From patchwork Fri Feb 20 05:34:10 2026
X-Patchwork-Submitter: "Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)"
X-Patchwork-Id: 81443
From: "Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)"
To: openembedded-core@lists.openembedded.org
Cc: xe-linux-external@cisco.com, vchavda@cisco.com
Subject: [openembedded-core] [scarthgap] [PATCH v1 01/34] cve-check: encode affected product/vendor in CVE_STATUS
Date: Thu, 19 Feb 2026 21:34:10 -0800
Message-Id: <20260220053443.3006180-1-hetpat@cisco.com>
X-Mailer: git-send-email 2.35.6
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/231457

From: Marta Rybczynska

CVE_STATUS contains an assessment of a given CVE, but until now it didn't include the affected vendor/product. In the case of a global system include, that CVE_STATUS was visible in all recipes.

This patch allows encoding of the affected product/vendor in each CVE_STATUS assessment, also for groups. We can then filter them later and use only CVEs that correspond to the recipe.

This is going to be used in meta/conf/distro/include/cve-extra-exclusions.inc and similar places.

Backport Changes:
- Discarded the changes to meta/lib/oe/spdx30_tasks.py, as the commit history for this file diverges from the base commit itself (9c9b9545049a in the scarthgap branch).
- Additionally, the changes do not introduce any major features and are primarily focused on code restructuring.

Signed-off-by: Marta Rybczynska
Signed-off-by: Richard Purdie
(cherry picked from commit abca80a716e92fc18d3085aba1a15f4bac72379c)
Signed-off-by: Het Patel --- meta/classes/cve-check.bbclass | 24 ++++++++++----------- meta/lib/oe/cve_check.py | 39 ++++++++++++++++++++++++++-------- 2 files changed, 42 insertions(+), 21 deletions(-) diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass index 3f4704fb4e..de5ddf6f04 100644 --- a/meta/classes/cve-check.bbclass +++ b/meta/classes/cve-check.bbclass @@ -316,8 +316,8 @@ def check_cves(d, patched_cves): # Convert CVE_STATUS into ignored CVEs and check validity cve_ignore = [] for cve in (d.getVarFlags("CVE_STATUS") or {}): - decoded_status, _, _ = decode_cve_status(d, cve) - if decoded_status == "Ignored": + decoded_status = decode_cve_status(d, cve) + if 'mapping' in decoded_status and decoded_status['mapping'] == "Ignored": cve_ignore.append(cve) import sqlite3 @@ -500,11 +500,11 @@ def cve_write_data_text(d, patched, unpatched, ignored, cve_data): write_string += "PACKAGE VERSION: %s%s\n" % (d.getVar("EXTENDPE"), d.getVar("PV")) write_string += "CVE: %s\n" % cve write_string += "CVE STATUS: %s\n" % status - _, detail, description = decode_cve_status(d, cve) - if detail: - write_string += "CVE DETAIL: %s\n" % detail - if description: - write_string += "CVE DESCRIPTION: %s\n" % description + status_details = decode_cve_status(d, cve) + if 'detail' in status_details: + write_string += "CVE DETAIL: %s\n" % status_details['detail'] + if 'description' in status_details: + write_string += "CVE DESCRIPTION: %s\n" % status_details['description'] write_string += "CVE SUMMARY: %s\n" % cve_data[cve]["summary"] write_string += "CVSS v2 BASE SCORE: %s\n" % cve_data[cve]["scorev2"] write_string += "CVSS v3 BASE SCORE: %s\n" % cve_data[cve]["scorev3"] 
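Review bot: the membership tests in these two hunks change what gets printed. In check_cves, `if 'mapping' in decoded_status and decoded_status['mapping'] == "Ignored":` reads more simply as `if decoded_status.get('mapping') == "Ignored":`, since decode_cve_status returns either an empty dict or a dict that always carries "mapping". In cve_write_data_text the old code wrote CVE DETAIL and CVE DESCRIPTION only when the values were non-empty (`if detail:`, `if description:`), but the new `if 'description' in status_details:` is always true once a CVE_STATUS flag exists because decode_cve_status sets "description" to "" by default, so every entry without a description now gets an empty "CVE DESCRIPTION: " line in the text report. Use `status_details.get('detail')` / `status_details.get('description')` as the condition to keep the previous output.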
@@ -632,11 +632,11 @@ def cve_write_data_json(d, patched, unpatched, ignored, cve_data, cve_status): "status" : status, "link": issue_link } - _, detail, description = decode_cve_status(d, cve) - if detail: - cve_item["detail"] = detail - if description: - cve_item["description"] = description + status_details = decode_cve_status(d, cve) + if 'detail' in status_details: + cve_item["detail"] = status_details['detail'] + if 'description' in status_details: + cve_item["description"] = status_details['description'] cve_list.append(cve_item) package_data["issue"] = cve_list diff --git a/meta/lib/oe/cve_check.py b/meta/lib/oe/cve_check.py index 7c09b78242..767d1a6750 100644 --- a/meta/lib/oe/cve_check.py +++ b/meta/lib/oe/cve_check.py @@ -132,8 +132,8 @@ def get_patched_cves(d): # Search for additional patched CVEs for cve in (d.getVarFlags("CVE_STATUS") or {}): - decoded_status, _, _ = decode_cve_status(d, cve) - if decoded_status == "Patched": + decoded_status = decode_cve_status(d, cve) + if 'mapping' in decoded_status and decoded_status['mapping'] == "Patched": bb.debug(2, "CVE %s is additionally patched" % cve) patched_cves.add(cve) 
@@ -227,22 +227,43 @@ def convert_cve_version(version): def decode_cve_status(d, cve): """ - Convert CVE_STATUS into status, detail and description. + Convert CVE_STATUS into status, vendor, product, detail and description. """ status = d.getVarFlag("CVE_STATUS", cve) if not status: - return ("", "", "") + return {} + + status_split = status.split(':', 5) + status_out = {} + status_out["detail"] = status_split[0] + product = "*" + vendor = "*" + description = "" + if len(status_split) >= 4 and status_split[1].strip() == "cpe": + # Both vendor and product are mandatory if cpe: present, the syntax is then: + # detail: cpe:vendor:product:description + vendor = status_split[2].strip() + product = status_split[3].strip() + description = status_split[4].strip() + elif len(status_split) >= 2 and status_split[1].strip() == "cpe": + # Malformed CPE + bb.warn('Invalid CPE information for CVE_STATUS[%s] = "%s", not setting CPE' % (detail, cve, status)) + else: + # Other case: no CPE, the syntax is then: + # detail: description + description = status_split[len(status_split)-1].strip() if (len(status_split) > 1) else "" - status_split = status.split(':', 1) - detail = status_split[0] - description = status_split[1].strip() if (len(status_split) > 1) else "" + status_out["vendor"] = vendor + status_out["product"] = product + status_out["description"] = description - status_mapping = d.getVarFlag("CVE_CHECK_STATUSMAP", detail) + status_mapping = d.getVarFlag("CVE_CHECK_STATUSMAP", status_out['detail']) if status_mapping is None: bb.warn('Invalid detail "%s" for CVE_STATUS[%s] = "%s", fallback to Unpatched' % (detail, cve, status)) status_mapping = "Unpatched" + status_out["mapping"] = status_mapping - return (status_mapping, detail, description) + return status_out def extend_cve_status(d): # do this only once in case multiple classes use this From patchwork Fri Feb 20 05:34:11 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit 
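Review bot: in patch 01/34's decode_cve_status hunk (@@ -227,22 +227,43 @@) both bb.warn calls reference `detail`, which this hunk removed (`status_out["detail"] = status_split[0]` replaced `detail = status_split[0]`), so either warning path raises NameError; the malformed-CPE warning additionally passes three values `(detail, cve, status)` to a format string with only two `%s`. Use `status_out['detail']` and fix the argument count. The cpe branch also indexes `status_split[4]` under a `len(status_split) >= 4` guard, so `detail: cpe:vendor:product` with no description raises IndexError; guard with `> 4` or default the description to "". Lastly, `status.split(':', 5)` changes how descriptions are kept: in the cpe case anything after a fifth colon is dropped, and in the plain case `status_split[len(status_split)-1]` keeps only the last colon-separated fragment, whereas the previous `split(':', 1)` kept the whole description. Rejoining with `":".join(status_split[4:]).strip()` and `":".join(status_split[1:]).strip()` preserves colons inside descriptions.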
X-Patchwork-Submitter: "Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)"
X-Patchwork-Id: 81435
From: "Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)"
To: openembedded-core@lists.openembedded.org
Cc: xe-linux-external@cisco.com, vchavda@cisco.com
Subject: [openembedded-core] [scarthgap] [PATCH v1 02/34] cve_check: Update selftest with new status detail
Date: Thu, 19 Feb 2026 21:34:11 -0800
Message-Id: <20260220053443.3006180-2-hetpat@cisco.com>
X-Mailer: git-send-email 2.35.6
In-Reply-To: <20260220053443.3006180-1-hetpat@cisco.com>
References: <20260220053443.3006180-1-hetpat@cisco.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/231455

From: Samantha Jalabert

Signed-off-by: Samantha Jalabert
Signed-off-by: Marta Rybczynska
Signed-off-by: Richard Purdie
(cherry picked from commit ea7681ffc15cac970c395daab56ba264ac406cd6)
Signed-off-by: Het Patel
---
 meta/lib/oeqa/selftest/cases/cve_check.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/meta/lib/oeqa/selftest/cases/cve_check.py b/meta/lib/oeqa/selftest/cases/cve_check.py
index 60cecd1328..a40272c919 100644
--- a/meta/lib/oeqa/selftest/cases/cve_check.py
+++ b/meta/lib/oeqa/selftest/cases/cve_check.py
@@ -217,9 +217,10 @@ CVE_CHECK_REPORT_PATCHED = "1" # m4 CVE should not be in logrotate self.assertNotIn("CVE-2008-1687", found_cves) # logrotate has both Patched and Ignored CVEs + detail = "version-not-in-range" self.assertIn("CVE-2011-1098", found_cves) self.assertEqual(found_cves["CVE-2011-1098"]["status"], "Patched") - self.assertEqual(len(found_cves["CVE-2011-1098"]["detail"]), 0) + self.assertEqual(found_cves["CVE-2011-1098"]["detail"], detail) self.assertEqual(len(found_cves["CVE-2011-1098"]["description"]), 0) detail = "not-applicable-platform" description = "CVE is debian, gentoo or SUSE specific on the way logrotate was installed/used" From patchwork Fri Feb 20 05:34:12 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)" X-Patchwork-Id: 81450 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 1698EC54FCC for ; Fri, 20 Feb 2026 05:34:50 +0000 (UTC) Received: from alln-iport-1.cisco.com (alln-iport-1.cisco.com [173.37.142.88]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.32607.1771565685880906200 for ; Thu, 19 Feb 2026 21:34:46 -0800 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: message contains an insecure body length tag" header.i=@cisco.com header.s=iport01 header.b=WjGvxue0; spf=pass (domain: cisco.com, ip: 173.37.142.88, mailfrom: hetpat@cisco.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.com; i=@cisco.com; l=19067; q=dns/txt; s=iport01; t=1771565685; x=1772775285; h=from:to:cc:subject:date:message-id:in-reply-to: references:mime-version:content-transfer-encoding; bh=+6a8f8QOZjHnH8QFA6HcYnWOct2WlK9bSmQOd7nhAZs=; b=WjGvxue0mKxdRNeWLL6DSAy40+aJ53f5Bidm1X8hLLNozM5PVNFUh2o6 
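Review bot: the selftest hunk of patch 02/34 now asserts `found_cves["CVE-2011-1098"]["detail"] == "version-not-in-range"`, but nothing in 01/34 produces that string: after 01 the JSON "detail" field is still taken from decode_cve_status, i.e. from a CVE_STATUS entry, and the assertion being replaced (`len(...["detail"]) == 0`) shows this CVE has none. The value only appears once 03/34 records {"abbrev-status": "Patched", "status": "version-not-in-range"} for a version-range miss and copies "status" into "detail", so the cve_check selftest fails at this point in the series. Squash this change into 03/34 or move it after it to keep the series bisectable.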
From: "Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)"
To: openembedded-core@lists.openembedded.org
Cc: xe-linux-external@cisco.com, vchavda@cisco.com
Subject: [openembedded-core] [scarthgap] [PATCH v1 03/34] cve-check: annotate CVEs during analysis
Date: Thu, 19 Feb 2026 21:34:12 -0800
Message-Id: <20260220053443.3006180-3-hetpat@cisco.com>
X-Mailer: git-send-email 2.35.6
In-Reply-To: <20260220053443.3006180-1-hetpat@cisco.com>
References: <20260220053443.3006180-1-hetpat@cisco.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/231458
From: Marta Rybczynska

Add status information for each CVE under analysis. Previously the information passed between the different functions of the cve-check class included only tables of patched, unpatched and ignored vulnerabilities and the general status of the recipe.

The VEX work requires more information, and we need to pass it between different functions so that it can be enriched as the analysis progresses.

Instead of multiple tables, use a single one with annotations for each CVE encountered. For example, a patched CVE will have:

{"abbrev-status": "Patched", "status": "version-not-in-range"}

abbrev-status contains the general status (Patched, Unpatched, Ignored and Unknown that will be added in the VEX code)
status contains more detailed information that can come from CVE_STATUS and the analysis.

Additional fields of the annotation include for example the name of the patch file fixing a given CVE.

We also use the annotation in CVE_STATUS to filter out entries that do not apply to the given recipe.

Backport Changes:
- Cherry-picking this patch, which precedes commit [358dbfcd80ae] in master. Since commit [358dbfcd80ae] was already cherry-picked earlier in scarthgap, adjusted the changes accordingly to avoid conflicts.

Signed-off-by: Marta Rybczynska
Signed-off-by: Samantha Jalabert
Signed-off-by: Richard Purdie
(cherry picked from commit 452e605b55ad61c08f4af7089a5a9c576ca28f7d)
Signed-off-by: Het Patel
---
 meta/classes/cve-check.bbclass | 214 +++++++++++++++++----------------
 meta/lib/oe/cve_check.py       |  35 +++++-
 2 files changed, 142 insertions(+), 107 deletions(-)

diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index de5ddf6f04..32fb9e8a5c 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -176,10 +176,10 @@ python do_cve_check () { patched_cves = get_patched_cves(d) except FileNotFoundError: bb.fatal("Failure in searching patches") - ignored, patched, unpatched, status = check_cves(d, patched_cves) - if patched or unpatched or (d.getVar("CVE_CHECK_COVERAGE") == "1" and status): - cve_data = get_cve_info(d, patched + unpatched + ignored) - cve_write_data(d, patched, unpatched, ignored, cve_data, status) + cve_data, status = check_cves(d, patched_cves) + if len(cve_data) or (d.getVar("CVE_CHECK_COVERAGE") == "1" and status): + get_cve_info(d, cve_data) + cve_write_data(d, cve_data, status) else: bb.note("No CVE database found, skipping CVE check") 
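Review bot: in the do_cve_check hunk, `if len(cve_data) or (d.getVar("CVE_CHECK_COVERAGE") == "1" and status):` can be `if cve_data or (...)`; the dict is already falsy when empty and the `len()` call only adds noise. The dropped assignment on the `get_cve_info(d, cve_data)` line is consistent with get_cve_info now filling the dict in place and returning nothing.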
@@ -287,7 +287,51 @@ ROOTFS_POSTPROCESS_COMMAND:prepend = "${@'cve_check_write_rootfs_manifest ' if d do_rootfs[recrdeptask] += "${@'do_cve_check' if d.getVar('CVE_CHECK_CREATE_MANIFEST') == '1' else ''}" do_populate_sdk[recrdeptask] += "${@'do_cve_check' if d.getVar('CVE_CHECK_CREATE_MANIFEST') == '1' else ''}" -def check_cves(d, patched_cves): +def cve_is_ignored(d, cve_data, cve): + if cve not in cve_data: + return False + if cve_data[cve]['abbrev-status'] == "Ignored": + return True + return False + +def cve_is_patched(d, cve_data, cve): + if cve not in cve_data: + return False + if cve_data[cve]['abbrev-status'] == "Patched": + return True + return False + +def cve_update(d, cve_data, cve, entry): + # If no entry, just add it + if cve not in cve_data: + cve_data[cve] = entry + return + # If we are updating, there might be change in the status + bb.debug("Trying CVE entry update for %s from %s to %s" % (cve, cve_data[cve]['abbrev-status'], entry['abbrev-status'])) + if cve_data[cve]['abbrev-status'] == "Unknown": + cve_data[cve] = entry + return + if cve_data[cve]['abbrev-status'] == entry['abbrev-status']: + return + # Update like in {'abbrev-status': 'Patched', 'status': 'version-not-in-range'} to {'abbrev-status': 'Unpatched', 'status': 'version-in-range'} + if entry['abbrev-status'] == "Unpatched" and cve_data[cve]['abbrev-status'] == "Patched": + if entry['status'] == "version-in-range" and cve_data[cve]['status'] == "version-not-in-range": + # New result from the scan, vulnerable + cve_data[cve] = entry + bb.debug("CVE entry %s update from Patched to Unpatched from the scan result" % cve) + return + if entry['abbrev-status'] == "Patched" and cve_data[cve]['abbrev-status'] == "Unpatched": + if entry['status'] == "version-not-in-range" and cve_data[cve]['status'] == "version-in-range": + # Range does not match the scan, but we already have a vulnerable match, ignore + bb.debug("CVE entry %s update from Patched to Unpatched from the scan result - not 
applying" % cve) + return + # If we have an "Ignored", it has a priority + if cve_data[cve]['abbrev-status'] == "Ignored": + bb.debug("CVE %s not updating because Ignored" % cve) + return + bb.warn("Unhandled CVE entry update for %s from %s to %s" % (cve, cve_data[cve], entry)) + +def check_cves(d, cve_data): """ Connect to the NVD database and find unpatched cves. """ @@ -297,28 +341,19 @@ def check_cves(d, patched_cves): real_pv = d.getVar("PV") suffix = d.getVar("CVE_VERSION_SUFFIX") - cves_unpatched = [] - cves_ignored = [] cves_status = [] cves_in_recipe = False # CVE_PRODUCT can contain more than one product (eg. curl/libcurl) products = d.getVar("CVE_PRODUCT").split() # If this has been unset then we're not scanning for CVEs here (for example, image recipes) if not products: - return ([], [], [], []) + return ([], []) pv = d.getVar("CVE_VERSION").split("+git")[0] # If the recipe has been skipped/ignored we return empty lists if pn in d.getVar("CVE_CHECK_SKIP_RECIPE").split(): bb.note("Recipe has been skipped by cve-check") - return ([], [], [], []) - - # Convert CVE_STATUS into ignored CVEs and check validity - cve_ignore = [] - for cve in (d.getVarFlags("CVE_STATUS") or {}): - decoded_status = decode_cve_status(d, cve) - if 'mapping' in decoded_status and decoded_status['mapping'] == "Ignored": - cve_ignore.append(cve) + return ([], []) import sqlite3 db_file = d.expand("file:${CVE_CHECK_DB_FILE}?mode=ro") @@ -337,11 +372,10 @@ def check_cves(d, patched_cves): for cverow in cve_cursor: cve = cverow[0] - if cve in cve_ignore: + if cve_is_ignored(d, cve_data, cve): bb.note("%s-%s ignores %s" % (product, pv, cve)) - cves_ignored.append(cve) continue - elif cve in patched_cves: + elif cve_is_patched(d, cve_data, cve): bb.note("%s has been patched" % (cve)) continue # Write status once only for each product 
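Review bot: in the cve_update hunk (@@ -287,7 +287,51 @@) the four bb.debug() calls omit the level argument, e.g. `bb.debug("Trying CVE entry update for %s from %s to %s" % (cve, cve_data[cve]['abbrev-status'], entry['abbrev-status']))`; bb.debug takes the level first (the rest of this file uses `bb.debug(2, ...)`), and bitbake logs a "Passed invalid debug level" warning when it receives a string there, so every entry update would emit a warning. Also, the branch guarded by `entry['abbrev-status'] == "Patched" and cve_data[cve]['abbrev-status'] == "Unpatched"` logs "update from Patched to Unpatched from the scan result - not applying", which is the opposite direction of the case it handles; fix the message so the log matches the transition being refused.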
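Review bot: in the check_cves hunk (@@ -297,28 +341,19 @@) the two early exits `return ([], [])` return a list in the position where the caller now expects the cve_data dict: do_cve_check does `cve_data, status = check_cves(d, patched_cves)` and then calls `len(cve_data)` and `get_cve_info(d, cve_data)` on it. It only works because the list is empty. Return `(cve_data, [])` (or `({}, [])`) so the type stays stable across all return paths.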
@@ -357,7 +391,7 @@ def check_cves(d, patched_cves): for row in product_cursor: (_, _, _, version_start, operator_start, version_end, operator_end) = row #bb.debug(2, "Evaluating row " + str(row)) - if cve in cve_ignore: + if cve_is_ignored(d, cve_data, cve): ignored = True version_start = convert_cve_version(version_start) @@ -396,16 +430,16 @@ def check_cves(d, patched_cves): if vulnerable: if ignored: bb.note("%s is ignored in %s-%s" % (cve, pn, real_pv)) - cves_ignored.append(cve) + cve_update(d, cve_data, cve, {"abbrev-status": "Ignored"}) else: bb.note("%s-%s is vulnerable to %s" % (pn, real_pv, cve)) - cves_unpatched.append(cve) + cve_update(d, cve_data, cve, {"abbrev-status": "Unpatched", "status": "version-in-range"}) break product_cursor.close() if not vulnerable: bb.note("%s-%s is not vulnerable to %s" % (pn, real_pv, cve)) - patched_cves.add(cve) + cve_update(d, cve_data, cve, {"abbrev-status": "Patched", "status": "version-not-in-range"}) cve_cursor.close() if not cves_in_product: 
@@ -413,49 +447,46 @@ def check_cves(d, patched_cves): cves_status.append([product, False]) conn.close() - diff_ignore = list(set(cve_ignore) - set(cves_ignored)) - if diff_ignore: - oe.qa.handle_error("cve_status_not_in_db", "Found CVE (%s) with CVE_STATUS set that are not found in database for this component" % " ".join(diff_ignore), d) if not cves_in_recipe: bb.note("No CVE records for products in recipe %s" % (pn)) - return (list(cves_ignored), list(patched_cves), cves_unpatched, cves_status) + return (cve_data, cves_status) -def get_cve_info(d, cves): +def get_cve_info(d, cve_data): """ Get CVE information from the database. """ import sqlite3 - cve_data = {} db_file = d.expand("file:${CVE_CHECK_DB_FILE}?mode=ro") conn = sqlite3.connect(db_file, uri=True) - for cve in cves: + for cve in cve_data: cursor = conn.execute("SELECT * FROM NVD WHERE ID IS ?", (cve,)) for row in cursor: - cve_data[row[0]] = {} - cve_data[row[0]]["summary"] = row[1] - cve_data[row[0]]["scorev2"] = row[2] - cve_data[row[0]]["scorev3"] = row[3] - cve_data[row[0]]["scorev4"] = row[4] - cve_data[row[0]]["modified"] = row[5] - cve_data[row[0]]["vector"] = row[6] - cve_data[row[0]]["vectorString"] = row[7] + # The CVE itdelf has been added already + if row[0] not in cve_data: + bb.note("CVE record %s not present" % row[0]) + continue + #cve_data[row[0]] = {} + cve_data[row[0]]["NVD-summary"] = row[1] + cve_data[row[0]]["NVD-scorev2"] = row[2] + cve_data[row[0]]["NVD-scorev3"] = row[3] + cve_data[row[0]]["NVD-scorev4"] = row[4] + cve_data[row[0]]["NVD-modified"] = row[5] + cve_data[row[0]]["NVD-vector"] = row[6] + cve_data[row[0]]["NVD-vectorString"] = row[7] cursor.close() conn.close() - return cve_data -def cve_write_data_text(d, patched, unpatched, ignored, cve_data): +def cve_write_data_text(d, cve_data): """ Write CVE information in WORKDIR; and to CVE_CHECK_DIR, and CVE manifest if enabled. 
""" - from oe.cve_check import decode_cve_status - cve_file = d.getVar("CVE_CHECK_LOG") fdir_name = d.getVar("FILE_DIRNAME") layer = fdir_name.split("/")[-3] @@ -472,7 +503,7 @@ def cve_write_data_text(d, patched, unpatched, ignored, cve_data): return # Early exit, the text format does not report packages without CVEs - if not patched+unpatched+ignored: + if not len(cve_data): return nvd_link = "https://nvd.nist.gov/vuln/detail/" 
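Review bot: the hunk at @@ -413,49 +447,46 @@ silently drops the `diff_ignore` block and its `oe.qa.handle_error("cve_status_not_in_db", ...)` call, so a CVE_STATUS entry naming a CVE that is absent from the database no longer raises the cve_status_not_in_db QA warning. The commit message does not mention losing this check, and distros that list it in WARN_QA/ERROR_QA lose the signal; either re-implement the check against the new cve_data annotations or state the removal in the message. In the same hunk, the get_cve_info comment should read "itself", the `if row[0] not in cve_data:` guard can never trigger because the query is keyed on the loop's own `cve` taken from cve_data, and the commented-out `#cve_data[row[0]] = {}` should be deleted rather than left behind.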
@@ -481,37 +512,30 @@ def cve_write_data_text(d, patched, unpatched, ignored, cve_data): bb.utils.mkdirhier(os.path.dirname(cve_file)) for cve in sorted(cve_data): - is_patched = cve in patched - is_ignored = cve in ignored - - status = "Unpatched" - if (is_patched or is_ignored) and not report_all: + if not report_all and (cve_data[cve]["abbrev-status"] == "Patched" or cve_data[cve]["abbrev-status"] == "Ignored"): continue - if is_ignored: - status = "Ignored" - elif is_patched: - status = "Patched" - else: - # default value of status is Unpatched - unpatched_cves.append(cve) - write_string += "LAYER: %s\n" % layer write_string += "PACKAGE NAME: %s\n" % d.getVar("PN") write_string += "PACKAGE VERSION: %s%s\n" % (d.getVar("EXTENDPE"), d.getVar("PV")) write_string += "CVE: %s\n" % cve - write_string += "CVE STATUS: %s\n" % status - status_details = decode_cve_status(d, cve) - if 'detail' in status_details: - write_string += "CVE DETAIL: %s\n" % status_details['detail'] - if 'description' in status_details: - write_string += "CVE DESCRIPTION: %s\n" % status_details['description'] - write_string += "CVE SUMMARY: %s\n" % cve_data[cve]["summary"] - write_string += "CVSS v2 BASE SCORE: %s\n" % cve_data[cve]["scorev2"] - write_string += "CVSS v3 BASE SCORE: %s\n" % cve_data[cve]["scorev3"] - write_string += "CVSS v4 BASE SCORE: %s\n" % cve_data[cve]["scorev4"] - write_string += "VECTOR: %s\n" % cve_data[cve]["vector"] - write_string += "VECTORSTRING: %s\n" % cve_data[cve]["vectorString"] + write_string += "CVE STATUS: %s\n" % cve_data[cve]["abbrev-status"] + + if 'status' in cve_data[cve]: + write_string += "CVE DETAIL: %s\n" % cve_data[cve]["status"] + if 'justification' in cve_data[cve]: + write_string += "CVE DESCRIPTION: %s\n" % cve_data[cve]["justification"] + + if "NVD-summary" in cve_data[cve]: + write_string += "CVE SUMMARY: %s\n" % cve_data[cve]["NVD-summary"] + write_string += "CVSS v2 BASE SCORE: %s\n" % cve_data[cve]["NVD-scorev2"] + write_string += "CVSS v3 
BASE SCORE: %s\n" % cve_data[cve]["NVD-scorev3"] + write_string += "CVSS v3 BASE SCORE: %s\n" % cve_data[cve]["NVD-scorev4"] + write_string += "VECTOR: %s\n" % cve_data[cve]["NVD-vector"] + write_string += "VECTORSTRING: %s\n" % cve_data[cve]["NVD-vectorString"] + write_string += "MORE INFORMATION: %s%s\n\n" % (nvd_link, cve) + if cve_data[cve]["abbrev-status"] == "Unpatched": + unpatched_cves.append(cve) if unpatched_cves and d.getVar("CVE_CHECK_SHOW_WARNINGS") == "1": bb.warn("Found unpatched CVE (%s), for more information check %s" % (" ".join(unpatched_cves),cve_file)) @@ -563,13 +587,11 @@ def cve_check_write_json_output(d, output, direct_file, deploy_file, manifest_fi with open(index_path, "a+") as f: f.write("%s\n" % fragment_path) -def cve_write_data_json(d, patched, unpatched, ignored, cve_data, cve_status): +def cve_write_data_json(d, cve_data, cve_status): """ Prepare CVE data for the JSON format, then write it. """ - from oe.cve_check import decode_cve_status - output = {"version":"1", "package": []} nvd_link = "https://nvd.nist.gov/vuln/detail/" @@ -587,8 +609,6 @@ def cve_write_data_json(d, patched, unpatched, ignored, cve_data, cve_status): if include_layers and layer not in include_layers: return - unpatched_cves = [] - product_data = [] for s in cve_status: p = {"product": s[0], "cvesInRecord": "Yes"} 
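Review bot: copy-paste error in the text writer's score block of the hunk at -481: the line `write_string += "CVSS v3 BASE SCORE: %s\n" % cve_data[cve]["NVD-scorev4"]` labels the v4 score as v3, so the text report now prints two "CVSS v3 BASE SCORE" lines and no v4 line; it should read `"CVSS v4 BASE SCORE: %s\n"`. In the same hunk the `report_all` skip indexes `cve_data[cve]["abbrev-status"]` unconditionally while the other keys ("status", "justification", "NVD-summary") are guarded with `in`; either document that "abbrev-status" is mandatory for every entry or guard it the same way. Minor, in the hunk at -472 above: `if not len(cve_data):` is more idiomatically `if not cve_data:`, which also matches the comment beside it.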
@@ -603,40 +623,32 @@ def cve_write_data_json(d, patched, unpatched, ignored, cve_data, cve_status): "version" : package_version, "products": product_data } + cve_list = [] for cve in sorted(cve_data): - is_patched = cve in patched - is_ignored = cve in ignored - status = "Unpatched" - if (is_patched or is_ignored) and not report_all: + if not report_all and (cve_data[cve]["abbrev-status"] == "Patched" or cve_data[cve]["abbrev-status"] == "Ignored"): continue - if is_ignored: - status = "Ignored" - elif is_patched: - status = "Patched" - else: - # default value of status is Unpatched - unpatched_cves.append(cve) - issue_link = "%s%s" % (nvd_link, cve) cve_item = { "id" : cve, - "summary" : cve_data[cve]["summary"], - "scorev2" : cve_data[cve]["scorev2"], - "scorev3" : cve_data[cve]["scorev3"], - "scorev4" : cve_data[cve]["scorev4"], - "vector" : cve_data[cve]["vector"], - "vectorString" : cve_data[cve]["vectorString"], - "status" : status, - "link": issue_link + "status" : cve_data[cve]["abbrev-status"], + "link": issue_link, } - status_details = decode_cve_status(d, cve) - if 'detail' in status_details: - cve_item["detail"] = status_details['detail'] - if 'description' in status_details: - cve_item["description"] = status_details['description'] + if 'NVD-summary' in cve_data[cve]: + cve_item["summary"] = cve_data[cve]["NVD-summary"] + cve_item["scorev2"] = cve_data[cve]["NVD-scorev2"] + cve_item["scorev3"] = cve_data[cve]["NVD-scorev3"] + cve_item["scorev4"] = cve_data[cve]["NVD-scorev4"] + cve_item["vector"] = cve_data[cve]["NVD-vector"] + cve_item["vectorString"] = cve_data[cve]["NVD-vectorString"] + if 'status' in cve_data[cve]: + cve_item["detail"] = cve_data[cve]["status"] + if 'justification' in cve_data[cve]: + cve_item["description"] = cve_data[cve]["justification"] + if 'resource' in cve_data[cve]: + cve_item["patch-file"] = cve_data[cve]["resource"] cve_list.append(cve_item) package_data["issue"] = cve_list 
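Review bot: the shape of each JSON record changes in this hunk while `output = {"version":"1", ...}` stays at version 1: "summary", "scorev2", "scorev3", "scorev4", "vector" and "vectorString" become optional (only emitted when "NVD-summary" is present), a new "patch-file" key appears, and "detail"/"description" are now sourced from `cve_data[cve]["status"]`/`["justification"]` instead of decode_cve_status. Consumers that key on those fields will break, so document the schema change in the commit message or bump the version. Also check what `patch_file` (stored under "resource" in get_patched_cves) actually contains, since it is now copied verbatim into the deployed JSON as "patch-file"; if it is an absolute build-host path that is worth knowing before shipping it.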
@@ -648,12 +660,12 @@ def cve_write_data_json(d, patched, unpatched, ignored, cve_data, cve_status): cve_check_write_json_output(d, output, direct_file, deploy_file, manifest_file) -def cve_write_data(d, patched, unpatched, ignored, cve_data, status): +def cve_write_data(d, cve_data, status): """ Write CVE data in each enabled format. """ if d.getVar("CVE_CHECK_FORMAT_TEXT") == "1": - cve_write_data_text(d, patched, unpatched, ignored, cve_data) + cve_write_data_text(d, cve_data) if d.getVar("CVE_CHECK_FORMAT_JSON") == "1": - cve_write_data_json(d, patched, unpatched, ignored, cve_data, status) + cve_write_data_json(d, cve_data, status) diff --git a/meta/lib/oe/cve_check.py b/meta/lib/oe/cve_check.py index 767d1a6750..37230b7957 100644 --- a/meta/lib/oe/cve_check.py +++ b/meta/lib/oe/cve_check.py @@ -88,7 +88,7 @@ def get_patched_cves(d): # (cve_match regular expression) cve_file_name_match = re.compile(r".*(CVE-\d{4}-\d+)", re.IGNORECASE) - patched_cves = set() + patched_cves = {} patches = oe.patch.src_patches(d) bb.debug(2, "Scanning %d patches for CVEs" % len(patches)) for url in patches: @@ -98,7 +98,7 @@ def get_patched_cves(d): fname_match = cve_file_name_match.search(patch_file) if fname_match: cve = fname_match.group(1).upper() - patched_cves.add(cve) + patched_cves[cve] = {"abbrev-status": "Patched", "status": "fix-file-included", "resource": patch_file} bb.debug(2, "Found %s from patch file name %s" % (cve, patch_file)) # Remote patches won't be present and compressed patches won't be @@ -124,7 +124,7 @@ def get_patched_cves(d): cves = patch_text[match.start()+5:match.end()] for cve in cves.split(): bb.debug(2, "Patch %s solves %s" % (patch_file, cve)) - patched_cves.add(cve) + patched_cves[cve] = {"abbrev-status": "Patched", "status": "fix-file-included", "resource": patch_file} text_match = True if not fname_match and not text_match: 
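Review bot: the two `patched_cves[cve] = {"abbrev-status": "Patched", "status": "fix-file-included", "resource": patch_file}` assignments in get_patched_cves (file-name match in the hunk at -98, "CVE:" text match in the hunk at -124) duplicate the same literal; a small helper would keep the two paths from drifting. More importantly, "fix-file-included" is emitted here but only gets its `CVE_CHECK_STATUSMAP` entry in the next patch of this series (04/34, cve-check-map: add new statuses), so a tree with this patch applied but not that one produces a status the map does not know; either move the map entry into this patch or reorder the series so the map lands first.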
@@ -133,9 +133,15 @@ def get_patched_cves(d): # Search for additional patched CVEs for cve in (d.getVarFlags("CVE_STATUS") or {}): decoded_status = decode_cve_status(d, cve) - if 'mapping' in decoded_status and decoded_status['mapping'] == "Patched": - bb.debug(2, "CVE %s is additionally patched" % cve) - patched_cves.add(cve) + products = d.getVar("CVE_PRODUCT") + if has_cve_product_match(decoded_status, products) == True: + patched_cves[cve] = { + "abbrev-status": decoded_status["mapping"], + "status": decoded_status["detail"], + "justification": decoded_status["description"], + "affected-vendor": decoded_status["vendor"], + "affected-product": decoded_status["product"] + } return patched_cves 
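Review bot: `if has_cve_product_match(decoded_status, products) == True:` should be `if has_cve_product_match(decoded_status, products):`. Two logic points in the same hunk: the removed code only added entries whose `mapping` was "Patched", whereas the new code adds every product-matching CVE_STATUS entry, Ignored and Unpatched mappings included, into a dict still named `patched_cves` under the comment "Search for additional patched CVEs"; that is presumably intended now that the writers read "abbrev-status" from it, but the name and the comment mislead and should be updated. And the new dict literal indexes `decoded_status["mapping"]`, `["detail"]`, `["description"]`, `["vendor"]` and `["product"]` unconditionally, where the removed line guarded with `'mapping' in decoded_status`; if decode_cve_status can return a partial dict, this raises KeyError during the build.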
@@ -286,3 +292,20 @@ def extend_cve_status(d): d.setVarFlag("CVE_STATUS", cve, d.getVarFlag(cve_status_group, "status")) else: bb.warn("CVE_STATUS_GROUPS contains undefined variable %s" % cve_status_group) + +def has_cve_product_match(detailed_status, products): + """ + Check product/vendor match between detailed_status from decode_cve_status and a string of + products (like from CVE_PRODUCT) + """ + for product in products.split(): + vendor = "*" + if ":" in product: + vendor, product = product.split(":", 1) + + if (vendor == detailed_status["vendor"] or detailed_status["vendor"] == "*") and \ + (product == detailed_status["product"] or detailed_status["product"] == "*"): + return True + + #if no match, return False + return False
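Review bot: the wildcard handling in has_cve_product_match is asymmetric and the docstring does not say so: `detailed_status["vendor"] == "*"` and `detailed_status["product"] == "*"` match anything, but a "*" on the `products` side (from CVE_PRODUCT) is compared literally and only matches a status that is itself "*". Spell this out in the docstring, since the selftest added in 05/34 relies on it. Minor: `#if no match, return False` wants a space after `#` to match the surrounding comment style, and `products.split()` raises AttributeError when `products` is None, so the caller in get_patched_cves should only pass a set CVE_PRODUCT or the function should default it.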
From: "Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)"
To: openembedded-core@lists.openembedded.org
Cc: xe-linux-external@cisco.com, vchavda@cisco.com
Subject: [openembedded-core] [scarthgap] [PATCH v1 04/34] cve-check-map: add new statuses
Date: Thu, 19 Feb 2026 21:34:13 -0800
Message-Id: <20260220053443.3006180-4-hetpat@cisco.com>
In-Reply-To: <20260220053443.3006180-1-hetpat@cisco.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/231454
From: Marta Rybczynska Add 'fix-file-included', 'version-not-in-range' and 'version-in-range' generated by the cve-check. 'fix-file-included' means that a fix file for the CVE has been located. 'version-not-in-range' means that the product version has been found outside of the vulnerable range. 'version-in-range' means that the product version has been found inside of the vulnerable range. Signed-off-by: Marta Rybczynska Signed-off-by: Samantha Jalabert Signed-off-by: Richard Purdie (cherry picked from commit d25f1817752bc8a84c40dcbef75f7559801ce15e) Signed-off-by: Het Patel --- meta/conf/cve-check-map.conf | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/meta/conf/cve-check-map.conf b/meta/conf/cve-check-map.conf index 17b0f15571..ac956379d1 100644 --- a/meta/conf/cve-check-map.conf +++ b/meta/conf/cve-check-map.conf @@ -8,11 +8,17 @@ CVE_CHECK_STATUSMAP[backported-patch] = "Patched" CVE_CHECK_STATUSMAP[cpe-stable-backport] = "Patched" # use when NVD DB does not mention correct version or does not mention any verion at all CVE_CHECK_STATUSMAP[fixed-version] = "Patched" +# use when a fix file has been included (set automatically) +CVE_CHECK_STATUSMAP[fix-file-included] = "Patched" +# do not use directly: automatic scan reports version number NOT in the vulnerable range (set automatically) +CVE_CHECK_STATUSMAP[version-not-in-range] = "Patched" # used internally by this class if CVE vulnerability is detected which is not marked as fixed or ignored CVE_CHECK_STATUSMAP[unpatched] = "Unpatched" # use when CVE is confirmed by upstream but fix is still not available CVE_CHECK_STATUSMAP[vulnerable-investigating] = "Unpatched" +# do not use directly: automatic scan reports version number IS in the vulnerable range (set automatically) +CVE_CHECK_STATUSMAP[version-in-range] = "Unpatched" # used for migration from old concept, do not use for new vulnerabilities CVE_CHECK_STATUSMAP[ignored] = "Ignored" 
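Review bot: the comment wording for the three automatically set statuses in this hunk is inconsistent: `fix-file-included` is introduced with "use when a fix file has been included (set automatically)", which reads as an invitation to set it by hand, while `version-not-in-range` and `version-in-range` say "do not use directly". All three are generated by cve-check, so give `fix-file-included` the same "do not use directly" phrasing. The pre-existing "verion" typo in the `fixed-version` comment could be fixed while touching this block.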
@@ -26,3 +32,6 @@ CVE_CHECK_STATUSMAP[not-applicable-config] = "Ignored" CVE_CHECK_STATUSMAP[not-applicable-platform] = "Ignored" # use when upstream acknowledged the vulnerability but does not plan to fix it CVE_CHECK_STATUSMAP[upstream-wontfix] = "Ignored" + +# use when it is impossible to conclude if the vulnerability is present or not +CVE_CHECK_STATUSMAP[unknown] = "Unknown"
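Review bot: `CVE_CHECK_STATUSMAP[unknown] = "Unknown"` introduces a fourth abbreviated status, but the writers reworked in 03/34 of this series only know three: entries are skipped when "abbrev-status" is "Patched" or "Ignored" and collected for the `CVE_CHECK_SHOW_WARNINGS` warning only when it is "Unpatched", so an "Unknown" CVE is written to the report but never warned about. State in the commit message how "Unknown" is meant to surface to users, and consider treating it like "Unpatched" for the warning since it is, by definition, not shown to be fixed.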
From: "Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)"
To: openembedded-core@lists.openembedded.org
Cc: xe-linux-external@cisco.com, vchavda@cisco.com
Subject: [openembedded-core] [scarthgap] [PATCH v1 05/34] selftest: add test_product_match
Date: Thu, 19 Feb 2026 21:34:14 -0800
Message-Id: <20260220053443.3006180-5-hetpat@cisco.com>
In-Reply-To: <20260220053443.3006180-1-hetpat@cisco.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/231456

From: Marta Rybczynska

CVECheck.test_product_match tests has_cve_product_match()

Signed-off-by: Marta Rybczynska
Signed-off-by: Richard Purdie
(cherry picked from commit 30ee6edc57ff7629a72606d1005f92d43a5d14f9)
Signed-off-by: Het Patel
---
 meta/lib/oeqa/selftest/cases/cve_check.py | 48 +++++++++++++++++++++++
 1 file changed, 48 insertions(+)

diff --git a/meta/lib/oeqa/selftest/cases/cve_check.py b/meta/lib/oeqa/selftest/cases/cve_check.py
index a40272c919..3dd3e89d3e 100644
--- a/meta/lib/oeqa/selftest/cases/cve_check.py
+++ b/meta/lib/oeqa/selftest/cases/cve_check.py
@@ -72,6 +72,54 @@ class CVECheck(OESelftestTestCase): self.assertEqual(convert_cve_version("6.2_rc8"), "6.2-rc8") self.assertEqual(convert_cve_version("6.2_rc31"), "6.2-rc31") + def test_product_match(self): + from oe.cve_check import has_cve_product_match + + status = {} + status["detail"] = "ignored" + status["vendor"] = "*" + status["product"] = "*" + status["description"] = "" + status["mapping"] = "" + + self.assertEqual(has_cve_product_match(status, "some_vendor:some_product"), True) + self.assertEqual(has_cve_product_match(status, "*:*"), True) + self.assertEqual(has_cve_product_match(status, "some_product"), True) + self.assertEqual(has_cve_product_match(status, "glibc"), True) + self.assertEqual(has_cve_product_match(status, "glibca"), True) + self.assertEqual(has_cve_product_match(status, "aglibc"), True) + self.assertEqual(has_cve_product_match(status, "*"), True) + self.assertEqual(has_cve_product_match(status, "aglibc glibc test:test"), True) + + status["product"] = "glibc" + self.assertEqual(has_cve_product_match(status, "some_vendor:some_product"), False) + # The CPE in the recipe must be defined, no * accepted + self.assertEqual(has_cve_product_match(status, "*:*"), False) + self.assertEqual(has_cve_product_match(status, "*"), False) + self.assertEqual(has_cve_product_match(status, "some_product"), False) + self.assertEqual(has_cve_product_match(status, "glibc"), True) + self.assertEqual(has_cve_product_match(status, "glibca"), False) + self.assertEqual(has_cve_product_match(status, "aglibc"), False) + self.assertEqual(has_cve_product_match(status, "some_vendor:glibc"), True) + self.assertEqual(has_cve_product_match(status, "some_vendor:glibc test"), True) + self.assertEqual(has_cve_product_match(status, "test some_vendor:glibc"), True) + + status["vendor"] = "glibca" + status["product"] = "glibc" + self.assertEqual(has_cve_product_match(status, "some_vendor:some_product"), False) + # The CPE in the recipe must be defined, no * accepted + 
self.assertEqual(has_cve_product_match(status, "*:*"), False) + self.assertEqual(has_cve_product_match(status, "*"), False) + self.assertEqual(has_cve_product_match(status, "some_product"), False) + self.assertEqual(has_cve_product_match(status, "glibc"), False) + self.assertEqual(has_cve_product_match(status, "glibca"), False) + self.assertEqual(has_cve_product_match(status, "aglibc"), False) + self.assertEqual(has_cve_product_match(status, "some_vendor:glibc"), False) + self.assertEqual(has_cve_product_match(status, "glibca:glibc"), True) + self.assertEqual(has_cve_product_match(status, "test:test glibca:glibc"), True) + self.assertEqual(has_cve_product_match(status, "test glibca:glibc"), True) + self.assertEqual(has_cve_product_match(status, "glibca:glibc test"), True) + def test_recipe_report_json(self): config = """
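Review bot: the three status blocks in test_product_match cover vendor "*"/product "*", vendor "*"/product "glibc" and vendor "glibca"/product "glibc", but not a vendor-specific status with product "*", the vendor-wide wildcard that has_cve_product_match also accepts; add that block, for example status vendor "glibca", product "*" against "glibca:glibc" (True), "glibc" (False) and "other:glibc" (False). Style: `self.assertEqual(..., True)` and `self.assertEqual(..., False)` read better as `assertTrue`/`assertFalse`, and the "no * accepted" comment appears twice where once above the second block would do.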
From: "Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)"
To: openembedded-core@lists.openembedded.org
Cc: xe-linux-external@cisco.com, vchavda@cisco.com
Subject: [openembedded-core] [scarthgap] [PATCH v1 06/34] cve-check: remove the TEXT format support
Date: Thu, 19 Feb 2026 21:34:15 -0800
Message-Id: <20260220053443.3006180-6-hetpat@cisco.com>
In-Reply-To: <20260220053443.3006180-1-hetpat@cisco.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/231461
From: Marta Rybczynska Remove the TEXT format support, as the JSON format offers more functions. Users who do automation should have migrated already. Support of both formats makes the code more complex than necessary. Users can convert JSON files to TEXT files with cve-json-to-text.py in scripts/ Backport Changes: - The changes from commit [81e702c85c62] have been discarded. Signed-off-by: Marta Rybczynska Signed-off-by: Richard Purdie (cherry picked from commit 05ef4f2a7b225c8d230eaca8d333ffb921729d79) Signed-off-by: Het Patel --- meta/classes/cve-check.bbclass | 118 +-------------------------------- 1 file changed, 1 insertion(+), 117 deletions(-) diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass index 32fb9e8a5c..65d90dd420 100644 --- a/meta/classes/cve-check.bbclass +++ b/meta/classes/cve-check.bbclass @@ -36,20 +36,15 @@ CVE_CHECK_DB_DIR ?= "${STAGING_DIR}/CVE_CHECK" CVE_CHECK_DB_FILE ?= "${CVE_CHECK_DB_DIR}/${CVE_CHECK_DB_FILENAME}" CVE_CHECK_DB_FILE_LOCK ?= "${CVE_CHECK_DB_FILE}.lock" -CVE_CHECK_LOG ?= "${T}/cve.log" -CVE_CHECK_TMP_FILE ?= "${TMPDIR}/cve_check" CVE_CHECK_SUMMARY_DIR ?= "${LOG_DIR}/cve" CVE_CHECK_SUMMARY_FILE_NAME ?= "cve-summary" -CVE_CHECK_SUMMARY_FILE ?= "${CVE_CHECK_SUMMARY_DIR}/${CVE_CHECK_SUMMARY_FILE_NAME}" CVE_CHECK_SUMMARY_FILE_NAME_JSON = "cve-summary.json" CVE_CHECK_SUMMARY_INDEX_PATH = "${CVE_CHECK_SUMMARY_DIR}/cve-summary-index.txt" CVE_CHECK_LOG_JSON ?= "${T}/cve.json" CVE_CHECK_DIR ??= "${DEPLOY_DIR}/cve" -CVE_CHECK_RECIPE_FILE ?= "${CVE_CHECK_DIR}/${PN}" CVE_CHECK_RECIPE_FILE_JSON ?= "${CVE_CHECK_DIR}/${PN}_cve.json" -CVE_CHECK_MANIFEST ?= "${IMGDEPLOYDIR}/${IMAGE_NAME}.cve" CVE_CHECK_MANIFEST_JSON_SUFFIX ?= "json" CVE_CHECK_MANIFEST_JSON ?= "${IMGDEPLOYDIR}/${IMAGE_NAME}.${CVE_CHECK_MANIFEST_JSON_SUFFIX}" CVE_CHECK_COPY_FILES ??= "1" 
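Review bot: `CVE_CHECK_SUMMARY_FILE_NAME ?= "cve-summary"` is kept in this hunk while `CVE_CHECK_SUMMARY_FILE` is dropped; its only visible reader, `cve_summary_name = d.getVar("CVE_CHECK_SUMMARY_FILE_NAME")` in cve_save_summary_handler, is removed later in this patch, and the JSON summary uses `CVE_CHECK_SUMMARY_FILE_NAME_JSON`. Check whether the variable is still referenced anywhere and drop it with the other text-format variables if not. Also worth a line in the commit message: users who set `CVE_CHECK_LOG`, `CVE_CHECK_RECIPE_FILE` or `CVE_CHECK_MANIFEST` in their configuration now silently lose that output.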
@@ -60,9 +55,6 @@ CVE_CHECK_REPORT_PATCHED ??= "1" CVE_CHECK_SHOW_WARNINGS ??= "1" -# Provide text output -CVE_CHECK_FORMAT_TEXT ??= "1" - # Provide JSON output CVE_CHECK_FORMAT_JSON ??= "1" @@ -139,20 +131,11 @@ python cve_save_summary_handler () { import datetime from oe.cve_check import update_symlinks - cve_tmp_file = d.getVar("CVE_CHECK_TMP_FILE") - cve_summary_name = d.getVar("CVE_CHECK_SUMMARY_FILE_NAME") cvelogpath = d.getVar("CVE_CHECK_SUMMARY_DIR") bb.utils.mkdirhier(cvelogpath) timestamp = datetime.datetime.now().strftime('%Y%m%d%H%M%S') - cve_summary_file = os.path.join(cvelogpath, "%s-%s.txt" % (cve_summary_name, timestamp)) - - if os.path.exists(cve_tmp_file): - shutil.copyfile(cve_tmp_file, cve_summary_file) - cvefile_link = os.path.join(cvelogpath, cve_summary_name) - update_symlinks(cve_summary_file, cvefile_link) - bb.plain("Complete CVE report summary created at: %s" % cvefile_link) if d.getVar("CVE_CHECK_FORMAT_JSON") == "1": json_summary_link_name = os.path.join(cvelogpath, d.getVar("CVE_CHECK_SUMMARY_FILE_NAME_JSON")) @@ -195,7 +178,6 @@ python cve_check_cleanup () { """ Delete the file used to gather all the CVE information. """ - bb.utils.remove(e.data.getVar("CVE_CHECK_TMP_FILE")) bb.utils.remove(e.data.getVar("CVE_CHECK_SUMMARY_INDEX_PATH")) } @@ -213,9 +195,6 @@ python cve_check_write_rootfs_manifest () { from oe.cve_check import cve_check_merge_jsons, update_symlinks if d.getVar("CVE_CHECK_COPY_FILES") == "1": - deploy_file = d.getVar("CVE_CHECK_RECIPE_FILE") - if os.path.exists(deploy_file): - bb.utils.remove(deploy_file) deploy_file_json = d.getVar("CVE_CHECK_RECIPE_FILE_JSON") if os.path.exists(deploy_file_json): bb.utils.remove(deploy_file_json) 
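Review bot: removing the `CVE_CHECK_FORMAT_TEXT ??= "1"` default in the hunk at -60, together with the later removal of the `CVE_CHECK_FORMAT_TEXT` check in cve_write_data, means a user who still has `CVE_CHECK_FORMAT_TEXT = "1"` in local.conf gets neither text output nor any indication that the format went away. Since the commit message expects users to migrate, add a one-time `bb.warn` (or an error) when the variable is set, pointing at scripts/cve-json-to-text.py.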
@@ -235,19 +214,13 @@ python cve_check_write_rootfs_manifest () { json_data = {"version":"1", "package": []} text_data = "" enable_json = d.getVar("CVE_CHECK_FORMAT_JSON") == "1" - enable_text = d.getVar("CVE_CHECK_FORMAT_TEXT") == "1" save_pn = d.getVar("PN") for pkg in recipies: - # To be able to use the CVE_CHECK_RECIPE_FILE variable we have to evaluate + # To be able to use the CVE_CHECK_RECIPE_FILE_JSON variable we have to evaluate # it with the different PN names set each time. d.setVar("PN", pkg) - if enable_text: - pkgfilepath = d.getVar("CVE_CHECK_RECIPE_FILE") - if os.path.exists(pkgfilepath): - with open(pkgfilepath) as pfile: - text_data += pfile.read() if enable_json: pkgfilepath = d.getVar("CVE_CHECK_RECIPE_FILE_JSON") @@ -258,17 +231,6 @@ python cve_check_write_rootfs_manifest () { d.setVar("PN", save_pn) - if enable_text: - manifest_name = d.getVar("CVE_CHECK_MANIFEST") - - with open(manifest_name, "w") as f: - f.write(text_data) - - if link_name: - link_path = os.path.join(deploy_dir, "%s.cve" % link_name) - update_symlinks(manifest_name, link_path) - bb.plain("Image CVE report stored in: %s" % manifest_name) - if enable_json: manifest_name_suffix = d.getVar("CVE_CHECK_MANIFEST_JSON_SUFFIX") manifest_name = d.getVar("CVE_CHECK_MANIFEST_JSON") 
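Review bot: `text_data = ""` survives as a context line in cve_check_write_rootfs_manifest while every use of it (`text_data += pfile.read()` in the hunk at -235 and `f.write(text_data)` in the hunk at -258) is removed; drop the dead assignment in the same patch.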
@@ -481,82 +443,6 @@ def get_cve_info(d, cve_data): cursor.close() conn.close() -def cve_write_data_text(d, cve_data): - """ - Write CVE information in WORKDIR; and to CVE_CHECK_DIR, and - CVE manifest if enabled. - """ - - cve_file = d.getVar("CVE_CHECK_LOG") - fdir_name = d.getVar("FILE_DIRNAME") - layer = fdir_name.split("/")[-3] - - include_layers = d.getVar("CVE_CHECK_LAYER_INCLUDELIST").split() - exclude_layers = d.getVar("CVE_CHECK_LAYER_EXCLUDELIST").split() - - report_all = d.getVar("CVE_CHECK_REPORT_PATCHED") == "1" - - if exclude_layers and layer in exclude_layers: - return - - if include_layers and layer not in include_layers: - return - - # Early exit, the text format does not report packages without CVEs - if not len(cve_data): - return - - nvd_link = "https://nvd.nist.gov/vuln/detail/" - write_string = "" - unpatched_cves = [] - bb.utils.mkdirhier(os.path.dirname(cve_file)) - - for cve in sorted(cve_data): - if not report_all and (cve_data[cve]["abbrev-status"] == "Patched" or cve_data[cve]["abbrev-status"] == "Ignored"): - continue - write_string += "LAYER: %s\n" % layer - write_string += "PACKAGE NAME: %s\n" % d.getVar("PN") - write_string += "PACKAGE VERSION: %s%s\n" % (d.getVar("EXTENDPE"), d.getVar("PV")) - write_string += "CVE: %s\n" % cve - write_string += "CVE STATUS: %s\n" % cve_data[cve]["abbrev-status"] - - if 'status' in cve_data[cve]: - write_string += "CVE DETAIL: %s\n" % cve_data[cve]["status"] - if 'justification' in cve_data[cve]: - write_string += "CVE DESCRIPTION: %s\n" % cve_data[cve]["justification"] - - if "NVD-summary" in cve_data[cve]: - write_string += "CVE SUMMARY: %s\n" % cve_data[cve]["NVD-summary"] - write_string += "CVSS v2 BASE SCORE: %s\n" % cve_data[cve]["NVD-scorev2"] - write_string += "CVSS v3 BASE SCORE: %s\n" % cve_data[cve]["NVD-scorev3"] - write_string += "CVSS v3 BASE SCORE: %s\n" % cve_data[cve]["NVD-scorev4"] - write_string += "VECTOR: %s\n" % cve_data[cve]["NVD-vector"] - write_string += "VECTORSTRING: %s\n" 
% cve_data[cve]["NVD-vectorString"] - - write_string += "MORE INFORMATION: %s%s\n\n" % (nvd_link, cve) - if cve_data[cve]["abbrev-status"] == "Unpatched": - unpatched_cves.append(cve) - - if unpatched_cves and d.getVar("CVE_CHECK_SHOW_WARNINGS") == "1": - bb.warn("Found unpatched CVE (%s), for more information check %s" % (" ".join(unpatched_cves),cve_file)) - - with open(cve_file, "w") as f: - bb.note("Writing file %s with CVE information" % cve_file) - f.write(write_string) - - if d.getVar("CVE_CHECK_COPY_FILES") == "1": - deploy_file = d.getVar("CVE_CHECK_RECIPE_FILE") - bb.utils.mkdirhier(os.path.dirname(deploy_file)) - with open(deploy_file, "w") as f: - f.write(write_string) - - if d.getVar("CVE_CHECK_CREATE_MANIFEST") == "1": - cvelogpath = d.getVar("CVE_CHECK_SUMMARY_DIR") - bb.utils.mkdirhier(cvelogpath) - - with open(d.getVar("CVE_CHECK_TMP_FILE"), "a") as f: - f.write("%s" % write_string) - def cve_check_write_json_output(d, output, direct_file, deploy_file, manifest_file): """ Write CVE information in the JSON format: to WORKDIR; and to 
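Review bot: the removed function body carried behaviour that is not specific to the text format, so deleting it loses more than one output format. The visible lines include the CVE_CHECK_LAYER_INCLUDELIST / CVE_CHECK_LAYER_EXCLUDELIST early returns, the CVE_CHECK_COPY_FILES copy to CVE_CHECK_RECIPE_FILE, and the only emitter of the CVE_CHECK_SHOW_WARNINGS warning (`if unpatched_cves and d.getVar("CVE_CHECK_SHOW_WARNINGS") == "1":` / `bb.warn("Found unpatched CVE (%s), for more information check %s" ...)`). Unless the JSON writer applies the same layer filtering, recipes from excluded layers start appearing in reports, and the warning disappears entirely (patch 11/34 later in this series has to put it back into check_cves). Either lift those three behaviours out of the exporter before deleting it, or state in the commit message which of them are intentionally dropped.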
@@ -665,7 +551,5 @@ def cve_write_data(d, cve_data, status): Write CVE data in each enabled format. """ - if d.getVar("CVE_CHECK_FORMAT_TEXT") == "1": - cve_write_data_text(d, cve_data) if d.getVar("CVE_CHECK_FORMAT_JSON") == "1": cve_write_data_json(d, cve_data, status)
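Review bot: removing the dispatch means a `CVE_CHECK_FORMAT_TEXT = "1"` still present in a user's local.conf or distro configuration is silently ignored, and a stale CVE_CHECK_LOG text file from an earlier build keeps looking current. For a stable-branch backport, keep a one-line `bb.warn` when the variable is set (saying that only CVE_CHECK_FORMAT_JSON is honoured now), or at least document the removal in the commit message and the class variable documentation.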

From: "Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)"
To: openembedded-core@lists.openembedded.org
Cc: xe-linux-external@cisco.com, vchavda@cisco.com
Subject: [openembedded-core] [scarthgap] [PATCH v1 07/34] cve-check-update-nvd2-native: Increment DL_DIR database location
Date: Thu, 19 Feb 2026 21:34:16 -0800
Message-Id: <20260220053443.3006180-7-hetpat@cisco.com>
In-Reply-To: <20260220053443.3006180-1-hetpat@cisco.com>
References: <20260220053443.3006180-1-hetpat@cisco.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/231460

From: Richard Purdie

We're seeing a lot of sqlite database corruption issues in our automated testing. It is unclear why this is happening. There were process improvements implemented in master and it is unclear if older releases are somehow making those changes ineffective or if the problem is elsewhere.

By changing the location in DL_DIR, we split the two sets of accesses to be separate and can isolate whether the master changes really did improve things or not. If successful, we may consider backporting those changes to the stable releases.

Signed-off-by: Richard Purdie
(cherry picked from commit bcc624012d676192a722a7694614f3c49c6bc4d2)
Signed-off-by: Het Patel
---
 meta/recipes-core/meta/cve-update-nvd2-native.bb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta/recipes-core/meta/cve-update-nvd2-native.bb b/meta/recipes-core/meta/cve-update-nvd2-native.bb index 945bd1d927..32a14a932b 100644 --- a/meta/recipes-core/meta/cve-update-nvd2-native.bb +++ b/meta/recipes-core/meta/cve-update-nvd2-native.bb 
@@ -34,7 +34,7 @@ CVE_DB_INCR_UPDATE_AGE_THRES ?= "10368000" # Number of attempts for each http query to nvd server before giving up CVE_DB_UPDATE_ATTEMPTS ?= "5" -CVE_CHECK_DB_DLDIR_FILE ?= "${DL_DIR}/CVE_CHECK/${CVE_CHECK_DB_FILENAME}" +CVE_CHECK_DB_DLDIR_FILE ?= "${DL_DIR}/CVE_CHECK2/${CVE_CHECK_DB_FILENAME}" CVE_CHECK_DB_DLDIR_LOCK ?= "${CVE_CHECK_DB_DLDIR_FILE}.lock" CVE_CHECK_DB_TEMP_FILE ?= "${CVE_CHECK_DB_FILE}.tmp"
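Review bot: the commit message should spell out two consequences of the path change: the first build after this update has no database under `${DL_DIR}/CVE_CHECK2/` and fetches the NVD data from scratch, and the old `${DL_DIR}/CVE_CHECK/` database and its `.lock` are left behind on every shared DL_DIR, so whoever runs the experiment knows what to clean up and what bandwidth to expect. Because CVE_CHECK_DB_DLDIR_LOCK is derived from CVE_CHECK_DB_DLDIR_FILE, the lock moves with the file, which gives the isolation from master builds sharing the same DL_DIR that the message describes; a short comment above the assignment marking this as a diagnostic change would stop the `CVE_CHECK2` name from being read as permanent. The default uses `?=`, so users who already override CVE_CHECK_DB_DLDIR_FILE are unaffected and will not take part in the experiment; worth noting.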

From: "Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)"
To: openembedded-core@lists.openembedded.org
Cc: xe-linux-external@cisco.com, vchavda@cisco.com
Subject: [openembedded-core] [scarthgap] [PATCH v1 08/34] cve-check: add field "modified" to JSON report
Date: Thu, 19 Feb 2026 21:34:17 -0800
Message-Id: <20260220053443.3006180-8-hetpat@cisco.com>
In-Reply-To: <20260220053443.3006180-1-hetpat@cisco.com>
References: <20260220053443.3006180-1-hetpat@cisco.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/231464

From: Katawann

Added the "modified" field to the JSON export in the cve-check.class. This field captures the last modification date of each CVE, providing more detailed information on changes and updates within the exported data.

Signed-off-by: Katawann
Signed-off-by: Alexandre Belloni
Signed-off-by: Richard Purdie
(cherry picked from commit 740b8a0b23c4021d07c3714420e3ea8b46e61454)
Signed-off-by: Het Patel
---
 meta/classes/cve-check.bbclass | 1 +
 1 file changed, 1 insertion(+)

diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass index 65d90dd420..22161e8539 100644 --- a/meta/classes/cve-check.bbclass +++ b/meta/classes/cve-check.bbclass
@@ -527,6 +527,7 @@ def cve_write_data_json(d, cve_data, cve_status): cve_item["scorev2"] = cve_data[cve]["NVD-scorev2"] cve_item["scorev3"] = cve_data[cve]["NVD-scorev3"] cve_item["scorev4"] = cve_data[cve]["NVD-scorev4"] + cve_item["modified"] = cve_data[cve]["NVD-modified"] cve_item["vector"] = cve_data[cve]["NVD-vector"] cve_item["vectorString"] = cve_data[cve]["NVD-vectorString"] if 'status' in cve_data[cve]:
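Review bot: `cve_data[cve]["NVD-modified"]` is indexed unconditionally, like the score and vector keys around it, but the diffstat touches only the JSON writer, so this backport relies on get_cve_info in the scarthgap branch already filling NVD-modified for every row it returns. Please confirm that before merging; if the key is absent, every recipe with at least one matching CVE fails do_cve_check with a KeyError rather than merely lacking the field. If there is any doubt, `cve_data[cve].get("NVD-modified")` yields `null` in the report and keeps the task green. The commit message should also state the format of the value, since consumers of the JSON will parse it.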

From: "Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)"
To: openembedded-core@lists.openembedded.org
Cc: xe-linux-external@cisco.com, vchavda@cisco.com
Subject: [openembedded-core] [scarthgap] [PATCH v1 09/34] cve-check: do not skip cve status description after :
Date: Thu, 19 Feb 2026 21:34:18 -0800
Message-Id: <20260220053443.3006180-9-hetpat@cisco.com>
In-Reply-To: <20260220053443.3006180-1-hetpat@cisco.com>
References: <20260220053443.3006180-1-hetpat@cisco.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/231462

From: Peter Marko

Correct maxsplit parameter from 5 to 4 to not drop text if description contains ":".

Example:
>>> "detail: cpe:vendor:product:description:cont".split(':', 5)
['detail', ' cpe', 'vendor', 'product', 'description', 'xxx']
>>> "detail: cpe:vendor:product:description:cont".split(':', 4)
['detail', ' cpe', 'vendor', 'product', 'description:xxx']

Signed-off-by: Peter Marko
Signed-off-by: Richard Purdie
(cherry picked from commit 3c4d8ca41ac0b429af92bf0ea84f1dfd0cda9e1f)
Signed-off-by: Het Patel
---
 meta/lib/oe/cve_check.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/lib/oe/cve_check.py b/meta/lib/oe/cve_check.py index 37230b7957..c8572d7724 100644
--- a/meta/lib/oe/cve_check.py +++ b/meta/lib/oe/cve_check.py 
@@ -239,7 +239,7 @@ def decode_cve_status(d, cve): if not status: return {} - status_split = status.split(':', 5) + status_split = status.split(':', 4) status_out = {} status_out["detail"] = status_split[0] product = "*"
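Review bot: with maxsplit=4 the CPE form `detail: cpe:vendor:product:description` keeps every ':' after the product inside the description, as intended, but the no-CPE branch further down the same function still takes the last split element, so `detail: free text with a : in it` stays truncated until patch 10/34 of this series is applied; the two should land together on the stable branch (or be squashed) so no intermediate commit ships a half-fixed parser. Also, the example in the commit message feeds `description:cont` in and shows `'xxx'` out; make the two lines agree.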

From: "Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)"
To: openembedded-core@lists.openembedded.org
Cc: xe-linux-external@cisco.com, vchavda@cisco.com
Subject: [openembedded-core] [scarthgap] [PATCH v1 10/34] cve-check: fix malformed cve status description with : characters
Date: Thu, 19 Feb 2026 21:34:19 -0800
Message-Id: <20260220053443.3006180-10-hetpat@cisco.com>
In-Reply-To: <20260220053443.3006180-1-hetpat@cisco.com>
References: <20260220053443.3006180-1-hetpat@cisco.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/231468
From: Peter Marko

When CPE is not provided and character ":" is in cve status description, current code takes only last part of split function. This works only if there is no ":" in description, otherwise it drops the other split parts.

Do a new split of the original string to take the whole description unchanged.

This fixes following entries from world build of poky+meta-oe+meta-python:

tiff-4.6.0-r0 do_cve_check: CVE_STATUS with 3 parts for CVE-2015-7313
CVE_STATUS: fixed-version: Tested with check from https://security-tracker.debian.org/tracker/CVE-2015-7313 and already 4.3.0 doesn't have the issue
description: //security-tracker.debian.org/tracker/CVE-2015-7313 and already 4.3.0 doesn't have the issue
corrected: Tested with check from https://security-tracker.debian.org/tracker/CVE-2015-7313 and already 4.3.0 doesn't have the issue

gnupg-2.5.0-r0 do_cve_check: CVE_STATUS with 3 parts for CVE-2022-3219
CVE_STATUS: upstream-wontfix: Upstream doesn't seem to be keen on merging the proposed commit - https://dev.gnupg.org/T5993
description: //dev.gnupg.org/T5993
corrected: Upstream doesn't seem to be keen on merging the proposed commit - https://dev.gnupg.org/T5993

libyaml-0.2.5-r0 do_cve_check: CVE_STATUS with 3 parts for CVE-2024-35325
CVE_STATUS: upstream-wontfix: Upstream thinks this is a misuse (or wrong use) of the libyaml API - https://github.com/yaml/libyaml/issues/303
description: //github.com/yaml/libyaml/issues/303
corrected: Upstream thinks this is a misuse (or wrong use) of the libyaml API - https://github.com/yaml/libyaml/issues/303

libyaml-0.2.5-r0 do_cve_check: CVE_STATUS with 3 parts for CVE-2024-35326
CVE_STATUS: upstream-wontfix: Upstream thinks there is no working code that is exploitable - https://github.com/yaml/libyaml/issues/302
description: //github.com/yaml/libyaml/issues/302
corrected: Upstream thinks there is no working code that is exploitable - https://github.com/yaml/libyaml/issues/302

libyaml-0.2.5-r0 do_cve_check: CVE_STATUS with 3 parts for CVE-2024-35328
CVE_STATUS: upstream-wontfix: Upstream thinks there is no working code that is exploitable - https://github.com/yaml/libyaml/issues/302
description: //github.com/yaml/libyaml/issues/302
corrected: Upstream thinks there is no working code that is exploitable - https://github.com/yaml/libyaml/issues/302

cpio-2.15-r0 do_cve_check: CVE_STATUS with 3 parts for CVE-2023-7216
CVE_STATUS: disputed: intended behaviour, see https://lists.gnu.org/archive/html/bug-cpio/2024-03/msg00000.html
description: //lists.gnu.org/archive/html/bug-cpio/2024-03/msg00000.html
corrected: intended behaviour, see https://lists.gnu.org/archive/html/bug-cpio/2024-03/msg00000.html

openssh-9.9p1-r0 do_cve_check: CVE_STATUS with 3 parts for CVE-2023-51767
CVE_STATUS: upstream-wontfix: It was demonstrated on modified sshd and does not exist in upstream openssh https://bugzilla.mindrot.org/show_bug.cgi?id=3656#c1.
description: //bugzilla.mindrot.org/show_bug.cgi?id=3656#c1.
corrected: It was demonstrated on modified sshd and does not exist in upstream openssh https://bugzilla.mindrot.org/show_bug.cgi?id=3656#c1.

cups-2.4.10-r0 do_cve_check: CVE_STATUS with 3 parts for CVE-2021-25317
CVE_STATUS: not-applicable-config: This concerns /var/log/cups having lp ownership, our /var/log/cups is root:root, so this doesn't apply.
description: root, so this doesn't apply.
corrected: This concerns /var/log/cups having lp ownership, our /var/log/cups is root:root, so this doesn't apply.

unzip-1_6.0-r0 do_cve_check: CVE_STATUS with 3 parts for CVE-2008-0888
CVE_STATUS: fixed-version: Patch from https://bugzilla.redhat.com/attachment.cgi?id=293893&action=diff applied to 6.0 source
description: //bugzilla.redhat.com/attachment.cgi?id=293893&action=diff applied to 6.0 source
corrected: Patch from https://bugzilla.redhat.com/attachment.cgi?id=293893&action=diff applied to 6.0 source

syslog-ng-4.7.0-r0 do_cve_check: CVE_STATUS with 6 parts for CVE-2022-38725
CVE_STATUS: cpe-incorrect: cve-check wrongly matches cpe:2.3:a:oneidentity:syslog-ng:*:*:*:*:premium:*:*:* < 7.0.32
description: syslog-ng:*:*:*:*:premium:*:*:* < 7.0.32
corrected: cve-check wrongly matches cpe:2.3:a:oneidentity:syslog-ng:*:*:*:*:premium:*:*:* < 7.0.32

Signed-off-by: Peter Marko
Signed-off-by: Richard Purdie
(cherry picked from commit cc33dd9176726cb4b2d2f142ed1bc655da8e0a9f)
Signed-off-by: Het Patel
---
 meta/lib/oe/cve_check.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/lib/oe/cve_check.py b/meta/lib/oe/cve_check.py index c8572d7724..cd152df69a 100644 --- a/meta/lib/oe/cve_check.py +++ b/meta/lib/oe/cve_check.py
@@ -257,7 +257,7 @@ def decode_cve_status(d, cve): else: # Other case: no CPE, the syntax is then: # detail: description - description = status_split[len(status_split)-1].strip() if (len(status_split) > 1) else "" + description = status.split(':', 1)[1].strip() if (len(status_split) > 1) else "" status_out["vendor"] = vendor status_out["product"] = product
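Review bot: the fix is correct, but `status.split(':', 1)[1]` re-splits a string that was already split into status_split a few lines up, and the `len(status_split) > 1` guard is really asking whether the raw string contains a ':'. `status.partition(':')[2].strip()` gives the same value in one call and returns '' both for a status with no ':' and for a trailing ':', so the conditional can go. Since this is the second fix to the same line in two consecutive patches, a selftest that feeds the cups and syslog-ng strings from the commit message through decode_cve_status would stop a third regression.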
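The two parser fixes above (patches 09/34 and 10/34) are easier to see side by side. The following is an added example, not code from oe-core or from the patch authors: a cut-down parser for the CVE_STATUS value syntax that decode_cve_status() in meta/lib/oe/cve_check.py handles, in its pre-fix and post-fix form, run over status strings quoted from the patch 10 commit message plus one constructed CPE-form string. Assumptions the patches do not state: the real function takes the datastore `d` and a CVE id and reads CVE_STATUS[<cve>] itself, here the string is passed in directly; the CPE form is assumed to be recognised when the second ':'-separated field, stripped, is exactly "cpe" (matching the `detail: cpe:vendor:product:description` syntax in the patch 09 example); and the names decode_status_old, decode_status_new and description_truncated are this example's own.

```python
# Added example (not oe-core code): CVE_STATUS parsing before and after
# patches 09/34 and 10/34. Function names, the direct string argument and
# the "second field == 'cpe'" rule are assumptions of this example.


def _empty():
    return {"detail": "", "vendor": "*", "product": "*", "description": ""}


def decode_status_old(status):
    """Pre-fix behaviour: maxsplit=5 and 'last split element' description."""
    out = _empty()
    if not status:
        return out
    parts = status.split(":", 5)          # one field too many (patch 09 bug)
    out["detail"] = parts[0]
    if len(parts) >= 4 and parts[1].strip() == "cpe":
        out["vendor"] = parts[2].strip()
        out["product"] = parts[3].strip()
        # text after a ':' inside the description landed in parts[5]; lost here
        out["description"] = parts[4].strip() if len(parts) > 4 else ""
    else:
        # only the text after the *last* ':' survives (patch 10 bug)
        out["description"] = parts[-1].strip() if len(parts) > 1 else ""
    return out


def decode_status_new(status):
    """Post-fix behaviour: maxsplit=4, and the free text re-split once."""
    out = _empty()
    if not status:
        return out
    parts = status.split(":", 4)
    out["detail"] = parts[0]
    if len(parts) >= 4 and parts[1].strip() == "cpe":
        out["vendor"] = parts[2].strip()
        out["product"] = parts[3].strip()
        out["description"] = parts[4].strip() if len(parts) > 4 else ""
    else:
        # split the original string once, so every ':' in the text is kept
        out["description"] = status.split(":", 1)[1].strip() if len(parts) > 1 else ""
    return out


def description_truncated(status):
    """True when the pre-fix parser would have lost part of the description."""
    return decode_status_old(status)["description"] != decode_status_new(status)["description"]


# Sample CVE_STATUS strings: the first three are quoted from the patch 10
# commit message, the CPE-form one is constructed for this example.
SAMPLES = [
    "not-applicable-config: This concerns /var/log/cups having lp ownership, "
    "our /var/log/cups is root:root, so this doesn't apply.",
    "upstream-wontfix: Upstream doesn't seem to be keen on merging the "
    "proposed commit - https://dev.gnupg.org/T5993",
    "disputed: intended behaviour, see "
    "https://lists.gnu.org/archive/html/bug-cpio/2024-03/msg00000.html",
    "upstream-wontfix: cpe:yaml:libyaml:Upstream thinks this is a misuse "
    "of the API - https://github.com/yaml/libyaml/issues/303",
    "disputed",
]

if __name__ == "__main__":
    for s in SAMPLES:
        old, new = decode_status_old(s), decode_status_new(s)
        print("CVE_STATUS:", s)
        print("  old description:", repr(old["description"]))
        print("  new description:", repr(new["description"]))
        print("  truncated before fix:", description_truncated(s))
```

Run as a script it prints, for each sample, the description the old parser produced (the `//dev.gnupg.org/T5993` and `root, so this doesn't apply.` fragments from the commit message) next to the full text the fixed parser keeps; the CPE-form sample shows that the maxsplit change alone is what rescues a URL inside a `cpe:` status, while the re-split is what rescues the free-text form. description_truncated is the predicate a selftest for these two patches would assert on.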
X-CSE-ConnectionGUID: potf65OQR02J6Si/kuyfVA== X-CSE-MsgGUID: Kd3BD5CLR8Sngv1Y2ScdWQ== X-IPAS-Result: A0BBBABB8Zdp/4z/Ja1aglmCSA+BUEJJlksDmDyFXhSBaw8BAQEPUQQBAYUHAo0fAiY0CQ4BAgQBAQEBAwIDAQEBAQEBAQEBAQELAQEFAQEBAgEHBYEOE4ZchlsCAQMyAUYQICYLKysZgwKCdAIBp1aCLIEB4CIBCxQBgTiFPIgZWhqEeicbG4FyhH2ECh9nhXcEgiKBDos0iBtIgR4DWSwBVRMNCgsHBYFmAzUSKhVuMh2BIz4XgQsbBwWHUw+JBXhugSCBGwMLGA1IESw3FBsEPm4Hji8/gjQBgQ2CGR6TMhw8kguhDgoog3ShWBozqmsuh2WQc6RZhGiBaDyBWXAVgyJSGQ+OX74aIjU8AgcLAQEDCZFqgX0BAQ IronPort-Data: A9a23:OUCT6K4KDUAeaVJZyzCONgxRtG/GchMFZxGqfqrLsTDasY5as4F+v mQeXDzQPPiLYGGnKYoiboW39ExX7cXVm9YwSFZrqyg1Zn8b8sCt6fZ1gavT04J+CuWZESqLO u1HMoGowPgcFyGa/lH2dOC98RGQ7InQLpLkEunIJyttcgFtTSYlmHpLlvUw6mJSqYDR7zil5 5Wo+qUzBHf/g2QqajhOs/rYwP9SlK2aVA0w7wRWic9j5Dcyp1FNZLoDKKe4KWfPQ4U8NoaSW +bZwbilyXjS9hErB8nNuu6TnpoiG+O60aCm0xK6aoD66vRwjnVaPpUTaJLwXXxqZwChxLid/ jniWauYEm/FNoWU8AgUvoIx/ytWZcWq85efSZSzXFD6I0DuKxPRL/tS4E4eJYoE9LgqJlh0r aY6dgsMKROeluyI6efuIgVsrpxLwMjDJogTvDRkiDreF/tjGcuFSKTR7tge1zA17ixMNa+BP IxCNnw1MUmGOkEXUrsUIMpWcOOAhnTjazREgFmUvqEwpWPUyWSd1ZCzb4SJI43WFZg9ckCwh W6d1UikKTUgZOeZxiTcwyiXjePwpHauMG4VPPjinhJwu3WU3mEVBRgcWFe3rPX8gUmkVvpbK lcI4WwptaU0+UmhQ9XxUhH+p2SL1iPwQPJKGOE8rQXIwa3O7kPBXS4PTyVKb5ots8peqSEW6 2JlVujBXVRH2IB5g1rBnltIhVte4RQoEFI= IronPort-HdrOrdr: A9a23:BsQ0iq2t6XbaOud2dyg3UwqjBLUkLtp133Aq2lEZdPWaSKOlfq eV7ZMmPHDP6Qr5NEtMpTnEAtjjfZq+z+8Q3WBuB9eftWDd0QPCRr2Kr7GSpgEIcBeRygcy78 tdmtBFeb7N5ZwQt7eC3OF+eOxQpuW6zA== X-Talos-CUID: 9a23:K7QT3mPsdup4S+5DQC57+hBJPfkfKif/kkzRZEylGGhXYejA X-Talos-MUID: 9a23:N9nnaw0ZAS1rdmcWUPgWwI7KujUjwKj1ImxQurE86/KCOjIpCm2mhziIe9py X-IronPort-Anti-Spam-Filtered: true X-IronPort-AV: E=Sophos;i="6.21,301,1763424000"; d="scan'208";a="676419485" Received: from rcdn-l-core-03.cisco.com ([173.37.255.140]) by alln-iport-1.cisco.com with ESMTP/TLS/TLS_AES_256_GCM_SHA384; 20 Feb 2026 05:34:45 +0000 Received: from sjc-ads-8556.cisco.com (sjc-ads-8556.cisco.com [171.68.222.95]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange 
From: "Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)"
To: openembedded-core@lists.openembedded.org
Cc: xe-linux-external@cisco.com, vchavda@cisco.com
Subject: [openembedded-core] [scarthgap] [PATCH v1 11/34] cve-check: restore CVE_CHECK_SHOW_WARNINGS functionality
Date: Thu, 19 Feb 2026 21:34:20 -0800
Message-Id: <20260220053443.3006180-11-hetpat@cisco.com>
In-Reply-To: <20260220053443.3006180-1-hetpat@cisco.com>
References: <20260220053443.3006180-1-hetpat@cisco.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/231471

From: Peter Marko

Commit 05ef4f2a7b225c8d230eaca8d333ffb921729d79 removed this functionality by accident. It was implemented in the text exporter, while it should have been a global feature independent of exporter type to avoid such accidental deletion.

Signed-off-by: Peter Marko
Cc: Marta Rybczynska
Signed-off-by: Mathieu Dubois-Briand
Signed-off-by: Richard Purdie
(cherry picked from commit 2996b11596afca288a6b7f409a5287063d331f3b)
Signed-off-by: Het Patel
---
 meta/classes/cve-check.bbclass | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 22161e8539..d505c68511 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -413,6 +413,11 @@ def check_cves(d, cve_data): if not cves_in_recipe: bb.note("No CVE records for products in recipe %s" % (pn)) + if d.getVar("CVE_CHECK_SHOW_WARNINGS") == "1": + unpatched_cves = [cve for cve in cve_data if cve_data[cve]["abbrev-status"] == "Unpatched"] + if unpatched_cves: + bb.warn("Found unpatched CVE (%s)" % " ".join(unpatched_cves)) + return (cve_data, cves_status) def get_cve_info(d, cve_data):
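Review bot: the warning added at the end of check_cves() omits the recipe name, whereas the bb.note() just above it includes pn; in a parallel build a bare "Found unpatched CVE (...)" line cannot be attributed to a recipe, so prefix it, e.g. bb.warn("%s: found unpatched CVE (%s)" % (pn, " ".join(unpatched_cves))). The `== "1"` comparison is also strict (a value such as "true" silently disables the warning); bb.utils.to_boolean() would accept the usual spellings and keep the feature from being switched off by a harmless configuration variant.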
From: "Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)"
To: openembedded-core@lists.openembedded.org
Cc: xe-linux-external@cisco.com, vchavda@cisco.com
Subject: [openembedded-core] [scarthgap] [PATCH v1 12/34] cve-check: fix cvesInRecord
Date: Thu, 19 Feb 2026 21:34:21 -0800
Message-Id: <20260220053443.3006180-12-hetpat@cisco.com>
In-Reply-To: <20260220053443.3006180-1-hetpat@cisco.com>
References: <20260220053443.3006180-1-hetpat@cisco.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/231459

From: Peter Marko

Currently the flag cvesInRecord is set to false if all CVEs are ignored or patched. This is inconsistent, as it shows false if a CVE was fixed via patch and true if this CVE was fixed by upgrade. In both cases the CVE is valid and was fixed.

As I understand this flag, it should say if any CVE exists for a particular component's product (regardless of how this CVE is handled) and can be used to validate if a product is correctly set.

Note that skipping ignored CVEs may make sense in some cases, as ignored may mean that the NVD DB is wrong, but in many cases it is ignored for other reasons. A further patch can be done to evaluate the ignore subtype, but that would be against my understanding of this flag as described above.

Signed-off-by: Peter Marko
Signed-off-by: Mathieu Dubois-Briand
Signed-off-by: Richard Purdie
(cherry picked from commit c5d499693672ec9619392011b765941cf94aa319)
Signed-off-by: Het Patel
---
 meta/classes/cve-check.bbclass | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index d505c68511..8aa7293368 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -334,17 +334,18 @@ def check_cves(d, cve_data): for cverow in cve_cursor: cve = cverow[0] + # Write status once only for each product + if not cves_in_product: + cves_status.append([product, True]) + cves_in_product = True + cves_in_recipe = True + if cve_is_ignored(d, cve_data, cve): bb.note("%s-%s ignores %s" % (product, pv, cve)) continue elif cve_is_patched(d, cve_data, cve): bb.note("%s has been patched" % (cve)) continue - # Write status once only for each product - if not cves_in_product: - cves_status.append([product, True]) - cves_in_product = True - cves_in_recipe = True vulnerable = False ignored = False
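Review bot: moving the `# Write status once only for each product` block above the cve_is_ignored()/cve_is_patched() checks is the intended fix, but the comment should now also say why it sits there (the product has CVE records in the database regardless of whether each CVE is ignored or patched, so cves_status and cves_in_recipe must be set before the `continue` statements). Without that sentence a later cleanup can move the block back below the checks, which is exactly the placement this patch corrects, and the cvesInRecord flag would silently revert to its inconsistent meaning.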
From: "Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)"
To: openembedded-core@lists.openembedded.org
Cc: xe-linux-external@cisco.com, vchavda@cisco.com
Subject: [openembedded-core] [scarthgap] [PATCH v1 13/34] cve-check: Fix errors in log lines
Date: Thu, 19 Feb 2026 21:34:22 -0800
Message-Id: <20260220053443.3006180-13-hetpat@cisco.com>
In-Reply-To: <20260220053443.3006180-1-hetpat@cisco.com>
References: <20260220053443.3006180-1-hetpat@cisco.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/231466

From: Colin McAllister

Two warning lines in cve_check.py reference a variable that doesn't exist. These would cause a runtime error if the conditions they are hidden in were to be entered. The log lines have been updated to no longer reference an undefined variable.

Signed-off-by: Colin McAllister
Signed-off-by: Richard Purdie
(cherry picked from commit c9d059e8a362b3c9d604f7ebe8fd1dd994f0af6b)
Signed-off-by: Het Patel
---
 meta/lib/oe/cve_check.py | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/meta/lib/oe/cve_check.py b/meta/lib/oe/cve_check.py
index cd152df69a..8e676bcc74 100644
--- a/meta/lib/oe/cve_check.py
+++ b/meta/lib/oe/cve_check.py
@@ -253,7 +253,10 @@ def decode_cve_status(d, cve): description = status_split[4].strip() elif len(status_split) >= 2 and status_split[1].strip() == "cpe": # Malformed CPE - bb.warn('Invalid CPE information for CVE_STATUS[%s] = "%s", not setting CPE' % (detail, cve, status)) + bb.warn( + 'Invalid CPE information for CVE_STATUS[%s] = "%s", not setting CPE' + % (cve, status) + ) else: # Other case: no CPE, the syntax is then: # detail: description
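Review bot: the format tuple now matches the two %s placeholders in 'Invalid CPE information for CVE_STATUS[%s] = "%s", not setting CPE', so the NameError on `detail` in this branch is gone. Since the branch is only reached for a malformed cpe field and nothing exercised it before (which is how an undefined variable survived in a warning path), a selftest in meta/lib/oeqa/selftest/cases/cve_check.py that feeds decode_cve_status() a CVE_STATUS entry with a malformed cpe field and checks that it returns without CPE data would keep this from regressing.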
@@ -263,9 +266,13 @@ def decode_cve_status(d, cve): status_out["product"] = product status_out["description"] = description - status_mapping = d.getVarFlag("CVE_CHECK_STATUSMAP", status_out['detail']) + detail = status_out["detail"] + status_mapping = d.getVarFlag("CVE_CHECK_STATUSMAP", detail) if status_mapping is None: - bb.warn('Invalid detail "%s" for CVE_STATUS[%s] = "%s", fallback to Unpatched' % (detail, cve, status)) + bb.warn( + 'Invalid detail "%s" for CVE_STATUS[%s] = "%s", fallback to Unpatched' + % (detail, cve, status) + ) status_mapping = "Unpatched" status_out["mapping"] = status_mapping
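Review bot: with `detail = status_out["detail"]` hoisted into a local the warning is now well-formed, but after the fallback status_out["detail"] still carries the unrecognised string while status_out["mapping"] becomes "Unpatched". That is probably the right outcome for the report (the user sees exactly what they wrote in CVE_STATUS), but a one-line comment next to `status_mapping = "Unpatched"` saying the two fields intentionally disagree would stop a reader from treating it as a bug.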
From: "Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)"
To: openembedded-core@lists.openembedded.org
Cc: xe-linux-external@cisco.com, vchavda@cisco.com
Subject: [openembedded-core] [scarthgap] [PATCH v1 14/34] cve-check: Rework patch parsing
Date: Thu, 19 Feb 2026 21:34:23 -0800
Message-Id: <20260220053443.3006180-14-hetpat@cisco.com>
In-Reply-To: <20260220053443.3006180-1-hetpat@cisco.com>
References: <20260220053443.3006180-1-hetpat@cisco.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/231463
From: Colin McAllister

The cve_check functionality to parse CVE IDs from the patch filename and patch contents has been reworked to improve parsing and also utilize tests. This ensures that the parsing works as intended.

Additionally, the new patched_cves dict has a few issues I tried to fix as well. If multiple patch files exist for a single CVE ID, only the last one will show up with the "resource" key. The value for the "resource" key has been updated to hold a list and return all patch files associated with a given CVE ID.

Also, at the end of get_patch_cves, CVE_STATUS can overwrite an existing entry in the dict. This could cause an issue, for example, if a CVE has been addressed via a patch, but a CVE_STATUS line also exists that ignores the given CVE ID. A warning has been added if this ever happens.

Signed-off-by: Colin McAllister
Signed-off-by: Richard Purdie
(cherry picked from commit 87c6da681609b4f8e048eca2a27ae8e068c724e1)
Signed-off-by: Het Patel
---
 meta/lib/oe/cve_check.py | 166 ++++++++++++------
 meta/lib/oeqa/selftest/cases/cve_check.py | 205 ++++++++++++++++++++++
 2 files changed, 317 insertions(+), 54 deletions(-)

diff --git a/meta/lib/oe/cve_check.py b/meta/lib/oe/cve_check.py
index 8e676bcc74..c1f36db775 100644
--- a/meta/lib/oe/cve_check.py
+++ b/meta/lib/oe/cve_check.py
@@ -5,9 +5,11 @@ # import collections -import re -import itertools import functools +import itertools +import os.path +import re +import oe.patch _Version = collections.namedtuple( "_Version", ["release", "patch_l", "pre_l", "pre_v"]
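Review bot: making `os.path` an explicit module-level import here is a real fix, not just tidying: the block removed further down (`if not os.path.isfile(patch_file)`) used os.path although the old import list (collections, re, itertools, functools) never imported it, so the module relied on `os` reaching its namespace by other means. The list is now alphabetical; a blank line between the standard-library imports and `import oe.patch` would match the usual grouping and make the one in-tree dependency stand out.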
@@ -71,76 +73,132 @@ def _cmpkey(release, patch_l, pre_l, pre_v): return _release, _patch, _pre -def get_patched_cves(d): +def parse_cve_from_filename(patch_filename): """ - Get patches that solve CVEs using the "CVE: " tag. + Parses CVE ID from the filename + + Matches the last "CVE-YYYY-ID" in the file name, also if written + in lowercase. Possible to have multiple CVE IDs in a single + file name, but only the last one will be detected from the file name. + + Returns the last CVE ID foudn in the filename. If no CVE ID is found + an empty string is returned. """ + cve_file_name_match = re.compile(r".*(CVE-\d{4}-\d{4,})", re.IGNORECASE) - import re - import oe.patch + # Check patch file name for CVE ID + fname_match = cve_file_name_match.search(patch_filename) + return fname_match.group(1).upper() if fname_match else "" - cve_match = re.compile(r"CVE:( CVE-\d{4}-\d+)+") - # Matches the last "CVE-YYYY-ID" in the file name, also if written - # in lowercase. Possible to have multiple CVE IDs in a single - # file name, but only the last one will be detected from the file name. - # However, patch files contents addressing multiple CVE IDs are supported - # (cve_match regular expression) - cve_file_name_match = re.compile(r".*(CVE-\d{4}-\d+)", re.IGNORECASE) +def parse_cves_from_patch_contents(patch_contents): + """ + Parses CVE IDs from patch contents + Matches all CVE IDs contained on a line that starts with "CVE: ". Any + delimiter (',', '&', "and", etc.) can be used without any issues. Multiple + "CVE:" lines can also exist. + + Returns a set of all CVE IDs found in the patch contents. 
+ """ + cve_ids = set() + cve_match = re.compile(r"CVE-\d{4}-\d{4,}") + # Search for one or more "CVE: " lines + for line in patch_contents.split("\n"): + if not line.startswith("CVE:"): + continue + cve_ids.update(cve_match.findall(line)) + return cve_ids + + +def parse_cves_from_patch_file(patch_file): + """ + Parses CVE IDs associated with a particular patch file, using both the filename + and patch contents. + + Returns a set of all CVE IDs found in the patch filename and contents. + """ + cve_ids = set() + filename_cve = parse_cve_from_filename(patch_file) + if filename_cve: + bb.debug(2, "Found %s from patch file name %s" % (filename_cve, patch_file)) + cve_ids.add(parse_cve_from_filename(patch_file)) + + # Remote patches won't be present and compressed patches won't be + # unpacked, so say we're not scanning them + if not os.path.isfile(patch_file): + bb.note("%s is remote or compressed, not scanning content" % patch_file) + return cve_ids + + with open(patch_file, "r", encoding="utf-8") as f: + try: + patch_text = f.read() + except UnicodeDecodeError: + bb.debug( + 1, + "Failed to read patch %s using UTF-8 encoding" + " trying with iso8859-1" % patch_file, + ) + f.close() + with open(patch_file, "r", encoding="iso8859-1") as f: + patch_text = f.read() + + cve_ids.update(parse_cves_from_patch_contents(patch_text)) + + if not cve_ids: + bb.debug(2, "Patch %s doesn't solve CVEs" % patch_file) + else: + bb.debug(2, "Patch %s solves %s" % (patch_file, ", ".join(sorted(cve_ids)))) + + return cve_ids + + +def get_patched_cves(d): + """ + Determines the CVE IDs that have been solved by either patches incuded within + SRC_URI or by setting CVE_STATUS. + + Returns a dictionary with the CVE IDs as keys and an associated dictonary of + relevant metadata as the value. 
+ """ patched_cves = {} patches = oe.patch.src_patches(d) bb.debug(2, "Scanning %d patches for CVEs" % len(patches)) + + # Check each patch file for url in patches: patch_file = bb.fetch.decodeurl(url)[2] - - # Check patch file name for CVE ID - fname_match = cve_file_name_match.search(patch_file) - if fname_match: - cve = fname_match.group(1).upper() - patched_cves[cve] = {"abbrev-status": "Patched", "status": "fix-file-included", "resource": patch_file} - bb.debug(2, "Found %s from patch file name %s" % (cve, patch_file)) - - # Remote patches won't be present and compressed patches won't be - # unpacked, so say we're not scanning them - if not os.path.isfile(patch_file): - bb.note("%s is remote or compressed, not scanning content" % patch_file) - continue - - with open(patch_file, "r", encoding="utf-8") as f: - try: - patch_text = f.read() - except UnicodeDecodeError: - bb.debug(1, "Failed to read patch %s using UTF-8 encoding" - " trying with iso8859-1" % patch_file) - f.close() - with open(patch_file, "r", encoding="iso8859-1") as f: - patch_text = f.read() - - # Search for one or more "CVE: " lines - text_match = False - for match in cve_match.finditer(patch_text): - # Get only the CVEs without the "CVE: " tag - cves = patch_text[match.start()+5:match.end()] - for cve in cves.split(): - bb.debug(2, "Patch %s solves %s" % (patch_file, cve)) - patched_cves[cve] = {"abbrev-status": "Patched", "status": "fix-file-included", "resource": patch_file} - text_match = True - - if not fname_match and not text_match: - bb.debug(2, "Patch %s doesn't solve CVEs" % patch_file) + for cve_id in parse_cves_from_patch_file(patch_file): + if cve_id not in patched_cves: + { + "abbrev-status": "Patched", + "status": "fix-file-included", + "resource": [patch_file], + } + else: + patched_cves[cve_id]["resource"].append(patch_file) # Search for additional patched CVEs - for cve in (d.getVarFlags("CVE_STATUS") or {}): - decoded_status = decode_cve_status(d, cve) + for cve_id in 
d.getVarFlags("CVE_STATUS") or {}: + decoded_status = decode_cve_status(d, cve_id) products = d.getVar("CVE_PRODUCT") - if has_cve_product_match(decoded_status, products) == True: - patched_cves[cve] = { + if has_cve_product_match(decoded_status, products): + if cve_id in patched_cves: + bb.warn( + 'CVE_STATUS[%s] = "%s" is overwriting previous status of "%s: %s"' + % ( + cve_id, + d.getVarFlag("CVE_STATUS", cve_id), + patched_cves[cve_id]["abbrev-status"], + patched_cves[cve_id]["status"], + ) + ) + patched_cves[cve_id] = { "abbrev-status": decoded_status["mapping"], "status": decoded_status["detail"], "justification": decoded_status["description"], "affected-vendor": decoded_status["vendor"], - "affected-product": decoded_status["product"] + "affected-product": decoded_status["product"], } return patched_cves diff --git a/meta/lib/oeqa/selftest/cases/cve_check.py b/meta/lib/oeqa/selftest/cases/cve_check.py index 3dd3e89d3e..511e4b81b4 100644 --- a/meta/lib/oeqa/selftest/cases/cve_check.py +++ b/meta/lib/oeqa/selftest/cases/cve_check.py 
@@ -120,6 +120,211 @@ class CVECheck(OESelftestTestCase): self.assertEqual(has_cve_product_match(status, "test glibca:glibc"), True) self.assertEqual(has_cve_product_match(status, "glibca:glibc test"), True) + def test_parse_cve_from_patch_filename(self): + from oe.cve_check import parse_cve_from_filename + + # Patch filename without CVE ID + self.assertEqual(parse_cve_from_filename("0001-test.patch"), "") + + # Patch with single CVE ID + self.assertEqual( + parse_cve_from_filename("CVE-2022-12345.patch"), "CVE-2022-12345" + ) + + # Patch with multiple CVE IDs + self.assertEqual( + parse_cve_from_filename("CVE-2022-41741-CVE-2022-41742.patch"), + "CVE-2022-41742", + ) + + # Patches with CVE ID and appended text + self.assertEqual( + parse_cve_from_filename("CVE-2023-3019-0001.patch"), "CVE-2023-3019" + ) + self.assertEqual( + parse_cve_from_filename("CVE-2024-21886-1.patch"), "CVE-2024-21886" + ) + + # Patch with CVE ID and prepended text + self.assertEqual( + parse_cve_from_filename("grep-CVE-2012-5667.patch"), "CVE-2012-5667" + ) + self.assertEqual( + parse_cve_from_filename("0001-CVE-2012-5667.patch"), "CVE-2012-5667" + ) + + # Patch with CVE ID and both prepended and appended text + self.assertEqual( + parse_cve_from_filename( + "0001-tpm2_import-fix-fixed-AES-key-CVE-2021-3565-0001.patch" + ), + "CVE-2021-3565", + ) + + # Only grab the last CVE ID in the filename + self.assertEqual( + parse_cve_from_filename("CVE-2012-5667-CVE-2012-5668.patch"), + "CVE-2012-5668", + ) + + # Test invalid CVE ID with incorrect length (must be at least 4 digits) + self.assertEqual( + parse_cve_from_filename("CVE-2024-001.patch"), + "", + ) + + # Test valid CVE ID with very long length + self.assertEqual( + parse_cve_from_filename("CVE-2024-0000000000000000000000001.patch"), + "CVE-2024-0000000000000000000000001", + ) + + def test_parse_cve_from_patch_contents(self): + import textwrap + from oe.cve_check import parse_cves_from_patch_contents + + # Standard patch file excerpt 
without any patches + self.assertEqual( + parse_cves_from_patch_contents( + textwrap.dedent("""\ + remove "*" for root since we don't have a /etc/shadow so far. + + Upstream-Status: Inappropriate [configuration] + + Signed-off-by: Scott Garman + + --- base-passwd/passwd.master~nobash + +++ base-passwd/passwd.master + @@ -1,4 +1,4 @@ + -root:*:0:0:root:/root:/bin/sh + +root::0:0:root:/root:/bin/sh + daemon:*:1:1:daemon:/usr/sbin:/bin/sh + bin:*:2:2:bin:/bin:/bin/sh + sys:*:3:3:sys:/dev:/bin/sh + """) + ), + set(), + ) + + # Patch file with multiple CVE IDs (space-separated) + self.assertEqual( + parse_cves_from_patch_contents( + textwrap.dedent("""\ + There is an assertion in function _cairo_arc_in_direction(). + + CVE: CVE-2019-6461 CVE-2019-6462 + Upstream-Status: Pending + Signed-off-by: Ross Burton + + diff --git a/src/cairo-arc.c b/src/cairo-arc.c + index 390397bae..1bde774a4 100644 + --- a/src/cairo-arc.c + +++ b/src/cairo-arc.c + @@ -186,7 +186,8 @@ _cairo_arc_in_direction (cairo_t *cr, + if (cairo_status (cr)) + return; + + - assert (angle_max >= angle_min); + + if (angle_max < angle_min) + + return; + + if (angle_max - angle_min > 2 * M_PI * MAX_FULL_CIRCLES) { + angle_max = fmod (angle_max - angle_min, 2 * M_PI); + """), + ), + {"CVE-2019-6461", "CVE-2019-6462"}, + ) + + # Patch file with multiple CVE IDs (comma-separated w/ both space and no space) + self.assertEqual( + parse_cves_from_patch_contents( + textwrap.dedent("""\ + There is an assertion in function _cairo_arc_in_direction(). + + CVE: CVE-2019-6461,CVE-2019-6462, CVE-2019-6463 + Upstream-Status: Pending + Signed-off-by: Ross Burton + + diff --git a/src/cairo-arc.c b/src/cairo-arc.c + index 390397bae..1bde774a4 100644 + --- a/src/cairo-arc.c + +++ b/src/cairo-arc.c + 
@@ -186,7 +186,8 @@ _cairo_arc_in_direction (cairo_t *cr, + if (cairo_status (cr)) + return; + + - assert (angle_max >= angle_min); + + if (angle_max < angle_min) + + return; + + if (angle_max - angle_min > 2 * M_PI * MAX_FULL_CIRCLES) { + angle_max = fmod (angle_max - angle_min, 2 * M_PI); + + """), + ), + {"CVE-2019-6461", "CVE-2019-6462", "CVE-2019-6463"}, + ) + + # Patch file with multiple CVE IDs (&-separated) + self.assertEqual( + parse_cves_from_patch_contents( + textwrap.dedent("""\ + There is an assertion in function _cairo_arc_in_direction(). + + CVE: CVE-2019-6461 & CVE-2019-6462 + Upstream-Status: Pending + Signed-off-by: Ross Burton + + diff --git a/src/cairo-arc.c b/src/cairo-arc.c + index 390397bae..1bde774a4 100644 + --- a/src/cairo-arc.c + +++ b/src/cairo-arc.c + @@ -186,7 +186,8 @@ _cairo_arc_in_direction (cairo_t *cr, + if (cairo_status (cr)) + return; + + - assert (angle_max >= angle_min); + + if (angle_max < angle_min) + + return; + + if (angle_max - angle_min > 2 * M_PI * MAX_FULL_CIRCLES) { + angle_max = fmod (angle_max - angle_min, 2 * M_PI); + """), + ), + {"CVE-2019-6461", "CVE-2019-6462"}, + ) + + # Patch file with multiple lines with CVE IDs + self.assertEqual( + parse_cves_from_patch_contents( + textwrap.dedent("""\ + There is an assertion in function _cairo_arc_in_direction(). + + CVE: CVE-2019-6461 & CVE-2019-6462 + + CVE: CVE-2019-6463 & CVE-2019-6464 + Upstream-Status: Pending + Signed-off-by: Ross Burton + + diff --git a/src/cairo-arc.c b/src/cairo-arc.c + index 390397bae..1bde774a4 100644 + --- a/src/cairo-arc.c + +++ b/src/cairo-arc.c + 
@@ -186,7 +186,8 @@ _cairo_arc_in_direction (cairo_t *cr, + if (cairo_status (cr)) + return; + + - assert (angle_max >= angle_min); + + if (angle_max < angle_min) + + return; + + if (angle_max - angle_min > 2 * M_PI * MAX_FULL_CIRCLES) { + angle_max = fmod (angle_max - angle_min, 2 * M_PI); + + """), + ), + {"CVE-2019-6461", "CVE-2019-6462", "CVE-2019-6463", "CVE-2019-6464"}, + ) def test_recipe_report_json(self): config = """ From patchwork Fri Feb 20 05:34:24 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)" X-Patchwork-Id: 81466 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 91A5FC55176 for ; Fri, 20 Feb 2026 05:34:50 +0000 (UTC) Received: from alln-iport-8.cisco.com (alln-iport-8.cisco.com [173.37.142.95]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.32606.1771565685734441813 for ; Thu, 19 Feb 2026 21:34:46 -0800 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: message contains an insecure body length tag" header.i=@cisco.com header.s=iport01 header.b=EQx93Mqj; spf=pass (domain: cisco.com, ip: 173.37.142.95, mailfrom: hetpat@cisco.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.com; i=@cisco.com; l=976; q=dns/txt; s=iport01; t=1771565686; x=1772775286; h=from:to:cc:subject:date:message-id:in-reply-to: references:mime-version:content-transfer-encoding; bh=XM6RtQ3rz7ZAFNH5Ph/J3G7eO/F8qWbVnCC1/xu865M=; b=EQx93Mqjw9Y3EWQobdQfVMoPBHRNK3UwQ+y0oHnGEg7QedFQazPVW4vH 9vFYUnw9gH9u9qFiImhfaVX/4ho7riVNP+gcy0hfC62X/ckEjTlMgygop SnGC+QUAEInQiXnAnMYTJnlpk6+HQ7zlhp5M4sdlisfGK8LrqIGzAblXV +SFXW/4uWmViVZnTNN4AiVIBRp2N9hAUEmk/REi2X5qrqTaicrnPq1JmE 5QBs9jDEbrikQDEgMt/2ZAPqjTnUhCVbjqvqyF8vrVGABf73n5wh7DAcd 
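Review bot: the filename tests at the top of this selftest hunk pin down a lossy rule: `parse_cve_from_filename("CVE-2022-41741-CVE-2022-41742.patch")` is asserted to return only "CVE-2022-41742" (and likewise "CVE-2012-5667-CVE-2012-5668.patch" returns only "CVE-2012-5668"), so a patch named for two CVEs is credited for one and the other stays reported as unpatched unless the patch body carries a `CVE:` tag listing both. Add a comment beside the "Only grab the last CVE ID in the filename" case saying that the `CVE:` tag parsed by `parse_cves_from_patch_contents` is the authoritative source and the filename only a fallback, so nobody later "fixes" the test in the wrong direction. The comment "Standard patch file excerpt without any patches" should read "without any CVE IDs", since the excerpt is itself a patch. The contents tests cover space, comma and `&` separators and repeated `CVE:` lines, but none exercises a tag with trailing free text (for example a parenthesised "partial fix" remark after the IDs) or a `CVE:` line that appears inside the diff body rather than in the description; one case for each would document where the separator parsing stops.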
From: "Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)"
To: openembedded-core@lists.openembedded.org
Cc: xe-linux-external@cisco.com, vchavda@cisco.com
Subject: [openembedded-core] [scarthgap] [PATCH v1 15/34] meta/lib/oe/cve_check.py: fix patched_cves not updated
Date: Thu, 19 Feb 2026 21:34:24 -0800
Message-Id: <20260220053443.3006180-15-hetpat@cisco.com>
In-Reply-To: <20260220053443.3006180-1-hetpat@cisco.com>
References: <20260220053443.3006180-1-hetpat@cisco.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/231465

From: hongxu

Due to commit [cve-check: Rework patch parsing] being applied, it missed updating the patched_cves dictionary if cve_id was not in patched_cves.

Signed-off-by: Hongxu Jia
Signed-off-by: Richard Purdie
(cherry picked from commit 08796a8153666d93bb622c6a7497a85cef4def42)
Signed-off-by: Het Patel
---
 meta/lib/oe/cve_check.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/lib/oe/cve_check.py b/meta/lib/oe/cve_check.py
index c1f36db775..8da03b6865 100644
--- a/meta/lib/oe/cve_check.py
+++ b/meta/lib/oe/cve_check.py
@@ -170,7 +170,7 @@ def get_patched_cves(d): patch_file = bb.fetch.decodeurl(url)[2] for cve_id in parse_cves_from_patch_file(patch_file): if cve_id not in patched_cves: - { + patched_cves[cve_id] = { "abbrev-status": "Patched", "status": "fix-file-included", "resource": [patch_file], From patchwork Fri Feb 20 05:34:25 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)" X-Patchwork-Id: 81461 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id A91EEC55180 for ; Fri, 20 Feb 2026 05:34:50 +0000 (UTC) Received: from alln-iport-4.cisco.com (alln-iport-4.cisco.com [173.37.142.91]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.32608.1771565686056322342 for ; Thu, 19 Feb 2026 21:34:46 -0800 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: message contains an insecure body length tag" header.i=@cisco.com header.s=iport01 header.b=XoX0sfIG; spf=pass (domain: cisco.com, ip: 173.37.142.91, mailfrom: hetpat@cisco.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.com; i=@cisco.com; l=2569; q=dns/txt; s=iport01; t=1771565686; x=1772775286; h=from:to:cc:subject:date:message-id:in-reply-to: references:mime-version:content-transfer-encoding; bh=6YQkSxJwRwX56wPeLchYyY2ISqIY0413NcYJZRvl+nk=; b=XoX0sfIGlw48VeKgYvtHP9fk/ALbOMHgA6ELVMqeifawGOTAGkqNfsor a/eLwlny02oAkJhfdeA7I7jCZzGJ2x0RrTAKBwLdsbkR1WDxfp0IhGztF 6aO3FMdzWX0x1oNuvd1i9166O6lOoZAvwl1xvXKSUpsVY1rjRHLr38oAJ yDEJ7JqnsAP/PIrlZ5gq1s3vDFmMpyQhUWutStAQRKJuStKpiMRlWIMA8 SM+usqSKJuRaCwyMgh6qEUeqqgax0X23poFlMbPwt033HJFlNJRX1pdxV Rav0G/ItWLlIytGipKGH6rYgM4QKddyoHe1pW77dop8O0tKzd1zycA6gy g==; X-CSE-ConnectionGUID: KMWBTmceQ1i7dMw7XW00iw== X-CSE-MsgGUID: 
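Review bot: the one-line fix is right, but the defect it repairs (a bare dictionary literal used as a statement, which is valid Python and so raised nothing) went unnoticed precisely because nothing exercised `get_patched_cves` end to end; the preceding patch in this series adds `test_parse_cve_from_patch_filename` and `test_parse_cve_from_patch_contents` for the parsers, so add a companion selftest here that runs `get_patched_cves` over a recipe whose SRC_URI carries a patch file named for a CVE and asserts the entry with "abbrev-status": "Patched" and "status": "fix-file-included" is present, otherwise the dictionary can silently go missing again. Separately, the `if cve_id not in patched_cves:` guard means a CVE referenced by two patch files keeps only the first `patch_file` in "resource"; if that list is meant to name every fix file, append to `patched_cves[cve_id]["resource"]` in an `else` branch.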
From: "Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)"
To: openembedded-core@lists.openembedded.org
Cc: xe-linux-external@cisco.com, vchavda@cisco.com
Subject: [openembedded-core] [scarthgap] [PATCH v1 16/34] cve-check: allow feed choice
Date: Thu, 19 Feb 2026 21:34:25 -0800
Message-Id: <20260220053443.3006180-16-hetpat@cisco.com>
In-Reply-To: <20260220053443.3006180-1-hetpat@cisco.com>
References: <20260220053443.3006180-1-hetpat@cisco.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/231469

From: Marta Rybczynska

Allow choice of one of three feeds and update task dependencies
accordingly. All feeds contain data from NVD and are stored in
different files.

Set the NVD_DB_VERSION variable to choose feed:
  NVD2 (default) - the NVD feed with API version 2
  NVD1 - the NVD JSON feed (deprecated)
  FKIE - the FKIE-CAD feed reconstruction

In case of a malformed database feed name, we default to NVD2 and
show an error.

Signed-off-by: Marta Rybczynska
Signed-off-by: Richard Purdie
(cherry picked from commit f265812bfb6797aee10e7be42865736c9ff3478f)
Signed-off-by: Het Patel
---
 meta/classes/cve-check.bbclass | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 8aa7293368..234eeae7d4 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass @@ -31,7 +31,12 @@ CVE_PRODUCT ??= "${BPN}" CVE_VERSION ??= "${PV}" -CVE_CHECK_DB_FILENAME ?= "nvdcve_2-2.db" +# Possible database sources: NVD1, NVD2, FKIE +NVD_DB_VERSION ?= "NVD2" + +# Use different file names for each database source, as they synchronize at different moments, so may be slightly different +CVE_CHECK_DB_FILENAME ?= "${@'nvdcve_2-2.db' if d.getVar('NVD_DB_VERSION') == 'NVD2' else 'nvdcve_1-3.db' if d.getVar('NVD_DB_VERSION') == 'NVD1' else 'nvdfkie_1-1.db'}" +CVE_CHECK_DB_FETCHER ?= "${@'cve-update-nvd2-native' if d.getVar('NVD_DB_VERSION') == 'NVD2' else 'cve-update-db-native'}" CVE_CHECK_DB_DIR ?= "${STAGING_DIR}/CVE_CHECK" CVE_CHECK_DB_FILE ?= "${CVE_CHECK_DB_DIR}/${CVE_CHECK_DB_FILENAME}" CVE_CHECK_DB_FILE_LOCK ?= "${CVE_CHECK_DB_FILE}.lock" @@ -101,6 +106,11 @@ CVE_VERSION_SUFFIX ??= "" python () { from oe.cve_check import extend_cve_status extend_cve_status(d) + + nvd_database_type = d.getVar("NVD_DB_VERSION") + if nvd_database_type not in ("NVD1", "NVD2", "FKIE"): + bb.erroronce("Malformed NVD_DB_VERSION, must be one of: NVD1, NVD2, FKIE. Defaulting to NVD2") + d.setVar("NVD_DB_VERSION", "NVD2") } def generate_json_report(d, out_path, link_path): 
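Review bot: in the `@@ -31,7 +31,12 @@` hunk, `CVE_CHECK_DB_FETCHER` routes both NVD1 and FKIE to `cve-update-db-native`, but within this series that recipe is only restored by the next patch ([PATCH v1 17/34]), and as restored it still carries `deltask do_unpack` (only removed in [PATCH v1 18/34]) and fetches nothing but `NVDCVE_URL`, the nvd.nist.gov 1.1 JSON feed, with no FKIE handling at all. So a checkout at this commit with `NVD_DB_VERSION = "NVD1"` or `"FKIE"` fails the `${CVE_CHECK_DB_FETCHER}:do_unpack` dependency, and one patch later the FKIE choice would silently fill `nvdfkie_1-1.db` from the NVD 1.1 feed. Either reorder so the fetcher recipe is complete before the class offers the choice, or say in the commit message that NVD1/FKIE become usable only later in the series. Cosmetics in the same hunk: the comment above `CVE_CHECK_DB_FILENAME` is roughly 130 characters and should be wrapped, and the two nested `${@ ... if ... else ...}` expressions would be easier to audit as a small lookup table if they are kept in line with the validation in the anonymous python function below.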
@@ -171,7 +181,7 @@ python do_cve_check () { addtask cve_check before do_build do_cve_check[vardeps] += "CVE_STATUS CVE_CHECK_STATUSMAP" -do_cve_check[depends] = "cve-update-nvd2-native:do_unpack" +do_cve_check[depends] = "${CVE_CHECK_DB_FETCHER}:do_unpack" do_cve_check[nostamp] = "1" python cve_check_cleanup () { From patchwork Fri Feb 20 05:34:26 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)" X-Patchwork-Id: 81434 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 8504AC5321C for ; Fri, 20 Feb 2026 05:34:49 +0000 (UTC) Received: from alln-iport-5.cisco.com (alln-iport-5.cisco.com [173.37.142.92]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.32338.1771565685765362574 for ; Thu, 19 Feb 2026 21:34:48 -0800 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: message contains an insecure body length tag" header.i=@cisco.com header.s=iport01 header.b=Gn8U0hFm; spf=pass (domain: cisco.com, ip: 173.37.142.92, mailfrom: hetpat@cisco.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.com; i=@cisco.com; l=10050; q=dns/txt; s=iport01; t=1771565687; x=1772775287; h=from:to:cc:subject:date:message-id:in-reply-to: references:mime-version:content-transfer-encoding; bh=4WvjtNU3JgcD1vNx3aAX/gEZU5Qr8xOZ3ohStlhZ1Ec=; b=Gn8U0hFm9gzSpZM0Y2p0m30Bh6n/BuI6iw2U8lWUEIBrNfuyceUWK2tk BhTSuilKWqNElRjN6QDNred4OA15FRTXaSlfr7SQT4cXLepMTQmNZAVNW QECdf6fNrhUCrynR0sGtXr4o/0vBvZ6gWDXXojaqjVNvxRtLjzpHYsRnW bIu9r8PM+wRtOE0L4updvltHXSLjvmVE2JhtcWU1d2qMB6AFLjSKC5xi0 nXigFV8b2fF0twgWZez/MvXEjDLwo/kQ6jDinWPUhCFDzbms8F8zl85XA KRc9dDlehRaep+CT1liKnBDeXXEvKbBS0R3cXesv1EkDDmkura3obn3u2 w==; X-CSE-ConnectionGUID: E93hg9u1SkaSbk3KdItTcQ== 
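Review bot: in the `@@ -101,6 +106,11 @@` hunk, `bb.erroronce(...)` reports an error and then the build carries on with NVD2, which is at odds with both the wording and the commit text ("show an error"): an error that does not stop the build is easy to miss in a long log, and a mistyped feed name then silently changes which vulnerability data the whole report is built from. Either make it `bb.fatal` (a typo in NVD_DB_VERSION is a configuration error worth stopping for) or downgrade to `bb.warn` and keep the fallback; whichever is chosen, the message should state which one it is. The `d.setVar("NVD_DB_VERSION", "NVD2")` fallback does work for the two `${@...}` expansions added in the earlier hunk, since those expand lazily when `CVE_CHECK_DB_FILENAME` and `CVE_CHECK_DB_FETCHER` are read, and that is worth a one-line comment because it is not obvious that the anonymous function runs before them. The `@@ -171,7 +181,7 @@` change to `do_cve_check[depends]` is fine as is.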
From: "Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)"
To: openembedded-core@lists.openembedded.org
Cc: xe-linux-external@cisco.com, vchavda@cisco.com
Subject: [openembedded-core] [scarthgap] [PATCH v1 17/34] cve-update-db-native: restore
Date: Thu, 19 Feb 2026 21:34:26 -0800
Message-Id: <20260220053443.3006180-17-hetpat@cisco.com>
In-Reply-To: <20260220053443.3006180-1-hetpat@cisco.com>
References: <20260220053443.3006180-1-hetpat@cisco.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/231486

From: Marta Rybczynska

Restore cve-update-db from kirkstone

Use cve-update-db-native.bb from OE 8c10f4a4dc12f65212576e6e568fa4369014aaa0

Signed-off-by: Marta Rybczynska
Signed-off-by: Richard Purdie
(cherry picked from commit c84e19edc15b622bfe4d7e268ca5cb18312f09d6)
Signed-off-by: Het Patel
---
 .../recipes-core/meta/cve-update-db-native.bb | 291 ++++++++++++++++++
 1 file changed, 291 insertions(+)
 create mode 100644 meta/recipes-core/meta/cve-update-db-native.bb

diff --git a/meta/recipes-core/meta/cve-update-db-native.bb b/meta/recipes-core/meta/cve-update-db-native.bb
new file mode 100644
index 0000000000..e042e67b09
--- /dev/null
+++ b/meta/recipes-core/meta/cve-update-db-native.bb
@@ -0,0 +1,291 @@ +SUMMARY = "Updates the NVD CVE database" +LICENSE = "MIT" + +INHIBIT_DEFAULT_DEPS = "1" + +inherit native + +deltask do_unpack +deltask do_patch +deltask do_configure +deltask do_compile +deltask do_install +deltask do_populate_sysroot + +NVDCVE_URL ?= "https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-" +# CVE database update interval, in seconds. By default: once a day (24*60*60). +# Use 0 to force the update +# Use a negative value to skip the update +CVE_DB_UPDATE_INTERVAL ?= "86400" + +# Timeout for blocking socket operations, such as the connection attempt. +CVE_SOCKET_TIMEOUT ?= "60" + +CVE_DB_TEMP_FILE ?= "${CVE_CHECK_DB_DIR}/temp_nvdcve_1.1.db" + +python () { + if not bb.data.inherits_class("cve-check", d): + raise bb.parse.SkipRecipe("Skip recipe when cve-check class is not loaded.") +} + +python do_fetch() { + """ + Update NVD database with json data feed + """ + import bb.utils + import bb.progress + import shutil + + bb.utils.export_proxies(d) + + db_file = d.getVar("CVE_CHECK_DB_FILE") + db_dir = os.path.dirname(db_file) + db_tmp_file = d.getVar("CVE_DB_TEMP_FILE") + + cleanup_db_download(db_file, db_tmp_file) + + # The NVD database changes once a day, so no need to update more frequently + # Allow the user to force-update + try: + import time + update_interval = int(d.getVar("CVE_DB_UPDATE_INTERVAL")) + if update_interval < 0: + bb.note("CVE database update skipped") + return + if time.time() - os.path.getmtime(db_file) < update_interval: + bb.debug(2, "Recently updated, skipping") + return + + except OSError: + pass + + bb.utils.mkdirhier(db_dir) + if os.path.exists(db_file): + shutil.copy2(db_file, db_tmp_file) + + if update_db_file(db_tmp_file, d) == True: + # Update downloaded correctly, can swap files + shutil.move(db_tmp_file, db_file) + else: + # Update failed, do not modify the database + bb.note("CVE database update failed") + os.remove(db_tmp_file) +} + +do_fetch[lockfiles] += "${CVE_CHECK_DB_FILE_LOCK}" 
+do_fetch[file-checksums] = "" +do_fetch[vardeps] = "" + +def cleanup_db_download(db_file, db_tmp_file): + """ + Cleanup the download space from possible failed downloads + """ + + # Clean up the updates done on the main file + # Remove it only if a journal file exists - it means a complete re-download + if os.path.exists("{0}-journal".format(db_file)): + # If a journal is present the last update might have been interrupted. In that case, + # just wipe any leftovers and force the DB to be recreated. + os.remove("{0}-journal".format(db_file)) + + if os.path.exists(db_file): + os.remove(db_file) + + # Clean-up the temporary file downloads, we can remove both journal + # and the temporary database + if os.path.exists("{0}-journal".format(db_tmp_file)): + # If a journal is present the last update might have been interrupted. In that case, + # just wipe any leftovers and force the DB to be recreated. + os.remove("{0}-journal".format(db_tmp_file)) + + if os.path.exists(db_tmp_file): + os.remove(db_tmp_file) + +def update_db_file(db_tmp_file, d): + """ + Update the given database file + """ + import bb.utils, bb.progress + from datetime import date + import urllib, gzip, sqlite3 + + YEAR_START = 2002 + cve_socket_timeout = int(d.getVar("CVE_SOCKET_TIMEOUT")) + + # Connect to database + conn = sqlite3.connect(db_tmp_file) + initialize_db(conn) + + with bb.progress.ProgressHandler(d) as ph, open(os.path.join(d.getVar("TMPDIR"), 'cve_check'), 'a') as cve_f: + total_years = date.today().year + 1 - YEAR_START + for i, year in enumerate(range(YEAR_START, date.today().year + 1)): + bb.debug(2, "Updating %d" % year) + ph.update((float(i + 1) / total_years) * 100) + year_url = (d.getVar('NVDCVE_URL')) + str(year) + meta_url = year_url + ".meta" + json_url = year_url + ".json.gz" + + # Retrieve meta last modified date + try: + response = urllib.request.urlopen(meta_url, timeout=cve_socket_timeout) + except urllib.error.URLError as e: + cve_f.write('Warning: CVE db update error, 
Unable to fetch CVE data.\n\n') + bb.warn("Failed to fetch CVE data (%s)" % e) + import socket + result = socket.getaddrinfo("nvd.nist.gov", 443, proto=socket.IPPROTO_TCP) + bb.warn("Host IPs are %s" % (", ".join(t[4][0] for t in result))) + return False + + if response: + for l in response.read().decode("utf-8").splitlines(): + key, value = l.split(":", 1) + if key == "lastModifiedDate": + last_modified = value + break + else: + bb.warn("Cannot parse CVE metadata, update failed") + return False + + # Compare with current db last modified date + cursor = conn.execute("select DATE from META where YEAR = ?", (year,)) + meta = cursor.fetchone() + cursor.close() + + if not meta or meta[0] != last_modified: + bb.debug(2, "Updating entries") + # Clear products table entries corresponding to current year + conn.execute("delete from PRODUCTS where ID like ?", ('CVE-%d%%' % year,)).close() + + # Update db with current year json file + try: + response = urllib.request.urlopen(json_url, timeout=cve_socket_timeout) + if response: + update_db(conn, gzip.decompress(response.read()).decode('utf-8')) + conn.execute("insert or replace into META values (?, ?)", [year, last_modified]).close() + except urllib.error.URLError as e: + cve_f.write('Warning: CVE db update error, CVE data is outdated.\n\n') + bb.warn("Cannot parse CVE data (%s), update failed" % e.reason) + return False + else: + bb.debug(2, "Already up to date (last modified %s)" % last_modified) + # Update success, set the date to cve_check file. 
+ if year == date.today().year: + cve_f.write('CVE database update : %s\n\n' % date.today()) + + conn.commit() + conn.close() + return True + +def initialize_db(conn): + with conn: + c = conn.cursor() + + c.execute("CREATE TABLE IF NOT EXISTS META (YEAR INTEGER UNIQUE, DATE TEXT)") + + c.execute("CREATE TABLE IF NOT EXISTS NVD (ID TEXT UNIQUE, SUMMARY TEXT, \ + SCOREV2 TEXT, SCOREV3 TEXT, MODIFIED INTEGER, VECTOR TEXT)") + + c.execute("CREATE TABLE IF NOT EXISTS PRODUCTS (ID TEXT, \ + VENDOR TEXT, PRODUCT TEXT, VERSION_START TEXT, OPERATOR_START TEXT, \ + VERSION_END TEXT, OPERATOR_END TEXT)") + c.execute("CREATE INDEX IF NOT EXISTS PRODUCT_ID_IDX on PRODUCTS(ID);") + + c.close() + +def parse_node_and_insert(conn, node, cveId): + # Parse children node if needed + for child in node.get('children', ()): + parse_node_and_insert(conn, child, cveId) + + def cpe_generator(): + for cpe in node.get('cpe_match', ()): + if not cpe['vulnerable']: + return + cpe23 = cpe.get('cpe23Uri') + if not cpe23: + return + cpe23 = cpe23.split(':') + if len(cpe23) < 6: + return + vendor = cpe23[3] + product = cpe23[4] + version = cpe23[5] + + if cpe23[6] == '*' or cpe23[6] == '-': + version_suffix = "" + else: + version_suffix = "_" + cpe23[6] + + if version != '*' and version != '-': + # Version is defined, this is a '=' match + yield [cveId, vendor, product, version + version_suffix, '=', '', ''] + elif version == '-': + # no version information is available + yield [cveId, vendor, product, version, '', '', ''] + else: + # Parse start version, end version and operators + op_start = '' + op_end = '' + v_start = '' + v_end = '' + + if 'versionStartIncluding' in cpe: + op_start = '>=' + v_start = cpe['versionStartIncluding'] + + if 'versionStartExcluding' in cpe: + op_start = '>' + v_start = cpe['versionStartExcluding'] + + if 'versionEndIncluding' in cpe: + op_end = '<=' + v_end = cpe['versionEndIncluding'] + + if 'versionEndExcluding' in cpe: + op_end = '<' + v_end = 
cpe['versionEndExcluding'] + + if op_start or op_end or v_start or v_end: + yield [cveId, vendor, product, v_start, op_start, v_end, op_end] + else: + # This is no version information, expressed differently. + # Save processing by representing as -. + yield [cveId, vendor, product, '-', '', '', ''] + + conn.executemany("insert into PRODUCTS values (?, ?, ?, ?, ?, ?, ?)", cpe_generator()).close() + +def update_db(conn, jsondata): + import json + root = json.loads(jsondata) + + for elt in root['CVE_Items']: + if not elt['impact']: + continue + + accessVector = None + cveId = elt['cve']['CVE_data_meta']['ID'] + cveDesc = elt['cve']['description']['description_data'][0]['value'] + date = elt['lastModifiedDate'] + try: + accessVector = elt['impact']['baseMetricV2']['cvssV2']['accessVector'] + cvssv2 = elt['impact']['baseMetricV2']['cvssV2']['baseScore'] + except KeyError: + cvssv2 = 0.0 + try: + accessVector = accessVector or elt['impact']['baseMetricV3']['cvssV3']['attackVector'] + cvssv3 = elt['impact']['baseMetricV3']['cvssV3']['baseScore'] + except KeyError: + accessVector = accessVector or "UNKNOWN" + cvssv3 = 0.0 + + conn.execute("insert or replace into NVD values (?, ?, ?, ?, ?, ?)", + [cveId, cveDesc, cvssv2, cvssv3, date, accessVector]).close() + + configurations = elt['configurations']['nodes'] + for config in configurations: + parse_node_and_insert(conn, config, cveId) + + +do_fetch[nostamp] = "1" + +EXCLUDE_FROM_WORLD = "1" From patchwork Fri Feb 20 05:34:27 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)" X-Patchwork-Id: 81439 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id BB759C54F54 for ; Fri, 20 Feb 2026 05:34:49 
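Review bot: in `parse_node_and_insert`, the `cpe_generator` uses `return` for a non-vulnerable entry (`if not cpe['vulnerable']: return`), for a missing `cpe23Uri` and for a URI with fewer than six fields; `return` inside a generator ends the whole iteration, so every `cpe_match` entry after the first such one is dropped for that node and its products never reach the PRODUCTS table, which makes cve-check miss affected packages, the worst failure mode for this tool. All three should be `continue`. Two lines later the guard `len(cpe23) < 6` does not protect the read of `cpe23[6]`, so a URI with exactly six fields raises IndexError; the check should be `< 7`. In `update_db_file`, only `urllib.error.URLError` is caught around the JSON download, so a truncated gzip (`EOFError`, `gzip.BadGzipFile`) or invalid JSON propagates out of `do_fetch` instead of reaching the "update failed" branch, leaving `db_tmp_file` behind for `cleanup_db_download` on the next run; catch those too. The `.meta` file is read only for `lastModifiedDate` and the downloaded `.json.gz` is never checked against the digest that file also carries (assuming the NVD 1.1 meta format, which is not visible in this hunk), so verifying that digest before `update_db` would make the "Update downloaded correctly" comment in `do_fetch` true rather than hopeful. The `for ... else` around the meta parse is correct as written, and `do_fetch[vardeps] = ""` together with `do_fetch[nostamp] = "1"` is clearly deliberate but deserves a comment explaining why.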
HqhgrTrIeshFvWkdO3wyHC0GQkmVUFN0OevzXRSLaV/wmWeG0YAzcmCA2kTHotIveB5H10W0 tMpcxBOfkCNvPuflefTpulE3qzPLeHxN48Z/3UlxjbDALN+G9bIQr7B4plT2zJYasJmRKmFI ZFGL2AyMVKZOEwn1lQ/UPrSmM+oi2XneiFwo1OOrq1x6G/WpOB0+OayaYqEJYPRFK25mG6h/ 13fo3nFEyoHD5+hlGfd4F+e1/L2yHaTtIU6UefQGuRRqFqLy2oeDRcbWVe2rbyyjVSzc9ZeM FAPvC02oK4/8UamQtXwU1u/unHsg/IHc8BbH+t/7ESGzbDZpl7DQGMFVTVGLtchsafaWAAX6 7NApPuxbRQHjVFfYSj1Gmu8xd9qBRUoEA== IronPort-HdrOrdr: A9a23:gYuVCqH2kPz9UOlipLqE78eALOsnbusQ8zAXPo5KJiC9Ffbo8P xG88576faZslsssTQb6LK90cq7MBfhHOBOgbX5VI3KNGKNhILrFvAG0WKI+VPd8kPFmtK1rZ 0QEJSXzLbLfCFHZQGQ2njfL+od X-Talos-CUID: 9a23:l6X+smw4LRRfphnHboh3BgUxOcZ1NXvT0kuIBGCJUkYqWO2bcka5rfY= X-Talos-MUID: 9a23:yUWBbwQtHGmbREjHRXTV3Q57aNpU8p+zMwMzzMheqeS2ZDFJbmI= X-IronPort-Anti-Spam-Filtered: true X-IronPort-AV: E=Sophos;i="6.21,301,1763424000"; d="scan'208";a="671897739" Received: from rcdn-l-core-02.cisco.com ([173.37.255.139]) by alln-iport-8.cisco.com with ESMTP/TLS/TLS_AES_256_GCM_SHA384; 20 Feb 2026 05:34:45 +0000 Received: from sjc-ads-8556.cisco.com (sjc-ads-8556.cisco.com [171.68.222.95]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by rcdn-l-core-02.cisco.com (Postfix) with ESMTPS id 826601800023F; Fri, 20 Feb 2026 05:34:45 +0000 (GMT) Received: by sjc-ads-8556.cisco.com (Postfix, from userid 1847788) id ABB46CC8D03; Thu, 19 Feb 2026 21:34:44 -0800 (PST) 
From: "Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)" To: openembedded-core@lists.openembedded.org Cc: xe-linux-external@cisco.com, vchavda@cisco.com Subject: [openembedded-core] [scarthgap] [PATCH v1 18/34] cve-update-db-native: update structure Date: Thu, 19 Feb 2026 21:34:27 -0800 Message-Id: <20260220053443.3006180-18-hetpat@cisco.com> X-Mailer: git-send-email 2.35.6 In-Reply-To: <20260220053443.3006180-1-hetpat@cisco.com> References: <20260220053443.3006180-1-hetpat@cisco.com> MIME-Version: 1.0 X-Outbound-SMTP-Client: 171.68.222.95, sjc-ads-8556.cisco.com X-Outbound-Node: rcdn-l-core-02.cisco.com List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 20 Feb 2026 05:34:49 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/231472 From: Marta Rybczynska Update the database structure and tasks to fit the current YP master. This means: - add the unpack task - update the database structure (CVSS, vector string) - use the temporary database in the same directory as the download However, the old feed does not include CVSS4 Signed-off-by: Marta Rybczynska Signed-off-by: Richard Purdie (cherry picked from commit dd249921a5d6b8e472242b57415de3f210dc81f1) Signed-off-by: Het Patel --- .../recipes-core/meta/cve-update-db-native.bb | 28 ++++++++++++++----- 1 file changed, 21 insertions(+), 7 deletions(-) diff --git a/meta/recipes-core/meta/cve-update-db-native.bb b/meta/recipes-core/meta/cve-update-db-native.bb index e042e67b09..3a9d43943c 100644 --- a/meta/recipes-core/meta/cve-update-db-native.bb +++ b/meta/recipes-core/meta/cve-update-db-native.bb @@ -5,7 +5,6 @@ INHIBIT_DEFAULT_DEPS = "1" inherit native -deltask do_unpack deltask do_patch deltask do_configure deltask do_compile 
@@ -21,7 +20,10 @@ CVE_DB_UPDATE_INTERVAL ?= "86400" # Timeout for blocking socket operations, such as the connection attempt. CVE_SOCKET_TIMEOUT ?= "60" -CVE_DB_TEMP_FILE ?= "${CVE_CHECK_DB_DIR}/temp_nvdcve_1.1.db" +CVE_CHECK_DB_DLDIR_FILE ?= "${DL_DIR}/CVE_CHECK2/${CVE_CHECK_DB_FILENAME}" +CVE_CHECK_DB_DLDIR_LOCK ?= "${CVE_CHECK_DB_DLDIR_FILE}.lock" + +CVE_DB_TEMP_FILE ?= "${CVE_CHECK_DB_DLDIR_FILE}.tmp" python () { if not bb.data.inherits_class("cve-check", d): @@ -38,7 +40,7 @@ python do_fetch() { bb.utils.export_proxies(d) - db_file = d.getVar("CVE_CHECK_DB_FILE") + db_file = d.getVar("CVE_CHECK_DB_DLDIR_FILE") db_dir = os.path.dirname(db_file) db_tmp_file = d.getVar("CVE_DB_TEMP_FILE") @@ -72,10 +74,16 @@ python do_fetch() { os.remove(db_tmp_file) } -do_fetch[lockfiles] += "${CVE_CHECK_DB_FILE_LOCK}" +do_fetch[lockfiles] += "${CVE_CHECK_DB_DLDIR_LOCK}" do_fetch[file-checksums] = "" do_fetch[vardeps] = "" +python do_unpack() { + import shutil + shutil.copyfile(d.getVar("CVE_CHECK_DB_DLDIR_FILE"), d.getVar("CVE_CHECK_DB_FILE")) +} +do_unpack[lockfiles] += "${CVE_CHECK_DB_DLDIR_LOCK} ${CVE_CHECK_DB_FILE_LOCK}" + def cleanup_db_download(db_file, db_tmp_file): """ Cleanup the download space from possible failed downloads @@ -183,7 +191,7 @@ def initialize_db(conn): c.execute("CREATE TABLE IF NOT EXISTS META (YEAR INTEGER UNIQUE, DATE TEXT)") c.execute("CREATE TABLE IF NOT EXISTS NVD (ID TEXT UNIQUE, SUMMARY TEXT, \ - SCOREV2 TEXT, SCOREV3 TEXT, MODIFIED INTEGER, VECTOR TEXT)") + SCOREV2 TEXT, SCOREV3 TEXT, SCOREV4 TEXT, MODIFIED INTEGER, VECTOR TEXT, VECTORSTRING TEXT)") c.execute("CREATE TABLE IF NOT EXISTS PRODUCTS (ID TEXT, \ VENDOR TEXT, PRODUCT TEXT, VERSION_START TEXT, OPERATOR_START TEXT, \ 
@@ -263,23 +271,29 @@ def update_db(conn, jsondata): continue accessVector = None + vectorString = None + cvssv2 = 0.0 + cvssv3 = 0.0 + cvssv4 = 0.0 cveId = elt['cve']['CVE_data_meta']['ID'] cveDesc = elt['cve']['description']['description_data'][0]['value'] date = elt['lastModifiedDate'] try: accessVector = elt['impact']['baseMetricV2']['cvssV2']['accessVector'] + vectorString = elt['impact']['baseMetricV2']['cvssV2']['vectorString'] cvssv2 = elt['impact']['baseMetricV2']['cvssV2']['baseScore'] except KeyError: cvssv2 = 0.0 try: accessVector = accessVector or elt['impact']['baseMetricV3']['cvssV3']['attackVector'] + vectorString = vectorString or elt['impact']['baseMetricV3']['cvssV3']['vectorString'] cvssv3 = elt['impact']['baseMetricV3']['cvssV3']['baseScore'] except KeyError: accessVector = accessVector or "UNKNOWN" cvssv3 = 0.0 - conn.execute("insert or replace into NVD values (?, ?, ?, ?, ?, ?)", - [cveId, cveDesc, cvssv2, cvssv3, date, accessVector]).close() + conn.execute("insert or replace into NVD values (?, ?, ?, ?, ?, ?, ?, ?)", + [cveId, cveDesc, cvssv2, cvssv3, cvssv4, date, accessVector, vectorString]).close() configurations = elt['configurations']['nodes'] for config in configurations: From patchwork Fri Feb 20 05:34:28 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)" X-Patchwork-Id: 81445 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 09822C54F9B for ; Fri, 20 Feb 2026 05:34:50 +0000 (UTC) Received: from alln-iport-8.cisco.com (alln-iport-8.cisco.com [173.37.142.95]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.32339.1771565686650014442 for ; Thu, 19 Feb 2026 21:34:46 -0800 Authentication-Results: 
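Review bot: the NVD table gains SCOREV4 and VECTORSTRING through `CREATE TABLE IF NOT EXISTS`, which leaves an already-created database on the old six-column layout untouched; the new `insert or replace into NVD values (?, ?, ?, ?, ?, ?, ?, ?)` then fails on every row for anyone who already has the file from the previous recipe. Either bump the database file name (`CVE_CHECK_DB_FILENAME` already carries a version suffix such as `nvdcve_1-3.db` for exactly this purpose) or detect the old layout, for example via `PRAGMA table_info(NVD)`, and recreate the table.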
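Review bot: in the `update_db` hunk the `cvssv2 = 0.0` and `cvssv3 = 0.0` assignments inside the two `except KeyError` branches are now redundant, since all three scores are initialised to 0.0 before the `try` blocks; drop them so the handlers only carry the `accessVector` fallback. `vectorString`, on the other hand, gets no fallback at all: when neither V2 nor V3 metrics are present, VECTOR is stored as "UNKNOWN" while VECTORSTRING is stored as NULL, so consumers have to handle two different "no data" encodings. Pick one convention for both columns. `cvssv4` is always written as 0.0 here, which the commit message explains (the 1.1 feed carries no CVSS4); a one-line comment next to `cvssv4 = 0.0` would save the next reader a trip to the log.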
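Review bot: the new `do_unpack` calls `shutil.copyfile(d.getVar("CVE_CHECK_DB_DLDIR_FILE"), d.getVar("CVE_CHECK_DB_FILE"))` unconditionally. If `do_fetch` skipped the download (a negative `CVE_DB_UPDATE_INTERVAL`) or took the warning path in `update_db_file` before a first successful download, the source file does not exist and the task dies with a raw FileNotFoundError. An `os.path.exists` check with a `bb.fatal` that names the path would make that failure readable. Also, `db_dir = os.path.dirname(db_file)` now refers to the `${DL_DIR}/CVE_CHECK2` directory rather than `${CVE_CHECK_DB_DIR}`, so make sure the destination directory of `CVE_CHECK_DB_FILE` is still created before `copyfile` runs.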
From: "Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)" To: openembedded-core@lists.openembedded.org Cc: xe-linux-external@cisco.com, vchavda@cisco.com Subject: [openembedded-core] [scarthgap] [PATCH v1 19/34] cve-update-db-native: add the fkie source Date: Thu, 19 Feb 2026 21:34:28 -0800 Message-Id: <20260220053443.3006180-19-hetpat@cisco.com> X-Mailer: git-send-email 2.35.6 In-Reply-To: <20260220053443.3006180-1-hetpat@cisco.com> References: <20260220053443.3006180-1-hetpat@cisco.com> MIME-Version: 1.0 X-Outbound-SMTP-Client: 171.68.222.95, sjc-ads-8556.cisco.com X-Outbound-Node: rcdn-l-core-08.cisco.com List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 20 Feb 2026 05:34:50 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/231475 From: Marta Rybczynska Add support for FKIE-CAD reconstruction of NVD feed from https://github.com/fkie-cad/nvd-json-data-feeds We download this feed directly from github releases. Signed-off-by: Marta Rybczynska Signed-off-by: Richard Purdie (cherry picked from commit f6253ac8189db09fbe87141aca1733cb37a4d78f) Signed-off-by: Het Patel --- .../recipes-core/meta/cve-update-db-native.bb | 126 ++++++++++++++++-- 1 file changed, 113 insertions(+), 13 deletions(-) diff --git a/meta/recipes-core/meta/cve-update-db-native.bb b/meta/recipes-core/meta/cve-update-db-native.bb index 3a9d43943c..792252f510 100644 --- a/meta/recipes-core/meta/cve-update-db-native.bb +++ b/meta/recipes-core/meta/cve-update-db-native.bb @@ -12,6 +12,8 @@ deltask do_install deltask do_populate_sysroot NVDCVE_URL ?= "https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-" +FKIE_URL ?= "https://github.com/fkie-cad/nvd-json-data-feeds/releases/latest/download/CVE-" + # CVE database update interval, in seconds. By default: once a day (24*60*60). # Use 0 to force the update # Use a negative value to skip the update 
@@ -109,6 +111,30 @@ def cleanup_db_download(db_file, db_tmp_file): if os.path.exists(db_tmp_file): os.remove(db_tmp_file) +def db_file_names(d, year, is_nvd): + if is_nvd: + year_url = d.getVar('NVDCVE_URL') + str(year) + meta_url = year_url + ".meta" + json_url = year_url + ".json.gz" + return json_url, meta_url + year_url = d.getVar('FKIE_URL') + str(year) + meta_url = year_url + ".meta" + json_url = year_url + ".json.xz" + return json_url, meta_url + +def host_db_name(d, is_nvd): + if is_nvd: + return "nvd.nist.gov" + return "github.com" + +def db_decompress(d, data, is_nvd): + import gzip, lzma + + if is_nvd: + return gzip.decompress(data).decode('utf-8') + # otherwise + return lzma.decompress(data) + def update_db_file(db_tmp_file, d): """ Update the given database file @@ -119,6 +145,7 @@ def update_db_file(db_tmp_file, d): YEAR_START = 2002 cve_socket_timeout = int(d.getVar("CVE_SOCKET_TIMEOUT")) + is_nvd = d.getVar("NVD_DB_VERSION") == "NVD1" # Connect to database conn = sqlite3.connect(db_tmp_file) @@ -129,9 +156,7 @@ def update_db_file(db_tmp_file, d): for i, year in enumerate(range(YEAR_START, date.today().year + 1)): bb.debug(2, "Updating %d" % year) ph.update((float(i + 1) / total_years) * 100) - year_url = (d.getVar('NVDCVE_URL')) + str(year) - meta_url = year_url + ".meta" - json_url = year_url + ".json.gz" + json_url, meta_url = db_file_names(d, year, is_nvd) # Retrieve meta last modified date try: @@ -140,7 +165,7 @@ def update_db_file(db_tmp_file, d): cve_f.write('Warning: CVE db update error, Unable to fetch CVE data.\n\n') bb.warn("Failed to fetch CVE data (%s)" % e) import socket - result = socket.getaddrinfo("nvd.nist.gov", 443, proto=socket.IPPROTO_TCP) + result = socket.getaddrinfo(host_db_name(d, is_nvd), 443, proto=socket.IPPROTO_TCP) bb.warn("Host IPs are %s" % (", ".join(t[4][0] for t in result))) return False 
@@ -168,7 +193,7 @@ def update_db_file(db_tmp_file, d): try: response = urllib.request.urlopen(json_url, timeout=cve_socket_timeout) if response: - update_db(conn, gzip.decompress(response.read()).decode('utf-8')) + update_db(d, conn, db_decompress(d, response.read(), is_nvd)) conn.execute("insert or replace into META values (?, ?)", [year, last_modified]).close() except urllib.error.URLError as e: cve_f.write('Warning: CVE db update error, CVE data is outdated.\n\n') @@ -200,16 +225,22 @@ def initialize_db(conn): c.close() -def parse_node_and_insert(conn, node, cveId): +def parse_node_and_insert(conn, node, cveId, is_nvd): # Parse children node if needed for child in node.get('children', ()): - parse_node_and_insert(conn, child, cveId) + parse_node_and_insert(conn, child, cveId, is_nvd) + + def cpe_generator(is_nvd): + match_string = "cpeMatch" + cpe_string = 'criteria' + if is_nvd: + match_string = "cpe_match" + cpe_string = 'cpe23Uri' - def cpe_generator(): - for cpe in node.get('cpe_match', ()): + for cpe in node.get(match_string, ()): if not cpe['vulnerable']: return - cpe23 = cpe.get('cpe23Uri') + cpe23 = cpe.get(cpe_string) if not cpe23: return cpe23 = cpe23.split(':') @@ -260,9 +291,9 @@ def parse_node_and_insert(conn, node, cveId): # Save processing by representing as -. yield [cveId, vendor, product, '-', '', '', ''] - conn.executemany("insert into PRODUCTS values (?, ?, ?, ?, ?, ?, ?)", cpe_generator()).close() + conn.executemany("insert into PRODUCTS values (?, ?, ?, ?, ?, ?, ?)", cpe_generator(is_nvd)).close() -def update_db(conn, jsondata): +def update_db_nvdjson(conn, jsondata): import json root = json.loads(jsondata) 
@@ -297,8 +328,77 @@ def update_db(conn, jsondata): configurations = elt['configurations']['nodes'] for config in configurations: - parse_node_and_insert(conn, config, cveId) + parse_node_and_insert(conn, config, cveId, True) + +def update_db_fkie(conn, jsondata): + import json + root = json.loads(jsondata) + + for elt in root['cve_items']: + if not 'vulnStatus' in elt or elt['vulnStatus'] == 'Rejected': + continue + + if not 'configurations' in elt: + continue + + accessVector = None + vectorString = None + cvssv2 = 0.0 + cvssv3 = 0.0 + cvssv4 = 0.0 + cveId = elt['id'] + cveDesc = elt['descriptions'][0]['value'] + date = elt['lastModified'] + try: + for m in elt['metrics']['cvssMetricV2']: + if m['type'] == 'Primary': + accessVector = m['cvssData']['accessVector'] + vectorString = m['cvssData']['vectorString'] + cvssv2 = m['cvssData']['baseScore'] + except KeyError: + cvssv2 = 0.0 + try: + for m in elt['metrics']['cvssMetricV30']: + if m['type'] == 'Primary': + accessVector = m['cvssData']['accessVector'] + vectorString = m['cvssData']['vectorString'] + cvssv3 = m['cvssData']['baseScore'] + except KeyError: + accessVector = accessVector or "UNKNOWN" + cvssv3 = 0.0 + try: + for m in elt['metrics']['cvssMetricV31']: + if m['type'] == 'Primary': + accessVector = m['cvssData']['accessVector'] + vectorString = m['cvssData']['vectorString'] + cvssv3 = m['cvssData']['baseScore'] + except KeyError: + accessVector = accessVector or "UNKNOWN" + cvssv3 = 0.0 + try: + for m in elt['metrics']['cvssMetricV40']: + if m['type'] == 'Primary': + accessVector = m['cvssData']['accessVector'] + vectorString = m['cvssData']['vectorString'] + cvssv4 = m['cvssData']['baseScore'] + except KeyError: + accessVector = accessVector or "UNKNOWN" + cvssv4 = 0.0 + conn.execute("insert or replace into NVD values (?, ?, ?, ?, ?, ?, ?, ?)", + [cveId, cveDesc, cvssv2, cvssv3, cvssv4, date, accessVector, vectorString]).close() + + for config in elt['configurations']: + # This is suboptimal as it 
doesn't handle AND/OR and negate, but is better than nothing + for node in config["nodes"]: + parse_node_and_insert(conn, node, cveId, False) + + +def update_db(d, conn, jsondata): + if (d.getVar("NVD_DB_VERSION") == "FKIE"): + return update_db_fkie(conn, jsondata) + else: + return update_db_nvdjson(conn, jsondata) do_fetch[nostamp] = "1" From patchwork Fri Feb 20 05:34:29 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)" X-Patchwork-Id: 81441 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id E5F3EC54F5D for ; Fri, 20 Feb 2026 05:34:49 +0000 (UTC) Received: from alln-iport-4.cisco.com (alln-iport-4.cisco.com [173.37.142.91]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.32608.1771565686056322342 for ; Thu, 19 Feb 2026 21:34:46 -0800 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: message contains an insecure body length tag" header.i=@cisco.com header.s=iport01 header.b=CxhnnyJD; spf=pass (domain: cisco.com, ip: 173.37.142.91, mailfrom: hetpat@cisco.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.com; i=@cisco.com; l=1252; q=dns/txt; s=iport01; t=1771565686; x=1772775286; h=from:to:cc:subject:date:message-id:in-reply-to: references:mime-version:content-transfer-encoding; bh=0sp4lL/ykYh2De6xzOC/1eVtCE0pySieXOsQTgtFooA=; b=CxhnnyJDVYYiOXrT+taex+X7+hSXfQoLgaWQNvEHZia5MRTDZ2QunCHV 9/F+rNLuDHEtBmmAPAvkFLzuwb/jKWZD6zKqlPJjxu4GbOs2m7i4rqKip wgr58TrcSdiqd8iTrQ0jnrCAiLNCtRAbuEO3qq0ALVrOK/QGssuHjiXff h7YxrbGgspsiAOyf9gFL75+E68lx+aE8J7Z/W1/lDmBK0rc/0kx0PGu2t wodx3OWtyF2vkbJSn28tIzNfo+rXsL+wf23i7Rf4crurpjZYvgsKmVAAU MV44gHAXYABopWg1zKHZMvlBevLfaZs+NXYgJVCp7uJND9auQn0mqHx/J g==; X-CSE-ConnectionGUID: 
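Review bot: `db_decompress` returns a `str` for the NVD feed (`gzip.decompress(data).decode('utf-8')`) but raw `bytes` for FKIE (`lzma.decompress(data)`); `json.loads` accepts both, so it works today, but the mismatch is a trap for any other caller, so decode the lzma result the same way. `d` is unused in both `db_decompress` and `host_db_name`. Separately, `FKIE_URL` points at `.../releases/latest/download/CVE-<year>.json.xz`, so each download is whatever GitHub currently serves as "latest", and the recipe pins no checksum; the `.meta` last-modified date is the only freshness signal and there is no integrity check beyond HTTPS. That is the same trust model as the NVD feed, but it is worth a comment next to `FKIE_URL` so the assumption is explicit.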
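Review bot: `cpe_generator(is_nvd)` takes `is_nvd` as a parameter that shadows the enclosing `parse_node_and_insert(conn, node, cveId, is_nvd)` argument, which the closure could read directly; the parameter adds nothing and lets the two drift apart. In the same loop, `return` on `not cpe['vulnerable']` or a missing `cpe23` ends the generator for the whole node, so any vulnerable match listed after a non-vulnerable one is silently dropped, which is the false-negative direction for a CVE scanner. The behaviour predates this hunk, but since the loop is being rewritten for the `cpeMatch`/`criteria` keys anyway, `continue` is the safer choice.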
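Review bot: `update_db(d, conn, jsondata)` dispatches on `NVD_DB_VERSION == "FKIE"`, while `update_db_file` computes `is_nvd = d.getVar("NVD_DB_VERSION") == "NVD1"`. For any other value (NVD2 is listed as a valid source in `cve-check.bbclass`) the two disagree: the FKIE URL and `lzma` path are used for the download, but the result is handed to `update_db_nvdjson`, which fails with KeyError on `root['CVE_Items']`. Derive both from one predicate, or `bb.fatal` on an unexpected value. In `update_db_fkie`, the four `for m in elt['metrics'][...]` loops only take `type == 'Primary'` records, so a CVE with only a Secondary CVSS record keeps score 0.0 and VECTOR "UNKNOWN" with no log line; a `bb.debug` when a metric list exists but has no Primary entry would help triage. Finally, the comment that AND/OR and `negate` are not handled deserves a sentence in the commit message: treating every node as an independent match over-reports (AND-combined nodes are matched one at a time, so more false positives), while a `negate: true` node is matched as if its listed products were vulnerable, which inverts its meaning; at minimum skip or log nodes that carry `negate`.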
RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by rcdn-l-core-09.cisco.com (Postfix) with ESMTPS id 86BD018000202; Fri, 20 Feb 2026 05:34:45 +0000 (GMT) Received: by sjc-ads-8556.cisco.com (Postfix, from userid 1847788) id B49D8CC8D05; Thu, 19 Feb 2026 21:34:44 -0800 (PST) From: "Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)" To: openembedded-core@lists.openembedded.org Cc: xe-linux-external@cisco.com, vchavda@cisco.com Subject: [openembedded-core] [scarthgap] [PATCH v1 20/34] cve-check: change the default feed Date: Thu, 19 Feb 2026 21:34:29 -0800 Message-Id: <20260220053443.3006180-20-hetpat@cisco.com> X-Mailer: git-send-email 2.35.6 In-Reply-To: <20260220053443.3006180-1-hetpat@cisco.com> References: <20260220053443.3006180-1-hetpat@cisco.com> MIME-Version: 1.0 X-Outbound-SMTP-Client: 171.68.222.95, sjc-ads-8556.cisco.com X-Outbound-Node: rcdn-l-core-09.cisco.com List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 20 Feb 2026 05:34:49 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/231474 From: Marta Rybczynska Move to the FKIE feed by default, as it is showing better stability than NVD2. Content of the feed should be the same. Signed-off-by: Marta Rybczynska Signed-off-by: Mathieu Dubois-Briand Signed-off-by: Richard Purdie (cherry picked from commit 10580a6d36aa1366732f9c030345bd4590eb9f74) Signed-off-by: Het Patel --- meta/classes/cve-check.bbclass | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass index 234eeae7d4..3555a74c42 100644 --- a/meta/classes/cve-check.bbclass +++ b/meta/classes/cve-check.bbclass 
@@ -32,7 +32,7 @@ CVE_PRODUCT ??= "${BPN}" CVE_VERSION ??= "${PV}" # Possible database sources: NVD1, NVD2, FKIE -NVD_DB_VERSION ?= "NVD2" +NVD_DB_VERSION ?= "FKIE" # Use different file names for each database source, as they synchronize at different moments, so may be slightly different CVE_CHECK_DB_FILENAME ?= "${@'nvdcve_2-2.db' if d.getVar('NVD_DB_VERSION') == 'NVD2' else 'nvdcve_1-3.db' if d.getVar('NVD_DB_VERSION') == 'NVD1' else 'nvdfkie_1-1.db'}" From patchwork Fri Feb 20 05:34:30 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)" X-Patchwork-Id: 81457 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 6C994C5516D for ; Fri, 20 Feb 2026 05:34:50 +0000 (UTC) Received: from alln-iport-2.cisco.com (alln-iport-2.cisco.com [173.37.142.89]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.32609.1771565686307896284 for ; Thu, 19 Feb 2026 21:34:47 -0800 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: message contains an insecure body length tag" header.i=@cisco.com header.s=iport01 header.b=HMl12DwL; spf=pass (domain: cisco.com, ip: 173.37.142.89, mailfrom: hetpat@cisco.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.com; i=@cisco.com; l=2360; q=dns/txt; s=iport01; t=1771565687; x=1772775287; h=from:to:cc:subject:date:message-id:in-reply-to: references:mime-version:content-transfer-encoding; bh=qQF7MV+QFxdCrzr3V3Nq1N46pCFkwHT60VjzoMRzcEI=; b=HMl12DwLh9mAGz/nR2Z+9ihoJSWxHLQWFmAQLLMps8MOldffook13i2/ ESnNRiZ73AAghLxHJeeRswC2PdjUzUn9Dcn3y5aYbIK2U0/8I7zXP4ni4 t4a8I26xxy1BHNC2tqUrMbEpXdKJBqu5vjrnd2LzeI2WA29WgDWFft0MZ w5+CFoashRPtjjrWfO74inxBKJf0GUr8pRmhwx4lYMbAe5qzlijpLcHpR 
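Review bot: switching the `NVD_DB_VERSION` default to FKIE also changes the download endpoint from nvd.nist.gov to GitHub releases (`FKIE_URL`) and the on-disk database from `nvdcve_2-2.db` to `nvdfkie_1-1.db`, as the `CVE_CHECK_DB_FILENAME` line below the hunk shows. Neither is mentioned in the commit message; users who allowlist the NVD host in a proxy or egress policy, or who pre-seed the database file in `DL_DIR`, will see a silent change of behaviour. State both consequences in the message and consider a release-note entry.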
(sjc-ads-8556.cisco.com [171.68.222.95]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by rcdn-l-core-06.cisco.com (Postfix) with ESMTPS id 894A618000246; Fri, 20 Feb 2026 05:34:45 +0000 (GMT) Received: by sjc-ads-8556.cisco.com (Postfix, from userid 1847788) id B8E96CC8D06; Thu, 19 Feb 2026 21:34:44 -0800 (PST) From: "Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)" To: openembedded-core@lists.openembedded.org Cc: xe-linux-external@cisco.com, vchavda@cisco.com Subject: [openembedded-core] [scarthgap] [PATCH v1 21/34] cve-check: fix debug message Date: Thu, 19 Feb 2026 21:34:30 -0800 Message-Id: <20260220053443.3006180-21-hetpat@cisco.com> X-Mailer: git-send-email 2.35.6 In-Reply-To: <20260220053443.3006180-1-hetpat@cisco.com> References: <20260220053443.3006180-1-hetpat@cisco.com> MIME-Version: 1.0 X-Outbound-SMTP-Client: 171.68.222.95, sjc-ads-8556.cisco.com X-Outbound-Node: rcdn-l-core-06.cisco.com List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 20 Feb 2026 05:34:50 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/231485 From: Daniel Turull Debug level was not added as a parameter, causing a warning. Signed-off-by: Daniel Turull Signed-off-by: Richard Purdie (cherry picked from commit 40157fcbd9066f261812ba665ec963b2e496aa53) Signed-off-by: Het Patel --- meta/classes/cve-check.bbclass | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass index 3555a74c42..1641ed4aff 100644 --- a/meta/classes/cve-check.bbclass +++ b/meta/classes/cve-check.bbclass 
@@ -279,7 +279,7 @@ def cve_update(d, cve_data, cve, entry): cve_data[cve] = entry return # If we are updating, there might be change in the status - bb.debug("Trying CVE entry update for %s from %s to %s" % (cve, cve_data[cve]['abbrev-status'], entry['abbrev-status'])) + bb.debug(1, "Trying CVE entry update for %s from %s to %s" % (cve, cve_data[cve]['abbrev-status'], entry['abbrev-status'])) if cve_data[cve]['abbrev-status'] == "Unknown": cve_data[cve] = entry return 
@@ -290,16 +290,16 @@ def cve_update(d, cve_data, cve, entry): if entry['status'] == "version-in-range" and cve_data[cve]['status'] == "version-not-in-range": # New result from the scan, vulnerable cve_data[cve] = entry - bb.debug("CVE entry %s update from Patched to Unpatched from the scan result" % cve) + bb.debug(1, "CVE entry %s update from Patched to Unpatched from the scan result" % cve) return if entry['abbrev-status'] == "Patched" and cve_data[cve]['abbrev-status'] == "Unpatched": if entry['status'] == "version-not-in-range" and cve_data[cve]['status'] == "version-in-range": # Range does not match the scan, but we already have a vulnerable match, ignore - bb.debug("CVE entry %s update from Patched to Unpatched from the scan result - not applying" % cve) + bb.debug(1, "CVE entry %s update from Patched to Unpatched from the scan result - not applying" % cve) return # If we have an "Ignored", it has a priority if cve_data[cve]['abbrev-status'] == "Ignored": - bb.debug("CVE %s not updating because Ignored" % cve) + bb.debug(1, "CVE %s not updating because Ignored" % cve) return bb.warn("Unhandled CVE entry update for %s from %s to %s" % (cve, cve_data[cve], entry)) From patchwork Fri Feb 20 05:34:31 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)" X-Patchwork-Id: 81459 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 9E35DC55178 for ; Fri, 20 Feb 2026 05:34:50 +0000 (UTC) Received: from alln-iport-7.cisco.com (alln-iport-7.cisco.com [173.37.142.94]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.32605.1771565685725808830 for ; Thu, 19 Feb 2026 21:34:46 -0800 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: 
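Review bot: the debug message in the Patched/Unpatched branch reads "update from Patched to Unpatched ... not applying", but that branch runs when the incoming `entry` is Patched and the stored `cve_data[cve]` is Unpatched, so the update being rejected is Unpatched to Patched. The wording predates this hunk, but since the line is already being touched to add the level, fix the direction too so the trace does not mislead whoever is debugging a CVE status. Level 1 for all four calls matches the `bb.debug(level, msg)` signature and the fix is otherwise correct.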
From: "Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)"
To: openembedded-core@lists.openembedded.org
Cc: xe-linux-external@cisco.com, vchavda@cisco.com
Subject: [openembedded-core] [scarthgap] [PATCH v1 22/34] spdx30: Allow VEX Justification to be configurable
Date: Thu, 19 Feb 2026 21:34:31 -0800
Message-Id: <20260220053443.3006180-22-hetpat@cisco.com>
In-Reply-To: <20260220053443.3006180-1-hetpat@cisco.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/231467

From: Joshua Watt

Instead of hard coding the VEX justifications for "Ignored" CVE status, add a map that configures what justification should be used for each status. This allows other justifications to be easily added, and also ensures that status fields added externally (by downstream) can set an appropriate justification if necessary.

Signed-off-by: Joshua Watt
Signed-off-by: Richard Purdie
(cherry picked from commit c0fa3d92cefa74fa57c6c48c94acc64aa454e781)
Signed-off-by: Het Patel
---
 meta/conf/cve-check-map.conf | 4 ++++
 meta/lib/oe/spdx30_tasks.py | 33 ++++++++++++++++-----------------
 2 files changed, 20 insertions(+), 17 deletions(-)

diff --git a/meta/conf/cve-check-map.conf b/meta/conf/cve-check-map.conf
index ac956379d1..fc49fe0a50 100644
--- a/meta/conf/cve-check-map.conf
+++ b/meta/conf/cve-check-map.conf
@@ -28,8 +28,12 @@ CVE_CHECK_STATUSMAP[cpe-incorrect] = "Ignored" CVE_CHECK_STATUSMAP[disputed] = "Ignored" # use when vulnerability depends on build or runtime configuration which is not used CVE_CHECK_STATUSMAP[not-applicable-config] = "Ignored" +CVE_CHECK_VEX_JUSTIFICATION[not-applicable-config] = "vulnerableCodeNotPresent" + # use when vulnerability affects other platform (e.g. Windows or Debian) CVE_CHECK_STATUSMAP[not-applicable-platform] = "Ignored" +CVE_CHECK_VEX_JUSTIFICATION[not-applicable-platform] = "vulnerableCodeNotPresent" + # use when upstream acknowledged the vulnerability but does not plan to fix it CVE_CHECK_STATUSMAP[upstream-wontfix] = "Ignored" diff --git a/meta/lib/oe/spdx30_tasks.py b/meta/lib/oe/spdx30_tasks.py index a3d848ceb1..c6bb3bd964 100644 --- a/meta/lib/oe/spdx30_tasks.py +++ b/meta/lib/oe/spdx30_tasks.py 
@@ -719,24 +719,23 @@ def create_spdx(d): impact_statement=description, ) - if detail in ( - "ignored", - "cpe-incorrect", - "disputed", - "upstream-wontfix", - ): - # VEX doesn't have justifications for this - pass - elif detail in ( - "not-applicable-config", - "not-applicable-platform", - ): - for v in spdx_vex: - v.security_justificationType = ( - oe.spdx30.security_VexJustificationType.vulnerableCodeNotPresent + vex_just_type = d.getVarFlag( + "CVE_CHECK_VEX_JUSTIFICATION", detail + ) + if vex_just_type: + if ( + vex_just_type + not in oe.spdx30.security_VexJustificationType.NAMED_INDIVIDUALS + ): + bb.fatal( + f"Unknown vex justification '{vex_just_type}', detail '{detail}', for ignored {cve}" ) - else: - bb.fatal(f"Unknown detail '{detail}' for ignored {cve}") + + for v in spdx_vex: + v.security_justificationType = oe.spdx30.security_VexJustificationType.NAMED_INDIVIDUALS[ + vex_just_type + ] + else: bb.fatal(f"Unknown {cve} status '{status}'") From patchwork Fri Feb 20 05:34:32 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)" X-Patchwork-Id: 81444 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 0EC8EC54F5F for ; Fri, 20 Feb 2026 05:34:50 +0000 (UTC) Received: from alln-iport-2.cisco.com (alln-iport-2.cisco.com [173.37.142.89]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.32609.1771565686307896284 for ; Thu, 19 Feb 2026 21:34:46 -0800 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: message contains an insecure body length tag" header.i=@cisco.com header.s=iport01 header.b=NQUY2tEi; spf=pass (domain: cisco.com, ip: 173.37.142.89, mailfrom: hetpat@cisco.com) DKIM-Signature: v=1; a=rsa-sha256; 
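Review bot: the cve-check-map.conf hunk introduces the CVE_CHECK_VEX_JUSTIFICATION flag without any explanatory comment, while every CVE_CHECK_STATUSMAP entry around it has one, and the commit message expects downstream layers to add their own entries. Suggest a comment above the first `CVE_CHECK_VEX_JUSTIFICATION[...]` line stating that the value must be one of the `security_VexJustificationType` names (as the spdx30_tasks.py hunk enforces via NAMED_INDIVIDUALS) and that an Ignored status without an entry is emitted with no justification.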
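Review bot: the spdx30_tasks.py hunk silently drops the `bb.fatal(f"Unknown detail '{detail}' for ignored {cve}")` path. Before, an Ignored CVE whose `detail` matched neither tuple failed the build; after, `d.getVarFlag("CVE_CHECK_VEX_JUSTIFICATION", detail)` returns None for any unmapped detail (a typo included), the `if vex_just_type:` block is skipped and the CVE is written out as ignored with no justification and no diagnostic. Unless the status mapping earlier in create_spdx already rejects details that have no CVE_CHECK_STATUSMAP flag (not visible in this hunk), suggest keeping a check such as `if not d.getVarFlag("CVE_CHECK_STATUSMAP", detail): bb.fatal(...)` before the justification lookup, or at least a bb.warn when an Ignored CVE ends up with no justification.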
From: "Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)"
To: openembedded-core@lists.openembedded.org
Cc: xe-linux-external@cisco.com, vchavda@cisco.com
Subject: [openembedded-core] [scarthgap] [PATCH v1 23/34] cve-update-db-native: fix fetcher for CVEs missing nodes
Date: Thu, 19 Feb 2026 21:34:32 -0800
Message-Id: <20260220053443.3006180-23-hetpat@cisco.com>
In-Reply-To: <20260220053443.3006180-1-hetpat@cisco.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/231476
From: Peter Marko

As of now, update of CVE DB from FKIE source (which is the default) fails with the following error:

File: '/poky/meta/recipes-core/meta/cve-update-db-native.bb', lineno: 393, function: update_db_fkie
     0389:                [cveId, cveDesc, cvssv2, cvssv3, cvssv4, date, accessVector, vectorString]).close()
     0390:
     0391:        for config in elt['configurations']:
     0392:            # This is suboptimal as it doesn't handle AND/OR and negate, but is better than nothing
 *** 0393:            for node in config["nodes"]:
     0394:                parse_node_and_insert(conn, node, cveId, False)
     0395:
     0396:def update_db(d, conn, jsondata):
     0397:    if (d.getVar("NVD_DB_VERSION") == "FKIE"):
Exception: KeyError: 'nodes'

Entry for new CVE-2025-32915 is broken.

Signed-off-by: Peter Marko
Signed-off-by: Mathieu Dubois-Briand
(cherry picked from commit 152be29f6a732b2ba1c95bcf465455d2a5a3f33a)
Signed-off-by: Het Patel
---
 meta/recipes-core/meta/cve-update-db-native.bb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/recipes-core/meta/cve-update-db-native.bb b/meta/recipes-core/meta/cve-update-db-native.bb
index 792252f510..320bd452f1 100644
--- a/meta/recipes-core/meta/cve-update-db-native.bb
+++ b/meta/recipes-core/meta/cve-update-db-native.bb
@@ -390,7 +390,7 @@ def update_db_fkie(conn, jsondata): for config in elt['configurations']: # This is suboptimal as it doesn't handle AND/OR and negate, but is better than nothing - for node in config["nodes"]: + for node in config.get("nodes") or []: parse_node_and_insert(conn, node, cveId, False) From patchwork Fri Feb 20 05:34:33 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)" X-Patchwork-Id: 81440 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id DB5F7C54F5B for ; Fri, 20 Feb 2026 05:34:49 +0000 (UTC) Received: from alln-iport-6.cisco.com (alln-iport-6.cisco.com [173.37.142.93]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.32610.1771565686797469924 for ; Thu, 19 Feb 2026 21:34:46 -0800 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: message contains an insecure body length tag" header.i=@cisco.com header.s=iport01 header.b=O+QfC3ZF; spf=pass (domain: cisco.com, ip: 173.37.142.93, mailfrom: hetpat@cisco.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.com; i=@cisco.com; l=1778; q=dns/txt; s=iport01; t=1771565686; x=1772775286; h=from:to:cc:subject:date:message-id:in-reply-to: references:mime-version:content-transfer-encoding; bh=0ONI+jmWZSeQTpNw23S3FhRfSDI//ORfiDr5hsJ6lSo=; b=O+QfC3ZFnwoyw5MrTKWLFdspMZgfjS4fLVpJAHKB2k+ShucUc0hmX97d AhC85o/OSXtff3XHk2ZsieMrrkEvGNZtbpq0p80suql/RBRCtCsULu5At LegnHrRiiPOAvtcIhGoNXyrMqhmxr33YQteiyVpYQpZgXfeHlduWairhb o8bfd5bgdEYq8/MD1wqizo2lDCHFj+yShhNCPyl4HMN048YAwr20IrYK/ KCD4ZbMfK/duxYTSRFJnZdchTXgNDz+ikH8Ho0OnwTxFm5GI4J2XHhlcF W1sp8IsUerK7pliApjxUCO4cl+XLHvslMUdNQhtQu/0U3+XMWMNVKYLQP w==; X-CSE-ConnectionGUID: Cp1xi8iLRAWk4KesuzgXSA== X-CSE-MsgGUID: 
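Review bot: `config.get("nodes") or []` removes the KeyError, but a configuration with no nodes now contributes no PRODUCTS rows for that CVE, so cve-check can never match it against any recipe, and nothing records that this happened. Suggest an `else:` with a debug-level message naming `cveId` when `config.get("nodes")` is empty, so that a scan consumer can tell "no product matched" from "entry could not be parsed"; the commit message already describes the CVE-2025-32915 entry as broken, which is exactly the case that should be visible in the log.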
From: "Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)"
To: openembedded-core@lists.openembedded.org
Cc: xe-linux-external@cisco.com, vchavda@cisco.com
Subject: [openembedded-core] [scarthgap] [PATCH v1 24/34] cve-update-db-native: Use a local copy of the database during builds
Date: Thu, 19 Feb 2026 21:34:33 -0800
Message-Id: <20260220053443.3006180-24-hetpat@cisco.com>
In-Reply-To: <20260220053443.3006180-1-hetpat@cisco.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/231478

From: Peter Marko

OE-Core rev: 03596904392d257572a905a182b92c780d636744

This seems to be misimplemented when re-adding update from nvd1 feed. Use a file in the temporary directory instead of the downloads directory for the update process.

Signed-off-by: Peter Marko
Signed-off-by: Mathieu Dubois-Briand
Signed-off-by: Richard Purdie
(cherry picked from commit e5b0a74810fdd3f72fe61e0ae1f859a444dc1fa5)
Signed-off-by: Het Patel
---
 meta/recipes-core/meta/cve-update-db-native.bb | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/meta/recipes-core/meta/cve-update-db-native.bb b/meta/recipes-core/meta/cve-update-db-native.bb
index 320bd452f1..1a38d6be3f 100644
--- a/meta/recipes-core/meta/cve-update-db-native.bb
+++ b/meta/recipes-core/meta/cve-update-db-native.bb
@@ -24,8 +24,7 @@ CVE_SOCKET_TIMEOUT ?= "60" CVE_CHECK_DB_DLDIR_FILE ?= "${DL_DIR}/CVE_CHECK2/${CVE_CHECK_DB_FILENAME}" CVE_CHECK_DB_DLDIR_LOCK ?= "${CVE_CHECK_DB_DLDIR_FILE}.lock" - -CVE_DB_TEMP_FILE ?= "${CVE_CHECK_DB_DLDIR_FILE}.tmp" +CVE_CHECK_DB_TEMP_FILE ?= "${CVE_CHECK_DB_FILE}.tmp" python () { if not bb.data.inherits_class("cve-check", d): @@ -44,7 +43,7 @@ python do_fetch() { db_file = d.getVar("CVE_CHECK_DB_DLDIR_FILE") db_dir = os.path.dirname(db_file) - db_tmp_file = d.getVar("CVE_DB_TEMP_FILE") + db_tmp_file = d.getVar("CVE_CHECK_DB_TEMP_FILE") cleanup_db_download(db_file, db_tmp_file) 
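Review bot: the @@ -24 hunk both renames `CVE_DB_TEMP_FILE` to `CVE_CHECK_DB_TEMP_FILE` and moves its default from `${CVE_CHECK_DB_DLDIR_FILE}.tmp` to `${CVE_CHECK_DB_FILE}.tmp`, but the commit message mentions neither; a downstream layer that had set `CVE_DB_TEMP_FILE ?=`/`=` silently loses its override and falls back to the new default. Suggest naming the rename in the message and stating where `CVE_CHECK_DB_FILE` is defined (it is not in this hunk), since that location is what turns the new default into the "temporary directory" the message refers to.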
@@ -64,6 +63,7 @@ python do_fetch() { pass bb.utils.mkdirhier(db_dir) + bb.utils.mkdirhier(os.path.dirname(db_tmp_file)) if os.path.exists(db_file): shutil.copy2(db_file, db_tmp_file) From patchwork Fri Feb 20 05:34:34 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)" X-Patchwork-Id: 81438 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id ADE1EC54F52 for ; Fri, 20 Feb 2026 05:34:49 +0000 (UTC) Received: from alln-iport-2.cisco.com (alln-iport-2.cisco.com [173.37.142.89]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.32609.1771565686307896284 for ; Thu, 19 Feb 2026 21:34:47 -0800 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: message contains an insecure body length tag" header.i=@cisco.com header.s=iport01 header.b=U0on8L2+; spf=pass (domain: cisco.com, ip: 173.37.142.89, mailfrom: hetpat@cisco.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.com; i=@cisco.com; l=1615; q=dns/txt; s=iport01; t=1771565687; x=1772775287; h=from:to:cc:subject:date:message-id:in-reply-to: references:mime-version:content-transfer-encoding; bh=ewu+66LAyh3eltVHFk05F4gvz8aL/n9UMTo4fDJLPdA=; b=U0on8L2+vzvJt9oDCptafyqfjQmDVQTReeyre1BGJ3+PvynM5rohA617 80cj6PnhFtGbWh5bK2BpVETzXu70uyJle5wb9moJcpZPDwzRQnUynE6pl s4XEGOhT2plpMVduCdd3dDSi6TzKKFQDzNipCTAXdfQhd1UF5tp4ghEMa BBsCC4Rpshz2GVjY3tceq73dNcavQkxdo4D6oRpRfsIhLYxHAfRzOAdVE 2OzEoagB1LbSUcEnQMfMYsKT2TBM4TZNQFvvpwGeCcNsNVpixkAeJH2dH RGPf2MSvRJAFNYJoUqNQWhIlB84NkZxjfvfAFpXofmgmtpEgYBVDfvOTG w==; X-CSE-ConnectionGUID: hGc+Y7nTRKS8ykJWnLZZPw== X-CSE-MsgGUID: n9GlYn9YTASyhUoxbW34Jg== X-IPAS-Result: 
From: "Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)"
To: openembedded-core@lists.openembedded.org
Cc: xe-linux-external@cisco.com, vchavda@cisco.com
Subject: [openembedded-core] [scarthgap] [PATCH v1 25/34] cve-update-db-native: Handle BB_NO_NETWORK and missing db
Date: Thu, 19 Feb 2026 21:34:34 -0800
Message-Id: <20260220053443.3006180-25-hetpat@cisco.com>
In-Reply-To: <20260220053443.3006180-1-hetpat@cisco.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/231482

From: Peter Marko

OE-Core rev: 337c0806d2784d74bee8d6420fb8b4d48795d5fa

This commit was not applied to the nvd1/fkie fetcher.

Signed-off-by: Peter Marko
Signed-off-by: Mathieu Dubois-Briand
Signed-off-by: Richard Purdie
(cherry picked from commit 749c8e266ded2fa81e0e0ebbfa8f1ba164a062f2)
Signed-off-by: Het Patel
---
 meta/recipes-core/meta/cve-update-db-native.bb | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/meta/recipes-core/meta/cve-update-db-native.bb b/meta/recipes-core/meta/cve-update-db-native.bb
index 1a38d6be3f..2677f71792 100644
--- a/meta/recipes-core/meta/cve-update-db-native.bb
+++ b/meta/recipes-core/meta/cve-update-db-native.bb
@@ -54,6 +54,8 @@ python do_fetch() { update_interval = int(d.getVar("CVE_DB_UPDATE_INTERVAL")) if update_interval < 0: bb.note("CVE database update skipped") + if not os.path.exists(db_file): + bb.error("CVE database %s not present, database fetch/update skipped" % db_file) return if time.time() - os.path.getmtime(db_file) < update_interval: bb.debug(2, "Recently updated, skipping") 
@@ -62,6 +64,9 @@ python do_fetch() { except OSError: pass + if bb.utils.to_boolean(d.getVar("BB_NO_NETWORK")): + bb.error("BB_NO_NETWORK attempted to disable fetch, this recipe uses CVE_DB_UPDATE_INTERVAL to control download, set to '-1' to disable fetch or update") + bb.utils.mkdirhier(db_dir) bb.utils.mkdirhier(os.path.dirname(db_tmp_file)) if os.path.exists(db_file): From patchwork Fri Feb 20 05:34:35 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)" X-Patchwork-Id: 81462 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 8ADD1C55173 for ; Fri, 20 Feb 2026 05:34:50 +0000 (UTC) Received: from alln-iport-8.cisco.com (alln-iport-8.cisco.com [173.37.142.95]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.32340.1771565688258024399 for ; Thu, 19 Feb 2026 21:34:48 -0800 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: message contains an insecure body length tag" header.i=@cisco.com header.s=iport01 header.b=FbP4hfON; spf=pass (domain: cisco.com, ip: 173.37.142.95, mailfrom: hetpat@cisco.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.com; i=@cisco.com; l=2204; q=dns/txt; s=iport01; t=1771565688; x=1772775288; h=from:to:cc:subject:date:message-id:in-reply-to: references:mime-version:content-transfer-encoding; bh=djFJvtmYdcZfPVEeUlH4cXvctlFR3vWwiptXt6VTjXY=; b=FbP4hfONZVEZLiVJOKz2PR1aqZopLQJhhYYL657bKv9HixuBq5b8kUfV S5pKsBuUpBiHRT7A7+NVxz8l1pFqb1ACjAuuVyCEvWE8NY4nSNYRbxnPV +0oFS8dRhl0Anl+TkQVe4ClRXYxIbueTnq5AI508qy7G60gtfbgO5vj4y jwOd/euL5Q8OynAJzQTKmab2i9j6jX0p8Ilm1aaBnJjEc35a0JqIf/u2j tejm7Qgu+hQV77PW9YFeNxhbb/By3Vj4+c6QhIlsA6khdREIT2jdg14mP 0cPjqpu5T6qHPvUORsspjJuhgwmtfCpaJ3QudTgKMZ1Lqf8YAWhn0Ut/c 
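Review bot: the BB_NO_NETWORK branch in the @@ -62 hunk only calls bb.error and then falls through to `bb.utils.mkdirhier(db_dir)` and the download that follows, so a build with BB_NO_NETWORK set still attempts the network fetch. If the recipe is meant to honour the setting, add a `return` after the bb.error (the `update_interval < 0` path in the @@ -54 hunk shows the pattern); if the message is only meant to point the user at CVE_DB_UPDATE_INTERVAL, say so in the commit message, because as written the error text reads as though the fetch had been blocked.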
From: "Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)"
To: openembedded-core@lists.openembedded.org
Cc: xe-linux-external@cisco.com, vchavda@cisco.com
Subject: [openembedded-core] [scarthgap] [PATCH v1 26/34] cve-update-db-native: log a little more
Date: Thu, 19 Feb 2026 21:34:35 -0800
Message-Id: <20260220053443.3006180-26-hetpat@cisco.com>
In-Reply-To: <20260220053443.3006180-1-hetpat@cisco.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/231487

From: Peter Marko

OE-Core rev: b64a869b9c5e1d504f1011da16b5c5ff721afbf0

This commit was not applied to the nvd1/fkie fetcher.

Signed-off-by: Peter Marko
Signed-off-by: Mathieu Dubois-Briand
Signed-off-by: Richard Purdie
(cherry picked from commit dd5efc4a242ec918dd276d10da8c68f606ba8809)
Signed-off-by: Het Patel
---
 meta/recipes-core/meta/cve-update-db-native.bb | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/meta/recipes-core/meta/cve-update-db-native.bb b/meta/recipes-core/meta/cve-update-db-native.bb
index 2677f71792..d9fc331f1b 100644
--- a/meta/recipes-core/meta/cve-update-db-native.bb
+++ b/meta/recipes-core/meta/cve-update-db-native.bb
@@ -58,7 +58,7 @@ python do_fetch() { bb.error("CVE database %s not present, database fetch/update skipped" % db_file) return if time.time() - os.path.getmtime(db_file) < update_interval: - bb.debug(2, "Recently updated, skipping") + bb.note("CVE database recently updated, skipping") return except OSError: @@ -77,7 +77,7 @@ python do_fetch() { shutil.move(db_tmp_file, db_file) else: # Update failed, do not modify the database - bb.note("CVE database update failed") + bb.warn("CVE database update failed") os.remove(db_tmp_file) } @@ -159,7 +159,7 @@ def update_db_file(db_tmp_file, d): with bb.progress.ProgressHandler(d) as ph, open(os.path.join(d.getVar("TMPDIR"), 'cve_check'), 'a') as cve_f: total_years = date.today().year + 1 - YEAR_START for i, year in enumerate(range(YEAR_START, date.today().year + 1)): - bb.debug(2, "Updating %d" % year) + bb.note("Updating %d" % year) ph.update((float(i + 1) / total_years) * 100) json_url, meta_url = db_file_names(d, year, is_nvd) 
@@ -190,7 +190,7 @@ def update_db_file(db_tmp_file, d): cursor.close() if not meta or meta[0] != last_modified: - bb.debug(2, "Updating entries") + bb.note("Updating entries") # Clear products table entries corresponding to current year conn.execute("delete from PRODUCTS where ID like ?", ('CVE-%d%%' % year,)).close() From patchwork Fri Feb 20 05:34:36 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)" X-Patchwork-Id: 81446 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 16C94C54FD0 for ; Fri, 20 Feb 2026 05:34:50 +0000 (UTC) Received: from alln-iport-1.cisco.com (alln-iport-1.cisco.com [173.37.142.88]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.32611.1771565686811283342 for ; Thu, 19 Feb 2026 21:34:46 -0800 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: message contains an insecure body length tag" header.i=@cisco.com header.s=iport01 header.b=BuOT99Fg; spf=pass (domain: cisco.com, ip: 173.37.142.88, mailfrom: hetpat@cisco.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.com; i=@cisco.com; l=2564; q=dns/txt; s=iport01; t=1771565686; x=1772775286; h=from:to:cc:subject:date:message-id:in-reply-to: references:mime-version:content-transfer-encoding; bh=Qu+b42oHrWztYLY/OeB/dA7Y18bWZ0TCpMMzEUeNer8=; b=BuOT99Fgp6XMXwzLQJwTjHVWL15GnNFADoUr7kKLIwVjlVKlUFgMkfJa AORch7VAQL+DbHegS0fSkKOHWAelLfta/oE4mr3hPzFmr0YCnTpmzKG/W 69uLZYrTnRol32PJUTejYkPFKLyHof7zBPSjZULXUmWZTJ4m4gwPqkR8b y9RCve5pc8n4LA3YTwo8J/hqTZyjn+K/Fg2eRVPM7ZS9AryWnUx+mTVgz gmdxuAgIXq/f91GW93t0sxsmF1esYaDWOR/049Y3dTWeRzdQ7G+3SR0Rk De/+qt5b92D4kfF15aJmhETQgI4nNG/26CmY82EAyTf0KfevqZA86Y2LM A==; X-CSE-ConnectionGUID: rZ0nUQUwRG21DiAy4DptCA== 
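Review bot: the @@ -190 hunk (and the @@ -159 one before it) promotes the per-year "Updating %d" and "Updating entries" messages from `bb.debug(2, ...)` to `bb.note`, which goes to the console at default verbosity. That loop runs once per year from YEAR_START to the current year, and the surrounding `bb.progress.ProgressHandler` already reports progress, so every build that refreshes the database gains a few dozen console lines. The `bb.warn("CVE database update failed")` change in the @@ -77 hunk is the one a user actually needs to see; suggest keeping the per-year messages at debug level, or emitting a single note with the year range once before the loop.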
X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by rcdn-l-core-08.cisco.com (Postfix) with ESMTPS id 91DCB18000472; Fri, 20 Feb 2026 05:34:45 +0000 (GMT) Received: by sjc-ads-8556.cisco.com (Postfix, from userid 1847788) id D672CCC8CF5; Thu, 19 Feb 2026 21:34:44 -0800 (PST) From: "Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)" To: openembedded-core@lists.openembedded.org Cc: xe-linux-external@cisco.com, vchavda@cisco.com Subject: [openembedded-core] [scarthgap] [PATCH v1 27/34] cve-update: decrease update interval to 23 hours Date: Thu, 19 Feb 2026 21:34:36 -0800 Message-Id: <20260220053443.3006180-27-hetpat@cisco.com> X-Mailer: git-send-email 2.35.6 In-Reply-To: <20260220053443.3006180-1-hetpat@cisco.com> References: <20260220053443.3006180-1-hetpat@cisco.com> MIME-Version: 1.0 X-Outbound-SMTP-Client: 171.68.222.95, sjc-ads-8556.cisco.com X-Outbound-Node: rcdn-l-core-08.cisco.com List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 20 Feb 2026 05:34:50 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/231477 From: Peter Marko If the job runs every day at the same time, it usually updates only every second day, because it takes non-0 time for DB update and set the timestamp. So it does not take full 24-hours from time when the DB was updated until the next job starts. Signed-off-by: Peter Marko Signed-off-by: Mathieu Dubois-Briand Signed-off-by: Richard Purdie (cherry picked from commit 4a82ae1315b034b6386a82127e1ec8d6f504ec89) Signed-off-by: Het Patel --- meta/recipes-core/meta/cve-update-db-native.bb | 4 ++-- meta/recipes-core/meta/cve-update-nvd2-native.bb | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/meta/recipes-core/meta/cve-update-db-native.bb b/meta/recipes-core/meta/cve-update-db-native.bb index d9fc331f1b..5a5eb20e41 100644 
--- a/meta/recipes-core/meta/cve-update-db-native.bb +++ b/meta/recipes-core/meta/cve-update-db-native.bb @@ -14,10 +14,10 @@ deltask do_populate_sysroot NVDCVE_URL ?= "https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-" FKIE_URL ?= "https://github.com/fkie-cad/nvd-json-data-feeds/releases/latest/download/CVE-" -# CVE database update interval, in seconds. By default: once a day (24*60*60). +# CVE database update interval, in seconds. By default: once a day (23*60*60). # Use 0 to force the update # Use a negative value to skip the update -CVE_DB_UPDATE_INTERVAL ?= "86400" +CVE_DB_UPDATE_INTERVAL ?= "82800" # Timeout for blocking socket operations, such as the connection attempt. CVE_SOCKET_TIMEOUT ?= "60" diff --git a/meta/recipes-core/meta/cve-update-nvd2-native.bb b/meta/recipes-core/meta/cve-update-nvd2-native.bb index 32a14a932b..83876c7467 100644 --- a/meta/recipes-core/meta/cve-update-nvd2-native.bb +++ b/meta/recipes-core/meta/cve-update-nvd2-native.bb 
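Review bot: the updated comment still reads "once a day" with only the arithmetic changed to 23*60*60, which gives no hint why the value is one hour short; the reason from the commit message (a job scheduled daily at the same time drifts past a 24 hour threshold because the update itself takes non-zero time) belongs in the comment so nobody "corrects" it back to 86400. Suggested wording: `# CVE database update interval, in seconds. By default: 23 hours (23*60*60), so a daily job is not skipped every second run.` The same applies to the identical hunk in cve-update-nvd2-native.bb.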
@@ -20,10 +20,10 @@ NVDCVE_URL ?= "https://services.nvd.nist.gov/rest/json/cves/2.0" # then setting this to get higher rate limits. NVDCVE_API_KEY ?= "" -# CVE database update interval, in seconds. By default: once a day (24*60*60). +# CVE database update interval, in seconds. By default: once a day (23*60*60). # Use 0 to force the update # Use a negative value to skip the update -CVE_DB_UPDATE_INTERVAL ?= "86400" +CVE_DB_UPDATE_INTERVAL ?= "82800" # CVE database incremental update age threshold, in seconds. If the database is # older than this threshold, do a full re-download, else, do an incremental From patchwork Fri Feb 20 05:34:37 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)" X-Patchwork-Id: 81456 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 606F1C55169 for ; Fri, 20 Feb 2026 05:34:50 +0000 (UTC) Received: from alln-iport-2.cisco.com (alln-iport-2.cisco.com [173.37.142.89]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.32612.1771565687382722979 for ; Thu, 19 Feb 2026 21:34:47 -0800 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: message contains an insecure body length tag" header.i=@cisco.com header.s=iport01 header.b=S0Z3Qlcr; spf=pass (domain: cisco.com, ip: 173.37.142.89, mailfrom: hetpat@cisco.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.com; i=@cisco.com; l=4284; q=dns/txt; s=iport01; t=1771565687; x=1772775287; h=from:to:cc:subject:date:message-id:in-reply-to: references:mime-version:content-transfer-encoding; bh=HidCLpJqW6XD9JCYzIxmpnF6Uq9YDPWr28u/t+6X8bI=; b=S0Z3QlcrhesYKNz8tmG1aa8FEbhiMsmnIEAqVVnOORKvPAta5alcDg3F 
d="scan'208";a="668235858" Received: from rcdn-l-core-08.cisco.com ([173.37.255.145]) by alln-iport-2.cisco.com with ESMTP/TLS/TLS_AES_256_GCM_SHA384; 20 Feb 2026 05:34:45 +0000 Received: from sjc-ads-8556.cisco.com (sjc-ads-8556.cisco.com [171.68.222.95]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by rcdn-l-core-08.cisco.com (Postfix) with ESMTPS id 986931800047D; Fri, 20 Feb 2026 05:34:45 +0000 (GMT) Received: by sjc-ads-8556.cisco.com (Postfix, from userid 1847788) id DD77DCC8D08; Thu, 19 Feb 2026 21:34:44 -0800 (PST) From: "Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)" To: openembedded-core@lists.openembedded.org Cc: xe-linux-external@cisco.com, vchavda@cisco.com Subject: [openembedded-core] [scarthgap] [PATCH v1 28/34] cve-update: remove cleanup of db_file in downloads Date: Thu, 19 Feb 2026 21:34:37 -0800 Message-Id: <20260220053443.3006180-28-hetpat@cisco.com> X-Mailer: git-send-email 2.35.6 In-Reply-To: <20260220053443.3006180-1-hetpat@cisco.com> References: <20260220053443.3006180-1-hetpat@cisco.com> MIME-Version: 1.0 X-Outbound-SMTP-Client: 171.68.222.95, sjc-ads-8556.cisco.com X-Outbound-Node: rcdn-l-core-08.cisco.com List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 20 Feb 2026 05:34:50 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/231484 From: Peter Marko Since the code was changed to update the DB in temporary file, code cleaning the final file in downloads is never executed. Remove it. Since the code always removes both files in temporary directory, remove also comment which is trying to differentiate this code from code just removed. Signed-off-by: Peter Marko Signed-off-by: Mathieu Dubois-Briand 
Signed-off-by: Richard Purdie (cherry picked from commit bece6dbf5d0e89b2e846587e1b89766e16dd9253) Signed-off-by: Het Patel --- meta/recipes-core/meta/cve-update-db-native.bb | 17 ++--------------- .../recipes-core/meta/cve-update-nvd2-native.bb | 17 ++--------------- 2 files changed, 4 insertions(+), 30 deletions(-) diff --git a/meta/recipes-core/meta/cve-update-db-native.bb b/meta/recipes-core/meta/cve-update-db-native.bb index 5a5eb20e41..a0494aa329 100644 --- a/meta/recipes-core/meta/cve-update-db-native.bb +++ b/meta/recipes-core/meta/cve-update-db-native.bb @@ -45,7 +45,7 @@ python do_fetch() { db_dir = os.path.dirname(db_file) db_tmp_file = d.getVar("CVE_CHECK_DB_TEMP_FILE") - cleanup_db_download(db_file, db_tmp_file) + cleanup_db_download(db_tmp_file) # The NVD database changes once a day, so no need to update more frequently # Allow the user to force-update @@ -91,28 +91,15 @@ python do_unpack() { } do_unpack[lockfiles] += "${CVE_CHECK_DB_DLDIR_LOCK} ${CVE_CHECK_DB_FILE_LOCK}" -def cleanup_db_download(db_file, db_tmp_file): +def cleanup_db_download(db_tmp_file): """ Cleanup the download space from possible failed downloads """ - # Clean up the updates done on the main file - # Remove it only if a journal file exists - it means a complete re-download - if os.path.exists("{0}-journal".format(db_file)): - # If a journal is present the last update might have been interrupted. In that case, - # just wipe any leftovers and force the DB to be recreated. - os.remove("{0}-journal".format(db_file)) - - if os.path.exists(db_file): - os.remove(db_file) - # Clean-up the temporary file downloads, we can remove both journal # and the temporary database if os.path.exists("{0}-journal".format(db_tmp_file)): - # If a journal is present the last update might have been interrupted. In that case, - # just wipe any leftovers and force the DB to be recreated. os.remove("{0}-journal".format(db_tmp_file)) - if os.path.exists(db_tmp_file): os.remove(db_tmp_file) 
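Review bot: removing the db_file journal handling in the @@ -91 hunk is consistent with the shutil.move(db_tmp_file, db_file) path in do_fetch, since the main file is no longer written in place; the one thing worth confirming is that CVE_CHECK_DB_TEMP_FILE sits on the same filesystem as db_file, because shutil.move is only an atomic rename in that case and falls back to copy-and-delete otherwise, which could leave a truncated db_file after an interruption with nothing left to detect it. Both call sites of cleanup_db_download (@@ -45 here and the nvd2 recipe per the diffstat) are updated to the new single-argument signature, so no stale caller remains.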
diff --git a/meta/recipes-core/meta/cve-update-nvd2-native.bb b/meta/recipes-core/meta/cve-update-nvd2-native.bb index 83876c7467..f7a306c995 100644 --- a/meta/recipes-core/meta/cve-update-nvd2-native.bb +++ b/meta/recipes-core/meta/cve-update-nvd2-native.bb @@ -57,7 +57,7 @@ python do_fetch() { db_dir = os.path.dirname(db_file) db_tmp_file = d.getVar("CVE_CHECK_DB_TEMP_FILE") - cleanup_db_download(db_file, db_tmp_file) + cleanup_db_download(db_tmp_file) # By default let's update the whole database (since time 0) database_time = 0 
@@ -106,28 +106,15 @@ python do_unpack() { } do_unpack[lockfiles] += "${CVE_CHECK_DB_DLDIR_LOCK} ${CVE_CHECK_DB_FILE_LOCK}" -def cleanup_db_download(db_file, db_tmp_file): +def cleanup_db_download(db_tmp_file): """ Cleanup the download space from possible failed downloads """ - # Clean up the updates done on the main file - # Remove it only if a journal file exists - it means a complete re-download - if os.path.exists("{0}-journal".format(db_file)): - # If a journal is present the last update might have been interrupted. In that case, - # just wipe any leftovers and force the DB to be recreated. - os.remove("{0}-journal".format(db_file)) - - if os.path.exists(db_file): - os.remove(db_file) - # Clean-up the temporary file downloads, we can remove both journal # and the temporary database if os.path.exists("{0}-journal".format(db_tmp_file)): - # If a journal is present the last update might have been interrupted. In that case, - # just wipe any leftovers and force the DB to be recreated. os.remove("{0}-journal".format(db_tmp_file)) - if os.path.exists(db_tmp_file): os.remove(db_tmp_file) From patchwork Fri Feb 20 05:34:38 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)" X-Patchwork-Id: 81449 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 30854C54FD4 for ; Fri, 20 Feb 2026 05:34:50 +0000 (UTC) Received: from alln-iport-1.cisco.com (alln-iport-1.cisco.com [173.37.142.88]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.32607.1771565685880906200 for ; Thu, 19 Feb 2026 21:34:46 -0800 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: message contains an insecure body length tag" header.i=@cisco.com header.s=iport01 
A9a23:cLxJfKyMd20xMtSmSZydKrPwK71zdoMgy1knxilNoNJuHfBw8P re+8jzuiWUtN98YhwdcJW7Scu9qBDnhPpICPcqXYtKNTOO0ADDEGgh1/qG/9SKIUPDH4BmuZ uIC5IOa+EZyTNB/L/HCM7SKadH/OW6 X-Talos-CUID: 9a23:kTV4HGAR3hibNcr6EypB+WAqMJl9TmP+6i/cPULmG19xRoTAHA== X-Talos-MUID: 9a23:r6xhIQhQp+EpUTzdWPEbK8MpLpphz4aKDwc3npgdpvfVbwhRGmnDg2Hi X-IronPort-Anti-Spam-Filtered: true X-IronPort-AV: E=Sophos;i="6.21,301,1763424000"; d="scan'208";a="676419495" Received: from rcdn-l-core-09.cisco.com ([173.37.255.146]) by alln-iport-1.cisco.com with ESMTP/TLS/TLS_AES_256_GCM_SHA384; 20 Feb 2026 05:34:45 +0000 Received: from sjc-ads-8556.cisco.com (sjc-ads-8556.cisco.com [171.68.222.95]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by rcdn-l-core-09.cisco.com (Postfix) with ESMTPS id 979A4180005A2; Fri, 20 Feb 2026 05:34:45 +0000 (GMT) Received: by sjc-ads-8556.cisco.com (Postfix, from userid 1847788) id E25E4CC8D09; Thu, 19 Feb 2026 21:34:44 -0800 (PST) From: "Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)" To: openembedded-core@lists.openembedded.org Cc: xe-linux-external@cisco.com, vchavda@cisco.com Subject: [openembedded-core] [scarthgap] [PATCH v1 29/34] cve-update-db-native: Fix FKIE CVE accessVector parsing Date: Thu, 19 Feb 2026 21:34:38 -0800 Message-Id: <20260220053443.3006180-29-hetpat@cisco.com> X-Mailer: git-send-email 2.35.6 In-Reply-To: <20260220053443.3006180-1-hetpat@cisco.com> References: <20260220053443.3006180-1-hetpat@cisco.com> MIME-Version: 1.0 X-Outbound-SMTP-Client: 171.68.222.95, sjc-ads-8556.cisco.com X-Outbound-Node: rcdn-l-core-09.cisco.com List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 20 Feb 2026 05:34:50 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/231479 
From: Jonathan Schnitzler Use "attackVector" for CVSS >= 3 as it only CVSS v2 uses "accessVector". Signed-off-by: Jonathan Schnitzler Signed-off-by: Peter Marko Signed-off-by: Mathieu Dubois-Briand Signed-off-by: Richard Purdie (cherry picked from commit 7e4d566445a8cbe1e540e20837d45692d81af77f) Signed-off-by: Het Patel --- meta/recipes-core/meta/cve-update-db-native.bb | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/meta/recipes-core/meta/cve-update-db-native.bb b/meta/recipes-core/meta/cve-update-db-native.bb index a0494aa329..39a26a2481 100644 --- a/meta/recipes-core/meta/cve-update-db-native.bb +++ b/meta/recipes-core/meta/cve-update-db-native.bb @@ -352,7 +352,7 @@ def update_db_fkie(conn, jsondata): try: for m in elt['metrics']['cvssMetricV30']: if m['type'] == 'Primary': - accessVector = m['cvssData']['accessVector'] + accessVector = m['cvssData']['attackVector'] vectorString = m['cvssData']['vectorString'] cvssv3 = m['cvssData']['baseScore'] except KeyError: @@ -361,7 +361,7 @@ def update_db_fkie(conn, jsondata): try: for m in elt['metrics']['cvssMetricV31']: if m['type'] == 'Primary': - accessVector = m['cvssData']['accessVector'] + accessVector = m['cvssData']['attackVector'] vectorString = m['cvssData']['vectorString'] cvssv3 = m['cvssData']['baseScore'] except KeyError: 
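Review bot: the key rename is correct for the FKIE feed, since cvssData carries attackVector for CVSS v3.0, v3.1 and v4.0 and only v2 uses accessVector; the bigger lesson from these hunks is that the wrong key was masked by the surrounding `except KeyError:`, so every v3/v4-only entry fell through to the except branch without any log line, which is a severity-underreporting failure rather than a crash. It would be worth adding a fixture with a v3.1-only CVE to the cve-check selftest so a regression in the metric parsing shows up as a wrong score instead of staying silent, and emitting a bb.debug in the except branches when a metrics block is present but cannot be parsed.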
@@ -370,7 +370,7 @@ def update_db_fkie(conn, jsondata): try: for m in elt['metrics']['cvssMetricV40']: if m['type'] == 'Primary': - accessVector = m['cvssData']['accessVector'] + accessVector = m['cvssData']['attackVector'] vectorString = m['cvssData']['vectorString'] cvssv4 = m['cvssData']['baseScore'] except KeyError: From patchwork Fri Feb 20 05:34:39 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)" X-Patchwork-Id: 81442 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id CC11DC54F56 for ; Fri, 20 Feb 2026 05:34:49 +0000 (UTC) Received: from alln-iport-3.cisco.com (alln-iport-3.cisco.com [173.37.142.90]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.32604.1771565685718979248 for ; Thu, 19 Feb 2026 21:34:46 -0800 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: message contains an insecure body length tag" header.i=@cisco.com header.s=iport01 header.b=jdC5pler; spf=pass (domain: cisco.com, ip: 173.37.142.90, mailfrom: hetpat@cisco.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.com; i=@cisco.com; l=3697; q=dns/txt; s=iport01; t=1771565686; x=1772775286; h=from:to:cc:subject:date:message-id:in-reply-to: references:mime-version:content-transfer-encoding; bh=uu63rp130Co2U8bM5TBz5yzMBIwtq+1c9+6UplpKaY4=; b=jdC5plergb+oxH3pBut+tY2FiyKPXCsFc7ZCK92YVNf8876dwJCzEIOo FQAE8uQu9MuDijphkQVNBN7awa5vqztxRSt6F8INcZ0kfhIlI/uSZcGdS 08w6r9jTeihuTKflfD/tRI5cCJXctaXQ/oHDPAayjq3N6NNXEkxc2d6K0 1g51WIpe9fxGCTd9XPGRDrdeXthOTREwO1LEnOlKPF+DxNIrta+zPMSjD M97hLJGFGwhPkVzE53TaviYcawdubCYtcPT8kMSy5Dud+iYJS4/5+gcrD jfvd8KjTBUY/EPs7CGVyByvkm2dH97rTEBgK2v6XZDjZfom0/wjY+q7ul Q==; X-CSE-ConnectionGUID: ovWd0XnORKK+APEV4x0dEg== 
requested) by rcdn-l-core-09.cisco.com (Postfix) with ESMTPS id 98674180005A3; Fri, 20 Feb 2026 05:34:45 +0000 (GMT) Received: by sjc-ads-8556.cisco.com (Postfix, from userid 1847788) id E9400CC8D0A; Thu, 19 Feb 2026 21:34:44 -0800 (PST) From: "Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)" To: openembedded-core@lists.openembedded.org Cc: xe-linux-external@cisco.com, vchavda@cisco.com Subject: [openembedded-core] [scarthgap] [PATCH v1 30/34] cve-update-db-native: FKIE CVE parsing: Use Secondary metric Date: Thu, 19 Feb 2026 21:34:39 -0800 Message-Id: <20260220053443.3006180-30-hetpat@cisco.com> X-Mailer: git-send-email 2.35.6 In-Reply-To: <20260220053443.3006180-1-hetpat@cisco.com> References: <20260220053443.3006180-1-hetpat@cisco.com> MIME-Version: 1.0 X-Outbound-SMTP-Client: 171.68.222.95, sjc-ads-8556.cisco.com X-Outbound-Node: rcdn-l-core-09.cisco.com List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 20 Feb 2026 05:34:49 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/231473 From: Jonathan Schnitzler If there is no primary metric use the Secondary one. Signed-off-by: Jonathan Schnitzler Signed-off-by: Peter Marko Signed-off-by: Mathieu Dubois-Briand Signed-off-by: Richard Purdie (cherry picked from commit 5ad0516aba120d9eba5f10afa3a4de3d25fd31fc) Signed-off-by: Het Patel --- .../recipes-core/meta/cve-update-db-native.bb | 53 ++++++++++++------- 1 file changed, 33 insertions(+), 20 deletions(-) diff --git a/meta/recipes-core/meta/cve-update-db-native.bb b/meta/recipes-core/meta/cve-update-db-native.bb index 39a26a2481..9d21d10157 100644 --- a/meta/recipes-core/meta/cve-update-db-native.bb +++ b/meta/recipes-core/meta/cve-update-db-native.bb 
@@ -322,6 +322,15 @@ def update_db_nvdjson(conn, jsondata): for config in configurations: parse_node_and_insert(conn, config, cveId, True) +def get_metric_entry(metric): + primaries = [c for c in metric if c['type'] == "Primary"] + secondaries = [c for c in metric if c['type'] == "Secondary"] + if len(primaries) > 0: + return primaries[0] + elif len(secondaries)>0: + return secondaries[0] + return None + def update_db_fkie(conn, jsondata): import json root = json.loads(jsondata) 
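Review bot: get_metric_entry walks the metric list twice and builds two throwaway lists for what is a first-match lookup; a single expression with `next()` stops at the first Primary entry and reads as the same preference order: `return next((c for c in metric if c['type'] == "Primary"), None) or next((c for c in metric if c['type'] == "Secondary"), None)`. Style nit: `len(secondaries)>0` is missing the spaces that the `len(primaries) > 0` line above it uses. In the @@ -342 hunk that follows, the callers assign the score only `if entry:`, so a metrics block containing neither a Primary nor a Secondary entry leaves cvssv2/cvssv3/cvssv4 at their previous values without any message; a bb.debug there would make that case visible.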
@@ -342,37 +351,41 @@ def update_db_fkie(conn, jsondata): cveDesc = elt['descriptions'][0]['value'] date = elt['lastModified'] try: - for m in elt['metrics']['cvssMetricV2']: - if m['type'] == 'Primary': - accessVector = m['cvssData']['accessVector'] - vectorString = m['cvssData']['vectorString'] - cvssv2 = m['cvssData']['baseScore'] + if 'cvssMetricV2' in elt['metrics']: + entry = get_metric_entry(elt['metrics']['cvssMetricV2']) + if entry: + accessVector = entry['cvssData']['accessVector'] + vectorString = entry['cvssData']['vectorString'] + cvssv2 = entry['cvssData']['baseScore'] except KeyError: cvssv2 = 0.0 try: - for m in elt['metrics']['cvssMetricV30']: - if m['type'] == 'Primary': - accessVector = m['cvssData']['attackVector'] - vectorString = m['cvssData']['vectorString'] - cvssv3 = m['cvssData']['baseScore'] + if 'cvssMetricV30' in elt['metrics']: + entry = get_metric_entry(elt['metrics']['cvssMetricV30']) + if entry: + accessVector = entry['cvssData']['attackVector'] + vectorString = entry['cvssData']['vectorString'] + cvssv3 = entry['cvssData']['baseScore'] except KeyError: accessVector = accessVector or "UNKNOWN" cvssv3 = 0.0 try: - for m in elt['metrics']['cvssMetricV31']: - if m['type'] == 'Primary': - accessVector = m['cvssData']['attackVector'] - vectorString = m['cvssData']['vectorString'] - cvssv3 = m['cvssData']['baseScore'] + if 'cvssMetricV31' in elt['metrics']: + entry = get_metric_entry(elt['metrics']['cvssMetricV31']) + if entry: + accessVector = entry['cvssData']['attackVector'] + vectorString = entry['cvssData']['vectorString'] + cvssv3 = entry['cvssData']['baseScore'] except KeyError: accessVector = accessVector or "UNKNOWN" cvssv3 = 0.0 try: - for m in elt['metrics']['cvssMetricV40']: - if m['type'] == 'Primary': - accessVector = m['cvssData']['attackVector'] - vectorString = m['cvssData']['vectorString'] - cvssv4 = m['cvssData']['baseScore'] + if 'cvssMetricV40' in elt['metrics']: + entry = 
get_metric_entry(elt['metrics']['cvssMetricV40']) + if entry: + accessVector = entry['cvssData']['attackVector'] + vectorString = entry['cvssData']['vectorString'] + cvssv4 = entry['cvssData']['baseScore'] except KeyError: accessVector = accessVector or "UNKNOWN" cvssv4 = 0.0 From patchwork Fri Feb 20 05:34:40 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)" X-Patchwork-Id: 81460 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id B2996C55184 for ; Fri, 20 Feb 2026 05:34:50 +0000 (UTC) Received: from alln-iport-5.cisco.com (alln-iport-5.cisco.com [173.37.142.92]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.32338.1771565685765362574 for ; Thu, 19 Feb 2026 21:34:46 -0800 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: message contains an insecure body length tag" header.i=@cisco.com header.s=iport01 header.b=dfrxWFS+; spf=pass (domain: cisco.com, ip: 173.37.142.92, mailfrom: hetpat@cisco.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.com; i=@cisco.com; l=2630; q=dns/txt; s=iport01; t=1771565686; x=1772775286; h=from:to:cc:subject:date:message-id:in-reply-to: references:mime-version:content-transfer-encoding; bh=XWajsCpyuXj7kD5s6TS0c5hh2FGzUlkiK6tZ0gKkoQ8=; b=dfrxWFS+8Z1JzC33xJCo6JSfUE6Y0zsWzXboWFVIzh0dAf7t5sVVZg6O RrJka3VMROOkyEgcywqEfgtJNDJnpVCeTkBn+0E3wQwbQmB1nH1owVPNo SGsNBWGNm+im1cHXLE8IAL52UlV1t7bGWsuLGe93terVuiNIrGQUYJvZI nWzy9XzPw0Yp/5aqgwmTaPgonW0tnULbLYmaZnGHZ8ZSYW0jiCVZ4KJJJ prw3B/IMAA4WFP+0CkKxsCmD/6FrOrT4n3K7wNm1oLS8sCb77FD6RvI2d HnO75mnvxgd5yj3JKKrFGlrCj3hdJL60pBKc/4JEKrAyoH4QxLfZJz4ol Q==; X-CSE-ConnectionGUID: wUkBIGPmT7Sa+lZ4O+uJoA== X-CSE-MsgGUID: PvKmwjqmQ3K0fhElpbOrvg== 
certificate requested) by rcdn-l-core-01.cisco.com (Postfix) with ESMTPS id 99BD3180002BC; Fri, 20 Feb 2026 05:34:45 +0000 (GMT) Received: by sjc-ads-8556.cisco.com (Postfix, from userid 1847788) id F234ECC8D0B; Thu, 19 Feb 2026 21:34:44 -0800 (PST) From: "Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)" To: openembedded-core@lists.openembedded.org Cc: xe-linux-external@cisco.com, vchavda@cisco.com Subject: [openembedded-core] [scarthgap] [PATCH v1 31/34] cve-update: log timestamps and add force update for future time Date: Thu, 19 Feb 2026 21:34:40 -0800 Message-Id: <20260220053443.3006180-31-hetpat@cisco.com> X-Mailer: git-send-email 2.35.6 In-Reply-To: <20260220053443.3006180-1-hetpat@cisco.com> References: <20260220053443.3006180-1-hetpat@cisco.com> MIME-Version: 1.0 X-Outbound-SMTP-Client: 171.68.222.95, sjc-ads-8556.cisco.com X-Outbound-Node: rcdn-l-core-01.cisco.com List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 20 Feb 2026 05:34:50 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/231470 From: Peter Marko CVE update is currently not working properly on autobuilder. This improves logging for problem analysis. Future time is something which could be reason for current autobuilder problems since the DB was not updated for more than 3 months by now. Signed-off-by: Peter Marko Signed-off-by: Mathieu Dubois-Briand Signed-off-by: Richard Purdie (cherry picked from commit 0098a05116624d019f8c5107940e910d867f3afc) Signed-off-by: Het Patel --- meta/recipes-core/meta/cve-update-db-native.bb | 7 ++++++- meta/recipes-core/meta/cve-update-nvd2-native.bb | 9 +++++++-- 2 files changed, 13 insertions(+), 3 deletions(-) diff --git a/meta/recipes-core/meta/cve-update-db-native.bb b/meta/recipes-core/meta/cve-update-db-native.bb index 9d21d10157..962b600e3b 100644 --- a/meta/recipes-core/meta/cve-update-db-native.bb 
+++ b/meta/recipes-core/meta/cve-update-db-native.bb @@ -57,7 +57,12 @@ python do_fetch() { if not os.path.exists(db_file): bb.error("CVE database %s not present, database fetch/update skipped" % db_file) return - if time.time() - os.path.getmtime(db_file) < update_interval: + curr_time = time.time() + database_time = os.path.getmtime(db_file) + bb.note("Current time: %s; DB time: %s" % (time.ctime(curr_time), time.ctime(database_time))) + if curr_time < database_time: + bb.warn("Database time is in the future, force DB update") + elif curr_time - database_time < update_interval: bb.note("CVE database recently updated, skipping") return diff --git a/meta/recipes-core/meta/cve-update-nvd2-native.bb b/meta/recipes-core/meta/cve-update-nvd2-native.bb index f7a306c995..1411d16e20 100644 --- a/meta/recipes-core/meta/cve-update-nvd2-native.bb +++ b/meta/recipes-core/meta/cve-update-nvd2-native.bb 
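Review bot: the "if curr_time < database_time:" branch in the cve-update-db-native.bb hunk only emits the warning and then falls through to the update path, which is the intended effect, but nothing in the code says so apart from the wording "force DB update"; a one-line comment that the skip lives only in the elif branch would spare the next reader a second look. Also, time.ctime() formats local time with no zone, and on an autobuilder whose downloads directory is shared between hosts the two values logged here may come from different clocks; logging them in UTC, or alongside the raw epoch values curr_time and database_time, makes the timestamps comparable across workers and makes a clock-skew cause visible straight from the log.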
@@ -71,10 +71,15 @@ python do_fetch() { if not os.path.exists(db_file): bb.error("CVE database %s not present, database fetch/update skipped" % db_file) return - if time.time() - os.path.getmtime(db_file) < update_interval: + curr_time = time.time() + database_time = os.path.getmtime(db_file) + bb.note("Current time: %s; DB time: %s" % (time.ctime(curr_time), time.ctime(database_time))) + if curr_time < database_time: + bb.warn("Database time is in the future, force DB update") + database_time = 0 + elif curr_time - database_time < update_interval: bb.note("CVE database recently updated, skipping") return - database_time = os.path.getmtime(db_file) except OSError: pass From patchwork Fri Feb 20 05:34:41 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)" X-Patchwork-Id: 81451 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 4839FC55164 for ; Fri, 20 Feb 2026 05:34:50 +0000 (UTC) Received: from alln-iport-4.cisco.com (alln-iport-4.cisco.com [173.37.142.91]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.32608.1771565686056322342 for ; Thu, 19 Feb 2026 21:34:47 -0800 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: message contains an insecure body length tag" header.i=@cisco.com header.s=iport01 header.b=eOyvzEL9; spf=pass (domain: cisco.com, ip: 173.37.142.91, mailfrom: hetpat@cisco.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.com; i=@cisco.com; l=2924; q=dns/txt; s=iport01; t=1771565687; x=1772775287; h=from:to:cc:subject:date:message-id:in-reply-to: references:mime-version:content-transfer-encoding; bh=RZVea6YMe0lNyezlexxvqPekQvvoCWKe+fwMO3w994I=; 
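Review bot: setting database_time = 0 in the future-time branch of the cve-update-nvd2-native.bb hunk does more than "force DB update": update_db_file keys its incremental mode on "if database_time != 0:", so this turns the run into a full (non-incremental) download, and the warning text should say so, for example "Database time is in the future, forcing a full DB update". With the removed line "database_time = os.path.getmtime(db_file)" gone, database_time is now assigned inside the try before the comparison; on the visible "except OSError: pass" path it keeps whatever value preceded the try, so it is worth confirming that the variable is initialised to 0 before the try, otherwise a failed getmtime leads to a NameError rather than a full update.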
From: "Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)"
To: openembedded-core@lists.openembedded.org
Cc: xe-linux-external@cisco.com, vchavda@cisco.com
Subject: [openembedded-core] [scarthgap] [PATCH v1 32/34] cve-update-db-native: pycodestyle fixes
Date: Thu, 19 Feb 2026 21:34:41 -0800
Message-Id: <20260220053443.3006180-32-hetpat@cisco.com>
In-Reply-To: <20260220053443.3006180-1-hetpat@cisco.com>
References: <20260220053443.3006180-1-hetpat@cisco.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/231481
From: Niko Mauno Fixes following pycodestyle complaints: cve-update-db-native.bb:80:39: E712 comparison to True should be 'if cond is True:' or 'if cond:' cve-update-db-native.bb:128:20: E401 multiple imports on one line cve-update-db-native.bb:130:18: E401 multiple imports on one line cve-update-db-native.bb:171:21: E741 ambiguous variable name 'l' cve-update-db-native.bb:335:26: E225 missing whitespace around operator cve-update-db-native.bb:344:12: E713 test for membership should be 'not in' cve-update-db-native.bb:347:12: E713 test for membership should be 'not in' Also leaves out a redundant 'gzip' import in update_db_file(). Signed-off-by: Niko Mauno Signed-off-by: Mathieu Dubois-Briand (cherry picked from commit c3b0d276992f234b09a7f0fd652dc26e20d00616) Signed-off-by: Het Patel --- meta/recipes-core/meta/cve-update-db-native.bb | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/meta/recipes-core/meta/cve-update-db-native.bb b/meta/recipes-core/meta/cve-update-db-native.bb index 962b600e3b..6edf705704 100644 --- a/meta/recipes-core/meta/cve-update-db-native.bb +++ b/meta/recipes-core/meta/cve-update-db-native.bb @@ -77,7 +77,7 @@ python do_fetch() { if os.path.exists(db_file): shutil.copy2(db_file, db_tmp_file) - if update_db_file(db_tmp_file, d) == True: + if update_db_file(db_tmp_file, d): # Update downloaded correctly, can swap files shutil.move(db_tmp_file, db_file) else: @@ -136,9 +136,11 @@ def update_db_file(db_tmp_file, d): """ Update the given database file """ - import bb.utils, bb.progress + import bb.progress + import bb.utils from datetime import date - import urllib, gzip, sqlite3 + import sqlite3 + import urllib YEAR_START = 2002 cve_socket_timeout = int(d.getVar("CVE_SOCKET_TIMEOUT")) 
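Review bot: in the @@ -77 hunk, dropping "== True" widens the condition from "returned exactly True" to "returned anything truthy", so the swap of db_tmp_file over db_file now also runs for a non-empty string, a count or a response object. The "return False" visible in the @@ -167 hunk suggests update_db_file is boolean, but confirm it has no other return shape before relying on the shorter form; otherwise a path previously treated as failure becomes a successful swap.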
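Review bot: in the @@ -136 hunk, the import line loses gzip while urllib stays as a bare "import urllib"; confirm with a grep that update_db_file has no remaining "gzip." reference and that the urllib.request or urllib.error attributes it uses are loaded by some other import, because a bare "import urllib" does not by itself bring in the submodules. Since the subject announces style fixes only, the behaviour-affecting import removal would also be easier to bisect as its own commit.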
@@ -167,8 +169,8 @@ def update_db_file(db_tmp_file, d): return False if response: - for l in response.read().decode("utf-8").splitlines(): - key, value = l.split(":", 1) + for line in response.read().decode("utf-8").splitlines(): + key, value = line.split(":", 1) if key == "lastModifiedDate": last_modified = value break @@ -332,7 +334,7 @@ def get_metric_entry(metric): secondaries = [c for c in metric if c['type'] == "Secondary"] if len(primaries) > 0: return primaries[0] - elif len(secondaries)>0: + elif len(secondaries) > 0: return secondaries[0] return None 
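Review bot: the l-to-line rename in the @@ -167 hunk is fine, but while this line is being touched note that "key, value = line.split(":", 1)" raises ValueError on any line without a colon (an empty trailing line, or a changed metadata format), so a single malformed line aborts the whole metadata parse. A guard such as "if ":" not in line: continue", or using line.partition(":"), keeps the lastModifiedDate lookup robust.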
@@ -341,10 +343,10 @@ def update_db_fkie(conn, jsondata): root = json.loads(jsondata) for elt in root['cve_items']: - if not 'vulnStatus' in elt or elt['vulnStatus'] == 'Rejected': + if 'vulnStatus' not in elt or elt['vulnStatus'] == 'Rejected': continue - if not 'configurations' in elt: + if 'configurations' not in elt: continue accessVector = None From patchwork Fri Feb 20 05:34:42 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)" X-Patchwork-Id: 81448 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 3CAFEC55162 for ; Fri, 20 Feb 2026 05:34:50 +0000 (UTC) Received: from alln-iport-8.cisco.com (alln-iport-8.cisco.com [173.37.142.95]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.32606.1771565685734441813 for ; Thu, 19 Feb 2026 21:34:47 -0800 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: message contains an insecure body length tag" header.i=@cisco.com header.s=iport01 header.b=Dl9mihY8; spf=pass (domain: cisco.com, ip: 173.37.142.95, mailfrom: hetpat@cisco.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.com; i=@cisco.com; l=3386; q=dns/txt; s=iport01; t=1771565686; x=1772775286; h=from:to:cc:subject:date:message-id:in-reply-to: references:mime-version:content-transfer-encoding; bh=vJTDVm6pO8cZOHBZfaU1cbhfOM6kh3pnZGcG+qIFdho=; b=Dl9mihY86fnY1pVV3p04bi8Xg2GRKMIzsNhCTpv3PBrTXZjzUcHHbNdt SVnWky6JA4PxN5PDm3U8Ar9b5AIdCbHfdi2ZohLpWualZBWGVMk6wueEN +UsFZVWvBu//ZPOk4fwd0507tQs1JL/R4uvO8O7ZIEr8h8x0AuI2KqY7N ykMjTKulvworbRuAfMVzhC//Ctf9Y72eRPl536LoR8KUIjMZsjysTYB9B tyQlQ8vh/TZKduFMkBwJhYYTL395T4mzU1gqwtDzTFjCoGeQSj7t7hbZ7 NHqyJHrnQFQDCs0WxfK9hJ666EYX00OhSK/iE5SVVY9F3vgfNbCVGW2l3 Q==; 
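Review bot: the "not in" rewrite in the @@ -341 hunk is correct, but the behaviour it preserves deserves a flag: a Rejected entry is only skipped here, whereas the nvd2 recipe's update_db (the @@ -333 hunk in 33/34 of this series) deletes the CVE from PRODUCTS and NVD. With this recipe a CVE that was stored earlier and later rejected by NVD stays in the database and keeps being reported by do_cve_check; if that is unintended, mirror the delete here.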
From: "Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)"
To: openembedded-core@lists.openembedded.org
Cc: xe-linux-external@cisco.com, vchavda@cisco.com
Subject: [openembedded-core] [scarthgap] [PATCH v1 33/34] cve-update-nvd2-native: pycodestyle fixes
Date: Thu, 19 Feb 2026 21:34:42 -0800
Message-Id: <20260220053443.3006180-33-hetpat@cisco.com>
In-Reply-To: <20260220053443.3006180-1-hetpat@cisco.com>
References: <20260220053443.3006180-1-hetpat@cisco.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/231480
From: Niko Mauno Fixes following pycodestyle complaints: cve-update-nvd2-native.bb:95:54: E712 comparison to True should be 'if cond is True:' or 'if cond:' cve-update-nvd2-native.bb:127:15: E211 whitespace before '(' cve-update-nvd2-native.bb:127:17: E201 whitespace after '(' cve-update-nvd2-native.bb:127:19: E201 whitespace after '(' cve-update-nvd2-native.bb:127:44: E202 whitespace before ')' cve-update-nvd2-native.bb:127:46: E203 whitespace before ',' cve-update-nvd2-native.bb:174:20: E401 multiple imports on one line cve-update-nvd2-native.bb:183:29: E203 whitespace before ':' cve-update-nvd2-native.bb:236:16: E111 indentation is not a multiple of 4 cve-update-nvd2-native.bb:241:16: E111 indentation is not a multiple of 4 cve-update-nvd2-native.bb:336:39: E222 multiple spaces after operator Signed-off-by: Niko Mauno Signed-off-by: Mathieu Dubois-Briand (cherry picked from commit 680428ab19860417e6bee6a57ccf2e25ddbaa4cb) Signed-off-by: Het Patel --- meta/recipes-core/meta/cve-update-nvd2-native.bb | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/meta/recipes-core/meta/cve-update-nvd2-native.bb b/meta/recipes-core/meta/cve-update-nvd2-native.bb index 1411d16e20..abcbcffcc6 100644 --- a/meta/recipes-core/meta/cve-update-nvd2-native.bb +++ b/meta/recipes-core/meta/cve-update-nvd2-native.bb @@ -92,7 +92,7 @@ python do_fetch() { if os.path.exists(db_file): shutil.copy2(db_file, db_tmp_file) - if update_db_file(db_tmp_file, d, database_time) == True: + if update_db_file(db_tmp_file, d, database_time): # Update downloaded correctly, can swap files shutil.move(db_tmp_file, db_file) else: @@ -124,7 +124,7 @@ def cleanup_db_download(db_tmp_file): os.remove(db_tmp_file) def nvd_request_wait(attempt, min_wait): - return min ( ( (2 * attempt) + min_wait ) , 30) + return min(((2 * attempt) + min_wait), 30) def nvd_request_next(url, attempts, api_key, args, min_wait): """ 
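Review bot: the @@ -92 hunk removes "== True" from the update_db_file(db_tmp_file, d, database_time) check, so the file swap now runs for any truthy return value rather than only for True; confirm the function returns nothing but True or False, since a count or a string coming back from a partially failed update would now be treated as success.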
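Review bot: the nvd_request_wait rewrite in the @@ -124 hunk still carries a redundant pair of parentheses; "return min(2 * attempt + min_wait, 30)" is equivalent and is what the E211/E201/E202 complaints were pointing at. Unrelated to style, the back-off is linear in attempt and capped at 30 seconds, and a one-line comment stating where that cap comes from would stop someone later "fixing" it to exponential without checking.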
@@ -171,7 +171,8 @@ def update_db_file(db_tmp_file, d, database_time): """ Update the given database file """ - import bb.utils, bb.progress + import bb.progress + import bb.utils import datetime import sqlite3 import json @@ -180,7 +181,7 @@ def update_db_file(db_tmp_file, d, database_time): conn = sqlite3.connect(db_tmp_file) initialize_db(conn) - req_args = {'startIndex' : 0} + req_args = {'startIndex': 0} incr_update_threshold = int(d.getVar("CVE_DB_INCR_UPDATE_AGE_THRES")) if database_time != 0: @@ -233,12 +234,12 @@ def update_db_file(db_tmp_file, d, database_time): per_page = data["resultsPerPage"] bb.note("Got %d entries" % per_page) for cve in data["vulnerabilities"]: - update_db(conn, cve) + update_db(conn, cve) index += per_page ph.update((float(index) / (total+1)) * 100) if index >= total: - break + break # Recommended by NVD time.sleep(wait_time) 
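Review bot: the E111 fixes in the @@ -233 hunk re-indent "update_db(conn, cve)" and "break", and indentation is semantic in Python, so this hunk should be checked with "git show -w" to confirm that whitespace is the only change: update_db(conn, cve) must remain the body of the "for cve in data["vulnerabilities"]:" loop and break must remain the body of "if index >= total:". A shift of either statement to a different level would silently change how many pages are fetched or stored.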
@@ -333,7 +334,7 @@ def update_db(conn, elt): accessVector = None vectorString = None cveId = elt['cve']['id'] - if elt['cve'].get('vulnStatus') == "Rejected": + if elt['cve'].get('vulnStatus') == "Rejected": c = conn.cursor() c.execute("delete from PRODUCTS where ID = ?;", [cveId]) c.execute("delete from NVD where ID = ?;", [cveId]) From patchwork Fri Feb 20 05:34:43 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)" X-Patchwork-Id: 81453 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 607A1C5516A for ; Fri, 20 Feb 2026 05:34:50 +0000 (UTC) Received: from alln-iport-6.cisco.com (alln-iport-6.cisco.com [173.37.142.93]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.32610.1771565686797469924 for ; Thu, 19 Feb 2026 21:34:47 -0800 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: message contains an insecure body length tag" header.i=@cisco.com header.s=iport01 header.b=dOZhz/ql; spf=pass (domain: cisco.com, ip: 173.37.142.93, mailfrom: hetpat@cisco.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.com; i=@cisco.com; l=3140; q=dns/txt; s=iport01; t=1771565687; x=1772775287; h=from:to:cc:subject:date:message-id:in-reply-to: references:mime-version:content-transfer-encoding; bh=ktQnFTFyEve/PMXoWN8ISWhBxFFALaw7GtVpHdTY6BQ=; b=dOZhz/qlBmFs0NW5uIH4O9z4Zqn1thjxJBRQvfLMtm0o0NoJOiPMzi2l ATLb9NJJAHK4GMUI+qHtwdojCXBG4+uo2e59xkhbabhlsSMidfHwTLQFM 0f6ezWUYVIf30Qh4I4likUsBfyzKJ/uEJ8tEXjb8NBE/kBVus3sOYOJ2C MciVKuqn9gtSYrVD1SPIu5ruPI3J2S8I1f8rbM6OpwDomWMnyrjMs9cOh Js4L/hKY+rcM5VO2K+RX7+jNUlPoUttO2s1djsXADcWnvlKWnM8BfT136 +6RRpXq8MWxntCUujUL7H/mNvGzEbj4fqGCiOu4yCfFS5ewB8rpgp78XI g==; X-CSE-ConnectionGUID: 
From: "Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)"
To: openembedded-core@lists.openembedded.org
Cc: xe-linux-external@cisco.com, vchavda@cisco.com
Subject: [openembedded-core] [scarthgap] [PATCH v1 34/34] cve-update: Avoid NFS caching issues
Date: Thu, 19 Feb 2026 21:34:43 -0800
Message-Id: <20260220053443.3006180-34-hetpat@cisco.com>
In-Reply-To: <20260220053443.3006180-1-hetpat@cisco.com>
References: <20260220053443.3006180-1-hetpat@cisco.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/231483
From: Paul Barker

When moving the updated CVE database file to the downloads directory, ensure that it has a different inode number to the previous version of this file.

We have seen "sqlite3.DatabaseError: database disk image is malformed" exceptions on our autobuilder when trying to read the CVE database in do_cve_check tasks. The context here is that the downloads directory (where the updated database file is copied to) is shared between workers as an NFS mount. Different autobuilder workers were seeing different checksums for the database file, which indicates that a mix of both new and stale data was being read. Forcing each new version of the database file to have a different inode number will prevent stale data from being read from local caches.

This should fix [YOCTO #16086].

Signed-off-by: Paul Barker
Signed-off-by: Richard Purdie
(cherry picked from commit f63622bbec1cfaca6d0b3e05e11466e4c10fa86e)
Signed-off-by: Het Patel
---
 meta/recipes-core/meta/cve-update-db-native.bb | 9 +++++++--
 meta/recipes-core/meta/cve-update-nvd2-native.bb | 9 +++++++--
 2 files changed, 14 insertions(+), 4 deletions(-)

diff --git a/meta/recipes-core/meta/cve-update-db-native.bb b/meta/recipes-core/meta/cve-update-db-native.bb
index 6edf705704..b0272cdddd 100644
--- a/meta/recipes-core/meta/cve-update-db-native.bb
+++ b/meta/recipes-core/meta/cve-update-db-native.bb
@@ -78,8 +78,13 @@ python do_fetch() { shutil.copy2(db_file, db_tmp_file) if update_db_file(db_tmp_file, d): - # Update downloaded correctly, can swap files - shutil.move(db_tmp_file, db_file) + # Update downloaded correctly, we can swap files. To avoid potential + # NFS caching issues, ensure that the destination file has a new inode + # number. We do this in two steps as the downloads directory may be on + # a different filesystem to tmpdir we're working in. + new_file = "%s.new" % (db_file) + shutil.move(db_tmp_file, new_file) + os.rename(new_file, db_file) else: # Update failed, do not modify the database bb.warn("CVE database update failed") diff --git a/meta/recipes-core/meta/cve-update-nvd2-native.bb b/meta/recipes-core/meta/cve-update-nvd2-native.bb index abcbcffcc6..8c8148dd92 100644 --- a/meta/recipes-core/meta/cve-update-nvd2-native.bb +++ b/meta/recipes-core/meta/cve-update-nvd2-native.bb @@ -93,8 +93,13 @@ python do_fetch() { shutil.copy2(db_file, db_tmp_file) if update_db_file(db_tmp_file, d, database_time): - # Update downloaded correctly, can swap files - shutil.move(db_tmp_file, db_file) + # Update downloaded correctly, we can swap files. To avoid potential + # NFS caching issues, ensure that the destination file has a new inode + # number. We do this in two steps as the downloads directory may be on + # a different filesystem to tmpdir we're working in. + new_file = "%s.new" % (db_file) + shutil.move(db_tmp_file, new_file) + os.rename(new_file, db_file) else: # Update failed, do not modify the database bb.warn("CVE database update failed")
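Review bot: the two-step move in the @@ -78 hunk fixes the inode problem but leaves two small windows worth a comment or a check. If the task dies between shutil.move(db_tmp_file, new_file) and os.rename(new_file, db_file), a stray db_file + ".new" remains and is silently overwritten by the next run, which is acceptable but should be stated. More importantly, if two workers sharing the downloads directory run do_fetch at the same time, both write the same ".new" path and race on the rename, so confirm the task already serialises the swap under a lock (for instance bb.utils.lockfile). Note also that os.rename only gives atomic replacement here because new_file sits in the same directory as db_file; the comment explains the cross-filesystem reason for the ".new" step, but that same-directory requirement is what readers depend on and deserves a word.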
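Review bot: the @@ -93 hunk in cve-update-nvd2-native.bb is now byte-for-byte identical to the swap block in cve-update-db-native.bb, and this series has already had to touch both copies twice (31/34 and 34/34). A small shared helper taking db_tmp_file and db_file, placed in a common .bbclass or under lib/, would keep the two recipes in sync the next time the swap logic changes.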
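The inode behaviour described in the commit message, as an added example that is not part of the patch or of oe-core: it contrasts an in-place overwrite (the path keeps its inode) with the temp-name-plus-os.rename() swap the hunks above use (the path gets a new inode), and checks that a reader which already had the old file open keeps seeing the complete old content rather than a mix. File names and contents are constructed in a temporary directory; the demonstration assumes a POSIX filesystem.

```python
"""Added example (not from the patch or oe-core): why the rename-based swap
gives the CVE database path a fresh inode, and what a concurrent reader sees.
All paths and contents below are constructed for the demonstration."""
import os
import shutil
import tempfile


def replace_in_place(db_file: str, new_content: bytes) -> None:
    """Overwrite the existing path; the directory entry keeps its inode,
    so NFS clients holding cached pages of this inode may mix old and new."""
    with open(db_file, "wb") as f:
        f.write(new_content)


def replace_via_rename(db_file: str, tmp_file: str) -> None:
    """Same two steps as the patch: move the fresh file next to the target
    (may cross filesystems), then rename it over the target (same directory,
    atomic on POSIX). The target path now refers to a different inode."""
    new_file = "%s.new" % db_file
    shutil.move(tmp_file, new_file)
    os.rename(new_file, db_file)


def demo() -> dict:
    """Run both strategies on a constructed database file and report
    inode changes plus what an already-open reader observes."""
    workdir = tempfile.mkdtemp(prefix="cve-db-demo-")  # constructed scratch dir
    try:
        db_file = os.path.join(workdir, "nvdcve_2.db")        # stands in for the downloads copy
        tmp_file = os.path.join(workdir, "nvdcve_2.db.tmp")   # stands in for the tmpdir copy
        old = b"OLD" * 1024
        new = b"NEW" * 1024

        with open(db_file, "wb") as f:
            f.write(old)
        ino_start = os.stat(db_file).st_ino

        # Strategy 1: in-place overwrite keeps the inode number.
        replace_in_place(db_file, new)
        ino_in_place = os.stat(db_file).st_ino

        # Reset to the old content (still the same inode) for strategy 2.
        with open(db_file, "wb") as f:
            f.write(old)

        # Strategy 2: a reader opens the old file, then the swap happens
        # underneath it. The reader keeps the old inode and reads old data
        # in full; new opens see the new inode and new data in full.
        reader = open(db_file, "rb")
        with open(tmp_file, "wb") as f:
            f.write(new)
        replace_via_rename(db_file, tmp_file)
        ino_renamed = os.stat(db_file).st_ino
        seen_by_old_reader = reader.read()
        reader.close()
        with open(db_file, "rb") as f:
            seen_by_new_reader = f.read()

        return {
            "in_place_same_inode": ino_in_place == ino_start,
            "rename_new_inode": ino_renamed != ino_start,
            "old_reader_sees_old": seen_by_old_reader == old,
            "new_reader_sees_new": seen_by_new_reader == new,
            "stray_new_file_left": os.path.exists(db_file + ".new"),
        }
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    for key, value in demo().items():
        print("%s: %s" % (key, value))
```

The old reader keeping a consistent view is the property the autobuilder needed: a do_cve_check task that opened the database before a swap continues against one complete inode instead of a cached blend of two versions.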