From: ValentinBoudevin
To: openembedded-core@lists.openembedded.org
Cc: ValentinBoudevin
Subject: [PATCH v3 1/4] generate-cve-exclusions: Add --output-json option
Date: Tue, 6 Jan 2026 15:46:43 -0500
Message-ID: <20260106204646.3417382-2-valentin.boudevin@gmail.com>
In-Reply-To: <20260106204646.3417382-1-valentin.boudevin@gmail.com>
References: <20260106204646.3417382-1-valentin.boudevin@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/228925

This option "--output-json" can be used to return a json file instead of the
standard .inc file provided.
The JSON file can easily be manipulated contrary to the .inc file.

Example output structure of the JSON file:

```json
{
  "cve_status": {
    "CVE-2019-25160": {
      "active": false,
      "message": "fixed-version: Fixed from version 5.0"
    },
    "CVE-2019-25162": {
      "active": false,
      "message": "fixed-version: Fixed from version 6.0"
    },
    ...
```

Also, this commit doesn't affect or modify any existing behaviour of the script.

Signed-off-by: Valentin Boudevin
---
 .../linux/generate-cve-exclusions.py | 64 +++++++++++++++----
 1 file changed, 50 insertions(+), 14 deletions(-)

diff --git a/meta/recipes-kernel/linux/generate-cve-exclusions.py b/meta/recipes-kernel/linux/generate-cve-exclusions.py index dfc16663a5..5a0a947e06 100755 --- a/meta/recipes-kernel/linux/generate-cve-exclusions.py +++ b/meta/recipes-kernel/linux/generate-cve-exclusions.py
@@ -91,6 +91,7 @@ def main(argp=None): parser = argparse.ArgumentParser() parser.add_argument("datadir", type=pathlib.Path, help="Path to a clone of https://github.com/CVEProject/cvelistV5 or https://git.kernel.org/pub/scm/linux/security/vulns.git") parser.add_argument("version", type=Version, help="Kernel version number to generate data for, such as 6.1.38") + parser.add_argument("--output-json", action="store_true", help="Return CVE_STATUS mapping as JSON") args = parser.parse_args(argp) datadir = args.datadir.resolve() @@ -99,7 +100,10 @@ def main(argp=None): data_version = subprocess.check_output(("git", "describe", "--tags", "HEAD"), cwd=datadir, text=True) - print(f""" + cve_status = {} + + if not args.output_json: + print(f""" # Auto-generated CVE metadata, DO NOT EDIT BY HAND. # Generated at {datetime.datetime.now(datetime.timezone.utc)} for kernel version {version} # From {datadir.name} {data_version} 
@@ -131,26 +135,58 @@ do_cve_check[prefuncs] += "check_kernel_cve_status_version" continue first_affected, fixed, backport_ver = get_fixed_versions(cve_info, base_version) if not fixed: - print(f"# {cve} has no known resolution") + cve_status[cve] = { + "active": True, + "message": "no known resolution" + } + if not args.output_json: + print(f"# {cve} has no known resolution") elif first_affected and version < first_affected: - print(f'CVE_STATUS[{cve}] = "fixed-version: only affects {first_affected} onwards"') + cve_status[cve] = { + "active": False, + "message": f"fixed-version: only affects {first_affected} onwards" + } + if not args.output_json: + print(f'CVE_STATUS[{cve}] = "fixed-version: only affects {first_affected} onwards"') elif fixed <= version: - print( - f'CVE_STATUS[{cve}] = "fixed-version: Fixed from version {fixed}"' - ) + cve_status[cve] = { + "active": False, + "message": f"fixed-version: Fixed from version {fixed}" + } + if not args.output_json: + print(f'CVE_STATUS[{cve}] = "fixed-version: Fixed from version {fixed}"') else: if backport_ver: if backport_ver <= version: - print( - f'CVE_STATUS[{cve}] = "cpe-stable-backport: Backported in {backport_ver}"' - ) + cve_status[cve] = { + "active": False, + "message": f"cpe-stable-backport: Backported in {backport_ver}" + } + if not args.output_json: + print(f'CVE_STATUS[{cve}] = "cpe-stable-backport: Backported in {backport_ver}"') else: - print(f"# {cve} may need backporting (fixed from {backport_ver})") + cve_status[cve] = { + "active": True, + "message": f"May need backporting (fixed from {backport_ver})" + } + if not args.output_json: + print(f"# {cve} may need backporting (fixed from {backport_ver})") else: - print(f"# {cve} needs backporting (fixed from {fixed})") - - print() - + cve_status[cve] = { + "active": True, + "message": f"#Needs backporting (fixed from {fixed})" + } + if not args.output_json: + print(f"# {cve} needs backporting (fixed from {fixed})") + + if not args.output_json: + 
print() + + # Emit structured output if --ret-struct was requested + if args.output_json: + print(json.dumps({ + "cve_status": cve_status, + }, indent=2)) if __name__ == "__main__": main()
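
Review bot: In the hunk at `@@ -99,7 +100,10 @@` of patch 1/4, the JSON path skips the whole header, so the output drops the generation time, the kernel `{version}` and the `{data_version}` that the .inc output records, along with the `do_cve_check[prefuncs] += "check_kernel_cve_status_version"` line that the next hunk header shows as part of that header. A consumer of the JSON then has no way to tell which kernel version or which CVE data snapshot the statuses were computed against. Consider adding `version` and `data_version` keys next to `cve_status` in the `json.dumps` payload so a reader can reject a stale or mismatched file.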
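
Review bot: In the `@@ -131,26 +135,58 @@` hunk of patch 1/4, the stored messages are inconsistent: the final `else` branch writes `"#Needs backporting (fixed from {fixed})"` with a stray `#`, `"May need backporting ..."` is capitalised while `"no known resolution"` is not, and the closing comment refers to `--ret-struct` although the option is `--output-json`. Every branch now states its result twice, once in the dict and once in a `print`, so the two outputs can drift; filling `cve_status` first and rendering the .inc lines from it afterwards would leave one source of truth. The hunk calls `json.dumps` but no `import json` is added in the visible lines, so confirm the script already imports it.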
From: ValentinBoudevin
To: openembedded-core@lists.openembedded.org
Cc: ValentinBoudevin
Subject: [PATCH v3 2/4] generate-cve-exclusions: Add a .bbclass
Date: Tue, 6 Jan 2026 15:46:44 -0500
Message-ID: <20260106204646.3417382-3-valentin.boudevin@gmail.com>
In-Reply-To: <20260106204646.3417382-1-valentin.boudevin@gmail.com>
References: <20260106204646.3417382-1-valentin.boudevin@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/228926

Add a .bbclass to generate-cve-exclusions to use this script at every run.

Two steps for testing:
1) Inherit this class in the kernel recipe with "inherit generate-cve-exclusions.bbclass"
2) Use the following command to generate a cvelistV5 entry with a JSON file in
   ${WORKDIR}/cvelistV5/ :
   "bitbake linux-yocto -c generate-cve-exclusions"

The JSON file can then be parsed in the following run by cve-check.

This class contains several methods:

*do_clone_cvelistV5: Clone the cvelistV5 repo in ${WORKDIR}/cvelistV5/git
(e.g. bitbake-builds/poky-master/build/tmp/work/qemux86_64-poky-linux/
linux-yocto/6.18.1+git/cvelistV5/git)

*do_generate_cve_exclusions: Use the script generate-cve-exclusions.py.
It uses the new "--output-json" argument to generate a JSON file as an output
stored in ${WORKDIR}/cvelistV5//cve-exclusion_${LINUX_VERSION}.json

*do_cve_check:prepend: Parse the previously generated JSON file to set the
variable CVE_STATUS correctly

Signed-off-by: Valentin Boudevin
---
 meta/classes/generate-cve-exclusions.bbclass | 67 ++++++++++++++++++++
 1 file changed, 67 insertions(+)
 create mode 100644 meta/classes/generate-cve-exclusions.bbclass

diff --git a/meta/classes/generate-cve-exclusions.bbclass b/meta/classes/generate-cve-exclusions.bbclass new file mode 100644 index 0000000000..254ea5531d --- /dev/null +++ b/meta/classes/generate-cve-exclusions.bbclass 
@@ -0,0 +1,67 @@ +CVE_EXCLUSIONS_WORKDIR ?= "${WORKDIR}/cvelistV5" +CVELISTV5_PATH ?= "${CVE_EXCLUSIONS_WORKDIR}/git" + +python do_clone_cvelistV5() { + import subprocess + import shutil, os + rootdir = d.getVar("CVELISTV5_PATH") + d.setVar("SRC_URI", "git://github.com/CVEProject/cvelistV5.git;branch=main;protocol=https") + d.setVar("SRCREV", "${AUTOREV}") + src_uri = (d.getVar('SRC_URI') or "").split() + # Fetch the kernel vulnerabilities sources + fetcher = bb.fetch2.Fetch(src_uri, d) + fetcher.download() + # Unpack into the standard work directory + fetcher.unpack(rootdir) + # Remove the folder ${PN} set by unpack + subdirs = [d for d in os.listdir(rootdir) if os.path.isdir(os.path.join(rootdir, d))] + if len(subdirs) == 1: + srcdir = os.path.join(rootdir, subdirs[0]) + for f in os.listdir(srcdir): + shutil.move(os.path.join(srcdir, f), rootdir) + shutil.rmtree(srcdir) + bb.note("Vulnerabilities repo unpacked into: %s" % rootdir) +} +do_clone_cvelistV5[network] = "1" +do_clone_cvelistV5[nostamp] = "1" +do_clone_cvelistV5[doc] = "Clone CVE information from the CVE Project: https://github.com/CVEProject/cvelistV5.git" +addtask clone_cvelistV5 before do_generate_cve_exclusions + +do_generate_cve_exclusions() { + generate_cve_exclusions_script=$(find ${COREBASE} -name "generate-cve-exclusions.py") + if [ -z "${generate_cve_exclusions_script}" ]; then + bbfatal "generate-cve-exclusions.py not found in ${COREBASE}." + fi + python3 "${generate_cve_exclusions_script}" \ + ${CVELISTV5_PATH} \ + ${LINUX_VERSION} \ + --output-json > ${CVE_EXCLUSIONS_WORKDIR}/cve-exclusion_${LINUX_VERSION}.json +} +do_generate_cve_exclusions[nostamp] = "1" +do_generate_cve_exclusions[doc] = "Generate CVE exclusions for the kernel build. 
(e.g., cve-exclusion_6.12.inc)" +addtask generate_cve_exclusions after do_clone_cvelistV5 + +python do_cve_check:prepend() { + import os + import json + + workdir = d.getVar("CVE_EXCLUSIONS_WORKDIR") + kernel_version = d.getVar("LINUX_VERSION") + json_input_file = os.path.join(workdir, "cve-exclusion_%s.json" % kernel_version) + + if os.path.exists(json_input_file): + with open(json_input_file, 'r', encoding='utf-8') as f: + cve_data = json.load(f) + cve_status_dict = cve_data.get("cve_status", {}) + count = 0 + for cve_id, info in cve_status_dict.items(): + if info.get("active", True): + # Skip active CVEs + continue + d.setVarFlag("CVE_STATUS", cve_id, info.get("message", "")) + count += 1 + + bb.note("Loaded %d CVE_STATUS entries from JSON output for kernel %s" % (count, kernel_version)) + else: + bb.warn("CVE exclusion JSON not found: %s. Skipping CVE_STATUS updates" % json_input_file) +} \ No newline at end of file
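
Review bot: In `do_clone_cvelistV5` (patch 2/4), `SRCREV` is set to `${AUTOREV}` and the task is flagged `network` and `nostamp`, so every run fetches whatever the `main` branch of cvelistV5 holds at that moment, and that unpinned data later decides which CVEs `do_cve_check` treats as resolved. Take the revision from a variable with a `?=` default so a build can pin it, and log the revision that was actually fetched. In the same function `import subprocess` is unused, and the list comprehension `[d for d in os.listdir(rootdir) ...]` reuses `d`, the datastore name, as its loop variable; rename it.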
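
Review bot: In `do_generate_cve_exclusions` (patch 2/4), the script's stdout is redirected straight into `cve-exclusion_${LINUX_VERSION}.json`, so a failing or interrupted run leaves an empty or truncated file at the exact path that `do_cve_check:prepend` later passes to `json.load`. Write to a temporary file and move it into place only after the script exits successfully. In the same task, `find ${COREBASE} -name ...` can return more than one path, which the `-z` test does not catch, `${CVELISTV5_PATH}` and the output path are unquoted, and the `[doc]` string still gives a `.inc` file name as its example although the task writes `.json`.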
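
Review bot: In `do_cve_check:prepend` (patch 2/4), `if info.get("active", True)` treats every falsy value as resolved, so an entry with `"active": null` or `0` ends up in `CVE_STATUS`, and `info.get("message", "")` can set an empty flag value. These entries remove CVEs from the report, so the loader should require `info.get("active") is False`, a non-empty string message and a well-formed CVE id, and skip anything else with a warning. `json.load` errors are not handled, nothing ties the file to the CVE data revision it was generated from, and the file ends without a trailing newline.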
From: ValentinBoudevin
To: openembedded-core@lists.openembedded.org
Cc: ValentinBoudevin
Subject: [PATCH v3 3/4] generate-cve-exclusions: Move python script
Date: Tue, 6 Jan 2026 15:46:45 -0500
Message-ID: <20260106204646.3417382-4-valentin.boudevin@gmail.com>
In-Reply-To: <20260106204646.3417382-1-valentin.boudevin@gmail.com>
References: <20260106204646.3417382-1-valentin.boudevin@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/228927

The script should be located with other scripts in scripts/contrib instead of
staying in meta/classes/.

Update the new .bbclass to match this modification

Signed-off-by: Valentin Boudevin
---
 meta/classes/generate-cve-exclusions.bbclass | 2 +-
 .../linux => scripts/contrib}/generate-cve-exclusions.py | 0
 2 files changed, 1 insertion(+), 1 deletion(-)
 rename {meta/recipes-kernel/linux => scripts/contrib}/generate-cve-exclusions.py (100%)

diff --git a/meta/classes/generate-cve-exclusions.bbclass b/meta/classes/generate-cve-exclusions.bbclass index 254ea5531d..100d2e99b6 100644 --- a/meta/classes/generate-cve-exclusions.bbclass +++ b/meta/classes/generate-cve-exclusions.bbclass
@@ -28,7 +28,7 @@ do_clone_cvelistV5[doc] = "Clone CVE information from the CVE Project: https://g addtask clone_cvelistV5 before do_generate_cve_exclusions do_generate_cve_exclusions() { - generate_cve_exclusions_script=$(find ${COREBASE} -name "generate-cve-exclusions.py") + generate_cve_exclusions_script=${COREBASE}/scripts/contrib/generate-cve-exclusions.py if [ -z "${generate_cve_exclusions_script}" ]; then bbfatal "generate-cve-exclusions.py not found in ${COREBASE}." fi 
diff --git a/meta/recipes-kernel/linux/generate-cve-exclusions.py b/scripts/contrib/generate-cve-exclusions.py similarity index 100% rename from meta/recipes-kernel/linux/generate-cve-exclusions.py rename to scripts/contrib/generate-cve-exclusions.py
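
Review bot: With the assignment in the `@@ -28,7 +28,7 @@` hunk of patch 3/4 now a fixed path, the unchanged `[ -z "${generate_cve_exclusions_script}" ]` test below it can never be true, so a missing script is no longer reported through `bbfatal` and the failure surfaces only when `python3` cannot open the file. Test for the file instead, for example `[ ! -f "${generate_cve_exclusions_script}" ]`, and quote the right-hand side of the assignment. The commit message says the script was in meta/classes/, while the rename header shows it moving from meta/recipes-kernel/linux/.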
From: ValentinBoudevin
To: openembedded-core@lists.openembedded.org
Cc: ValentinBoudevin
Subject: [PATCH v3 4/4] linux: Add inherit on generate-cve-exclusions
Date: Tue, 6 Jan 2026 15:46:46 -0500
Message-ID: <20260106204646.3417382-5-valentin.boudevin@gmail.com>
In-Reply-To: <20260106204646.3417382-1-valentin.boudevin@gmail.com>
References: <20260106204646.3417382-1-valentin.boudevin@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/228928

Update linux-yocto.inc to inherit the new generate-cve-exclusions class.

Signed-off-by: Valentin Boudevin
---
 meta/recipes-kernel/linux/linux-yocto.inc | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/meta/recipes-kernel/linux/linux-yocto.inc b/meta/recipes-kernel/linux/linux-yocto.inc index 4d0a726bb6..f6a1161940 100644 --- a/meta/recipes-kernel/linux/linux-yocto.inc +++ b/meta/recipes-kernel/linux/linux-yocto.inc @@ -5,6 +5,9 @@ HOMEPAGE = "https://www.yoctoproject.org/" LIC_FILES_CHKSUM ?= "file://COPYING;md5=d7810fab7487fb0aad327b76f1be7cd7" +# Generate Dynamic CVE Exclusions +inherit generate-cve-exclusions + UPSTREAM_CHECK_GITTAGREGEX = "(?P\d+\.\d+(\.\d+)*)" RECIPE_NO_UPDATE_REASON = "Recipe is updated through a separate process"
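
Review bot: The `inherit generate-cve-exclusions` added in the `@@ -5,6 +5,9 @@` hunk of patch 4/4 applies `do_cve_check:prepend` from patch 2/4 to every recipe that includes linux-yocto.inc, yet the class only orders `generate_cve_exclusions` after `do_clone_cvelistV5` and never before `do_cve_check`, so the JSON exists only when the task was run by hand. Builds that have not run it hit the `bb.warn` about the missing file, and builds that ran it once keep consuming that file with no freshness check. Either make the inherit opt-in behind a variable or add the task ordering, and say in the commit message which behaviour is intended.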
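
The JSON structure from patch 1/4 is what the loader in patch 2/4 turns into CVE_STATUS entries, and each entry with "active": false removes a CVE from the report. A stricter reader for that format follows as an added example that is not part of the patch series; the function name, the accepted prefixes (taken from the messages the patch emits) and every sample entry other than CVE-2019-25160 are assumptions constructed for illustration:

```python
import json
import re

# CVE identifier shape: CVE-<4-digit year>-<4 or more digits>.
CVE_ID_RE = re.compile(r"CVE-\d{4}-\d{4,}")
# Prefixes the patched script writes for resolved CVEs (assumed to be the full set).
RESOLVED_PREFIXES = ("fixed-version: ", "cpe-stable-backport: ")


def load_exclusions(text):
    """Split a --output-json document into (accepted, rejected).

    accepted maps CVE id -> message for entries that may suppress a CVE.
    rejected lists (key, reason) for entries that must not be trusted.
    Entries with "active": true land in neither, so they stay reportable.
    """
    doc = json.loads(text)
    entries = doc.get("cve_status") if isinstance(doc, dict) else None
    if not isinstance(entries, dict):
        raise ValueError('top-level "cve_status" object is missing')

    accepted, rejected = {}, []
    for cve_id, info in entries.items():
        if not CVE_ID_RE.fullmatch(cve_id):
            rejected.append((cve_id, "malformed CVE id"))
            continue
        # Require a real boolean: null or 0 must not count as "resolved".
        if not isinstance(info, dict) or not isinstance(info.get("active"), bool):
            rejected.append((cve_id, '"active" is not a boolean'))
            continue
        if info["active"]:
            continue
        message = info.get("message")
        if not isinstance(message, str) or not message.startswith(RESOLVED_PREFIXES):
            rejected.append((cve_id, "message lacks a resolved-status prefix"))
            continue
        accepted[cve_id] = message
    return accepted, rejected


# Constructed sample: the first entry is the one shown in the commit message,
# the CVE-0000-* ids are placeholders.
SAMPLE = json.dumps({"cve_status": {
    "CVE-2019-25160": {"active": False,
                       "message": "fixed-version: Fixed from version 5.0"},
    "CVE-0000-00001": {"active": True, "message": "no known resolution"},
    "CVE-0000-00002": {"active": None,
                       "message": "fixed-version: Fixed from version 6.0"},
    "CVE-0000-00003": {"active": False, "message": ""},
    "not-a-cve": {"active": False,
                  "message": "fixed-version: Fixed from version 6.0"},
}})

if __name__ == "__main__":
    ok, bad = load_exclusions(SAMPLE)
    print("accepted:", ok)
    for key, reason in bad:
        print("rejected:", key, "-", reason)
```

With the loader as posted, the `"active": null` entry would be written to CVE_STATUS and the empty message would be set as a flag value; here both are rejected.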