From patchwork Mon Apr 28 13:42:00 2025
X-Patchwork-Submitter: Daniel Turull
X-Patchwork-Id: 62024
From: Daniel Turull
CC: Daniel Turull, Peter Marko
Subject: [PATCH v2 1/6] linux-vulns: fetch kernel.org CNA info
Date: Mon, 28 Apr 2025 15:42:00 +0200
Message-ID: <20250428134205.900354-2-daniel.turull@ericsson.com>
X-Mailer: git-send-email 2.48.1
In-Reply-To: <20250428134205.900354-1-daniel.turull@ericsson.com>
References: <20250428134205.900354-1-daniel.turull@ericsson.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/215600

From: Daniel Turull

Add a CVE data source for kernel.org. It includes more information than the one provided by NVD. Use a similar mechanism and the same variables as cve-check to define when to update. To use it without internet access, change the variable VULNS_URL to point to a local copy or mirror.

CC: Peter Marko
Signed-off-by: Daniel Turull --- meta/conf/distro/include/maintainers.inc | 1 + meta/recipes-core/meta/linux-vulns_git.bb | 76 +++++++++++++++++++++++ 2 files changed, 77 insertions(+) create mode 100644 meta/recipes-core/meta/linux-vulns_git.bb diff --git a/meta/conf/distro/include/maintainers.inc b/meta/conf/distro/include/maintainers.inc index 8065287c17..ec427fe6a4 100644 --- a/meta/conf/distro/include/maintainers.inc +++ b/meta/conf/distro/include/maintainers.inc @@ -468,6 +468,7 @@ RECIPE_MAINTAINER:pn-lighttpd = "Unassigned " RECIPE_MAINTAINER:pn-linux-dummy = "Unassigned " RECIPE_MAINTAINER:pn-linux-firmware = "Otavio Salvador " RECIPE_MAINTAINER:pn-linux-libc-headers = "Bruce Ashfield " +RECIPE_MAINTAINER:pn-linux-vulns = "Unassigned " RECIPE_MAINTAINER:pn-linux-yocto = "Bruce Ashfield " RECIPE_MAINTAINER:pn-linux-yocto-dev = "Bruce Ashfield " RECIPE_MAINTAINER:pn-linux-yocto-rt = "Bruce Ashfield " diff --git a/meta/recipes-core/meta/linux-vulns_git.bb b/meta/recipes-core/meta/linux-vulns_git.bb new file mode 100644 index 0000000000..fc48558eb8 --- /dev/null +++ b/meta/recipes-core/meta/linux-vulns_git.bb 
@@ -0,0 +1,76 @@ +SUMMARY = "CVE information from kernel.org" +DESCRIPTION = "Repo for tracking and maintaining the CVE identifiers reserved \ +and assigned to the Linux kernel project." +HOMEPAGE = "https://git.kernel.org/pub/scm/linux/security/vulns.git/about/" +LICENSE = "GPL-2.0-only & cve-tou" +SECTION = "base" + +INHIBIT_DEFAULT_DEPS = "1" + +inherit native +inherit nopackages + +VULNS_URL ?= "https://git.kernel.org/pub/scm/linux/security/vulns" +CVE_CHECK_KERNEL_DB_DIR ??= "${DL_DIR}/CVE_CHECK/vulns" + +# Use same intervals as cve-update-db-native. By default: once a day (24*60*60). +# Use 0 to force the update +# Use a negative value to skip the update + +CVE_DB_UPDATE_INTERVAL ??= "86400" + +python do_fetch(){ + import os + import bb.utils + + bb.utils.export_proxies(d) + db_file = d.getVar("CVE_CHECK_KERNEL_DB_DIR") + repo_url = d.getVar("VULNS_URL") + + try: + import time + update_interval = int(d.getVar("CVE_DB_UPDATE_INTERVAL")) + + if update_interval < 0: + bb.note("Kernel CVE database update skipped") + return + if time.time() - os.path.getmtime(db_file) < update_interval: + bb.debug(2,"Kernel CVE database, recently updated, skipping") + return + + except OSError: + pass + + bb.utils.mkdirhier(os.path.dirname(db_file)) + # Configure cmd + if not os.path.exists(db_file): + cmd = f"git clone {repo_url} {db_file}" + else: + cmd = f"git -C {db_file} pull" + try: + bb.fetch2.runfetchcmd(cmd, d) + except bb.fetch2.FetchError as e: + bb.warn(f"Kernel vulns repo url not accessible. 
{repo_url}") + bb.warn("Set VULNS_URL in local.conf to point to a local copy or mirror") +} + +do_clean() { + rm -rf ${CVE_CHECK_KERNEL_DB_DIR} +} + +deltask do_patch +deltask do_unpack +deltask do_configure +deltask do_compile +deltask do_install +deltask do_populate_sysroot +deltask do_runtime_spdx +deltask do_create_spdx +deltask do_populate_lic +deltask do_cve_check + +do_fetch[nostamp] = "1" +do_fetch[file-checksums] = "" +do_fetch[vardeps] = "" + +EXCLUDE_FROM_WORLD = "1"
From patchwork Mon Apr 28 13:42:01 2025
X-Patchwork-Submitter: Daniel Turull
X-Patchwork-Id: 62026
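Review bot: the update-interval check in do_fetch of linux-vulns_git.bb keys off `os.path.getmtime(db_file)`, but `db_file` is the clone directory, and a directory's mtime only changes when an entry is created or removed directly inside it, not when `git -C {db_file} pull` rewrites files under cve/ or .git/. After the initial clone the mtime stays at clone time, so once the first interval has elapsed `time.time() - os.path.getmtime(db_file) < update_interval` is false on every later run and the repo is pulled on every build, which defeats CVE_DB_UPDATE_INTERVAL. Touch the directory or a dedicated stamp file after a successful clone or pull (for example `os.utime(db_file, None)`) and test that instead. Two smaller points on the same hunk: nothing serialises concurrent `git clone` / `git pull` into the shared `${DL_DIR}/CVE_CHECK/vulns` when several builds share DL_DIR, so add a `do_fetch[lockfiles]` flag the way cve-update-nvd2-native guards its database; and since no commit is pinned and VULNS_URL may point at any mirror, the only integrity guarantee on the CVE data is the transport to that URL, so at least record the resulting HEAD (`git -C {db_file} rev-parse HEAD`) in the log so a build can be tied to a known snapshot. The `as e` in `except bb.fetch2.FetchError as e:` is unused and can be dropped or included in the warning.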
From: Daniel Turull
CC: Daniel Turull
Subject: [PATCH v2 2/6] cve-check: fix debug message
Date: Mon, 28 Apr 2025 15:42:01 +0200
Message-ID: <20250428134205.900354-3-daniel.turull@ericsson.com>
X-Mailer: git-send-email 2.48.1
In-Reply-To: <20250428134205.900354-1-daniel.turull@ericsson.com>
References: <20250428134205.900354-1-daniel.turull@ericsson.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/215605
From: Daniel Turull Debug level was not added as a parameter, causing a warning. Signed-off-by: Daniel Turull --- meta/classes/cve-check.bbclass | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass index 1aef00d297..86ddfaae5f 100644 --- a/meta/classes/cve-check.bbclass +++ b/meta/classes/cve-check.bbclass 
@@ -288,16 +288,16 @@ def cve_update(d, cve_data, cve, entry): if entry['status'] == "version-in-range" and cve_data[cve]['status'] == "version-not-in-range": # New result from the scan, vulnerable cve_data[cve] = entry - bb.debug("CVE entry %s update from Patched to Unpatched from the scan result" % cve) + bb.debug(1, "CVE entry %s update from Patched to Unpatched from the scan result" % cve) return if entry['abbrev-status'] == "Patched" and cve_data[cve]['abbrev-status'] == "Unpatched": if entry['status'] == "version-not-in-range" and cve_data[cve]['status'] == "version-in-range": # Range does not match the scan, but we already have a vulnerable match, ignore - bb.debug("CVE entry %s update from Patched to Unpatched from the scan result - not applying" % cve) + bb.debug(1, "CVE entry %s update from Patched to Unpatched from the scan result - not applying" % cve) return # If we have an "Ignored", it has a priority if cve_data[cve]['abbrev-status'] == "Ignored": - bb.debug("CVE %s not updating because Ignored" % cve) + bb.debug(1, "CVE %s not updating because Ignored" % cve) return bb.warn("Unhandled CVE entry update for %s from %s to %s" % (cve, cve_data[cve], entry))
From patchwork Mon Apr 28 13:42:02 2025
X-Patchwork-Submitter: Daniel Turull
X-Patchwork-Id: 62022
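Review bot: while these three bb.debug calls are being touched, the wording of the second one is wrong and should be fixed in the same change: that branch sits under `if entry['abbrev-status'] == "Patched" and cve_data[cve]['abbrev-status'] == "Unpatched":`, so the scan is proposing an update from Unpatched to Patched which is being ignored because a vulnerable version-in-range match already exists, yet the message still reads "update from Patched to Unpatched from the scan result - not applying". Suggest `bb.debug(1, "CVE entry %s update from Unpatched to Patched from the scan result - not applying" % cve)`. The level fix itself is right: bb.debug takes the level as its first positional argument, which is why the old calls produced a warning.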
From: Daniel Turull
CC: Daniel Turull, Peter Marko
Subject: [PATCH v2 3/6] kernel: add support to extract compiled files
Date: Mon, 28 Apr 2025 15:42:02 +0200
Message-ID: <20250428134205.900354-4-daniel.turull@ericsson.com>
X-Mailer: git-send-email 2.48.1
In-Reply-To: <20250428134205.900354-1-daniel.turull@ericsson.com>
References: <20250428134205.900354-1-daniel.turull@ericsson.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/215604
From: Daniel Turull

Use gen_compile_commands.py to extract the files used during compilation for the kernel configuration in use.

CC: Peter Marko
Signed-off-by: Daniel Turull
--- meta/classes-recipe/kernel.bbclass | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/meta/classes-recipe/kernel.bbclass b/meta/classes-recipe/kernel.bbclass index 36ce659762..56060f2c91 100644 --- a/meta/classes-recipe/kernel.bbclass +++ b/meta/classes-recipe/kernel.bbclass
@@ -867,3 +867,14 @@ EXPORT_FUNCTIONS do_deploy # Add using Device Tree support inherit kernel-devicetree + +KERNEL_FILES_DIR ?= "${LOG_DIR}/cve/kernel_files" +KERNEL_SRC_FILES ?= "${KERNEL_FILES_DIR}/compile_commands.json" + +do_save_compiled_files() { + bbdebug 1 "Saving compiled files in ${KERNEL_SRC_FILES}" + mkdir -p ${KERNEL_FILES_DIR} + ${S}/scripts/clang-tools/gen_compile_commands.py -o ${KERNEL_SRC_FILES} -d ${B} +} + +addtask do_save_compiled_files after do_compile do_compile_kernelmodules
From patchwork Mon Apr 28 13:42:03 2025
X-Patchwork-Submitter: Daniel Turull
X-Patchwork-Id: 62027
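Review bot: do_save_compiled_files runs `${S}/scripts/clang-tools/gen_compile_commands.py` unconditionally for every recipe that inherits kernel.bbclass, but older kernel trees do not have the script at that path (it predates the move into scripts/clang-tools/, and very old trees lack it entirely), so the task will fail on those kernels; test for the script first and bbwarn and return when it is missing, or only add the task when cve-check is in use. Two related points on the same hunk: KERNEL_FILES_DIR defaults to `${LOG_DIR}/cve/kernel_files`, which is not keyed by recipe or machine, so two kernel recipes or a multiconfig build in one build directory overwrite each other's compile_commands.json; include ${PN} or ${MACHINE} in the path. And `addtask do_save_compiled_files after do_compile do_compile_kernelmodules` has no `before` clause and nothing in this hunk depends on the task, so as posted it only runs when invoked explicitly; the commit message should say that a later patch in the series wires it into do_cve_check, or add that dependency here.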
Subject: [PATCH v2 4/6] cve-check: move message outside check_cves and sort
Date: Mon, 28 Apr 2025 15:42:03 +0200
Message-ID: <20250428134205.900354-5-daniel.turull@ericsson.com>
In-Reply-To: <20250428134205.900354-1-daniel.turull@ericsson.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/215606
From: Daniel Turull

When adding corrections from multiple sources of CVEs, the message showing standing CVEs should be at the end. Also sort them.

CC: Peter Marko
Signed-off-by: Daniel Turull
---
 meta/classes/cve-check.bbclass | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass index 86ddfaae5f..12159a98d2 100644 --- a/meta/classes/cve-check.bbclass +++ b/meta/classes/cve-check.bbclass @@ -173,6 +173,12 @@ python do_cve_check () { if len(cve_data) or (d.getVar("CVE_CHECK_COVERAGE") == "1" and status): get_cve_info(d, cve_data) cve_write_data(d, cve_data, status) + + if d.getVar("CVE_CHECK_SHOW_WARNINGS") == "1": + unpatched_cves = [cve for cve in cve_data if cve_data[cve]["abbrev-status"] == "Unpatched"] + if unpatched_cves: + bb.warn("Found unpatched CVE (%s)" % " ".join(sorted(unpatched_cves))) + else: bb.note("No CVE database found, skipping CVE check")
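Review bot: `sorted(unpatched_cves)` in the relocated bb.warn sorts the ids as strings, so once a year has five-digit ids the list is not in numeric order (CVE-2024-10000 sorts before CVE-2024-9999); since sorting is a stated aim of this change, a numeric key such as `sorted(unpatched_cves, key=lambda c: tuple(int(x) for x in c.split("-")[1:]))` gives the order a reader expects. Moving the warning after cve_write_data() is otherwise the right place, because it now sees the complete cve_data rather than only what check_cves() produced.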
@@ -422,10 +428,6 @@ def check_cves(d, cve_data): if not cves_in_recipe: bb.note("No CVE records for products in recipe %s" % (pn)) - if d.getVar("CVE_CHECK_SHOW_WARNINGS") == "1": - unpatched_cves = [cve for cve in cve_data if cve_data[cve]["abbrev-status"] == "Unpatched"] - if unpatched_cves: - bb.warn("Found unpatched CVE (%s)" % " ".join(unpatched_cves)) return (cve_data, cves_status)
From patchwork Mon Apr 28 13:42:04 2025
X-Patchwork-Submitter: Daniel Turull
X-Patchwork-Id: 62025
Subject: [PATCH v2 5/6] cve-check, vex, spdx: use metadata from linux-vulns to enhance CVE reporting
Date: Mon, 28 Apr 2025 15:42:04 +0200
Message-ID: <20250428134205.900354-6-daniel.turull@ericsson.com>
In-Reply-To: <20250428134205.900354-1-daniel.turull@ericsson.com>
X-Groupsio-URL:
https://lists.openembedded.org/g/openembedded-core/message/215602 
From: Daniel Turull

Introducing two new options to check kernel CVEs using linux-vulns.

- CVE_CHECK_KERNEL = "1"
  To add linux-vulns metadata on cve-report for cve_check, vex and spdx. This will check for kernel CVEs, and use the metadata to resolve them. Enabled by default

- CVE_CHECK_KERNEL_CONFIG = "1"
  CVE Check using kernel compiled files, disabled by default since it requires a compiled kernel and it will increase cve-check times. Metadata in the CVE information includes the affected files, and using the compiled files by the kernel we can ignore some of the cves.

The above variables are defined in cve_check.bbclass, vex.bbclass and spdx.bbclass in case not all classes are used at the same time. The ones in cve_check have priority.

Example of output with CVE_CHECK_KERNEL_CONFIG when using cve-check:

    {
      "id": "CVE-2024-26710",
      "status": "Ignored",
      "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26710",
      "summary": "In the Linux kernel, the following vulnerability [...]",
      "scorev2": "0.0",
      "scorev3": "5.5",
      "scorev4": "0.0",
      "modified": "2025-03-17T15:36:11.620",
      "vector": "LOCAL",
      "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "detail": "not-applicable-config",
      "description": "Source code not compiled by config. ['arch/powerpc/include/asm/thread_info.h']"
    },

And same with vex:

    {
      "id": "CVE-2024-26710",
      "status": "Ignored",
      "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26710",
      "detail": "not-applicable-config",
      "description": "Source code not compiled by config. ['arch/powerpc/include/asm/thread_info.h']"
    },

And new information for the Unpatched showing where the fix (if any) is available. Tested with 6.12.22 kernel:

    {
      "id": "CVE-2025-39728",
      "status": "Unpatched",
      "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39728",
      "summary": "In the Linux kernel, the following vulnerability has been [...],
      "scorev2": "0.0",
      "scorev3": "0.0",
      "scorev4": "0.0",
      "modified": "2025-04-21T14:23:45.950",
      "vector": "UNKNOWN",
      "vectorString": "UNKNOWN",
      "detail": "version-in-range",
      "description": "Needs backporting (fixed from 6.12.23)"
    },

Tested with cve-check, create-spdx2.2, create-spdx3.0, vex

CC: Peter Marko
Signed-off-by: Daniel Turull
---
 meta/classes/cve-check.bbclass   | 19 ++-
 meta/classes/spdx-common.bbclass |  7 ++
 meta/classes/vex.bbclass         | 10 ++
 meta/lib/oe/cve_check.py         | 210 ++++++++++++++++++++++++++++++-
 4 files changed, 244 insertions(+), 2 deletions(-)

diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass index 12159a98d2..02266f171f 100644 --- a/meta/classes/cve-check.bbclass +++ b/meta/classes/cve-check.bbclass @@ -34,6 +34,13 @@ CVE_VERSION ??= "${PV}" # Possible database sources: NVD1, NVD2, FKIE NVD_DB_VERSION ?= "FKIE" +# CVE Check using kernel CNA and compiled files +CVE_CHECK_KERNEL ?= "1" +# CVE Check using kernel compiled files +CVE_CHECK_KERNEL_CONFIG ?= "0" +# Location of the linux-vulns data +CVE_CHECK_KERNEL_DB_DIR ?= "${DL_DIR}/CVE_CHECK/vulns" + # Use different file names for each database source, as they synchronize at different moments, so may be slightly different CVE_CHECK_DB_FILENAME ?= "${@'nvdcve_2-2.db' if d.getVar('NVD_DB_VERSION') == 'NVD2' else 'nvdcve_1-3.db' if d.getVar('NVD_DB_VERSION') == 'NVD1' else 'nvdfkie_1-1.db'}" CVE_CHECK_DB_FETCHER ?= "${@'cve-update-nvd2-native' if d.getVar('NVD_DB_VERSION') == 'NVD2' else 'cve-update-db-native'}"
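Review bot: the comment added above CVE_CHECK_KERNEL in cve-check.bbclass ("CVE Check using kernel CNA and compiled files") describes the compiled-files check, but per the commit message that check belongs to CVE_CHECK_KERNEL_CONFIG while CVE_CHECK_KERNEL only pulls in the linux-vulns (kernel CNA) metadata; suggest wording it as "# Resolve kernel CVEs using linux-vulns (kernel CNA) metadata" so the two variables are not read as doing the same thing, and applying the same wording where vex.bbclass copies this comment.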
@@ -111,6 +118,9 @@ python () { if nvd_database_type not in ("NVD1", "NVD2", "FKIE"): bb.erroronce("Malformed NVD_DB_VERSION, must be one of: NVD1, NVD2, FKIE. Defaulting to NVD2") d.setVar("NVD_DB_VERSION", "NVD2") + + from oe.cve_check import extend_cve_kernel_config + extend_cve_kernel_config(d, "do_cve_check") } def generate_json_report(d, out_path, link_path): @@ -161,7 +171,7 @@ python do_cve_check () { """ Check recipe for patched and unpatched CVEs """ - from oe.cve_check import get_patched_cves + from oe.cve_check import get_patched_cves, get_kernel_cves with bb.utils.fileslocked([d.getVar("CVE_CHECK_DB_FILE_LOCK")], shared=True): if os.path.exists(d.getVar("CVE_CHECK_DB_FILE")): @@ -170,6 +180,13 @@ python do_cve_check () { except FileNotFoundError: bb.fatal("Failure in searching patches") cve_data, status = check_cves(d, patched_cves) + + cve_check_kernel = d.getVar("CVE_CHECK_KERNEL") + if "linux_kernel" in d.getVar("CVE_PRODUCT") and cve_check_kernel == "1": + kernel_unpatched_cves, _kernel_patched_cves = get_kernel_cves(d) + # Patched CVEs are already returned in the get_patched_cves(). Adding the unpatched + cve_data.update(kernel_unpatched_cves) + if len(cve_data) or (d.getVar("CVE_CHECK_COVERAGE") == "1" and status): get_cve_info(d, cve_data) cve_write_data(d, cve_data, status) diff --git a/meta/classes/spdx-common.bbclass b/meta/classes/spdx-common.bbclass index 713a7fc651..d2b9c6993a 100644 --- a/meta/classes/spdx-common.bbclass +++ b/meta/classes/spdx-common.bbclass @@ -37,9 +37,16 @@ SPDX_CUSTOM_ANNOTATION_VARS ??= "" SPDX_MULTILIB_SSTATE_ARCHS ??= "${SSTATE_ARCHS}" +CVE_CHECK_KERNEL ??= "0" +CVE_CHECK_KERNEL_CONFIG ??= "0" +CVE_CHECK_KERNEL_DB_DIR ?= "${DL_DIR}/CVE_CHECK/vulns" + python () { from oe.cve_check import extend_cve_status extend_cve_status(d) + + from oe.cve_check import extend_cve_kernel_config + extend_cve_kernel_config(d, "do_create_spdx") } def create_spdx_source_deps(d): 
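Review bot: in the do_cve_check hunk, `kernel_unpatched_cves, _kernel_patched_cves = get_kernel_cves(d)` is a second full pass over the feed: get_patched_cves(), which do_cve_check already calls just before check_cves(), is changed later in this patch to call get_kernel_cves(d) as well and keep only the patched half, so every CVE-*.json under CVE_CHECK_KERNEL_DB_DIR is globbed and json-loaded twice per kernel recipe, and with CVE_CHECK_KERNEL_CONFIG the compiled-files comparison is also done twice. Suggest computing both halves once (for example have get_patched_cves() return or stash the unpatched set, or cache the get_kernel_cves() result on d) and merging from that.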
diff --git a/meta/classes/vex.bbclass b/meta/classes/vex.bbclass index 905d67b47d..56ebdb0580 100644 --- a/meta/classes/vex.bbclass +++ b/meta/classes/vex.bbclass @@ -26,6 +26,13 @@ CVE_PRODUCT ??= "${BPN}" CVE_VERSION ??= "${PV}" +# CVE Check using kernel CNA and compiled files +CVE_CHECK_KERNEL ?= "0" +# CVE Check using kernel compiled files +CVE_CHECK_KERNEL_CONFIG ?= "0" + +CVE_CHECK_KERNEL_DB_DIR ?= "${DL_DIR}/CVE_CHECK/vulns" + CVE_CHECK_SUMMARY_DIR ?= "${LOG_DIR}/cve" CVE_CHECK_SUMMARY_FILE_NAME_JSON = "cve-summary.json" @@ -78,6 +85,9 @@ python () { from oe.cve_check import extend_cve_status extend_cve_status(d) + + from oe.cve_check import extend_cve_kernel_config + extend_cve_kernel_config(d, "do_generate_vex") } def generate_json_report(d, out_path, link_path): diff --git a/meta/lib/oe/cve_check.py b/meta/lib/oe/cve_check.py index ae194f27cf..9f34da0e91 100644 --- a/meta/lib/oe/cve_check.py +++ b/meta/lib/oe/cve_check.py @@ -47,6 +47,7 @@ class Version(): self._version.pre_l, self._version.pre_v ) + self.version = version def __eq__(self, other): if not isinstance(other, Version): @@ -58,6 +59,9 @@ class Version(): return NotImplemented return self._key > other._key + def __str__(self) -> str: + return self.version + def _cmpkey(release, patch_l, pre_l, pre_v): # remove leading 0 _release = tuple( @@ -202,8 +206,14 @@ def get_patched_cves(d): "affected-product": decoded_status["product"], } - return patched_cves + # If we are parsing the kernel, check compiled files + cve_check_kernel = d.getVar("CVE_CHECK_KERNEL") + if "linux_kernel" in d.getVar("CVE_PRODUCT") and cve_check_kernel == "1": + bb.debug(1, "Checking kernel CVEs") + _kernel_unpatched_cves, kernel_patched_cves = get_kernel_cves(d) + patched_cves.update(kernel_patched_cves) + return patched_cves def get_cpe_ids(cve_product, version): """ 
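Review bot: the vex.bbclass hunk sets `CVE_CHECK_KERNEL ?= "0"` with `?=`, whereas spdx-common.bbclass in the same patch uses `??=`. A `?=` default is applied at parse time, so when vex and cve-check are both inherited the value that wins is the first one parsed, not the one in cve-check as the commit message states ("The ones in cve_check have priority"); with `??=` (weak default) in vex.bbclass, matching spdx-common.bbclass, the `?= "1"` in cve-check.bbclass takes precedence regardless of inherit order. The same applies to CVE_CHECK_KERNEL_CONFIG here.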
@@ -376,3 +386,201 @@ def extend_cve_status(d): d.setVarFlag("CVE_STATUS", cve, d.getVarFlag(cve_status_group, "status")) else: bb.warn("CVE_STATUS_GROUPS contains undefined variable %s" % cve_status_group) + +def extend_cve_kernel_config(d, task): + pn = d.getVar('PN') + # For kernel CVEs, add required dependencies + if "linux_kernel" in d.getVar("CVE_PRODUCT"): + if d.getVar("CVE_CHECK_KERNEL_CONFIG") == "1": + bb.debug(1, "Checking kernel CVEs using kernel config") + depends = f" {pn}:do_save_compiled_files " + d.appendVarFlag(task, "depends", depends) + d.setVar('CVE_CHECK_KERNEL','1') + if d.getVar("CVE_CHECK_KERNEL") == "1": + bb.debug(1, "Checking kernel CVEs using linux-vulns") + d.appendVarFlag(task, "depends", " linux-vulns:do_fetch ") + +def get_kernel_cves(d): + """ + Get CVEs for the kernel + """ + import glob + import json + patched_cves = {} + unpatched_cves = {} + datadir = f"{d.getVar('CVE_CHECK_KERNEL_DB_DIR')}/cve/published/" + version_str = d.getVar("LINUX_VERSION") + check_config = d.getVar("CVE_CHECK_KERNEL_CONFIG") + version = Version(version_str) + base_version = Version(".".join(version_str.split(".")[0:2])) + + # Check all CVES from kernel vulns + pattern = os.path.join(datadir, '**', f"CVE-*.json") + cve_files = glob.glob(pattern, recursive=True) + not_applicable_config = 0 + fixed_as_later_backport = 0 + for cve_file in cve_files: + cve_info = {} + with open(cve_file, "r") as f: + cve_info = json.load(f) + + if len(cve_info) == 0: + bb.error(f"Not valid data in {cve_file}. 
Aborting") + break + cve_id = cve_info["cveMetadata"]["cveID"] + + first_affected, fixed, backport_ver = get_kernel_fixed_versions(cve_info, base_version) + if not fixed: + if check_config == "1": + is_affected, affected_files = check_kernel_compiled_files(d, cve_info) + else: + is_affected = True + if not is_affected and len(affected_files) > 0: + bb.debug(1, f"{cve_id} - not applicable configuration since affected files not compiled: {affected_files}") + patched_cves[cve_id] = { + "abbrev-status": "Ignored", + "status": "not-applicable-config", + "justification": f"Source code not compiled by config. {affected_files}" + } + else: + bb.debug(1, f"{cve_id} not fixed usptream") + description = cve_info["containers"]["cna"]["descriptions"][0]["value"] + unpatched_cves[cve_id] = { + "abbrev-status": "Unpatched", + "status": "version-in-range", + "summary": description, + "justification": f"No fix available upstream" + } + elif first_affected and version < first_affected: + bb.debug(1, f'{cve_id} - "fixed-version: only affects {first_affected} onwards"') + patched_cves[cve_id] = { + "abbrev-status": "Patched", + "status": "fixed-version", + "justification": f"only affects {first_affected} onwards" + } + elif fixed <= version: + bb.debug(1, f'{cve_id} - "fixed-version: Fixed from version {fixed}"') + patched_cves[cve_id] = { + "abbrev-status": "Patched", + "status": "fixed-version", + "justification": f"fixed-version: Fixed from version {fixed}" + } + else: + if backport_ver: + if backport_ver <= version: + bb.debug(1, f'{cve_id} - "cpe-stable-backport: Backported in {backport_ver}"') + patched_cves[cve_id] = { + "abbrev-status": "Patched", + "status": "cpe-stable-backport", + "justification": f"Backported in {backport_ver}" + } + else: + bb.debug(1, f"{cve_id}: needs backporting (fixed from {backport_ver})") + description = cve_info["containers"]["cna"]["descriptions"][0]["value"] + unpatched_cves[cve_id] = { + "abbrev-status": "Unpatched", + "status": 
"version-in-range", + "summary": description, + "justification": f"Needs backporting (fixed from {backport_ver})" + } + fixed_as_later_backport += 1 + else: + # Check if file affected + if check_config == "1": + is_affected, affected_files = check_kernel_compiled_files(d, cve_info) + else: + is_affected = True + if not is_affected and len(affected_files) > 0: + bb.debug(1, f"{cve_id} - not applicable configuration since affected files not compiled: {affected_files}") + patched_cves[cve_id] = { + "abbrev-status": "Ignored", + "status": "not-applicable-config", + "justification": f"Source code not compiled by config. {affected_files}" + } + not_applicable_config +=1 + else: + bb.debug(1, f"{cve_id}: needs backporting (fixed from {fixed})") + description = cve_info["containers"]["cna"]["descriptions"][0]["value"] + unpatched_cves[cve_id] = { + "abbrev-status": "Unpatched", + "status": "version-in-range", + "summary": description, + "justification": f"Needs backporting (fixed from {fixed})" + } + if len(cve_files) > 0: + bb.debug(1, f"Total CVEs ignored due to not applicable config {not_applicable_config}") + bb.debug(1, f"Total vulnerable CVEs: {len(unpatched_cves)}") + bb.debug(1, f"Total CVEs already backported in {base_version}: {fixed_as_later_backport}") + return unpatched_cves, patched_cves + +def check_kernel_compiled_files(d, cve_info): + """ + Return if a CVE affected us depending on compiled files + """ + import json + files_affected = [] + kfiles = [] + is_affected = False + with open(d.getVar('KERNEL_SRC_FILES'), 'r') as file: + for item in json.load(file): + kfiles.append(item['file'].replace(f"{d.getVar('S')}/","")) + + for item in cve_info['containers']['cna']['affected']: + if item["defaultStatus"] == "affected": + if "programFiles" in item: + files = item['programFiles'] + files_affected.extend(files) + + if len(files_affected) > 0: + for f in files_affected: + if f in kfiles: + bb.debug(1, f"File match: {f}") + is_affected = True + return 
is_affected, files_affected + +def get_kernel_fixed_versions(cve_info, base_version): + ''' + Get fixed versions for a given CVE + ''' + first_affected = None + fixed = None + fixed_backport = None + next_version = Version(str(base_version) + ".5000") + for affected in cve_info["containers"]["cna"]["affected"]: + # In case the CVE info is not complete, it might not have default status and therefore + # we don't know the status of this CVE. + if not "defaultStatus" in affected: + return first_affected, fixed, fixed_backport + if affected["defaultStatus"] == "affected": + for version in affected["versions"]: + v = Version(version["version"]) + if v == 0: + # Skiping non-affected + continue + if version["status"] == "affected" and not first_affected: + first_affected = v + elif (version["status"] == "unaffected" and + version['versionType'] == "original_commit_for_fix"): + fixed = v + elif base_version < v and v < next_version: + fixed_backport = v + elif affected["defaultStatus"] == "unaffected": + # Only specific versions are affected. 
We care only about our base version + if "versions" not in affected: + continue + for version in affected["versions"]: + if "versionType" not in version: + continue + if version["versionType"] == "git": + continue + v = Version(version["version"]) + # in case it is not in our base version + less_than = Version(version["lessThan"]) + + if not first_affected: + first_affected = v + fixed = less_than + if base_version < v and v < next_version: + fixed_backport = less_than + + return first_affected, fixed, fixed_backport
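Review bot: in get_kernel_fixed_versions the guard `if v == 0:` (meant to skip the "0" placeholder version) can never be true: Version.__eq__ returns NotImplemented for a non-Version operand, as the context above shows, so Python falls back to identity and the comparison is always False; test the raw string instead (`if version["version"] == "0": continue`) or compare against `Version("0")`. Also, in get_kernel_cves an empty record triggers `bb.error(...)` followed by `break`, which silently drops every remaining CVE-*.json from the report instead of only that file; `continue` (or bb.fatal, if a damaged feed should stop the build) avoids an incomplete report that reads as clean. In the defaultStatus "unaffected" branch, `version["lessThan"]` is read unguarded right after "versionType" is checked for presence, so an entry without that key raises KeyError; guard it the same way. Minor: "usptream" and "Skiping" in the log string and comment.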
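The status decisions the commit message describes (fixed-version, cpe-stable-backport, version-in-range and not-applicable-config), as an added stand-alone example that is not code from the patch series: it classifies one CVE record against a kernel version and an optional set of compiled source paths, and it also goes beyond the patch by sorting CVE ids numerically. The record, its id and its file path are constructed placeholders, and the layout it assumes (a single defaultStatus "affected" entry whose "versions" mark the first affected release and the fix points) is modelled on how the patch's get_kernel_fixed_versions reads the feed, not a statement of the linux-vulns schema.

```python
"""Classify kernel CVE records against a built kernel version.

Added example, not code from the patch series. EXAMPLE_RECORD is constructed:
its id, file path and version points are placeholders, and the layout assumed
here (one "affected" entry with defaultStatus "affected", whose "versions" mark
the first affected release with status "affected" and the fix points with
status "unaffected"; versionType "original_commit_for_fix" is the mainline fix,
"custom" a stable backport) is an assumption, not the feed's specification.
"""


def parse_version(text):
    """'6.12.22' -> (6, 12, 22); a '-rc' suffix is dropped. Tuples compare
    numerically, so (6, 12, 23) > (6, 12, 9) and (6, 14) > (6, 12, 23)."""
    return tuple(int(part) for part in text.split("-")[0].split("."))


def dotted(version):
    return ".".join(str(part) for part in version)


def cve_sort_key(cve_id):
    """Numeric sort key: sorting the raw strings would put CVE-2024-10000
    before CVE-2024-9999."""
    _, year, number = cve_id.split("-")
    return int(year), int(number)


def fix_points(record):
    """Return (first_affected, mainline_fix, stable_backports) as tuples."""
    first_affected = mainline_fix = None
    backports = []
    for affected in record["containers"]["cna"]["affected"]:
        if affected.get("defaultStatus") != "affected":
            continue
        for entry in affected.get("versions", []):
            # git-hash ranges and the "0" placeholder carry no release number
            if entry.get("versionType") == "git" or entry["version"] == "0":
                continue
            v = parse_version(entry["version"])
            if entry["status"] == "affected":
                first_affected = v if first_affected is None else min(first_affected, v)
            elif entry.get("versionType") == "original_commit_for_fix":
                mainline_fix = v
            else:
                backports.append(v)
    return first_affected, mainline_fix, backports


def affected_files(record):
    """Source paths the record lists as touched by the fix (programFiles)."""
    files = []
    for affected in record["containers"]["cna"]["affected"]:
        if affected.get("defaultStatus") == "affected":
            files.extend(affected.get("programFiles", []))
    return files


def classify(record, kernel_version, compiled_files=None):
    """Return a cve-check style entry for one record.

    compiled_files: set of source paths relative to the kernel tree that the
    build actually compiled (what CVE_CHECK_KERNEL_CONFIG would feed in);
    None disables that check, as when the option is off."""
    kernel = parse_version(kernel_version)
    cve_id = record["cveMetadata"]["cveID"]
    first_affected, mainline_fix, backports = fix_points(record)

    def result(abbrev, status, why):
        return {"id": cve_id, "abbrev-status": abbrev, "status": status,
                "justification": why}

    if first_affected and kernel < first_affected:
        return result("Patched", "fixed-version",
                      f"only affects {dotted(first_affected)} onwards")
    if mainline_fix and mainline_fix <= kernel:
        return result("Patched", "fixed-version",
                      f"Fixed from version {dotted(mainline_fix)}")
    # a backport counts only if it landed in our own stable branch (x.y)
    branch_fix = next((b for b in backports if b[:2] == kernel[:2]), None)
    if branch_fix and branch_fix <= kernel:
        return result("Patched", "cpe-stable-backport",
                      f"Backported in {dotted(branch_fix)}")

    # Vulnerable upstream; the compiled-file list may still rule it out.
    if compiled_files is not None:
        files = affected_files(record)
        if files and not any(f in compiled_files for f in files):
            return result("Ignored", "not-applicable-config",
                          f"Source code not compiled by config. {files}")
    fixed_from = branch_fix or mainline_fix
    if fixed_from is None:
        return result("Unpatched", "version-in-range", "No fix available upstream")
    return result("Unpatched", "version-in-range",
                  f"Needs backporting (fixed from {dotted(fixed_from)})")


# Constructed record (placeholder id and path): affected since 6.1, fixed in
# mainline 6.14 and backported to 6.6.90 and 6.12.23.
EXAMPLE_RECORD = {
    "cveMetadata": {"cveID": "CVE-2025-99999"},
    "containers": {"cna": {
        "descriptions": [{"lang": "en", "value": "constructed description"}],
        "affected": [{
            "product": "Linux", "vendor": "Linux", "defaultStatus": "affected",
            "programFiles": ["drivers/net/example.c"],
            "versions": [
                {"version": "6.1", "status": "affected", "versionType": "custom"},
                {"version": "6.6.90", "status": "unaffected", "versionType": "custom"},
                {"version": "6.12.23", "status": "unaffected", "versionType": "custom"},
                {"version": "6.14", "status": "unaffected",
                 "versionType": "original_commit_for_fix"},
            ],
        }],
    }},
}
```

With this record, `classify(EXAMPLE_RECORD, "6.12.22")` yields the "Needs backporting (fixed from 6.12.23)" case shown in the commit message, "6.12.25" is reported as backported, "6.15.1" as fixed in mainline, and "5.15.100" as predating the bug; passing a `compiled_files` set that does not contain the listed path turns the unpatched result into the Ignored / not-applicable-config entry. Comparing version tuples rather than strings is what keeps 6.12.23 above 6.12.9, the same reason the CVE ids need a numeric key.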
From patchwork Mon Apr 28 13:42:05 2025
X-Patchwork-Submitter: Daniel Turull
X-Patchwork-Id: 62023
Subject: [PATCH v2 6/6] spdx: add option to include only compiled kernel files
Date: Mon, 28 Apr 2025 15:42:05 +0200
Message-ID: <20250428134205.900354-7-daniel.turull@ericsson.com>
In-Reply-To: <20250428134205.900354-1-daniel.turull@ericsson.com>
X-Groupsio-URL:
https://lists.openembedded.org/g/openembedded-core/message/215601

From: Daniel Turull

When CVE_CHECK_KERNEL_CONFIG is enabled, only include the source code (.c, .h) files that are used during compilation. This enables an external tool to use the SPDX information to disregard vulnerabilities that are not compiled.

CC: Joshua Watt
CC: Peter Marko
Signed-off-by: Daniel Turull
---
 meta/classes/create-spdx-2.2.bbclass |  8 +++++++
 meta/lib/oe/spdx30_tasks.py          |  8 +++++++
 meta/lib/oe/spdx_common.py           | 34 ++++++++++++++++++++++++++++
 3 files changed, 50 insertions(+)

diff --git a/meta/classes/create-spdx-2.2.bbclass b/meta/classes/create-spdx-2.2.bbclass index 7e8f8b9ff5..6bf0c70bd4 100644 --- a/meta/classes/create-spdx-2.2.bbclass +++ b/meta/classes/create-spdx-2.2.bbclass @@ -137,6 +137,10 @@ def add_package_files(d, doc, spdx_pkg, topdir, get_spdxid, get_types, *, archiv spdx_files = [] file_counter = 1 + + check_kernel_compiled = bb.data.inherits_class("kernel", d) and d.getVar("CVE_CHECK_KERNEL_CONFIG") == "1" + if check_kernel_compiled: + kernel_sources = oe.spdx_common.get_kernel_compiled_files(d) for subdir, dirs, files in os.walk(topdir): dirs[:] = [d for d in dirs if d not in ignore_dirs] if subdir == str(topdir): @@ -147,6 +151,10 @@ def add_package_files(d, doc, spdx_pkg, topdir, get_spdxid, get_types, *, archiv filename = str(filepath.relative_to(topdir)) if not filepath.is_symlink() and filepath.is_file(): + # When creating spdx for the kernel, we only include compiled files. + if check_kernel_compiled: + if not oe.spdx_common.is_kernel_compiled(file, kernel_sources, d): + break spdx_file = oe.spdx.SPDXFile() spdx_file.SPDXID = get_spdxid(file_counter) for t in get_types(filepath): diff --git a/meta/lib/oe/spdx30_tasks.py b/meta/lib/oe/spdx30_tasks.py index ba965821f8..14f26773c5 100644 --- a/meta/lib/oe/spdx30_tasks.py +++ b/meta/lib/oe/spdx30_tasks.py
@@ -156,6 +156,10 @@ def add_package_files( bb.note(f"Skip {topdir}") return spdx_files + check_kernel_compiled = bb.data.inherits_class("kernel", d) and d.getVar("CVE_CHECK_KERNEL_CONFIG") == "1" + if check_kernel_compiled: + kernel_sources = oe.spdx_common.get_kernel_compiled_files(d) + for subdir, dirs, files in os.walk(topdir, onerror=walk_error): dirs[:] = [d for d in dirs if d not in ignore_dirs] if subdir == str(topdir): @@ -167,6 +171,10 @@ def add_package_files( filepath = Path(subdir) / file if filepath.is_symlink() or not filepath.is_file(): continue + # When creating spdx for the kernel, we only include compiled files + if check_kernel_compiled: + if not oe.spdx_common.is_kernel_compiled(file, kernel_sources, d): + break filename = str(filepath.relative_to(topdir)) file_purposes = get_purposes(filepath) diff --git a/meta/lib/oe/spdx_common.py b/meta/lib/oe/spdx_common.py index 4caefc7673..c87e3875c7 100644 --- a/meta/lib/oe/spdx_common.py +++ b/meta/lib/oe/spdx_common.py 
@@ -242,3 +242,37 @@ def fetch_data_to_uri(fd, name): uri = uri + "@" + fd.revision return uri + +def is_kernel_compiled(filename, kernel_sources, d): + """ + Check if the file, is a kernel compiled file + """ + import os + + _, extension = os.path.splitext(filename) + # Special case, that we need to ignore, since this is not a source file + if filename.rfind(".mod.c") > 0: + return True + # We filter .c files and header files + if extension not in [".c", ".h"]: + return True + # Check that the c file is in the list + if filename in kernel_sources: + return True + return False + +def get_kernel_compiled_files(d): + """ + Get results from the save_compiled files and include also header files + """ + import json + import os + kfiles = [] + with open(d.getVar('KERNEL_SRC_FILES'), 'r') as f: + for item in json.load(f): + kfile = os.path.basename(item['file']) + # Return also the correspondig header file + hfile = ".h".join(kfile.rsplit(".c", 1)) + kfiles.append(kfile) + kfiles.append(hfile) + return kfiles
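Review bot: in the create-spdx-2.2.bbclass hunk at @@ -137,6, `kernel_sources` is only bound inside `if check_kernel_compiled:`, so the name is possibly-unbound on the other path; it is safe today only because the single use further down sits under the same guard, but linters will flag it and a later edit can easily trip it. Initialize `kernel_sources = set()` before the `if`. Converting to a set also matters for cost: `get_kernel_compiled_files` returns a list, and every `is_kernel_compiled` call does a linear `filename in kernel_sources`, so the walk over a kernel tree becomes O(files in tree × compiled files); `kernel_sources = set(oe.spdx_common.get_kernel_compiled_files(d))` makes each lookup constant-time.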
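Review bot: the `break` in the new `if not oe.spdx_common.is_kernel_compiled(file, kernel_sources, d): break` in the create-spdx-2.2.bbclass hunk at @@ -147,6 leaves the whole `for file in files` loop, so the first non-compiled file in a directory drops every remaining file in that directory from the SPDX document, compiled or not, and the result depends on `os.walk` ordering. This should be `continue` so only that one file is skipped. Separately, the call passes the bare `file` name rather than `filename` (the topdir-relative path), so the decision is made on basename alone: a non-compiled `foo.c` is reported as compiled whenever any `foo.c` anywhere in the tree was built, which weakens exactly the "not compiled, so disregard the CVE" conclusion the commit message wants downstream tools to draw. Matching on the relative path is the safer default.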
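Review bot: the spdx30_tasks.py hunk at @@ -156,6 duplicates the `check_kernel_compiled` / `kernel_sources` setup from create-spdx-2.2.bbclass verbatim, including the same possibly-unbound `kernel_sources` (only assigned when `check_kernel_compiled` is true) and the same list-based membership test that makes each `is_kernel_compiled` call a linear scan. Since both callers already reach into `oe.spdx_common`, move this setup there as one helper that returns an empty set when the feature is off and a `set` of compiled files when it is on; that removes the unbound-name path and keeps the SPDX 2.2 and 3.0 generators from drifting apart.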
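Review bot: in the spdx30_tasks.py hunk at @@ -167,6, `break` after `if not oe.spdx_common.is_kernel_compiled(file, kernel_sources, d):` terminates the inner `for file in files` loop instead of skipping the one file, so as soon as one non-compiled source is encountered the rest of that directory is silently omitted from the SPDX output. The surrounding code already uses `continue` for the symlink/non-file case two lines above; use `continue` here as well. As in the 2.2 class, the check is also given `file` (basename) rather than `filename` (the topdir-relative path computed on the next line), so files with the same name in different directories are indistinguishable; pass `filename` and match on paths.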
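Review bot: in the spdx_common.py hunk at @@ -242,3, `get_kernel_compiled_files` derives headers purely by name, `hfile = ".h".join(kfile.rsplit(".c", 1))`, so a header is admitted only when a compiled `.c` file shares its basename. Most headers that are actually pulled into the build (anything under `include/`, `asm/`, and so on) have no same-named `.c` and will be filtered out, while a header that merely shares a name with a compiled `.c` is kept even if never included. If the step that produces `KERNEL_SRC_FILES` can record per-object dependency information, headers should come from that list rather than from name derivation; otherwise the docstring should state plainly that only same-named headers are retained. Smaller points in the same hunk: `os.path.basename(item['file'])` discards the path, which forces callers into basename-only matching, so keep the tree-relative path instead; the `d` parameter of `is_kernel_compiled` is unused; `filename.rfind(".mod.c") > 0` reads more clearly as `filename.endswith(".mod.c")`; `extension not in [".c", ".h"]` returning True means `.S`, `.rs` and other non-C sources bypass the filter entirely, which is worth saying in the docstring; `open(d.getVar('KERNEL_SRC_FILES'), 'r')` raises a bare `TypeError` when the variable is unset, so check it and `bb.fatal` with a message first; and "correspondig" in the comment should be "corresponding".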
