new file mode 100644
@@ -0,0 +1,46 @@
+# Generate CVE exclusions for the kernel build (set to "1" to enable)
+GENERATE_CVE_EXCLUSIONS_OUTPUT_JSON = "${WORKDIR}/temp/cve-exclusion_${LINUX_VERSION}.json"
+GENERATE_CVE_EXCLUSIONS_OUTPUT_INC = "${WORKDIR}/temp//cve-exclusion_${LINUX_VERSION}.inc"
+
+do_generate_cve_exclusions() {
+ # Check for required files and directories
+ generate_cve_exclusions_script=${COREBASE}/scripts/contrib/generate-cve-exclusions.py
+ if [ ! -f "${generate_cve_exclusions_script}" ]; then
+ bbwarn "generate-cve-exclusions.py not found in ${generate_cve_exclusions_script}."
+ return 0
+ fi
+ if [ ! -d "${STAGING_DATADIR_NATIVE}/cvelistv5-native" ]; then
+ bbwarn "CVE exclusions source directory not found in ${STAGING_DATADIR_NATIVE}/cvelistv5-native."
+ return 0
+ fi
+ # Generate the CVE exclusions JSON & INC file
+ python3 "${generate_cve_exclusions_script}" \
+ "${STAGING_DATADIR_NATIVE}/cvelistv5-native" \
+ ${LINUX_VERSION} \
+ --output-json-file "${GENERATE_CVE_EXCLUSIONS_OUTPUT_JSON}" \
+ --output-inc-file "${GENERATE_CVE_EXCLUSIONS_OUTPUT_INC}"
+ bbplain "CVE exclusions generated for kernel version ${LINUX_VERSION} at ${GENERATE_CVE_EXCLUSIONS_OUTPUT_INC} and ${GENERATE_CVE_EXCLUSIONS_OUTPUT_JSON}."
+}
+do_generate_cve_exclusions[depends] += "cvelistv5-native:do_populate_sysroot"
+do_generate_cve_exclusions[nostamp] = "1"
+do_generate_cve_exclusions[doc] = "Generate CVE exclusions for the kernel build. (e.g., cve-exclusion_6.12.json)"
+addtask generate_cve_exclusions after do_prepare_recipe_sysroot before do_cve_check
+
+python do_cve_check:prepend() {
+ import os
+ import json
+ workdir = d.getVar("${STAGING_DATADIR_NATIVE}/cvelistv5-native")
+ kernel_version = d.getVar("LINUX_VERSION")
+ json_input_file = d.getVar("GENERATE_CVE_EXCLUSIONS_OUTPUT_JSON")
+ if os.path.exists(json_input_file):
+ with open(json_input_file, 'r', encoding='utf-8') as f:
+ cve_data = json.load(f)
+ cve_status_dict = cve_data.get("cve_status", {})
+ count = 0
+ for cve_id, info in cve_status_dict.items():
+ if info.get("active", True):
+ continue
+ d.setVarFlag("CVE_STATUS", cve_id, info.get("message", ""))
+ count += 1
+ bb.note("Loaded %d CVE_STATUS entries from JSON output for kernel %s" % (count, kernel_version))
+}
Add a new class named kernel-generate-cve-exclusions.bbclass to generate-cve-exclusions to use this script at every run. Two steps for testing: 1) inherit this class in the kernel recipe with "inherit kernel-generate-cve-exclusions.bbclass" 2) Use the following command to generate cve exclusions .json, and .inc file : "bitbake linux-yocto -c "do_generate_cve_exclusions" This class contains several methods: *do_generate_cve_exclusions: Use the script generate-cve-exclusions.py. It uses the new "--output-json-file" argument to generate a JSON file as an output stored in ${GENERATE_CVE_EXCLUSIONS_OUTPUT_JSON}, and a .inc file in ${GENERATE_CVE_EXCLUSIONS_OUTPUT_INC} *do_cve_check:prepend: Parse the previously generated JSON file to set the variable CVE_STATUS corretly The class also provides some variables: *GENERATE_CVE_EXCLUSIONS_OUTPUT_JSON: path of the output JSON file used to set CVE_STATUS *GENERATE_CVE_EXCLUSIONS_OUTPUT_INC: cve exclusions .inc file output path. Not used directly by this class (needs to be inherit manually). Signed-off-by: Valentin Boudevin <valentin.boudevin@gmail.com> --- .../kernel-generate-cve-exclusions.bbclass | 46 +++++++++++++++++++ 1 file changed, 46 insertions(+) create mode 100644 meta/classes/kernel-generate-cve-exclusions.bbclass