From patchwork Fri Apr 3 09:41:05 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Jo=C3=A3o_Marcos_Costa?= X-Patchwork-Id: 85215 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 4F2A2E7E35E for ; Fri, 3 Apr 2026 09:41:28 +0000 (UTC) Received: from smtpout-02.galae.net (smtpout-02.galae.net [185.246.84.56]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.8389.1775209280890880491 for ; Fri, 03 Apr 2026 02:41:22 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: body hash did not verify" header.i=@bootlin.com header.s=dkim header.b=ZgjNd6iJ; spf=pass (domain: bootlin.com, ip: 185.246.84.56, mailfrom: joaomarcos.costa@bootlin.com) Received: from smtpout-01.galae.net (smtpout-01.galae.net [212.83.139.233]) by smtpout-02.galae.net (Postfix) with ESMTPS id E77F01A3129 for ; Fri, 3 Apr 2026 09:41:18 +0000 (UTC) Received: from mail.galae.net (mail.galae.net [212.83.136.155]) by smtpout-01.galae.net (Postfix) with ESMTPS id B18A6603C1; Fri, 3 Apr 2026 09:41:18 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) by localhost (Mailerdaemon) with ESMTPSA id 51AB410451A8C; Fri, 3 Apr 2026 11:41:15 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bootlin.com; s=dkim; t=1775209278; h=from:subject:date:message-id:to:cc:mime-version:content-type: content-transfer-encoding; bh=1jbYtAgny00GO9mFSxtq0ScjGYDDqdwf0w1mBvB/I1w=; b=ZgjNd6iJq4FMF6qWNRcnYsHaNh76OdoCEMxzzF8hGiOT+bDYpbkO6oLMwB7uUhxcnsGNxB rDAiWK532zZceN+w/PVW/Zjdrn8sXdvYkzj4KAqjS6VkTe2H/EEnaUQQrgFSjhxH5N5PLZ LQmk2+bF7qJ8oAVjgpS5RBzLdYMzQYLv1UGb8XmPMCScck0EOBXWO7HuCSVXsEQ/lgbYAl bUehg8q/NCB82rvw/wepc8qSbRwXaekiM2ZA/8TsJI8VLnFE4Gdez5K8D02faniKxWprEz 6p2asKS0xmtUIJ43I0jsS8IUdF7mu0WcS6lhYQvXTG3iH1PNE/PXkvLidS1DkQ== From: =?utf-8?q?Jo=C3=A3o_Marcos_Costa?= To: openembedded-core@lists.openembedded.org Cc: thomas.petazzoni@bootlin.com, benjamin.robin@bootlin.com, steve@sakoman.com, mathieu.dubois-briand@bootlin.com, pascal.eberhard@se.com, yoann.congal@smile.fr, =?utf-8?q?Jo=C3=A3o_Marcos_Costa_=28Schneider_Electr?= =?utf-8?q?ic=29?= Subject: [scarthgap][PATCH 1/2] linux/generate-cve-exclusions: backport script from master branch Date: Fri, 3 Apr 2026 11:41:05 +0200 Message-ID: <20260403094106.819783-1-joaomarcos.costa@bootlin.com> X-Mailer: git-send-email 2.47.0 MIME-Version: 1.0 X-Last-TLS-Session-Version: TLSv1.3 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 03 Apr 2026 09:41:28 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/234575 From: João Marcos Costa (Schneider Electric) The current version of this script in Scarthgap is outdated, since it still uses data from linux_kernel_cves. This repository was archived in 2024. To avoid any risks of conflicts, and/or a patch series longer than it needs to be, I copied the generate-cve-exclusions.py script from oe-core's master branch (rev. "e954a94b5b528b2430e8da331107d7d58287f89b") as-is. Signed-off-by: João Marcos Costa (Schneider Electric) --- .../linux/generate-cve-exclusions.py | 122 +++++++++++++----- 1 file changed, 90 insertions(+), 32 deletions(-) diff --git a/meta/recipes-kernel/linux/generate-cve-exclusions.py b/meta/recipes-kernel/linux/generate-cve-exclusions.py index aa9195aab4..5139b11055 100755 --- a/meta/recipes-kernel/linux/generate-cve-exclusions.py +++ b/meta/recipes-kernel/linux/generate-cve-exclusions.py @@ -1,7 +1,7 @@ #! /usr/bin/env python3 # Generate granular CVE status metadata for a specific version of the kernel -# using data from linuxkernelcves.com. +# using json data from cvelistV5 or vulns repository # # SPDX-License-Identifier: GPL-2.0-only @@ -9,7 +9,9 @@ import argparse import datetime import json import pathlib -import re +import os +import glob +import subprocess from packaging.version import Version @@ -25,26 +27,82 @@ def parse_version(s): return Version(s) return None +def get_fixed_versions(cve_info, base_version): + ''' + Get fixed versionss + ''' + first_affected = None + fixed = None + fixed_backport = None + next_version = Version(str(base_version) + ".5000") + for affected in cve_info["containers"]["cna"]["affected"]: + # In case the CVE info is not complete, it might not have default status and therefore + # we don't know the status of this CVE. + if not "defaultStatus" in affected: + return first_affected, fixed, fixed_backport + if affected["defaultStatus"] == "affected": + for version in affected["versions"]: + v = Version(version["version"]) + if v == Version('0'): + #Skiping non-affected + continue + if version["status"] == "unaffected" and first_affected and v < first_affected: + first_affected = Version(f"{v.major}.{v.minor}") + if version["status"] == "affected" and not first_affected: + first_affected = v + elif (version["status"] == "unaffected" and + version['versionType'] == "original_commit_for_fix"): + fixed = v + elif base_version < v and v < next_version: + fixed_backport = v + elif affected["defaultStatus"] == "unaffected": + # Only specific versions are affected. We care only about our base version + if "versions" not in affected: + continue + for version in affected["versions"]: + if "versionType" not in version: + continue + if version["versionType"] == "git": + continue + v = Version(version["version"]) + # in case it is not in our base version + less_than = Version(version["lessThan"]) + + if not first_affected: + first_affected = v + fixed = less_than + if base_version < v and v < next_version: + fixed_backport = less_than + + return first_affected, fixed, fixed_backport + +def is_linux_cve(cve_info): + '''Return true is the CVE belongs to Linux''' + if not "affected" in cve_info["containers"]["cna"]: + return False + for affected in cve_info["containers"]["cna"]["affected"]: + if not "product" in affected: + return False + if affected["product"] == "Linux" and affected["vendor"] == "Linux": + return True + return False def main(argp=None): parser = argparse.ArgumentParser() - parser.add_argument("datadir", type=pathlib.Path, help="Path to a clone of https://github.com/nluedtke/linux_kernel_cves") + parser.add_argument("datadir", type=pathlib.Path, help="Path to a clone of https://github.com/CVEProject/cvelistV5 or https://git.kernel.org/pub/scm/linux/security/vulns.git") parser.add_argument("version", type=Version, help="Kernel version number to generate data for, such as 6.1.38") args = parser.parse_args(argp) - datadir = args.datadir + datadir = args.datadir.resolve() version = args.version - base_version = f"{version.major}.{version.minor}" + base_version = Version(f"{version.major}.{version.minor}") - with open(datadir / "data" / "kernel_cves.json", "r") as f: - cve_data = json.load(f) - - with open(datadir / "data" / "stream_fixes.json", "r") as f: - stream_data = json.load(f) + data_version = subprocess.check_output(("git", "describe", "--tags", "--always", "HEAD"), cwd=datadir, text=True) print(f""" # Auto-generated CVE metadata, DO NOT EDIT BY HAND. -# Generated at {datetime.datetime.now(datetime.timezone.utc)} for version {version} +# Generated at {datetime.datetime.now(datetime.timezone.utc)} for kernel version {version} +# From {datadir.name} {data_version} python check_kernel_cve_status_version() {{ this_version = "{version}" @@ -55,17 +113,23 @@ python check_kernel_cve_status_version() {{ do_cve_check[prefuncs] += "check_kernel_cve_status_version" """) - for cve, data in cve_data.items(): - if "affected_versions" not in data: - print(f"# Skipping {cve}, no affected_versions") - print() - continue + # Loop though all CVES and check if they are kernel related, newer than 2015 + pattern = os.path.join(datadir, '**', "CVE-20*.json") - affected = data["affected_versions"] - first_affected, fixed = re.search(r"(.+) to (.+)", affected).groups() - first_affected = parse_version(first_affected) - fixed = parse_version(fixed) + files = glob.glob(pattern, recursive=True) + for cve_file in sorted(files): + # Get CVE Id + cve = cve_file[cve_file.rfind("/")+1:cve_file.rfind(".json")] + # We process from 2015 data, old request are not properly formated + year = cve.split("-")[1] + if int(year) < 2015: + continue + with open(cve_file, 'r', encoding='utf-8') as json_file: + cve_info = json.load(json_file) + if not is_linux_cve(cve_info): + continue + first_affected, fixed, backport_ver = get_fixed_versions(cve_info, base_version) if not fixed: print(f"# {cve} has no known resolution") elif first_affected and version < first_affected: @@ -75,19 +139,13 @@ do_cve_check[prefuncs] += "check_kernel_cve_status_version" f'CVE_STATUS[{cve}] = "fixed-version: Fixed from version {fixed}"' ) else: - if cve in stream_data: - backport_data = stream_data[cve] - if base_version in backport_data: - backport_ver = Version(backport_data[base_version]["fixed_version"]) - if backport_ver <= version: - print( - f'CVE_STATUS[{cve}] = "cpe-stable-backport: Backported in {backport_ver}"' - ) - else: - # TODO print a note that the kernel needs bumping - print(f"# {cve} needs backporting (fixed from {backport_ver})") + if backport_ver: + if backport_ver <= version: + print( + f'CVE_STATUS[{cve}] = "cpe-stable-backport: Backported in {backport_ver}"' + ) else: - print(f"# {cve} needs backporting (fixed from {fixed})") + print(f"# {cve} may need backporting (fixed from {backport_ver})") else: print(f"# {cve} needs backporting (fixed from {fixed})")