From patchwork Thu Jan 29 21:10:09 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: ValentinBoudevin X-Patchwork-Id: 80054 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 3D979D73E8C for ; Thu, 29 Jan 2026 21:10:22 +0000 (UTC) Received: from mail-qv1-f51.google.com (mail-qv1-f51.google.com [209.85.219.51]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.25888.1769721017795944210 for ; Thu, 29 Jan 2026 13:10:17 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=gQR6F/KN; spf=pass (domain: gmail.com, ip: 209.85.219.51, mailfrom: valentin.boudevin@gmail.com) Received: by mail-qv1-f51.google.com with SMTP id 6a1803df08f44-8946421dd8fso2714766d6.0 for ; Thu, 29 Jan 2026 13:10:17 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1769721017; x=1770325817; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=sibQHT+4601KjxE2rEQ2qrSn1NvvggnTN773EtcAZBs=; b=gQR6F/KNfMTnA45vP3VvtXYicY1mTb3yGhw3VYh+4VCJB+JQIJsi62nhZsdIt7AUQ7 QdBKM2Ww57sudzKqCkV/2o2JFZxGtXPYKN4Iy/VvWAH5q7O57qXb/sFoo11y8QMu1iJf 9Lx1SCJe9llX+t0oAVtCqstYA6vaYiOJiLupHxZWtNZuwSiZNhWjToX5bmvGp0HClIjr GEYFwQnYJJPq7EPzKBw1t7hAmEd9tTTptvwpWDSq/ZLB5CArR6Wzd4Q+0OystksVrCf3 ISLQsSo+Ghk7JthTjgFzEtGAshXjGZBo1euGeygv5OEtGmFyTUpW7rjMycSmApvM3GiK 0o1g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1769721017; x=1770325817; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=sibQHT+4601KjxE2rEQ2qrSn1NvvggnTN773EtcAZBs=; b=IXPh2u2iBLhNrrHHfiK7LlXRRrlGqlPBjwjMK+t+TBBwj0sO3BkglueRAIj/iQxxBJ 3aaVT4VNF+05pEQcrdY9y+Y3llcp167f8HLCAPTeoZoLoi6+inioHhLwS+9ZkpQ05VEz ZJJYW/qNLEz/FMPekEYZTsybC5ML05KTIDdsHBSILjk+nogaRplwKn0YWUUWDJcn6LR9 H9+Bsc0QDYWhZ1EvZi2XyvS8eyScu22mmcAb1QBNqDhtTTILRRiKdpUbAozhXVMNm/MD jQvDfhGg46a+IYTEKJ78aeHLLqr8TdDmnam9Nr3JwGQJiYePjuiN0rriTDSh3Z4asMF6 MNGA== X-Gm-Message-State: AOJu0YwEw0bI96ZS5Fq1/sii+mMFTbPRTTDbRP19R9FtymUp75IjHsQh idhqsEqLY3EpSMeQAIqyeQhgWyVoJ+IKuPWDKrW2XKuPVgyh0vc30rQD0ME11b8Rhu4= X-Gm-Gg: AZuq6aKDC8eWdt79nYVumO33c1iEVSjrUEQpZsIPn63bvZybGkec6VbOQRDWJM2NLmi mvoMZf/aQg5TqW3PgnveEQz7QzhBdCETOFrEbey34SB4alr3dVYlMEpgh2AdGo/613rSMttrhF1 vllp7xzSgRJQNfIIEeSpj5L/aQuV2rD7BHlqwedO2LQ0RP3jNqJHBy7R6rHWv5nr5M2+XomCAW6 HcFfeVQKzMQ6dci0EFaWs3DsppDW13UvbZXmtO0Qgp8kiklQ/pPCxqqWmi1w/gwhOqs4kVJRAnA Qg+W6dU0HPs4iHeNZ1lSDBXQCYBlQJjeEWTzoaAnNSGY7pjtZMlLf6Mrhb98yQARamqUUJ2wsng 5lv9wj8f1WUaM7h1KIY/wquboBIwOl56ut1DOdnhrDnD/s8RIYJwG9N4Nnd9hlOI+vxFrgHx8tU 1VYwjS6wqfKzNQJT+U7gvIf8E//90G19P/MUTYiAvTjnH4zVFmFPiv954= X-Received: by 2002:a05:6214:3316:b0:882:63cf:3970 with SMTP id 6a1803df08f44-894e9f3155fmr9420726d6.1.1769721016563; Thu, 29 Jan 2026 13:10:16 -0800 (PST) Received: from vboudevin-pc.mtl.sfl (mtl.savoirfairelinux.net. [208.88.110.46]) by smtp.gmail.com with ESMTPSA id 6a1803df08f44-894d36a5fb1sm45251326d6.9.2026.01.29.13.10.16 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 29 Jan 2026 13:10:16 -0800 (PST) From: ValentinBoudevin To: openembedded-core@lists.openembedded.org Cc: daniel.turull@ericsson.com, jerome.oufella@savoirfairelinux.com, ValentinBoudevin Subject: [PATCH v6 1/4] generate-cve-exclusions: Add output format option Date: Thu, 29 Jan 2026 16:10:09 -0500 Message-ID: <20260129211012.623827-2-valentin.boudevin@gmail.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260129211012.623827-1-valentin.boudevin@gmail.com> References: <188AFCD98EA3E578.3200434@lists.openembedded.org> <20260129211012.623827-1-valentin.boudevin@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 29 Jan 2026 21:10:22 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/230160 This option "--output-json-file" can be used to return a json file instead of the printing the output in a .inc file. The JSON file can easily be manipulated contrary to the .inc file. Example output structure of the JSON file: ```json { "cve_status": { "CVE-2019-25160": { "active": false, "message": "fixed-version: Fixed from version 5.0" }, "CVE-2019-25162": { "active": false, "message": "fixed-version: Fixed from version 6.0" }, ... ``` Add a second option "--output-inc-file" to also create a .inc at a given location. Both "--output-inc-file" and "--output-json-file" can be used at the same time. This commit doesn't affect or modify any existing behaviour of the script. Signed-off-by: Valentin Boudevin --- .../linux/generate-cve-exclusions.py | 107 +++++++++++++++--- 1 file changed, 90 insertions(+), 17 deletions(-) diff --git a/meta/recipes-kernel/linux/generate-cve-exclusions.py b/meta/recipes-kernel/linux/generate-cve-exclusions.py index dfc16663a5..3df0e93e07 100755 --- a/meta/recipes-kernel/linux/generate-cve-exclusions.py +++ b/meta/recipes-kernel/linux/generate-cve-exclusions.py @@ -91,19 +91,38 @@ def main(argp=None): parser = argparse.ArgumentParser() parser.add_argument("datadir", type=pathlib.Path, help="Path to a clone of https://github.com/CVEProject/cvelistV5 or https://git.kernel.org/pub/scm/linux/security/vulns.git") parser.add_argument("version", type=Version, help="Kernel version number to generate data for, such as 6.1.38") + parser.add_argument("--output-json-file", type=pathlib.Path, help="Write CVE_STATUS mapping to this JSON file") + parser.add_argument("--output-inc-file", type=pathlib.Path, help="Write CVE_STATUS mapping to this INC file") args = parser.parse_args(argp) datadir = args.datadir.resolve() version = args.version base_version = Version(f"{version.major}.{version.minor}") - - data_version = subprocess.check_output(("git", "describe", "--tags", "HEAD"), cwd=datadir, text=True) - - print(f""" + print_to_stdout = not args.output_json_file and not args.output_inc_file + + cve_status = {} + inc_lines = [] + + if print_to_stdout: + data_version = subprocess.check_output(("git", "describe", "--tags", "HEAD"), cwd=datadir, text=True) + print(f""" # Auto-generated CVE metadata, DO NOT EDIT BY HAND. # Generated at {datetime.datetime.now(datetime.timezone.utc)} for kernel version {version} # From {datadir.name} {data_version} +python check_kernel_cve_status_version() {{ + this_version = "{version}" + kernel_version = d.getVar("LINUX_VERSION") + if kernel_version != this_version: + bb.warn("Kernel CVE status needs updating: generated for %s but kernel is %s" % (this_version, kernel_version)) +}} +do_cve_check[prefuncs] += "check_kernel_cve_status_version" +""") + elif args.output_inc_file: + inc_lines.append(f""" +# Auto-generated CVE metadata, DO NOT EDIT BY HAND. +# Generated at {datetime.datetime.now(datetime.timezone.utc)} for kernel version {version} + python check_kernel_cve_status_version() {{ this_version = "{version}" kernel_version = d.getVar("LINUX_VERSION") @@ -131,26 +150,80 @@ do_cve_check[prefuncs] += "check_kernel_cve_status_version" continue first_affected, fixed, backport_ver = get_fixed_versions(cve_info, base_version) if not fixed: - print(f"# {cve} has no known resolution") + cve_status[cve] = { + "active": True, + "message": "no known resolution" + } + if not args.output_json_file: + print(f"# {cve} has no known resolution") + elif args.output_inc_file: + inc_lines.append(f'# {cve} has no known resolution') elif first_affected and version < first_affected: - print(f'CVE_STATUS[{cve}] = "fixed-version: only affects {first_affected} onwards"') + cve_status[cve] = { + "active": False, + "message": f"fixed-version: only affects {first_affected} onwards" + } + if not args.output_json_file: + print(f'CVE_STATUS[{cve}] = "fixed-version: only affects {first_affected} onwards"') + elif args.output_inc_file: + inc_lines.append(f'CVE_STATUS[{cve}] = "fixed-version: only affects {first_affected} onwards"') elif fixed <= version: - print( - f'CVE_STATUS[{cve}] = "fixed-version: Fixed from version {fixed}"' - ) + cve_status[cve] = { + "active": False, + "message": f"fixed-version: Fixed from version {fixed}" + } + if not args.output_json_file: + print(f'CVE_STATUS[{cve}] = "fixed-version: Fixed from version {fixed}"') + elif args.output_inc_file: + inc_lines.append(f'CVE_STATUS[{cve}] = "fixed-version: Fixed from version {fixed}"') else: if backport_ver: if backport_ver <= version: - print( - f'CVE_STATUS[{cve}] = "cpe-stable-backport: Backported in {backport_ver}"' - ) + cve_status[cve] = { + "active": False, + "message": f"cpe-stable-backport: Backported in {backport_ver}" + } + if not args.output_json_file: + print(f'CVE_STATUS[{cve}] = "cpe-stable-backport: Backported in {backport_ver}"') + elif args.output_inc_file: + inc_lines.append(f'CVE_STATUS[{cve}] = "cpe-stable-backport: Backported in {backport_ver}"') else: - print(f"# {cve} may need backporting (fixed from {backport_ver})") + cve_status[cve] = { + "active": True, + "message": f"May need backporting (fixed from {backport_ver})" + } + if not args.output_json_file: + print(f"# {cve} may need backporting (fixed from {backport_ver})") + elif args.output_inc_file: + inc_lines.append(f'# {cve} may need backporting (fixed from {backport_ver})') else: - print(f"# {cve} needs backporting (fixed from {fixed})") - - print() - + cve_status[cve] = { + "active": True, + "message": f"#Needs backporting (fixed from {fixed})" + } + if not args.output_json_file: + print(f"# {cve} needs backporting (fixed from {fixed})") + elif args.output_inc_file: + inc_lines.append(f'# {cve} needs backporting (fixed from {fixed})') + + if print_to_stdout: + print() + elif args.output_inc_file: + inc_lines.append("") + + # Emit structured output if --ret-struct was requested + if args.output_json_file: + args.output_json_file.write_text( + json.dumps( + { + "cve_status": cve_status, + }, + indent=2 + ), + encoding="utf-8" + ) + if args.output_inc_file: + args.output_inc_file.write_text("\n".join(inc_lines), encoding="utf-8") if __name__ == "__main__": main() From patchwork Thu Jan 29 21:10:10 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: ValentinBoudevin X-Patchwork-Id: 80057 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 3CB03D73E83 for ; Thu, 29 Jan 2026 21:10:22 +0000 (UTC) Received: from mail-qv1-f46.google.com (mail-qv1-f46.google.com [209.85.219.46]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.25816.1769721018719264854 for ; Thu, 29 Jan 2026 13:10:18 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=MtgQKYI5; spf=pass (domain: gmail.com, ip: 209.85.219.46, mailfrom: valentin.boudevin@gmail.com) Received: by mail-qv1-f46.google.com with SMTP id 6a1803df08f44-8946648487eso2586886d6.2 for ; Thu, 29 Jan 2026 13:10:18 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1769721018; x=1770325818; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=Qjqy9ylUYRSj52KfBrM1Vd/gMadKSuO5iHIHLuYGHf8=; b=MtgQKYI5tiG25Ze6/b6woc13xVskNt/GmKEpl+qkZN1eOe2RjAL6NorOgvQB8eN/GV JC/i4qQ6WdyUS/4tnWIlu+7BvPmbk5Q99zucfm3RH5MItusz5diZ0KtjfV7BMxMc1nh9 5UhrY3gLON3FzE1PF3d2xI8fW5DDQVx4NmtKONwi75eFWw5H/hScyjx3syzCW3YbLGjh T4fXLAiyq3NS62V6snbJjlrLvZRUawjABOYEX5NuuqbV7K4aC0GXnyG1SZccXYAvPzCa z6AZbw5fG70PXT85maL/oJSP6lzirj8U5xozXxJUPODim9ZhtdBk+0GZWo/2hS4vWtUu CMQA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1769721018; x=1770325818; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=Qjqy9ylUYRSj52KfBrM1Vd/gMadKSuO5iHIHLuYGHf8=; b=JZPj2aY5rZXMJESaSMHpS3MhSpqne9pN+Ca6K8wCGoLUdJuvsQFo0Q0kQftONGpqvX M24Rx7H+jEPnP3EDshZOXuNu6RlACQYXEGvYNAMjVUQxTKHtW8ceEYLgctTtS/YtTbaj Lu4ZrI3fc8cp0+nflR4YS25JqsJzMI2AltP9vX4NeHMumgCZVmBCsrYXmaKUWasLGsBE +62VhnDbxhpwF5Zev2j5AXJ/5lmfBJ7drDpxfFFZu12CyksGHc+/PKYXXWSNX749avAL IGnEijUutyhzdMsTN1nMAUtKje1ezuf29/sHudKf0BZYz0hVLbaIIE3F+tBOfgkfXx5u yMQg== X-Gm-Message-State: AOJu0YyIMK8FIyYsCmk8wa58i8vUdNKZRsXHePs/usOrchUHbwpAhlkA oSj8d9KDfOc7WP5Eu5y7n51/Ol0C1q4Dqmk4SWdWI+9wggZelXUzp4eAwfzg9IWugSM= X-Gm-Gg: AZuq6aK96DmihZPqHtVpj1YFxFUP2rcD+HEjPHJ/IguNzO4e+lgRIG8JJClC87j+BjH qJWBiNdPfwFNqGp+zRY/8szESz2lZP4+qeISEvTtXsBB9YmT6m+CNdvsl66HXQfg0iMW6nUvlGe DLUvntCqjDf3/9VWAy/MHHPfFxhcxHnY/RHF6ocZgCFh/VbyaUCXrTReD5oBebNN1jCDKD80rnL D1JXxApG21t05UJyFfy3U3iLnEwuVdQb/QkGCDlLUzXc45ojxeSnR7nZWqAY3ROMOsmk6jWX3Po Tokn/tDsngA22x6wPqQx08nxRm+rbXPBPtyhaF6r76MwKvcl2vtlblEVIwj6IlhHtxgzwRP8bB7 1uhmGE1BiHicJ1H9WH4kWRbnbPyGxvp5rYP5YMEfC0uMr9tY/JuvwRfFqNCROODbQduTva1VK9Z TvakBp0WGK+GlfJFQ8zMkdKXvXBnmqMIgvsCh/3VxVwXyyOR/RaYjNNQw= X-Received: by 2002:a05:620a:1a90:b0:8c7:eb2:1c3a with SMTP id af79cd13be357-8c9eb20ca23mr113819685a.1.1769721017675; Thu, 29 Jan 2026 13:10:17 -0800 (PST) Received: from vboudevin-pc.mtl.sfl (mtl.savoirfairelinux.net. [208.88.110.46]) by smtp.gmail.com with ESMTPSA id 6a1803df08f44-894d36a5fb1sm45251326d6.9.2026.01.29.13.10.17 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 29 Jan 2026 13:10:17 -0800 (PST) From: ValentinBoudevin To: openembedded-core@lists.openembedded.org Cc: daniel.turull@ericsson.com, jerome.oufella@savoirfairelinux.com, ValentinBoudevin Subject: [PATCH v6 2/4] cvelistv5: add a new recipe Date: Thu, 29 Jan 2026 16:10:10 -0500 Message-ID: <20260129211012.623827-3-valentin.boudevin@gmail.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260129211012.623827-1-valentin.boudevin@gmail.com> References: <188AFCD98EA3E578.3200434@lists.openembedded.org> <20260129211012.623827-1-valentin.boudevin@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 29 Jan 2026 21:10:22 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/230161 This recipe is in charge of cloning and setting the cvelistv5 repository: https://github.com/CVEProject/cvelistV5 The variable CVELISTV5_USE_AUTOREV can be used to use AUTOREV to use the latest available commit on the remote repository and stay up-to-date with the latest CVE information available. AUTOREV would make the build non-deterministic, turned off by default. Signed-off-by: ValentinBoudevin --- .../cvelistv5-native/cvelistv5-native_git.bb | 24 +++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 meta/recipes-kernel/cvelistv5-native/cvelistv5-native_git.bb diff --git a/meta/recipes-kernel/cvelistv5-native/cvelistv5-native_git.bb b/meta/recipes-kernel/cvelistv5-native/cvelistv5-native_git.bb new file mode 100644 index 0000000000..f25dda9f3d --- /dev/null +++ b/meta/recipes-kernel/cvelistv5-native/cvelistv5-native_git.bb @@ -0,0 +1,24 @@ +SUMMARY = "CVE List V5" +DESCRIPTION = "Official CVE List. It is a catalog of all CVE Records identified by, or reported to, the CVE Program. \ +The cvelistV5 repository hosts downloadable files of CVE Records in the CVE Record Format." +HOMEPAGE = "https://github.com/CVEProject/cvelistV5" +LICENSE = "cve-tou" +LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/cve-tou;md5=4f7e96b3094e80e66b53359a8342c7f8" + +inherit native allarch + +SRC_URI = "git://github.com/CVEProject/cvelistV5.git;branch=main;protocol=https" +CVELISTV5_USE_AUTOREV ?= "0" +CVELISTV5_DEFAULT_SRCREV ?= "644ce1758db1773336ebebb6a0da90e132da0eb7" + +python __anonymous () { + if d.getVar("CVELISTV5_USE_AUTOREV") == "1": + d.setVar("SRCREV", d.getVar("AUTOREV")) + else: + d.setVar("SRCREV", d.getVar("CVELISTV5_DEFAULT_SRCREV")) +} + +do_install(){ + install -d ${D}${datadir}/cvelistv5-native + cp -r ${UNPACKDIR}/cvelistv5-git/* ${D}${datadir}/cvelistv5-native/ +} From patchwork Thu Jan 29 21:10:11 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: ValentinBoudevin X-Patchwork-Id: 80056 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 4BA7ED73E8E for ; Thu, 29 Jan 2026 21:10:22 +0000 (UTC) Received: from mail-qv1-f67.google.com (mail-qv1-f67.google.com [209.85.219.67]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.25890.1769721019802060966 for ; Thu, 29 Jan 2026 13:10:19 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=Ke3xJwIQ; spf=pass (domain: gmail.com, ip: 209.85.219.67, mailfrom: valentin.boudevin@gmail.com) Received: by mail-qv1-f67.google.com with SMTP id 6a1803df08f44-8946f000d75so1859486d6.0 for ; Thu, 29 Jan 2026 13:10:19 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1769721019; x=1770325819; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=WF+NAd+xB0whLcp0r0w6eP2XbiHLAttvuw3ON64g3X4=; b=Ke3xJwIQ3MKZaAZInhGNKBnpq0ogxwYDHAqSylO5UDy9Hri0DKnc3AiLGZ7c7GcIZL smXbr1CMozl3Sb7Pl7STVBhEXnULSaFDLAYdMv2SvOFWE4SX34B+mj0/h/dpJ/Fn+0dt +RxP8JOALYQjDXSvj75P0Kw9OmdPvT2+iLuR7Oc1rbgjouPEy1MZJCTl4ZnL0uMmMehp 5lIJihClu0IpF3gFSa6UGWz3be4OeJqeCmyI19mp9R7ZqsjcgjJMnhfLFmP5Y+JR4l5o LzdQW0jO1AhMHM6s8PY6p4c6FK/HudzFrvUD6idiFUSbVNDVod9PEv1e/eiHDB2MPc7k N2Xw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1769721019; x=1770325819; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=WF+NAd+xB0whLcp0r0w6eP2XbiHLAttvuw3ON64g3X4=; b=UEiZyWxkHZPgHFS4Ts2qkRIGccMgr0i16yC4jL3hzKoGU5Aad/NpJT4lqMAoRQgrry E53BFS684aFEpdneFbQ+ktc2zYT7ihMFV1Sn7QvOO2V04vI98zyKtdOwVwc1PNTT1stX RkRxUTftFB1oKEGu/exCHr7Zy7Jyr2w9wBDmDmJXPw7KvL7sw3BxPasddBTZcem3TqSe XqMeK3okhUzp9FRWdDlWJJ6jM7bRdcpyCiLDpnH0dum5zpf9GH+lgK6E8qzWJ0J6VnJ6 3LGzCcTmxSPbVu5EnMpEIaKbXd3+N7Ua4ANkZYGxFaqdkMLPnb5lYhMsam8731QSD2vh vsBg== X-Gm-Message-State: AOJu0YxUpSrzXeaPke/nBMDKtWg7lOdU60ARm8DtTekrIfPQKwD9cVHm sng1vvs0AE7OGeDPD6jDUgDCd6eBjbex22Viau9TL1yeI9Y5sc+rfnV09iI25Mq2Y5q8WQ== X-Gm-Gg: AZuq6aIiVOl6jNDXUJUmnAJy1+qsMpEwO1gTnSa+SFLOUFvm5adjJBwz9WreW71GC6P a1Q5WtzBgG/M3jEGJSLfWbJ1H0NC0FriDp9hErw/jCUK2PbYLreQi78pXoL6jX+Kgd/5NGMjNsf SbWf4RqMrrckUU9OP4QDRKsuFjis72AKBMrXJBP4sb6b9UKCpVqvSYpQ6I4IDfM9+AVo0gDjxb0 ILOTMtkdT90KBjgzsr0HktFf3Yqj/m6EjQNR8y9qsZ+lk9RggoC7CBy8dD8Rpq9PZNqdYm80QRM 4I1C1RIf/k8PZ7Rulf/vt06pVbAIoRryPFp+lDlb6ZcWXw20TryC9K5rj9+urjW9C18fifuD3FN GYGHqS2viOYzxr/I5HGvgdC0rrfQNwyXZMf7CdHW88kNLpLoFzjyQXivN0tFvEWqlkXIkOH6iD2 V4JrWwPP5iydiiUysKIqql/gYHFY9lLdYkzBJJu8ALKFEf15cav3hccNw= X-Received: by 2002:a05:6214:6010:b0:894:9d32:6160 with SMTP id 6a1803df08f44-894e9db4741mr9638766d6.0.1769721018723; Thu, 29 Jan 2026 13:10:18 -0800 (PST) Received: from vboudevin-pc.mtl.sfl (mtl.savoirfairelinux.net. [208.88.110.46]) by smtp.gmail.com with ESMTPSA id 6a1803df08f44-894d36a5fb1sm45251326d6.9.2026.01.29.13.10.18 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 29 Jan 2026 13:10:18 -0800 (PST) From: ValentinBoudevin To: openembedded-core@lists.openembedded.org Cc: daniel.turull@ericsson.com, jerome.oufella@savoirfairelinux.com, ValentinBoudevin Subject: [PATCH v6 3/4] kernel-generate-cve-exclusions: Add a .bbclass Date: Thu, 29 Jan 2026 16:10:11 -0500 Message-ID: <20260129211012.623827-4-valentin.boudevin@gmail.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260129211012.623827-1-valentin.boudevin@gmail.com> References: <188AFCD98EA3E578.3200434@lists.openembedded.org> <20260129211012.623827-1-valentin.boudevin@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 29 Jan 2026 21:10:22 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/230162 Add a new class named kernel-generate-cve-exclusions.bbclass to generate-cve-exclusions to use this script at every run. Two steps for testing: 1) inherit this class in the kernel recipe with "inherit kernel-generate-cve-exclusions.bbclass" 2) Use the following command to generate cve exclusions .json, and .inc file : "bitbake linux-yocto -c "do_generate_cve_exclusions" This class contains several methods: *do_generate_cve_exclusions: Use the script generate-cve-exclusions.py. It uses the new "--output-json-file" argument to generate a JSON file as an output stored in ${GENERATE_CVE_EXCLUSIONS_OUTPUT_JSON}, and a .inc file in ${GENERATE_CVE_EXCLUSIONS_OUTPUT_INC} *do_cve_check:prepend: Parse the previously generated JSON file to set the variable CVE_STATUS corretly The class also provides some variables: *GENERATE_CVE_EXCLUSIONS_OUTPUT_JSON: path of the output JSON file used to set CVE_STATUS *GENERATE_CVE_EXCLUSIONS_OUTPUT_INC: cve exclusions .inc file output path. Not used directly by this class (needs to be inherit manually). Signed-off-by: Valentin Boudevin --- .../kernel-generate-cve-exclusions.bbclass | 46 +++++++++++++++++++ 1 file changed, 46 insertions(+) create mode 100644 meta/classes/kernel-generate-cve-exclusions.bbclass diff --git a/meta/classes/kernel-generate-cve-exclusions.bbclass b/meta/classes/kernel-generate-cve-exclusions.bbclass new file mode 100644 index 0000000000..8efa32f6a1 --- /dev/null +++ b/meta/classes/kernel-generate-cve-exclusions.bbclass @@ -0,0 +1,46 @@ +# Generate CVE exclusions for the kernel build (set to "1" to enable) +GENERATE_CVE_EXCLUSIONS_OUTPUT_JSON = "${WORKDIR}/temp/cve-exclusion_${LINUX_VERSION}.json" +GENERATE_CVE_EXCLUSIONS_OUTPUT_INC = "${WORKDIR}/temp//cve-exclusion_${LINUX_VERSION}.inc" + +do_generate_cve_exclusions() { + # Check for required files and directories + generate_cve_exclusions_script=${COREBASE}/scripts/contrib/generate-cve-exclusions.py + if [ ! -f "${generate_cve_exclusions_script}" ]; then + bbwarn "generate-cve-exclusions.py not found in ${generate_cve_exclusions_script}." + return 0 + fi + if [ ! -d "${STAGING_DATADIR_NATIVE}/cvelistv5-native" ]; then + bbwarn "CVE exclusions source directory not found in ${STAGING_DATADIR_NATIVE}/cvelistv5-native." + return 0 + fi + # Generate the CVE exclusions JSON & INC file + python3 "${generate_cve_exclusions_script}" \ + "${STAGING_DATADIR_NATIVE}/cvelistv5-native" \ + ${LINUX_VERSION} \ + --output-json-file "${GENERATE_CVE_EXCLUSIONS_OUTPUT_JSON}" \ + --output-inc-file "${GENERATE_CVE_EXCLUSIONS_OUTPUT_INC}" + bbplain "CVE exclusions generated for kernel version ${LINUX_VERSION} at ${GENERATE_CVE_EXCLUSIONS_OUTPUT_INC} and ${GENERATE_CVE_EXCLUSIONS_OUTPUT_JSON}." +} +do_generate_cve_exclusions[depends] += "cvelistv5-native:do_populate_sysroot" +do_generate_cve_exclusions[nostamp] = "1" +do_generate_cve_exclusions[doc] = "Generate CVE exclusions for the kernel build. (e.g., cve-exclusion_6.12.json)" +addtask generate_cve_exclusions after do_prepare_recipe_sysroot before do_cve_check + +python do_cve_check:prepend() { + import os + import json + workdir = d.getVar("${STAGING_DATADIR_NATIVE}/cvelistv5-native") + kernel_version = d.getVar("LINUX_VERSION") + json_input_file = d.getVar("GENERATE_CVE_EXCLUSIONS_OUTPUT_JSON") + if os.path.exists(json_input_file): + with open(json_input_file, 'r', encoding='utf-8') as f: + cve_data = json.load(f) + cve_status_dict = cve_data.get("cve_status", {}) + count = 0 + for cve_id, info in cve_status_dict.items(): + if info.get("active", True): + continue + d.setVarFlag("CVE_STATUS", cve_id, info.get("message", "")) + count += 1 + bb.note("Loaded %d CVE_STATUS entries from JSON output for kernel %s" % (count, kernel_version)) +} From patchwork Thu Jan 29 21:10:12 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: ValentinBoudevin X-Patchwork-Id: 80055 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 4BB1BD73E91 for ; Thu, 29 Jan 2026 21:10:22 +0000 (UTC) Received: from mail-qv1-f52.google.com (mail-qv1-f52.google.com [209.85.219.52]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.25818.1769721020748676146 for ; Thu, 29 Jan 2026 13:10:20 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=jmGh6htq; spf=pass (domain: gmail.com, ip: 209.85.219.52, mailfrom: valentin.boudevin@gmail.com) Received: by mail-qv1-f52.google.com with SMTP id 6a1803df08f44-8887d6d237fso2119646d6.3 for ; Thu, 29 Jan 2026 13:10:20 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1769721020; x=1770325820; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=zjxYzvvWf4Cu4hPx/VkxvgapdI94Oxv2FhCFriptyZY=; b=jmGh6htqez6Iz496DDZCTD3lBc+h4XNraNpRneTqlt77xkpzNqryV5VPf57ftPXSAe cojAwukHH02L2ao7qvGponhzmJ4UFTAjHK5uVJH2qo7YCVNlmQ5gvSn6tAGCJ8KbOsEU fdV4Zdr3rI83VTQ/99deTjSSqpF5+8AcETadJPgNxHv1hzINceRDiODGJot/XOWgwj+f r6HA+vvMr3XKPsIw4TrUefw9qPjd1j/caomtrMg2L2UJrNWOIhh5ZcDu6DIhOx7+4zMF 7MZa5ZfB+z/nYh2oyeudotKWbVjb8ovsWDGqiSoGZh9S1OomLlvYpP0Nazhacxa78iGU bJKQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1769721020; x=1770325820; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=zjxYzvvWf4Cu4hPx/VkxvgapdI94Oxv2FhCFriptyZY=; b=iko7eGKhyrEix7ggpGUq/vEJtus6eMXLcHA1e+7KtzfF7AFbGuJES2nTugpFRI/8y1 wHCc9nsdQLBghjIc2cQzFLQLJ5t/9J7DojGWZVkhNdKJYxNAYo35mwqtQtzfcdTGoxjT cglabsiYWSJQB4yPg+roHSBX57is4g3aBLtxGE77Mk8RJimT5ewsNzpxHIIJF1Aa033Y eIti1ASNVAb7E7lrkWxuMqnPFE0dmS6f4e98/dP5EkjNyyHPyzkXXyurfplLAjZDCcDD Kqq1toLHd7lAVbOQF5VsM43/DXhTo4jzQGolL8BYKD9YjCnI8nl1AsgakViCdD9r0x7k yVrg== X-Gm-Message-State: AOJu0YxwdPCkYYxE4E24/J04U6/bCSyRY7KptAWxRaJ8y1BuFIrm5+/i p1vdA+IJ77zFUcVMgS9pc0dT7NJGPx9zLJsyhnOUr+B2A0i3UqUfk0E/JQxvL7Wt+x4= X-Gm-Gg: AZuq6aL0h4TpQu+DttzKbcm8zxVdd0GESmv4HMhBO4Nkj6EYuYdczuSjXzMk6b1hEbf uM8hv/Jwjv0BzaQYFd7fy2/3g8BuIshLj8lJmi5gX5s4z3ZSOeVHyDtH6v/nSA0K8kxHnka1scs Njf9zfLXg3DoYmiq4ITfbwzRz317ndZ/3B/Ns826SmbE7PN7SzdV7JOgt+BNZhQnJPiesTqekOn bt5qPjmnFZ6HMN0Lx6H8OdalYL4HsbJD4m6vh1ACPltyE8roh2anCUNvbbsrD6cyUIkXZFYZbpz ZETXtP384Ri0wDK3sT0o8iK/JwWJCDizHjKol29IxUDAR0lQTIzdv38zRXKJ/RGA6gWDg5UaaAH 858x/bGoFwDDU4FLKd7kVaH4mtu+9/TBrLl+M8bz53jHXK9tqMFnfqlQAIbwRYuUJl2+I+RTfU0 OEAhnQoDDSloMzcyRzn3wsJCfRPcv/+3uG5UpsfFhbGqh+RDCzl8J33kA= X-Received: by 2002:a0c:e008:0:b0:894:9617:d527 with SMTP id 6a1803df08f44-894e9db2dcemr9255356d6.0.1769721019788; Thu, 29 Jan 2026 13:10:19 -0800 (PST) Received: from vboudevin-pc.mtl.sfl (mtl.savoirfairelinux.net. [208.88.110.46]) by smtp.gmail.com with ESMTPSA id 6a1803df08f44-894d36a5fb1sm45251326d6.9.2026.01.29.13.10.19 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 29 Jan 2026 13:10:19 -0800 (PST) From: ValentinBoudevin To: openembedded-core@lists.openembedded.org Cc: daniel.turull@ericsson.com, jerome.oufella@savoirfairelinux.com, ValentinBoudevin Subject: [PATCH v6 4/4] generate-cve-exclusions: Move python script Date: Thu, 29 Jan 2026 16:10:12 -0500 Message-ID: <20260129211012.623827-5-valentin.boudevin@gmail.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260129211012.623827-1-valentin.boudevin@gmail.com> References: <188AFCD98EA3E578.3200434@lists.openembedded.org> <20260129211012.623827-1-valentin.boudevin@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 29 Jan 2026 21:10:22 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/230163 The script should be located with other scripts in scripts/contrib instead of staying in meta/classes/. Update the new .bbclass to match this modification Signed-off-by: Valentin Boudevin --- .../linux => scripts/contrib}/generate-cve-exclusions.py | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename {meta/recipes-kernel/linux => scripts/contrib}/generate-cve-exclusions.py (100%) diff --git a/meta/recipes-kernel/linux/generate-cve-exclusions.py b/scripts/contrib/generate-cve-exclusions.py similarity index 100% rename from meta/recipes-kernel/linux/generate-cve-exclusions.py rename to scripts/contrib/generate-cve-exclusions.py