9 +42,11 @@  def get_fixed_versions(cve_info, base_version):
         if affected["defaultStatus"] == "affected":
             for version in affected["versions"]:
                 v = Version(version["version"])
-                if v == 0:
+                if v == Version('0'):
                     #Skiping non-affected
                     continue
+                if version["status"] == "unaffected" and first_affected and v < first_affected:
+                    first_affected = Version(f"{v.major}.{v.minor}")
                 if version["status"] == "affected" and not first_affected:
                     first_affected = v
                 elif (version["status"] == "unaffected" and
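Review bot: The new lowering of `first_affected` on the `unaffected` branch only fires when an `affected` entry has already set it, so the outcome depends on the order of entries inside `affected["versions"]`; an `unaffected` backport entry that precedes the `affected` one is skipped silently and the stale "only affects X onwards" reason survives. The regenerated .inc indicates the current cvelistV5 kernel records list the `affected` entry first, but that is a property of the upstream data rather than of this code. An order-independent form collects the candidates and lowers once the loop is done: `backport_branches.append(Version(f"{v.major}.{v.minor}"))` on the `unaffected` path, then after the loop `if first_affected and backport_branches: first_affected = min(first_affected, *backport_branches)`. At minimum a comment on the new line, `# assumes the CNA lists the 'affected' entry before any backport 'unaffected' entries`, would record the assumption for the next regeneration. get_fixed_versions starts before this hunk and the `elif` on its last line continues past it.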