From patchwork Thu Jan 15 19:03:27 2026
X-Patchwork-Submitter: vboudevin
X-Patchwork-Id: 78810
From: ValentinBoudevin
To: openembedded-core@lists.openembedded.org
Cc: ValentinBoudevin
Subject: [PATCH v4 1/4] generate-cve-exclusions: Add --output-json option
Date: Thu, 15 Jan 2026 14:03:27 -0500
Message-ID: <20260115190331.2276779-2-valentin.boudevin@gmail.com>
In-Reply-To: <20260115190331.2276779-1-valentin.boudevin@gmail.com>
References: <20260115190331.2276779-1-valentin.boudevin@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/229428

This option "--output-json" can be used to return a JSON file instead of the
standard .inc file provided.

The JSON file can easily be manipulated, contrary to the .inc file.

Example output structure of the JSON file:
```json
{
  "cve_status": {
    "CVE-2019-25160": {
      "active": false,
      "message": "fixed-version: Fixed from version 5.0"
    },
    "CVE-2019-25162": {
      "active": false,
      "message": "fixed-version: Fixed from version 6.0"
    },
    ...
```

Also, this commit doesn't affect or modify any existing behaviour of the
script.

Signed-off-by: Valentin Boudevin
--- .../linux/generate-cve-exclusions.py | 64 +++++++++++++++---- 1 file changed, 50 insertions(+), 14 deletions(-) diff --git a/meta/recipes-kernel/linux/generate-cve-exclusions.py b/meta/recipes-kernel/linux/generate-cve-exclusions.py index dfc16663a5..5a0a947e06 100755 --- a/meta/recipes-kernel/linux/generate-cve-exclusions.py +++ b/meta/recipes-kernel/linux/generate-cve-exclusions.py
@@ -91,6 +91,7 @@ def main(argp=None): parser = argparse.ArgumentParser() parser.add_argument("datadir", type=pathlib.Path, help="Path to a clone of https://github.com/CVEProject/cvelistV5 or https://git.kernel.org/pub/scm/linux/security/vulns.git") parser.add_argument("version", type=Version, help="Kernel version number to generate data for, such as 6.1.38") + parser.add_argument("--output-json", action="store_true", help="Return CVE_STATUS mapping as JSON") args = parser.parse_args(argp) datadir = args.datadir.resolve() @@ -99,7 +100,10 @@ def main(argp=None): data_version = subprocess.check_output(("git", "describe", "--tags", "HEAD"), cwd=datadir, text=True) - print(f""" + cve_status = {} + + if not args.output_json: + print(f""" # Auto-generated CVE metadata, DO NOT EDIT BY HAND. # Generated at {datetime.datetime.now(datetime.timezone.utc)} for kernel version {version} # From {datadir.name} {data_version} 
@@ -131,26 +135,58 @@ do_cve_check[prefuncs] += "check_kernel_cve_status_version" continue first_affected, fixed, backport_ver = get_fixed_versions(cve_info, base_version) if not fixed: - print(f"# {cve} has no known resolution") + cve_status[cve] = { + "active": True, + "message": "no known resolution" + } + if not args.output_json: + print(f"# {cve} has no known resolution") elif first_affected and version < first_affected: - print(f'CVE_STATUS[{cve}] = "fixed-version: only affects {first_affected} onwards"') + cve_status[cve] = { + "active": False, + "message": f"fixed-version: only affects {first_affected} onwards" + } + if not args.output_json: + print(f'CVE_STATUS[{cve}] = "fixed-version: only affects {first_affected} onwards"') elif fixed <= version: - print( - f'CVE_STATUS[{cve}] = "fixed-version: Fixed from version {fixed}"' - ) + cve_status[cve] = { + "active": False, + "message": f"fixed-version: Fixed from version {fixed}" + } + if not args.output_json: + print(f'CVE_STATUS[{cve}] = "fixed-version: Fixed from version {fixed}"') else: if backport_ver: if backport_ver <= version: - print( - f'CVE_STATUS[{cve}] = "cpe-stable-backport: Backported in {backport_ver}"' - ) + cve_status[cve] = { + "active": False, + "message": f"cpe-stable-backport: Backported in {backport_ver}" + } + if not args.output_json: + print(f'CVE_STATUS[{cve}] = "cpe-stable-backport: Backported in {backport_ver}"') else: - print(f"# {cve} may need backporting (fixed from {backport_ver})") + cve_status[cve] = { + "active": True, + "message": f"May need backporting (fixed from {backport_ver})" + } + if not args.output_json: + print(f"# {cve} may need backporting (fixed from {backport_ver})") else: - print(f"# {cve} needs backporting (fixed from {fixed})") - - print() - + cve_status[cve] = { + "active": True, + "message": f"#Needs backporting (fixed from {fixed})" + } + if not args.output_json: + print(f"# {cve} needs backporting (fixed from {fixed})") + + if not args.output_json: + 
print() + + # Emit structured output if --ret-struct was requested + if args.output_json: + print(json.dumps({ + "cve_status": cve_status, + }, indent=2)) if __name__ == "__main__": main()
From patchwork Thu Jan 15 19:03:28 2026
X-Patchwork-Submitter: vboudevin
X-Patchwork-Id: 78812
From: ValentinBoudevin
To: openembedded-core@lists.openembedded.org
Cc: ValentinBoudevin
Subject: [PATCH v4 2/4] generate-cve-exclusions: Add a .bbclass
Date: Thu, 15 Jan 2026 14:03:28 -0500
Message-ID: <20260115190331.2276779-3-valentin.boudevin@gmail.com>
In-Reply-To: <20260115190331.2276779-1-valentin.boudevin@gmail.com>
References: <20260115190331.2276779-1-valentin.boudevin@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/229429

Add a .bbclass to generate-cve-exclusions to use this script at every run.

Two steps for testing:
1) Inherit this class in the kernel recipe with "inherit
   generate-cve-exclusions.bbclass"
2) Use the following command to generate a cvelistV5 entry with a JSON file
   in ${WORKDIR}/cvelistV5/ :
   "bitbake linux-yocto -c generate-cve-exclusions"

The JSON file can then be parsed in the following run by cve-check.

This class contains several methods:
*do_clone_cvelistV5: Clone the cvelistV5 repo in ${WORKDIR}/cvelistV5/git
 (e.g. bitbake-builds/poky-master/build/tmp/work/qemux86_64-poky-linux/
 linux-yocto/6.18.1+git/cvelistV5/git)
*do_generate_cve_exclusions: Use the script generate-cve-exclusions.py. It
 uses the new "--output-json" argument to generate a JSON file as an output
 stored in ${WORKDIR}/cvelistV5//cve-exclusion_${LINUX_VERSION}.json
*do_cve_check:prepend: Parse the previously generated JSON file to set the
 variable CVE_STATUS correctly

The class also provides some variables:
*GENERATE_CVE_EXCLUSIONS_SRC_URI and GENERATE_CVE_EXCLUSIONS_SRCREV can be
 used to change the source repository or fix a commit with SRCREV (useful for
 deterministic testing)
*GENERATE_CVE_EXCLUSIONS_NETWORK can be set to 0 to provide an offline mode
 based on DL_DIR directory.
*GENERATE_CVE_EXCLUSIONS_WORKDIR path used as a working directory for this
 class

Signed-off-by: Valentin Boudevin
--- meta/classes/generate-cve-exclusions.bbclass | 97 ++++++++++++++++++++ 1 file changed, 97 insertions(+) create mode 100644 meta/classes/generate-cve-exclusions.bbclass diff --git a/meta/classes/generate-cve-exclusions.bbclass b/meta/classes/generate-cve-exclusions.bbclass new file mode 100644 index 0000000000..163f23ecee --- /dev/null +++ b/meta/classes/generate-cve-exclusions.bbclass
@@ -0,0 +1,97 @@ +GENERATE_CVE_EXCLUSIONS_SRC_URI ?= "git://github.com/CVEProject/cvelistV5.git;branch=main;protocol=https;destsuffix=git" +GENERATE_CVE_EXCLUSIONS_SRCREV ?= "${@bb.fetch2.get_autorev(d)}" +GENERATE_CVE_EXCLUSIONS_NETWORK ?= "1" +GENERATE_CVE_EXCLUSIONS_WORKDIR ?= "${WORKDIR}/cvelistV5" + +SRC_URI:append = " ${GENERATE_CVE_EXCLUSIONS_SRC_URI};name=generate-cve-exclusions" +SRCREV_generate-cve-exclusions = "${GENERATE_CVE_EXCLUSIONS_SRCREV}" + +python do_clone_cvelistV5() { + import subprocess + import shutil, os + network_allowed = d.getVar("GENERATE_CVE_EXCLUSIONS_NETWORK") == "1" + rootdir = d.getVar("GENERATE_CVE_EXCLUSIONS_WORKDIR") + # Remove existing unpacked directory if any + if os.path.exists(rootdir): + shutil.rmtree(rootdir) + # Prepare fetcher + src_uri_list = (d.getVar('SRC_URI') or "").split() + fetcher = bb.fetch2.Fetch(src_uri_list, d) + # Clone only if network is allowed + if network_allowed: + fetcher.download() + else: + # Offline mode without network access + bb.note("GENERATE_CVE_EXCLUSIONS_NETWORK=0: Skipping online fetch. Checking local downloads in DL_DIR...") + have_sources = False + dl_dir = d.getVar("DL_DIR") + srcrev = d.getVar("SRCREV") + # Check SRCREV is NOT set to AUTOREV + if srcrev.strip() in ("${AUTOREV}", "AUTOINC"): + bb.warn("Offline mode but SRCREV is set to AUTOREV/AUTOINC. 
Cannot proceed without network access.") + return + # Loop through the fetcher's expanded URL data + for ud in fetcher.expanded_urldata(): + ud.setup_localpath(d) + # Check mirror tarballs first + for mirror_fname in ud.mirrortarballs: + mirror_path = os.path.join(dl_dir, mirror_fname) + if os.path.exists(mirror_path): + bb.note(f"Found mirror tarball: {mirror_path}") + have_sources = True + break + # If no mirror, check original download path + if not have_sources and ud.localpath and os.path.exists(ud.localpath): + bb.note(f"Found local download: {ud.localpath}") + have_sources = True + if not have_sources: + bb.warn("Offline mode but required source is missing.\n"f"SRC_URI = {ud.url}") + return + # Unpack into the standard work directory + fetcher.unpack(rootdir) + # Remove the folder ${PN} set by unpack + subdirs = [d for d in os.listdir(rootdir) if os.path.isdir(os.path.join(rootdir, d))] + if len(subdirs) == 1: + srcdir = os.path.join(rootdir, subdirs[0]) + for f in os.listdir(srcdir): + shutil.move(os.path.join(srcdir, f), rootdir) + shutil.rmtree(srcdir) + bb.note("Vulnerabilities repo unpacked into: %s" % rootdir) +} +do_clone_cvelistV5[network] = "${GENERATE_CVE_EXCLUSIONS_NETWORK}" +do_clone_cvelistV5[nostamp] = "1" +do_clone_cvelistV5[doc] = "Clone CVE information from the CVE Project: https://github.com/CVEProject/cvelistV5.git" +addtask clone_cvelistV5 before do_generate_cve_exclusions + +do_generate_cve_exclusions() { + generate_cve_exclusions_script=$(find ${COREBASE} -name "generate-cve-exclusions.py") + if [ -z "${generate_cve_exclusions_script}" ]; then + bbfatal "generate-cve-exclusions.py not found in ${COREBASE}." + fi + python3 "${generate_cve_exclusions_script}" \ + "${GENERATE_CVE_EXCLUSIONS_WORKDIR}/git" \ + ${LINUX_VERSION} \ + --output-json > ${GENERATE_CVE_EXCLUSIONS_WORKDIR}/cve-exclusion_${LINUX_VERSION}.json +} +do_generate_cve_exclusions[nostamp] = "1" +do_generate_cve_exclusions[doc] = "Generate CVE exclusions for the kernel build. 
(e.g., cve-exclusion_6.12.inc)" +addtask generate_cve_exclusions after do_clone_cvelistV5 before do_cve_check + +python do_cve_check:prepend() { + import os + import json + workdir = d.getVar("GENERATE_CVE_EXCLUSIONS_WORKDIR") + kernel_version = d.getVar("LINUX_VERSION") + json_input_file = os.path.join(workdir, "cve-exclusion_%s.json" % kernel_version) + if os.path.exists(json_input_file): + with open(json_input_file, 'r', encoding='utf-8') as f: + cve_data = json.load(f) + cve_status_dict = cve_data.get("cve_status", {}) + count = 0 + for cve_id, info in cve_status_dict.items(): + if info.get("active", True): + continue + d.setVarFlag("CVE_STATUS", cve_id, info.get("message", "")) + count += 1 + bb.note("Loaded %d CVE_STATUS entries from JSON output for kernel %s" % (count, kernel_version)) +} \ No newline at end of file
From patchwork Thu Jan 15 19:03:29 2026
X-Patchwork-Submitter: vboudevin
X-Patchwork-Id: 78811
From: ValentinBoudevin
To: openembedded-core@lists.openembedded.org
Cc: ValentinBoudevin
Subject: [PATCH v4 3/4] generate-cve-exclusions: Move python script
Date: Thu, 15 Jan 2026 14:03:29 -0500
Message-ID: <20260115190331.2276779-4-valentin.boudevin@gmail.com>
In-Reply-To: <20260115190331.2276779-1-valentin.boudevin@gmail.com>
References: <20260115190331.2276779-1-valentin.boudevin@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/229430

The script should be located with other scripts in scripts/contrib instead of
staying in meta/classes/.

Update the new .bbclass to match this modification.

Signed-off-by: Valentin Boudevin
--- meta/classes/generate-cve-exclusions.bbclass | 2 +- .../linux => scripts/contrib}/generate-cve-exclusions.py | 0 2 files changed, 1 insertion(+), 1 deletion(-) rename {meta/recipes-kernel/linux => scripts/contrib}/generate-cve-exclusions.py (100%) diff --git a/meta/classes/generate-cve-exclusions.bbclass b/meta/classes/generate-cve-exclusions.bbclass index 163f23ecee..1b0fa4baa5 100644 --- a/meta/classes/generate-cve-exclusions.bbclass +++ b/meta/classes/generate-cve-exclusions.bbclass
@@ -64,7 +64,7 @@ do_clone_cvelistV5[doc] = "Clone CVE information from the CVE Project: https://g addtask clone_cvelistV5 before do_generate_cve_exclusions do_generate_cve_exclusions() { - generate_cve_exclusions_script=$(find ${COREBASE} -name "generate-cve-exclusions.py") + generate_cve_exclusions_script=${COREBASE}/scripts/contrib/generate-cve-exclusions.py if [ -z "${generate_cve_exclusions_script}" ]; then bbfatal "generate-cve-exclusions.py not found in ${COREBASE}." fi 
diff --git a/meta/recipes-kernel/linux/generate-cve-exclusions.py b/scripts/contrib/generate-cve-exclusions.py similarity index 100% rename from meta/recipes-kernel/linux/generate-cve-exclusions.py rename to scripts/contrib/generate-cve-exclusions.py
From patchwork Thu Jan 15 19:03:30 2026
X-Patchwork-Submitter: vboudevin
X-Patchwork-Id: 78813
From: ValentinBoudevin
To: openembedded-core@lists.openembedded.org
Cc: ValentinBoudevin
Subject: [PATCH v4 4/4] linux: Add inherit on generate-cve-exclusions
Date: Thu, 15 Jan 2026 14:03:30 -0500
Message-ID: <20260115190331.2276779-5-valentin.boudevin@gmail.com>
In-Reply-To: <20260115190331.2276779-1-valentin.boudevin@gmail.com>
References: <20260115190331.2276779-1-valentin.boudevin@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/229431

Update linux-yocto.inc to inherit the new generate-cve-exclusions class.

Signed-off-by: Valentin Boudevin
--- meta/recipes-kernel/linux/linux-yocto.inc | 3 +++ 1 file changed, 3 insertions(+) diff --git a/meta/recipes-kernel/linux/linux-yocto.inc b/meta/recipes-kernel/linux/linux-yocto.inc index 4d0a726bb6..f6a1161940 100644 --- a/meta/recipes-kernel/linux/linux-yocto.inc +++ b/meta/recipes-kernel/linux/linux-yocto.inc @@ -5,6 +5,9 @@ HOMEPAGE = "https://www.yoctoproject.org/" LIC_FILES_CHKSUM ?= "file://COPYING;md5=d7810fab7487fb0aad327b76f1be7cd7" +# Generate Dynamic CVE Exclusions +inherit generate-cve-exclusions + UPSTREAM_CHECK_GITTAGREGEX = "(?P\d+\.\d+(\.\d+)*)" RECIPE_NO_UPDATE_REASON = "Recipe is updated through a separate process"
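Review bot: in patch 1/4, hunk `@@ -99,7 +100,10 @@` of generate-cve-exclusions.py, JSON mode loses the provenance that the .inc header carries. `data_version` is still computed with `git describe`, but the header `print` now sits under `if not args.output_json:`, so nothing in the JSON records the kernel `version`, the data revision or the generation time. Suggest emitting them as extra top-level keys next to `cve_status`, so that a consumer can refuse a file generated for a different kernel or from stale data.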
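Review bot: in patch 1/4, hunk `@@ -131,26 +135,58 @@`, the final `else` branch stores `"message": f"#Needs backporting (fixed from {fixed})"` with a stray `#` carried over from the .inc comment syntax, and the three active messages are capitalised inconsistently ("no known resolution", "May need backporting", "#Needs backporting"); drop the `#` and settle on one style, since the JSON exposes these strings verbatim. The closing comment refers to `--ret-struct`, but the flag this patch adds is `--output-json`. Every branch now repeats the same pair of `cve_status[cve] = {...}` and `if not args.output_json: print(...)`; filling `cve_status` first and rendering it once at the end, as .inc or as JSON, would remove the duplication. No hunk in this patch adds `import json`, so please confirm the script already imports it before `json.dumps` is reached.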
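Review bot: in patch 2/4, hunk `@@ -0,0 +1,97 @@` of generate-cve-exclusions.bbclass, `do_clone_cvelistV5` builds its fetcher from the whole `SRC_URI`, so `fetcher.download()` and `fetcher.unpack(rootdir)` act on every entry of the inheriting recipe rather than only the cvelistV5 one, and in offline mode `have_sources` turns true as soon as any entry is found in `DL_DIR`; construct the `bb.fetch2.Fetch` from `GENERATE_CVE_EXCLUSIONS_SRC_URI` alone. The offline guard reads `SRCREV` instead of the `SRCREV_generate-cve-exclusions` this class sets, and compares against the literal `"${AUTOREV}"`, which `d.getVar()` has already expanded. Both offline failure paths call `bb.warn` and `return` after `rootdir` has been removed, so the task succeeds and `do_generate_cve_exclusions` then runs against a missing directory; `bb.fatal` would make the failure visible. The flattening step moves the contents of a sole subdirectory up into `rootdir` and deletes it, while the script is then handed `${GENERATE_CVE_EXCLUSIONS_WORKDIR}/git`; please check that the two agree. In `do_cve_check:prepend`, every entry with `active` false is copied into `CVE_STATUS` without checking the ID or the message, and with `GENERATE_CVE_EXCLUSIONS_SRCREV` defaulting to `bb.fetch2.get_autorev(d)` that input is unpinned upstream data that suppresses CVE reports; validate the entries and consider a pinned default. The `[doc]` string of `do_generate_cve_exclusions` still gives a `.inc` file name as its example although the task writes `.json`, and the file lacks a trailing newline.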
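Review bot: in patch 3/4, hunk `@@ -64,7 +64,7 @@`, the unchanged guard `if [ -z "${generate_cve_exclusions_script}" ]` can no longer fire, because the variable is now assigned a fixed, non-empty path instead of the output of `find`. Test for the file itself, for example `[ ! -f "${generate_cve_exclusions_script}" ]`, so that a missing script still reaches `bbfatal`, and quote the assignment so a `${COREBASE}` containing spaces does not break it.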
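Review bot: in patch 4/4, hunk `@@ -5,6 +5,9 @@` of linux-yocto.inc, the unconditional `inherit generate-cve-exclusions` switches the class on for every recipe that includes this file. Per patch 2/4 the class appends the cvelistV5 git URL to `SRC_URI`, defaults `GENERATE_CVE_EXCLUSIONS_SRCREV` to `bb.fetch2.get_autorev(d)` and defaults `GENERATE_CVE_EXCLUSIONS_NETWORK` to "1", so kernel builds gain a floating-revision network fetch by default. Consider making the inherit opt-in or shipping a pinned default revision, and state the chosen default in the commit message.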
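A stricter way to consume the `--output-json` document described in patches 1/4 and 2/4 before any entry reaches `CVE_STATUS`, as an added example that is not part of the patch series. `load_exclusions`, the sample input and the `CVE-2099-*` identifiers are constructed for illustration; the allowed status prefixes are the two that the patch emits for entries with `active` false.

```python
import json
import re

# Shape of the keys under "cve_status" as shown in the commit message.
CVE_ID_RE = re.compile(r"CVE-\d{4}-\d{4,}")
# Status prefixes the patch writes for "active": false entries.
ALLOWED_STATUS = ("fixed-version", "cpe-stable-backport")

# Constructed sample: the first two entries are the ones quoted in the commit
# message, the rest are made-up cases that a consumer should not trust.
SAMPLE = """
{
  "cve_status": {
    "CVE-2019-25160": {"active": false, "message": "fixed-version: Fixed from version 5.0"},
    "CVE-2019-25162": {"active": false, "message": "fixed-version: Fixed from version 6.0"},
    "CVE-2099-0001": {"active": true, "message": "no known resolution"},
    "CVE-2099-0002": {"active": "false", "message": "fixed-version: Fixed from version 6.0"},
    "CVE-2099-0003": {"active": false},
    "not-a-cve": {"active": false, "message": "fixed-version: Fixed from version 6.0"}
  }
}
"""


def load_exclusions(text):
    """Return (accepted, rejected) for a --output-json document.

    accepted maps CVE id -> message for entries that may become CVE_STATUS;
    rejected lists (key, reason) for every entry that was refused.
    Active (still open) CVEs appear in neither: they are never exclusions.
    """
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        raise ValueError(f"not valid JSON: {exc}") from exc
    entries = doc.get("cve_status") if isinstance(doc, dict) else None
    if not isinstance(entries, dict):
        raise ValueError('top-level "cve_status" object is missing')

    accepted, rejected = {}, []
    for cve_id, info in entries.items():
        if not CVE_ID_RE.fullmatch(cve_id):
            rejected.append((cve_id, "malformed CVE id"))
            continue
        # Require a real boolean: the string "false" is truthy in Python and
        # must not be interpreted either way.
        if not isinstance(info, dict) or not isinstance(info.get("active"), bool):
            rejected.append((cve_id, '"active" is not a boolean'))
            continue
        if info["active"]:
            continue
        message = info.get("message")
        if isinstance(message, str):
            status, _, detail = message.partition(": ")
        else:
            status, detail = "", ""
        # An empty or unknown status would silently hide the CVE from reports.
        if (status not in ALLOWED_STATUS or not detail.strip()
                or not message.isprintable()):
            rejected.append((cve_id, "missing or unexpected status message"))
            continue
        accepted[cve_id] = message
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = load_exclusions(SAMPLE)
    for cve_id, message in ok.items():
        print(f'CVE_STATUS[{cve_id}] = "{message}"')
    for key, reason in bad:
        print(f"refused {key}: {reason}")
```
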