[v5,2/2] improve_kernel_cve_report: Add a bbclass support

Message ID	20260128163827.386933-3-valentin.boudevin@gmail.com
State	New
Headers	show Return-Path: <valentin.boudevin@gmail.com> ip: 209.85.160.196, mailfrom: valentin.boudevin@gmail.com) From: ValentinBoudevin <valentin.boudevin@gmail.com> To: openembedded-core@lists.openembedded.org Cc: daniel.turull@ericsson.com, jerome.oufella@savoirfairelinux.com, ValentinBoudevin <valentin.boudevin@gmail.com> Subject: [PATCH v5 2/2] improve_kernel_cve_report: Add a bbclass support Date: Wed, 28 Jan 2026 11:38:27 -0500 Message-ID: <20260128163827.386933-3-valentin.boudevin@gmail.com> In-Reply-To: <20260128163827.386933-1-valentin.boudevin@gmail.com> References: <188AFD4FCC1313A8.2683732@lists.openembedded.org> <20260128163827.386933-1-valentin.boudevin@gmail.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	improve_kernel_cve_report: Add a bbclass support \| expand [v5,0/2] improve_kernel_cve_report: Add a bbclass support [v5,1/2] vulns: add a new recipe [v5,2/2] improve_kernel_cve_report: Add a bbclass support

Message ID

20260128163827.386933-3-valentin.boudevin@gmail.com

State

New

Headers

From: ValentinBoudevin <valentin.boudevin@gmail.com>
To: openembedded-core@lists.openembedded.org
Cc: daniel.turull@ericsson.com,
	jerome.oufella@savoirfairelinux.com,
	ValentinBoudevin <valentin.boudevin@gmail.com>
Subject: [PATCH v5 2/2] improve_kernel_cve_report: Add a bbclass support
Date: Wed, 28 Jan 2026 11:38:27 -0500
Message-ID: <20260128163827.386933-3-valentin.boudevin@gmail.com>
In-Reply-To: <20260128163827.386933-1-valentin.boudevin@gmail.com>
References: <188AFD4FCC1313A8.2683732@lists.openembedded.org>
 <20260128163827.386933-1-valentin.boudevin@gmail.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

improve_kernel_cve_report: Add a bbclass support | expand

Commit Message

ValentinBoudevin Jan. 28, 2026, 4:38 p.m. UTC

The script improve_kernel_cve_report.py doesn't have a bbclass.
It can be useful to have one to generate improved cve-check files at
every run.

This commit contains three classes:

-improve_kernel_cve_report-base.bbclass: Base class which contains the
tasks to perform improve_kernel_cve_report.py initialization and
execution.

-improve_kernel_cve_report-spdx-2.2.bbclass: Set
IMPROVE_KERNEL_SPDX_FILE variable for SPDX-2.2 builds and set
IMPROVE_KERNEL_PREFERRED_PROVIDER to require "create-spdx-2.2" in
INHERIT.

-improve_kernel_cve_report-spdx-3.0.bbclass: Set
IMPROVE_KERNEL_SPDX_FILE variable for SPDX-3.0 project, and set
IMPROVE_KERNEL_PREFERRED_PROVIDER to "create-spdx" to requires it in
INHERIT.

-improve_kernel_cve_report.bbclass: Include this class when you don't
care what version of SPDX you get.

These three new .bbclass files can be used to generate a new output in
tmp/deploy/images with a .scouted.json file in addition to the existing
.json cve-check file.

The new .scouted.json is based on the cve-check file and the SBOM to
generate this improved cve-check file with extra entries found by the
script improve_kernel_cve_report.py.

It only requires to use "inherit" on an image recipe (e.g. on
core-image-minimal).

The bbclass "improve_kernel_cve_report-spdx-2.2.bbclass" can be used if
"create-spdx-2.2" is configured in INHERIT, and "create-spdx" is
removed.

INHERIT:remove = "create-spdx"
INHERIT:append = " create-spdx-2.2"

By default, projects use SPDX-3.0 and don't require any additional
configuration.

Signed-off-by: Valentin Boudevin <valentin.boudevin@gmail.com>
---
 .../improve_kernel_cve_report-base.bbclass    | 60 +++++++++++++++++++
 ...improve_kernel_cve_report-spdx-2.2.bbclass |  4 ++
 ...improve_kernel_cve_report-spdx-3.0.bbclass |  4 ++
 .../classes/improve_kernel_cve_report.bbclass |  3 +
 4 files changed, 71 insertions(+)
 create mode 100644 meta/classes/improve_kernel_cve_report-base.bbclass
 create mode 100644 meta/classes/improve_kernel_cve_report-spdx-2.2.bbclass
 create mode 100644 meta/classes/improve_kernel_cve_report-spdx-3.0.bbclass
 create mode 100644 meta/classes/improve_kernel_cve_report.bbclass

diff --git a/meta/classes/improve_kernel_cve_report-base.bbclass b/meta/classes/improve_kernel_cve_report-base.bbclass
new file mode 100644
index 0000000000..e78722c59c
--- /dev/null
+++ b/meta/classes/improve_kernel_cve_report-base.bbclass
@@ -0,0 +1,60 @@ 
+# Settings for SPDX support
+
+# Setting to specify preferred provider for kernel SPDX file ("create-spdx" or "create-spdx-2.2")
+IMPROVE_KERNEL_PREFERRED_PROVIDER ?= ""
+# Setting to specify the path to the SPDX file to be used for extra kernel vulnerabilities scouting
+IMPROVE_KERNEL_SPDX_FILE ?= ""
+
+python __anonymous() {
+    if bb.data.inherits_class("create-spdx-2.2", d):
+        bb.build.addtask("do_scout_extra_kernel_vulns", "do_build", "do_rootfs", d)
+    elif bb.data.inherits_class("create-spdx", d):
+        bb.build.addtask('do_scout_extra_kernel_vulns', 'do_build', 'do_create_image_sbom_spdx', d)
+}
+
+python do_clean:append() {
+    import os, glob
+    deploy_dir = d.expand('${DEPLOY_DIR_IMAGE}')
+    for f in glob.glob(os.path.join(deploy_dir, '*scouted.json')):
+        bb.note("Removing " + f)
+        os.remove(f)
+}
+
+do_scout_extra_kernel_vulns() {
+    new_cve_report_file="${DEPLOY_DIR_IMAGE}/${IMAGE_NAME}.scouted.json"
+    improve_kernel_cve_script="${COREBASE}/scripts/contrib/improve_kernel_cve_report.py"
+
+    # Check that IMPROVE_KERNEL_SPDX_FILE is set and the file exists
+    if [ -z "${IMPROVE_KERNEL_SPDX_FILE}" ] || [ ! -f "${IMPROVE_KERNEL_SPDX_FILE}" ]; then
+        bbwarn "improve_kernel_cve: IMPROVE_KERNEL_SPDX_FILE is empty or file not found: ${IMPROVE_KERNEL_SPDX_FILE}"
+        return 0
+    fi
+    if [ ! -f "${CVE_CHECK_MANIFEST_JSON}" ]; then
+        bbwarn "improve_kernel_cve: CVE_CHECK file not found: ${CVE_CHECK_MANIFEST_JSON}. Skipping extra kernel vulnerabilities scouting."
+        return 0
+    fi
+    if [ ! -f "${improve_kernel_cve_script}" ]; then
+        bbwarn "improve_kernel_cve: improve_kernel_cve_report.py not found in ${COREBASE}."
+        return 0
+    fi
+    if [ ! -d "${STAGING_DATADIR_NATIVE}/vulns-native" ]; then
+        bbwarn "improve_kernel_cve: Vulnerabilities data not found in ${STAGING_DATADIR_NATIVE}/vulns-native."
+        return 0
+    fi
+
+    #Run the improve_kernel_cve_report.py script
+    bbplain "improve_kernel_cve: Using SPDX file for extra kernel vulnerabilities scouting: ${IMPROVE_KERNEL_SPDX_FILE}"
+    python3 "${improve_kernel_cve_script}" \
+        --spdx "${IMPROVE_KERNEL_SPDX_FILE}" \
+        --old-cve-report "${CVE_CHECK_MANIFEST_JSON}" \
+        --new-cve-report "${new_cve_report_file}" \
+        --datadir "${STAGING_DATADIR_NATIVE}/vulns-native"
+    bbplain "Improve CVE report with extra kernel cves: ${new_cve_report_file}"
+
+    #Create a symlink as every other JSON file in tmp/deploy/images
+    ln -sf ${DEPLOY_DIR_IMAGE}/${IMAGE_NAME}.scouted.json ${DEPLOY_DIR_IMAGE}/${IMAGE_BASENAME}${IMAGE_MACHINE_SUFFIX}${IMAGE_NAME_SUFFIX}.scouted.json
+}
+do_scout_extra_kernel_vulns[depends] += "vulns-native:do_populate_sysroot"
+do_scout_extra_kernel_vulns[nostamp] = "1"
+do_scout_extra_kernel_vulns[doc] = "Scout extra kernel vulnerabilities and create a new enhanced version of the cve_check file in the deploy directory"
+addtask scout_extra_kernel_vulnsate_cve_exclusions after do_prepare_recipe_sysroot
\ No newline at end of file
diff --git a/meta/classes/improve_kernel_cve_report-spdx-2.2.bbclass b/meta/classes/improve_kernel_cve_report-spdx-2.2.bbclass
new file mode 100644
index 0000000000..45b483134d
--- /dev/null
+++ b/meta/classes/improve_kernel_cve_report-spdx-2.2.bbclass
@@ -0,0 +1,4 @@ 
+IMPROVE_KERNEL_PREFERRED_PROVIDER = "create-spdx-2.2"
+IMPROVE_KERNEL_SPDX_FILE = "${DEPLOY_DIR}/spdx/2.2/${@d.getVar('MACHINE').replace('-', '_')}/recipes/recipe-${PREFERRED_PROVIDER_virtual/kernel}.spdx.json"
+
+inherit improve_kernel_cve_report-base
\ No newline at end of file
diff --git a/meta/classes/improve_kernel_cve_report-spdx-3.0.bbclass b/meta/classes/improve_kernel_cve_report-spdx-3.0.bbclass
new file mode 100644
index 0000000000..3849f66aaf
--- /dev/null
+++ b/meta/classes/improve_kernel_cve_report-spdx-3.0.bbclass
@@ -0,0 +1,4 @@ 
+IMPROVE_KERNEL_PREFERRED_PROVIDER = "create-spdx"
+IMPROVE_KERNEL_SPDX_FILE = "${SPDXIMAGEDEPLOYDIR}/${IMAGE_LINK_NAME}.spdx.json"
+
+inherit improve_kernel_cve_report-base
\ No newline at end of file
diff --git a/meta/classes/improve_kernel_cve_report.bbclass b/meta/classes/improve_kernel_cve_report.bbclass
new file mode 100644
index 0000000000..7b237d1e22
--- /dev/null
+++ b/meta/classes/improve_kernel_cve_report.bbclass
@@ -0,0 +1,3 @@ 
+# Include this class when you don't care what version of SPDX you get; it will
+# be updated to the latest stable version that is supported
+inherit improve_kernel_cve_report-spdx-3.0
\ No newline at end of file

[v5,2/2] improve_kernel_cve_report: Add a bbclass support

Commit Message

Patch