From patchwork Mon Mar 9 09:16:21 2026
X-Patchwork-Submitter: "Himanshu Jadon -X (hjadon - E INFOCHIPS PRIVATE LIMITED at Cisco)"
X-Patchwork-Id: 82855
X-Patchwork-Delegate: yoann.congal@smile.fr
From: "Himanshu Jadon -X (hjadon - E INFOCHIPS PRIVATE LIMITED at Cisco)"
To: openembedded-core@lists.openembedded.org
Subject: [openembedded-core] [scarthgap] [PATCH 1/3] improve_kernel_cve_report: do not override backported-patch
Date: Mon, 9 Mar 2026 02:16:21 -0700
Message-Id: <20260309091623.3506271-1-hjadon@cisco.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/232691

From: Daniel Turull

If the user has a CVE_STATUS for their own backported patch, the backport takes priority over upstream vulnerable versions.

Signed-off-by: Daniel Turull
Signed-off-by: Antonin Godard
Signed-off-by: Richard Purdie
(cherry picked from commit 0beef05be119ea465ba06553a42edea03dfc9fd3)
Signed-off-by: Himanshu Jadon
---
 scripts/contrib/improve_kernel_cve_report.py | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/scripts/contrib/improve_kernel_cve_report.py b/scripts/contrib/improve_kernel_cve_report.py index 829cc4cd30..a81aa0ff94 100755 --- a/scripts/contrib/improve_kernel_cve_report.py +++ b/scripts/contrib/improve_kernel_cve_report.py
@@ -340,6 +340,10 @@ def cve_update(cve_data, cve, entry): if cve_data[cve]['status'] == entry['status']: return if entry['status'] == "Unpatched" and cve_data[cve]['status'] == "Patched": + # Backported-patch (e.g. vendor kernel repo with cherry-picked CVE patch) + # has priority over unpatch from CNA + if cve_data[cve]['detail'] == "backported-patch": + return logging.warning("CVE entry %s update from Patched to Unpatched from the scan result", cve) cve_data[cve] = copy_data(cve_data[cve], entry) return

From patchwork Mon Mar 9 09:17:37 2026
X-Patchwork-Submitter: "Himanshu Jadon -X (hjadon - E INFOCHIPS PRIVATE LIMITED at Cisco)"
X-Patchwork-Id: 82856
X-Patchwork-Delegate: yoann.congal@smile.fr
From: "Himanshu Jadon -X (hjadon - E INFOCHIPS PRIVATE LIMITED at Cisco)"
To: openembedded-core@lists.openembedded.org
Cc: xe-linux-external@cisco.com, vchavda@cisco.com
Subject: [openembedded-core] [scarthgap] [PATCH 2/3] improve_kernel_cve_report: do not use custom version
Date: Mon, 9 Mar 2026 02:17:37 -0700
Message-Id: <20260309091737.3507329-1-hjadon@cisco.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/232692

From: Daniel Turull

When using the version specified in cve-summary.json, we need to remove the suffix containing the custom version to match the versions from the CVEs. This patch truncates the version from cve-summary.json to use only the base version of the kernel. This is only applicable for kernels where the user has added their own version.

Signed-off-by: Daniel Turull
Signed-off-by: Antonin Godard
Signed-off-by: Richard Purdie
(cherry picked from commit 3942d40e96989268e8d1030f9d8c3859044d9635)
Signed-off-by: Himanshu Jadon
---
 scripts/contrib/improve_kernel_cve_report.py | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/scripts/contrib/improve_kernel_cve_report.py b/scripts/contrib/improve_kernel_cve_report.py index a81aa0ff94..5c39df05a5 100755 --- a/scripts/contrib/improve_kernel_cve_report.py +++ b/scripts/contrib/improve_kernel_cve_report.py 
@@ -445,10 +445,12 @@ def main(): is_kernel=True if not is_kernel: continue - + # We remove custom versions after - + upstream_version = Version(pkg["version"].split("-")[0]) + logging.info("Checking kernel %s", upstream_version) kernel_cves = get_kernel_cves(args.datadir, compiled_files, - Version(pkg["version"])) + upstream_version) logging.info("Total kernel cves from kernel CNA: %s", len(kernel_cves)) cves = {issue["id"]: issue for issue in pkg["issue"]} logging.info("Total kernel before processing cves: %s", len(cves))

From patchwork Mon Mar 9 09:18:11 2026
X-Patchwork-Submitter: "Himanshu Jadon -X (hjadon - E INFOCHIPS PRIVATE LIMITED at Cisco)"
X-Patchwork-Id: 82857
X-Patchwork-Delegate: yoann.congal@smile.fr
From: "Himanshu Jadon -X (hjadon - E INFOCHIPS PRIVATE LIMITED at Cisco)"
To: openembedded-core@lists.openembedded.org
Cc: xe-linux-external@cisco.com, vchavda@cisco.com
Subject: [openembedded-core] [scarthgap] [PATCH 3/3] improve_kernel_cve_report: add option to read debugsources.zstd
Date: Mon, 9 Mar 2026 02:18:11 -0700
Message-Id: <20260309091811.3508300-1-hjadon@cisco.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/232693

From: Daniel Turull

Adding option to be able to import debugsources.zstd directly. The linux-yocto-debugsources.zstd is generated in every build and does not require any additional configuration. In contrast, SPDX_INCLUDE_COMPILED_SOURCES needs to be explicitly added and increases build time.

Signed-off-by: Daniel Turull
Signed-off-by: Mathieu Dubois-Briand
(cherry picked from commit c84a8958f30bbb982656ddcbe7476f6f81e1a6fb)
Signed-off-by: Himanshu Jadon
---
 scripts/contrib/improve_kernel_cve_report.py | 27 ++++++++++++++++++++
 1 file changed, 27 insertions(+)

diff --git a/scripts/contrib/improve_kernel_cve_report.py b/scripts/contrib/improve_kernel_cve_report.py index 5c39df05a5..3a15b1ed26 100755 --- a/scripts/contrib/improve_kernel_cve_report.py +++ b/scripts/contrib/improve_kernel_cve_report.py @@ -236,6 +236,26 @@ def read_spdx3(spdx): cfiles.add(filename) return cfiles +def read_debugsources(file_path): + ''' + Read zstd file from pkgdata to extract sources + ''' + import zstandard as zstd + import itertools + # Decompress the .zst file + cfiles = set() + with open(file_path, 'rb') as fh: + dctx = zstd.ZstdDecompressor() + with dctx.stream_reader(fh) as reader: + decompressed_bytes = reader.read() + json_data = json.loads(decompressed_bytes) + # We need to remove one level from the debug sources + for source_list in json_data.values(): + for source in source_list: + src = source.split("/",1)[1] + cfiles.add(src) + return cfiles + def check_kernel_compiled_files(compiled_files, cve_info): """ Return if a CVE affected us depending on compiled files @@ -372,6 +392,10 @@ def main(): "--spdx", help="SPDX2/3 for the kernel. Needs to include compiled sources", ) + parser.add_argument( + "--debug-sources-file", + help="Debug sources zstd file generated from Yocto", + ) parser.add_argument( "--datadir", type=pathlib.Path, @@ -415,6 +439,9 @@ def main(): if args.spdx: compiled_files = read_spdx(args.spdx) logging.info("Total compiled files %d", len(compiled_files)) + if args.debug_sources_file: + compiled_files = read_debugsources(args.debug_sources_file) + logging.info("Total compiled files %d", len(compiled_files)) if args.old_cve_report: with open(args.old_cve_report, encoding='ISO-8859-1') as f:
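
Review bot: In [PATCH 1/3], the new early return in cve_update() for detail == "backported-patch" is silent, while the path directly below it logs a warning when a Patched entry is downgraded. This branch keeps a CVE marked Patched against scan data that says Unpatched, so log it (for example logging.info with the CVE id) to make the override auditable. The lookup cve_data[cve]['detail'] also assumes every existing entry carries a 'detail' key; cve_data[cve].get('detail') avoids a KeyError if one does not. The comment should say "Unpatched" rather than "unpatch".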
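
Review bot: In [PATCH 2/3], pkg["version"].split("-")[0] in main() drops everything after the first hyphen, which removes a custom suffix but would equally remove a pre-release tag such as -rc1, and it leaves a suffix joined with any other separator untouched. State in the comment which version formats from cve-summary.json are expected, and log the original pkg["version"] next to upstream_version so a wrong truncation is visible in the output. The added comment "# We remove custom versions after -" is hard to parse; something like "Strip the custom version suffix after the first hyphen" reads more clearly.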
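
Review bot: In [PATCH 3/3], read_debugsources(): source.split("/",1)[1] raises IndexError for any entry that contains no "/", so a single unexpected path in the JSON aborts the whole report; check the split result (or use str.partition) and skip or log such entries. import itertools is unused and can be dropped, and the docstring uses ''' where the neighbouring check_kernel_compiled_files() uses triple double quotes.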
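
Review bot: In [PATCH 3/3], the --debug-sources-file argument added in main() does not document how it relates to --spdx, and its value is taken as a plain string while --datadir just below it uses type=pathlib.Path. Extend the help text to name the expected file (the commit message mentions linux-yocto-debugsources.zstd) and to say which option applies when both are given.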
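
Review bot: In [PATCH 3/3], the last hunk in main() adds a separate "if args.debug_sources_file:" after "if args.spdx:", so when both options are passed the debugsources result silently replaces the SPDX file list. Make the precedence explicit with elif, merge the two sets, or reject the combination at argument parsing, and document which behaviour is intended.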