| Message ID | 20260106191001.3385117-3-valentin.boudevin@gmail.com |
|---|---|
| State | Changes Requested |
| Series | [[PATCH,v2] 3/4] generate-cve-exclusions: Move python script |
Hi Valentin, Make sure to update the documentation to point to the new location once this gets merged. https://docs.yoctoproject.org/dev/dev-manual/vulnerabilities.html#linux-kernel-vulnerabilities I was also going to comment to have Bruce aware of the changes, since he runs the script when the kernel gets updated but he already replied to it. Daniel > -----Original Message----- > From: openembedded-core@lists.openembedded.org <openembedded- > core@lists.openembedded.org> On Behalf Of vboudevin via > lists.openembedded.org > Sent: Tuesday, 6 January 2026 20:10 > To: openembedded-core@lists.openembedded.org > Cc: ValentinBoudevin <valentin.boudevin@gmail.com> > Subject: [OE-core] [[PATCH v2] 3/4] generate-cve-exclusions: Move python script > > The script should be located with other scripts in scripts/contrib instead of staying > in meta/classes/. > > Update the new .bbclass to match this modification > --- > meta/classes/generate-cve-exclusions.bbclass | 2 +- > .../linux => scripts/contrib}/generate-cve-exclusions.py | 0 > 2 files changed, 1 insertion(+), 1 deletion(-) rename {meta/recipes-kernel/linux > => scripts/contrib}/generate-cve-exclusions.py (100%) > > diff --git a/meta/classes/generate-cve-exclusions.bbclass > b/meta/classes/generate-cve-exclusions.bbclass > index 254ea5531d..100d2e99b6 100644 > --- a/meta/classes/generate-cve-exclusions.bbclass > +++ b/meta/classes/generate-cve-exclusions.bbclass > @@ -28,7 +28,7 @@ do_clone_cvelistV5[doc] = "Clone CVE information from the > CVE Project: https://g addtask clone_cvelistV5 before > do_generate_cve_exclusions > > do_generate_cve_exclusions() { > - generate_cve_exclusions_script=$(find ${COREBASE} -name "generate-cve- > exclusions.py") > + > + generate_cve_exclusions_script=${COREBASE}/scripts/contrib/generate-cv > + e-exclusions.py > if [ -z "${generate_cve_exclusions_script}" ]; then > bbfatal "generate-cve-exclusions.py not found in ${COREBASE}." > fi 
> diff --git a/meta/recipes-kernel/linux/generate-cve-exclusions.py > b/scripts/contrib/generate-cve-exclusions.py > similarity index 100% > rename from meta/recipes-kernel/linux/generate-cve-exclusions.py > rename to scripts/contrib/generate-cve-exclusions.py > -- > 2.43.0
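Review bot: in the do_generate_cve_exclusions hunk, the `if [ -z "${generate_cve_exclusions_script}" ]` test that follows the new assignment can no longer fire, because the variable is now always set to the literal path `${COREBASE}/scripts/contrib/generate-cve-exclusions.py` rather than the (possibly empty) result of `find`. Change the guard to `if [ ! -f "${generate_cve_exclusions_script}" ]; then` so that the existing `bbfatal "generate-cve-exclusions.py not found in ${COREBASE}."` still triggers when the script is missing from the new location.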
Hi Daniel,

I updated the class based on your recommendations: https://lists.openembedded.org/g/openembedded-core/message/229427

Now it works with a custom repo/a fixed SRCREV for deterministic purposes (also integrated an offline mode based on DL_DIR content).

Keep me informed if you see something else to modify.
Thank you Valentin, please add me in Cc for future reviews, so it goes directly into the main inbox, and likewise any people that you want to review your changes. Also reply to the patch, so it is easy to comment in the same thread.
I have applied the series to a master build without direct internet connectivity. It breaks the build by default since the class is inherited in your patch 4.
WARNING: yocto-master/meta/recipes-kernel/linux/linux-yocto_6.12.bb: Exception during build_dependencies for fetcher_hashes_dummyfunc | ETA: 0:00:31
WARNING: yocto-master/meta/recipes-kernel/linux/linux-yocto_6.12.bb: Error during finalise of /local/edaturu/yocto-master/meta/recipes-kernel/linux/linux-yocto_6.12.bb
WARNING: yocto-master/meta/recipes-kernel/linux/linux-yocto_6.16.bb: Exception during build_dependencies for fetcher_hashes_dummyfunc
WARNING: yocto-master/meta/recipes-kernel/linux/linux-yocto_6.16.bb: Error during finalise of /local/edaturu/yocto-master/meta/recipes-kernel/linux/linux-yocto_6.16.bb
WARNING: yocto-master/meta/recipes-kernel/linux/linux-yocto_6.18.bb: Exception during build_dependencies for fetcher_hashes_dummyfunc | ETA: 0:00:29
WARNING: yocto-master/meta/recipes-kernel/linux/linux-yocto_6.18.bb: Error during finalise of /local/edaturu/yocto-master/meta/recipes-kernel/linux/linux-yocto_6.18.bb
ERROR: ExpansionError during parsing /yocto-master/meta/recipes-kernel/linux/linux-yocto_6.18.bb########################### | ETA: 0:00:02
bb.data_smart.ExpansionError: Failure expanding variable fetcher_hashes_dummyfunc[vardepvalue], expression was ${@bb.fetch.get_hashvalue(d)} which triggered exception UntrustedUrl: git -c gc.autoDetach=false -c core.pager=cat -c safe.bareRepository=all -c clone.defaultRemoteName=origin ls-remote https://github.com/CVEProject/cvelistV5.git
The variable dependency chain for the failure is: fetcher_hashes_dummyfunc[vardepvalue]
ERROR: Parsing halted due to errors, see error messages above
You should make sure that nothing is executed by default. You could set a new variable to enable the initialization, for example ENABLE_KERNEL_CVE_EXCLUSIONS = "1", but it is defaulted to ENABLE_KERNEL_CVE_EXCLUSIONS ?= "0".
The problem is that you are adding into the linux-yocto recipe since it is inheriting the class. I had exactly the same problem in my original patch.
https://patchwork.yoctoproject.org/project/oe-core/patch/20250429143904.634082-2-daniel.turull@ericsson.com/
Since you have the SRC_URI defined, bitbake verifies that the SRCREV is valid. If you don't have an internet connection, it cannot be verified and the build fails.
SRC_URI:append = " ${GENERATE_CVE_EXCLUSIONS_SRC_URI};name=generate-cve-exclusions"
SRCREV_generate-cve-exclusions = "${GENERATE_CVE_EXCLUSIONS_SRCREV}"
Probably it needs to be conditionally initialized only if it is the intended behaviour. It also adds the source to the kernel tree, which probably is not the intended behaviour.
Best regards,
Daniel
From: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org> On Behalf Of vboudevin via lists.openembedded.org
Sent: Thursday, 15 January 2026 20:06
To: openembedded-core@lists.openembedded.org
Subject: Re: [OE-core] [[PATCH v2] 3/4] generate-cve-exclusions: Move python script
Hi Daniel,
I updated the class based on your recommendations: https://lists.openembedded.org/g/openembedded-core/message/229427
Now it works with a custom repo/a fixed SRCREV for deterministic purposes (also integrated an offline mode based on DL_DIR content).
Keep me informed if you see something else to modify.
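One way to gate the fetch as Daniel suggests, given here as an added illustration and not as code from the patch series: the ENABLE_KERNEL_CVE_EXCLUSIONS variable, the GENERATE_CVE_EXCLUSIONS_SRC_URI/SRCREV names and the SRC_URI/SRCREV lines come from the thread, while the conditional wiring, the destsuffix, the cve_exclusions_enabled helper and the parse-time check are assumptions.

```bitbake
# Added example (not part of the patch series): gate the cvelistV5 fetch
# behind a variable that defaults to off, so that parsing a recipe which
# inherits this class triggers no git ls-remote on an offline builder.
# Variable names follow the thread; the wiring below is an assumption.

ENABLE_KERNEL_CVE_EXCLUSIONS ?= "0"

# Repository and pinned revision used only when the feature is enabled.
# SRCREV is left empty on purpose: the builder must pin a commit, which
# also keeps the generated exclusion list reproducible.
GENERATE_CVE_EXCLUSIONS_SRC_URI ?= "git://github.com/CVEProject/cvelistV5.git;protocol=https;branch=main;destsuffix=cvelistV5"
GENERATE_CVE_EXCLUSIONS_SRCREV ?= ""

def cve_exclusions_enabled(d):
    """True only when the user opted in with ENABLE_KERNEL_CVE_EXCLUSIONS = "1"."""
    return d.getVar('ENABLE_KERNEL_CVE_EXCLUSIONS') == '1'

# With the default "0" both expressions expand to an empty string, so the
# kernel recipe's SRC_URI and SRCREV are untouched and nothing is fetched
# or unpacked into the kernel work tree. destsuffix keeps the clone out of
# the default "git/" directory that the kernel sources already occupy.
SRC_URI:append = "${@' ' + d.getVar('GENERATE_CVE_EXCLUSIONS_SRC_URI') + ';name=generate-cve-exclusions' if cve_exclusions_enabled(d) else ''}"
SRCREV_generate-cve-exclusions = "${@d.getVar('GENERATE_CVE_EXCLUSIONS_SRCREV') if cve_exclusions_enabled(d) else ''}"

python () {
    # Parse-time check: refuse an enabled-but-unpinned configuration instead
    # of silently resolving to whatever the remote branch head happens to be.
    if cve_exclusions_enabled(d) and not d.getVar('GENERATE_CVE_EXCLUSIONS_SRCREV'):
        bb.fatal("ENABLE_KERNEL_CVE_EXCLUSIONS is set but GENERATE_CVE_EXCLUSIONS_SRCREV "
                 "is empty; pin a cvelistV5 commit for a deterministic build")
}
```

A builder that wants the exclusions then sets ENABLE_KERNEL_CVE_EXCLUSIONS = "1" and a GENERATE_CVE_EXCLUSIONS_SRCREV in local.conf, while everyone else keeps an offline-safe parse.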