From patchwork Mon Feb 2 20:52:27 2026
X-Patchwork-Submitter: ValentinBoudevin
X-Patchwork-Id: 80280
From: ValentinBoudevin
To: openembedded-core@lists.openembedded.org
Cc: daniel.turull@ericsson.com, jerome.oufella@savoirfairelinux.com, ValentinBoudevin
Subject: [PATCH v7 1/4] generate-cve-exclusions: Add output format option
Date: Mon, 2 Feb 2026 15:52:27 -0500
Message-ID: <20260202205231.2134908-2-valentin.boudevin@gmail.com>
In-Reply-To: <20260202205231.2134908-1-valentin.boudevin@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/230400

This option "--output-json-file" can be used to return a JSON file instead of printing the output in a .inc file. The JSON file can easily be manipulated, contrary to the .inc file.

Example output structure of the JSON file:

```json
{
  "cve_status": {
    "CVE-2019-25160": {
      "active": false,
      "message": "fixed-version: Fixed from version 5.0"
    },
    "CVE-2019-25162": {
      "active": false,
      "message": "fixed-version: Fixed from version 6.0"
    },
    ...
```

Add a second option "--output-inc-file" to also create a .inc file at a given location. Both "--output-inc-file" and "--output-json-file" can be used at the same time.

This commit doesn't affect or modify any existing behaviour of the script.

Signed-off-by: Valentin Boudevin
---
 .../linux/generate-cve-exclusions.py | 107 +++++++++++++++---
 1 file changed, 90 insertions(+), 17 deletions(-)

diff --git a/meta/recipes-kernel/linux/generate-cve-exclusions.py b/meta/recipes-kernel/linux/generate-cve-exclusions.py
index dfc16663a5..3df0e93e07 100755
--- a/meta/recipes-kernel/linux/generate-cve-exclusions.py
+++ b/meta/recipes-kernel/linux/generate-cve-exclusions.py
@@ -91,19 +91,38 @@ def main(argp=None): parser = argparse.ArgumentParser() parser.add_argument("datadir", type=pathlib.Path, help="Path to a clone of https://github.com/CVEProject/cvelistV5 or https://git.kernel.org/pub/scm/linux/security/vulns.git") parser.add_argument("version", type=Version, help="Kernel version number to generate data for, such as 6.1.38") + parser.add_argument("--output-json-file", type=pathlib.Path, help="Write CVE_STATUS mapping to this JSON file") + parser.add_argument("--output-inc-file", type=pathlib.Path, help="Write CVE_STATUS mapping to this INC file") args = parser.parse_args(argp) datadir = args.datadir.resolve() version = args.version base_version = Version(f"{version.major}.{version.minor}") - - data_version = subprocess.check_output(("git", "describe", "--tags", "HEAD"), cwd=datadir, text=True) - - print(f""" + print_to_stdout = not args.output_json_file and not args.output_inc_file + + cve_status = {} + inc_lines = [] + + if print_to_stdout: + data_version = subprocess.check_output(("git", "describe", "--tags", "HEAD"), cwd=datadir, text=True) + print(f""" # Auto-generated CVE metadata, DO NOT EDIT BY HAND. # Generated at {datetime.datetime.now(datetime.timezone.utc)} for kernel version {version} # From {datadir.name} {data_version} +python check_kernel_cve_status_version() {{ + this_version = "{version}" + kernel_version = d.getVar("LINUX_VERSION") + if kernel_version != this_version: + bb.warn("Kernel CVE status needs updating: generated for %s but kernel is %s" % (this_version, kernel_version)) +}} +do_cve_check[prefuncs] += "check_kernel_cve_status_version" +""") + elif args.output_inc_file: + inc_lines.append(f""" +# Auto-generated CVE metadata, DO NOT EDIT BY HAND. +# Generated at {datetime.datetime.now(datetime.timezone.utc)} for kernel version {version} + python check_kernel_cve_status_version() {{ this_version = "{version}" kernel_version = d.getVar("LINUX_VERSION") 
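Review bot: in the `elif args.output_inc_file:` branch the .inc header drops the `# From {datadir.name} {data_version}` line, and `data_version` (the `git describe --tags HEAD` result) is now only computed under `if print_to_stdout:`. An exclusion list that no longer records which cvelistV5 or vulns snapshot produced it cannot be audited or regenerated, and the JSON written by `--output-json-file` carries no provenance at all (no generation time, kernel version or data snapshot), so a consumer of the JSON cannot apply the `LINUX_VERSION` mismatch guard that `check_kernel_cve_status_version` gives the .inc and stdout outputs. Compute `data_version` unconditionally, emit the `# From ...` line in both headers, and add `version` and `data_version` keys next to `cve_status` in the JSON. The header text is also duplicated verbatim between the stdout and inc branches; build it once into a string and route that string.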
@@ -131,26 +150,80 @@ do_cve_check[prefuncs] += "check_kernel_cve_status_version" continue first_affected, fixed, backport_ver = get_fixed_versions(cve_info, base_version) if not fixed: - print(f"# {cve} has no known resolution") + cve_status[cve] = { + "active": True, + "message": "no known resolution" + } + if not args.output_json_file: + print(f"# {cve} has no known resolution") + elif args.output_inc_file: + inc_lines.append(f'# {cve} has no known resolution') elif first_affected and version < first_affected: - print(f'CVE_STATUS[{cve}] = "fixed-version: only affects {first_affected} onwards"') + cve_status[cve] = { + "active": False, + "message": f"fixed-version: only affects {first_affected} onwards" + } + if not args.output_json_file: + print(f'CVE_STATUS[{cve}] = "fixed-version: only affects {first_affected} onwards"') + elif args.output_inc_file: + inc_lines.append(f'CVE_STATUS[{cve}] = "fixed-version: only affects {first_affected} onwards"') elif fixed <= version: - print( - f'CVE_STATUS[{cve}] = "fixed-version: Fixed from version {fixed}"' - ) + cve_status[cve] = { + "active": False, + "message": f"fixed-version: Fixed from version {fixed}" + } + if not args.output_json_file: + print(f'CVE_STATUS[{cve}] = "fixed-version: Fixed from version {fixed}"') + elif args.output_inc_file: + inc_lines.append(f'CVE_STATUS[{cve}] = "fixed-version: Fixed from version {fixed}"') else: if backport_ver: if backport_ver <= version: - print( - f'CVE_STATUS[{cve}] = "cpe-stable-backport: Backported in {backport_ver}"' - ) + cve_status[cve] = { + "active": False, + "message": f"cpe-stable-backport: Backported in {backport_ver}" + } + if not args.output_json_file: + print(f'CVE_STATUS[{cve}] = "cpe-stable-backport: Backported in {backport_ver}"') + elif args.output_inc_file: + inc_lines.append(f'CVE_STATUS[{cve}] = "cpe-stable-backport: Backported in {backport_ver}"') else: - print(f"# {cve} may need backporting (fixed from {backport_ver})") + cve_status[cve] = { + "active": 
True, + "message": f"May need backporting (fixed from {backport_ver})" + } + if not args.output_json_file: + print(f"# {cve} may need backporting (fixed from {backport_ver})") + elif args.output_inc_file: + inc_lines.append(f'# {cve} may need backporting (fixed from {backport_ver})') + else: - print(f"# {cve} needs backporting (fixed from {fixed})") - - print() - + cve_status[cve] = { + "active": True, + "message": f"#Needs backporting (fixed from {fixed})" + } + if not args.output_json_file: + print(f"# {cve} needs backporting (fixed from {fixed})") + elif args.output_inc_file: + inc_lines.append(f'# {cve} needs backporting (fixed from {fixed})') + + if print_to_stdout: + print() + elif args.output_inc_file: + inc_lines.append("") + + # Emit structured output if --ret-struct was requested + if args.output_json_file: + args.output_json_file.write_text( + json.dumps( + { + "cve_status": cve_status, + }, + indent=2 + ), + encoding="utf-8" + ) + if args.output_inc_file: + args.output_inc_file.write_text("\n".join(inc_lines), encoding="utf-8") if __name__ == "__main__": main()
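Review bot: the per-CVE output routing in this hunk is wrong for the `--output-inc-file`-only case. Every branch does `if not args.output_json_file: print(...)` followed by `elif args.output_inc_file: inc_lines.append(...)`, so when only `--output-inc-file` is given the first test is true, all `CVE_STATUS[...]` and `# CVE-...` lines go to stdout, and the written .inc contains nothing but the header appended in the previous hunk (the class in 3/4 passes both options, which is why this went unnoticed). Replace the pair with two independent tests, `if print_to_stdout:` and `if args.output_inc_file:`, using the `print_to_stdout` variable already defined. Smaller points: the "needs backporting" message stored in the JSON is `"#Needs backporting (fixed from {fixed})"`, with a stray `#` and capital N unlike every other message, which a consumer that prints it as a comment will render as `# #Needs ...`; and the comment `# Emit structured output if --ret-struct was requested` names an option that does not exist (the option is `--output-json-file`).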
From patchwork Mon Feb 2 20:52:28 2026
X-Patchwork-Submitter: ValentinBoudevin
X-Patchwork-Id: 80281
From: ValentinBoudevin
To: openembedded-core@lists.openembedded.org
Cc: daniel.turull@ericsson.com, jerome.oufella@savoirfairelinux.com, ValentinBoudevin
Subject: [PATCH v7 2/4] cvelistv5: add a new recipe
Date: Mon, 2 Feb 2026 15:52:28 -0500
Message-ID: <20260202205231.2134908-3-valentin.boudevin@gmail.com>
In-Reply-To: <20260202205231.2134908-1-valentin.boudevin@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/230401

This recipe is in charge of cloning and setting up the cvelistv5 repository: https://github.com/CVEProject/cvelistV5

If the build is online, it is recommended to use SRCREV set to AUTOREV to use the latest available commit on the remote repository and stay up-to-date with the latest CVE information available. AUTOREV would make the build non-deterministic, which would break offline builds, so it is turned off by default.
Signed-off-by: ValentinBoudevin --- meta/conf/distro/include/maintainers.inc | 1 + .../cvelistv5-native/cvelistv5-native_git.bb | 19 +++++++++++++++++++ 2 files changed, 20 insertions(+) create mode 100644 meta/recipes-kernel/cvelistv5-native/cvelistv5-native_git.bb diff --git a/meta/conf/distro/include/maintainers.inc b/meta/conf/distro/include/maintainers.inc index e830648945..550ef0e0e7 100644 --- a/meta/conf/distro/include/maintainers.inc +++ b/meta/conf/distro/include/maintainers.inc @@ -139,6 +139,7 @@ RECIPE_MAINTAINER:pn-cryptodev-tests = "Robert Yang " RECIPE_MAINTAINER:pn-cups = "Chen Qi " RECIPE_MAINTAINER:pn-curl = "Robert Joslyn " RECIPE_MAINTAINER:pn-cve-update-nvd2-native = "Ross Burton " +RECIPE_MAINTAINER:pn-cvelistv5-native = "Valentin Boudevin " RECIPE_MAINTAINER:pn-db = "Unassigned " RECIPE_MAINTAINER:pn-dbus = "Chen Qi " RECIPE_MAINTAINER:pn-dbus-glib = "Chen Qi " diff --git a/meta/recipes-kernel/cvelistv5-native/cvelistv5-native_git.bb b/meta/recipes-kernel/cvelistv5-native/cvelistv5-native_git.bb new file mode 100644 index 0000000000..7ee1f04d0a --- /dev/null +++ b/meta/recipes-kernel/cvelistv5-native/cvelistv5-native_git.bb 
@@ -0,0 +1,19 @@ +SUMMARY = "CVE List V5" +DESCRIPTION = "Official CVE List. It is a catalog of all CVE Records identified by, or reported to, the CVE Program. \ +The cvelistV5 repository hosts downloadable files of CVE Records in the CVE Record Format." +HOMEPAGE = "https://github.com/CVEProject/cvelistV5" +LICENSE = "cve-tou" +LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/cve-tou;md5=4f7e96b3094e80e66b53359a8342c7f8" + +inherit allarch native + +SRC_URI = "git://github.com/CVEProject/cvelistV5.git;branch=main;protocol=https" + +# SRCREV is pinned to a fixed commit to ensure reproducible builds +# To get the latest commit available and stay up-to-date, set AUTOREV as SRCREV with SRCREV:pn-cvelistv5-native = "${AUTOREV}" +SRCREV ?= "644ce1758db1773336ebebb6a0da90e132da0eb7" + +do_install(){ + install -d ${D}${datadir}/cvelistv5-native + cp -r ${UNPACKDIR}/cvelistv5-git/* ${D}${datadir}/cvelistv5-native/ +}
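Review bot: `cp -r ${UNPACKDIR}/cvelistv5-git/* ${D}${datadir}/cvelistv5-native/` uses a shell glob, which does not match dotfiles, so `.git` is never installed; generate-cve-exclusions.py runs `git describe --tags HEAD` inside the data directory on its stdout path, which will fail against the staged copy, and nothing in the installed tree records which commit the CVE data came from. Either install a small stamp file containing `${SRCREV}` and have the generator read it, or copy with `cp -r ${S}/. ${D}${datadir}/cvelistv5-native/` (setting `S` to the checkout if it is not already), which also stops hardcoding the unpack directory name. On the `SRCREV ?=` comment: the pinned commit is the right default, and the AUTOREV alternative should say plainly that it makes the set of silenced kernel CVEs depend on whatever `main` holds at fetch time, with no change tracked in the layer, not only that the build stops being reproducible. `LIC_FILES_CHKSUM` points at the copy of cve-tou in `${COMMON_LICENSE_DIR}` rather than at a file in the fetched tree, so the license check would not notice a change in the upstream terms.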
From patchwork Mon Feb 2 20:52:29 2026
X-Patchwork-Submitter: ValentinBoudevin
X-Patchwork-Id: 80283
From: ValentinBoudevin
To: openembedded-core@lists.openembedded.org
Cc: daniel.turull@ericsson.com, jerome.oufella@savoirfairelinux.com, ValentinBoudevin
Subject: [PATCH v7 3/4] kernel-generate-cve-exclusions: Add a .bbclass
Date: Mon, 2 Feb 2026 15:52:29 -0500
Message-ID: <20260202205231.2134908-4-valentin.boudevin@gmail.com>
In-Reply-To: <20260202205231.2134908-1-valentin.boudevin@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/230402

Add a new class named kernel-generate-cve-exclusions.bbclass to use the generate-cve-exclusions script at every run.

Two steps for testing:
1) inherit this class in the kernel recipe with "inherit kernel-generate-cve-exclusions.bbclass"
2) Use the following command to generate the cve exclusions .json and .inc files: "bitbake linux-yocto -c do_generate_cve_exclusions"

This class contains several methods:
* do_generate_cve_exclusions: Use the script generate-cve-exclusions.py. It uses the new "--output-json-file" argument to generate a JSON file as an output stored in ${GENERATE_CVE_EXCLUSIONS_OUTPUT_JSON}, and a .inc file in ${GENERATE_CVE_EXCLUSIONS_OUTPUT_INC}
* do_cve_check:prepend: Parse the previously generated JSON file to set the variable CVE_STATUS correctly

The class also provides some variables:
* GENERATE_CVE_EXCLUSIONS_OUTPUT_JSON: path of the output JSON file used to set CVE_STATUS
* GENERATE_CVE_EXCLUSIONS_OUTPUT_INC: cve exclusions .inc file output path. Not used directly by this class (needs to be inherited manually).
Signed-off-by: Valentin Boudevin
---
 .../kernel-generate-cve-exclusions.bbclass | 46 +++++++++++++++++++
 1 file changed, 46 insertions(+)
 create mode 100644 meta/classes/kernel-generate-cve-exclusions.bbclass

diff --git a/meta/classes/kernel-generate-cve-exclusions.bbclass b/meta/classes/kernel-generate-cve-exclusions.bbclass
new file mode 100644
index 0000000000..8efa32f6a1
--- /dev/null
+++ b/meta/classes/kernel-generate-cve-exclusions.bbclass
@@ -0,0 +1,46 @@ +# Generate CVE exclusions for the kernel build (set to "1" to enable) +GENERATE_CVE_EXCLUSIONS_OUTPUT_JSON = "${WORKDIR}/temp/cve-exclusion_${LINUX_VERSION}.json" +GENERATE_CVE_EXCLUSIONS_OUTPUT_INC = "${WORKDIR}/temp//cve-exclusion_${LINUX_VERSION}.inc" + +do_generate_cve_exclusions() { + # Check for required files and directories + generate_cve_exclusions_script=${COREBASE}/scripts/contrib/generate-cve-exclusions.py + if [ ! -f "${generate_cve_exclusions_script}" ]; then + bbwarn "generate-cve-exclusions.py not found in ${generate_cve_exclusions_script}." + return 0 + fi + if [ ! -d "${STAGING_DATADIR_NATIVE}/cvelistv5-native" ]; then + bbwarn "CVE exclusions source directory not found in ${STAGING_DATADIR_NATIVE}/cvelistv5-native." + return 0 + fi + # Generate the CVE exclusions JSON & INC file + python3 "${generate_cve_exclusions_script}" \ + "${STAGING_DATADIR_NATIVE}/cvelistv5-native" \ + ${LINUX_VERSION} \ + --output-json-file "${GENERATE_CVE_EXCLUSIONS_OUTPUT_JSON}" \ + --output-inc-file "${GENERATE_CVE_EXCLUSIONS_OUTPUT_INC}" + bbplain "CVE exclusions generated for kernel version ${LINUX_VERSION} at ${GENERATE_CVE_EXCLUSIONS_OUTPUT_INC} and ${GENERATE_CVE_EXCLUSIONS_OUTPUT_JSON}." +} +do_generate_cve_exclusions[depends] += "cvelistv5-native:do_populate_sysroot" +do_generate_cve_exclusions[nostamp] = "1" +do_generate_cve_exclusions[doc] = "Generate CVE exclusions for the kernel build. 
(e.g., cve-exclusion_6.12.json)" +addtask generate_cve_exclusions after do_prepare_recipe_sysroot before do_cve_check + +python do_cve_check:prepend() { + import os + import json + workdir = d.getVar("${STAGING_DATADIR_NATIVE}/cvelistv5-native") + kernel_version = d.getVar("LINUX_VERSION") + json_input_file = d.getVar("GENERATE_CVE_EXCLUSIONS_OUTPUT_JSON") + if os.path.exists(json_input_file): + with open(json_input_file, 'r', encoding='utf-8') as f: + cve_data = json.load(f) + cve_status_dict = cve_data.get("cve_status", {}) + count = 0 + for cve_id, info in cve_status_dict.items(): + if info.get("active", True): + continue + d.setVarFlag("CVE_STATUS", cve_id, info.get("message", "")) + count += 1 + bb.note("Loaded %d CVE_STATUS entries from JSON output for kernel %s" % (count, kernel_version)) +}
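Review bot: `workdir = d.getVar("${STAGING_DATADIR_NATIVE}/cvelistv5-native")` in `do_cve_check:prepend` looks up a variable whose name is an expanded path, so it returns None, and `workdir` is never used; drop the line. Next, every failure path is close to silent: `do_generate_cve_exclusions` does `bbwarn ...; return 0` when the script or the data directory is missing, and the prepend does nothing at all when the JSON file does not exist, so a misconfigured build completes `do_cve_check` with zero kernel exclusions and only a warning in the log. That is the safe direction (CVEs are reported, not hidden), so keep the fail-closed behaviour, but have the prepend `bb.warn` when `GENERATE_CVE_EXCLUSIONS_OUTPUT_JSON` is absent instead of logging nothing, and consider `bbfatal` for the missing-script case now that the series ships the script. The `if info.get("active", True): continue` default is right: an entry without an explicit `active` is never turned into an exclusion. Also in this hunk: `GENERATE_CVE_EXCLUSIONS_OUTPUT_INC` has a doubled slash (`temp//cve-exclusion_`), the first-line comment says `(set to "1" to enable)` but the class defines no enable variable, the generator is run with the host `python3` rather than a Python the build controls (its imports are not visible here, so either inherit python3native or document the host requirement), and the test step in the commit message writes `inherit kernel-generate-cve-exclusions.bbclass` where `inherit kernel-generate-cve-exclusions` is the form `inherit` expects.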
From patchwork Mon Feb 2 20:52:30 2026
X-Patchwork-Submitter: ValentinBoudevin
X-Patchwork-Id: 80282
From: ValentinBoudevin
To: openembedded-core@lists.openembedded.org
Cc: daniel.turull@ericsson.com, jerome.oufella@savoirfairelinux.com, ValentinBoudevin
Subject: [PATCH v7 4/4] generate-cve-exclusions: Move python script
Date: Mon, 2 Feb 2026 15:52:30 -0500
Message-ID: <20260202205231.2134908-5-valentin.boudevin@gmail.com>
In-Reply-To: <20260202205231.2134908-1-valentin.boudevin@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/230403

The script should be located with other scripts in scripts/contrib instead of staying in meta/classes/. Update the new .bbclass to match this modification.

Signed-off-by: Valentin Boudevin
---
 .../linux => scripts/contrib}/generate-cve-exclusions.py | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename {meta/recipes-kernel/linux => scripts/contrib}/generate-cve-exclusions.py (100%)

diff --git a/meta/recipes-kernel/linux/generate-cve-exclusions.py b/scripts/contrib/generate-cve-exclusions.py
similarity index 100%
rename from meta/recipes-kernel/linux/generate-cve-exclusions.py
rename to scripts/contrib/generate-cve-exclusions.py
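Review bot: the commit message says the new .bbclass is updated to match the move, but the diff is a pure rename (0 insertions, 0 deletions), and it says the script lived in meta/classes/ while the rename is from meta/recipes-kernel/linux/. Because 3/4 already hardcodes `${COREBASE}/scripts/contrib/generate-cve-exclusions.py`, the series is not bisectable: at 3/4 the class hits its "not found" `bbwarn` and returns 0, so `do_cve_check` runs with no kernel exclusions until 4/4 is applied. Either move the script before adding the class (swap 3/4 and 4/4) or fold the rename into 3/4, and correct the path in the message.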
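As an added example (not code from the patch series or from OpenEmbedded), here is a stand-alone Python consumer of the `cve_status` JSON that 1/4 emits, doing what 3/4's `do_cve_check:prepend` does but with the validation a reviewer would want before a CVE is silenced: the CVE identifier syntax is checked, `active` must be an explicit boolean, and a non-active entry only becomes a `CVE_STATUS` exclusion when its message starts with one of the status prefixes the generator actually emits (`fixed-version:` and `cpe-stable-backport:`, the two visible in the patch). Everything else is rejected and reported rather than applied. The sample JSON is constructed for the example (the two CVE-2019 entries mirror the commit message; the other identifiers, versions and messages are invented), `KNOWN_STATUS_PREFIXES` is an assumption limited to what the page shows, and the BitBake datastore is stood in for by a plain callable so the code runs outside a build.

```python
"""Consume the {"cve_status": {...}} JSON described in patch 1/4 and turn
it into CVE_STATUS varflags the way patch 3/4's do_cve_check:prepend does,
adding validation so that only well-formed, explicitly non-active entries
can hide a CVE from the report. Example code, not part of the patch set."""
import json
import re

# CVE identifier syntax (assumed from the CVE ID format, not from the page).
CVE_ID_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")

# Status prefixes the generator emits for non-active entries; the set is an
# assumption limited to the messages visible in the patch. Anything else is
# refused rather than used to suppress a CVE report.
KNOWN_STATUS_PREFIXES = ("fixed-version:", "cpe-stable-backport:")

# Constructed sample in the shape shown in the 1/4 commit message. The two
# CVE-2019 entries mirror it; the remaining identifiers and values are made up.
SAMPLE_JSON = json.dumps({
    "cve_status": {
        "CVE-2019-25160": {"active": False, "message": "fixed-version: Fixed from version 5.0"},
        "CVE-2019-25162": {"active": False, "message": "fixed-version: Fixed from version 6.0"},
        "CVE-2023-00002": {"active": False, "message": "cpe-stable-backport: Backported in 6.1.35"},
        "CVE-2024-00003": {"active": True, "message": "Needs backporting (fixed from 6.8)"},
        "CVE-2024-00004": {"active": False, "message": "fixed in a commit somewhere"},
        "CVE-2024-00005": {"active": "no", "message": "fixed-version: Fixed from version 6.6"},
        "not-a-cve": {"active": False, "message": "fixed-version: Fixed from version 5.0"},
    }
})


def load_cve_status(text):
    """Parse the generator's JSON and partition it.

    Returns (exclusions, still_active, rejected):
      exclusions   {cve: message} entries safe to load into CVE_STATUS
      still_active {cve: message} CVEs that must keep being reported
      rejected     {key: reason}  malformed entries, never applied
    """
    data = json.loads(text)
    entries = data.get("cve_status")
    if not isinstance(entries, dict):
        raise ValueError("missing or malformed 'cve_status' object")
    exclusions, still_active, rejected = {}, {}, {}
    for cve_id, info in entries.items():
        if not CVE_ID_RE.match(cve_id):
            rejected[cve_id] = "bad CVE identifier"
            continue
        if not isinstance(info, dict) or not isinstance(info.get("active"), bool):
            rejected[cve_id] = "missing boolean 'active'"
            continue
        message = str(info.get("message", "")).strip()
        if info["active"]:
            # Default-deny: an active CVE is never turned into an exclusion.
            still_active[cve_id] = message
            continue
        if not message.startswith(KNOWN_STATUS_PREFIXES):
            rejected[cve_id] = "message has no recognised status prefix"
            continue
        exclusions[cve_id] = message
    return exclusions, still_active, rejected


def render_inc(exclusions, still_active):
    """Render the same data as a .inc fragment: one CVE_STATUS varflag per
    exclusion and a comment line per CVE that still needs work."""
    lines = ['CVE_STATUS[%s] = "%s"' % (c, exclusions[c]) for c in sorted(exclusions)]
    lines += ["# %s %s" % (c, still_active[c]) for c in sorted(still_active)]
    return "\n".join(lines) + "\n"


def apply_to_datastore(setvarflag, exclusions):
    """Mirror of the d.setVarFlag("CVE_STATUS", cve, msg) loop in the class.
    Takes the setter as a callable so it runs outside BitBake; returns the
    number of exclusions applied."""
    for cve_id, message in exclusions.items():
        setvarflag("CVE_STATUS", cve_id, message)
    return len(exclusions)


if __name__ == "__main__":
    excl, active, bad = load_cve_status(SAMPLE_JSON)
    print(render_inc(excl, active))
    for key, reason in bad.items():
        print("rejected %s: %s" % (key, reason))
```

Run it directly to see the rendered .inc fragment and the rejected entries; inside the class, `apply_to_datastore(d.setVarFlag, exclusions)` would replace the loop in the prepend. The ordering of the checks is the point: a malformed or unexpected entry must never fall through into an exclusion, because every `CVE_STATUS` entry hides a CVE from the report.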