From: ValentinBoudevin <valentin.boudevin@gmail.com>
To: openembedded-core@lists.openembedded.org
Cc: daniel.turull@ericsson.com, jerome.oufella@savoirfairelinux.com,
ValentinBoudevin <valentin.boudevin@gmail.com>
Subject: [PATCH v5 2/2] improve_kernel_cve_report: Add a bbclass support
Date: Wed, 28 Jan 2026 11:38:27 -0500 [thread overview]
Message-ID: <20260128163827.386933-3-valentin.boudevin@gmail.com> (raw)
In-Reply-To: <20260128163827.386933-1-valentin.boudevin@gmail.com>
The script improve_kernel_cve_report.py doesn't have a bbclass.
It can be useful to have one to generate improved cve-check files at
every run.
This commit contains three classes:
- improve_kernel_cve_report-base.bbclass: Base class which contains the
tasks to perform improve_kernel_cve_report.py initialization and
execution.
- improve_kernel_cve_report-spdx-2.2.bbclass: Set the
IMPROVE_KERNEL_SPDX_FILE variable for SPDX-2.2 builds and set
IMPROVE_KERNEL_PREFERRED_PROVIDER to require "create-spdx-2.2" in
INHERIT.
- improve_kernel_cve_report-spdx-3.0.bbclass: Set the
IMPROVE_KERNEL_SPDX_FILE variable for SPDX-3.0 projects, and set
IMPROVE_KERNEL_PREFERRED_PROVIDER to "create-spdx" to require it in
INHERIT.
- improve_kernel_cve_report.bbclass: Include this class when you don't
care what version of SPDX you get.
These three new .bbclass files can be used to generate a new output in
tmp/deploy/images with a .scouted.json file in addition to the existing
.json cve-check file.
The new .scouted.json is based on the cve-check file and the SBOM to
generate this improved cve-check file with extra entries found by the
script improve_kernel_cve_report.py.
It only requires using "inherit" on an image recipe (e.g. on
core-image-minimal).
The bbclass "improve_kernel_cve_report-spdx-2.2.bbclass" can be used if
"create-spdx-2.2" is configured in INHERIT, and "create-spdx" is
removed.
INHERIT:remove = "create-spdx"
INHERIT:append = " create-spdx-2.2"
By default, projects use SPDX-3.0 and don't require any additional
configuration.
Signed-off-by: Valentin Boudevin <valentin.boudevin@gmail.com>
---
.../improve_kernel_cve_report-base.bbclass | 60 +++++++++++++++++++
...improve_kernel_cve_report-spdx-2.2.bbclass | 4 ++
...improve_kernel_cve_report-spdx-3.0.bbclass | 4 ++
.../classes/improve_kernel_cve_report.bbclass | 3 +
4 files changed, 71 insertions(+)
create mode 100644 meta/classes/improve_kernel_cve_report-base.bbclass
create mode 100644 meta/classes/improve_kernel_cve_report-spdx-2.2.bbclass
create mode 100644 meta/classes/improve_kernel_cve_report-spdx-3.0.bbclass
create mode 100644 meta/classes/improve_kernel_cve_report.bbclass
diff --git a/meta/classes/improve_kernel_cve_report-base.bbclass b/meta/classes/improve_kernel_cve_report-base.bbclass
new file mode 100644
index 0000000000..e78722c59c
--- /dev/null
+++ b/meta/classes/improve_kernel_cve_report-base.bbclass
@@ -0,0 +1,60 @@
+# Settings for SPDX support
+
+# Setting to specify preferred provider for kernel SPDX file ("create-spdx" or "create-spdx-2.2")
+IMPROVE_KERNEL_PREFERRED_PROVIDER ?= ""
+# Setting to specify the path to the SPDX file to be used for extra kernel vulnerabilities scouting
+IMPROVE_KERNEL_SPDX_FILE ?= ""
+
+python __anonymous() {
+ if bb.data.inherits_class("create-spdx-2.2", d):
+ bb.build.addtask("do_scout_extra_kernel_vulns", "do_build", "do_rootfs", d)
+ elif bb.data.inherits_class("create-spdx", d):
+ bb.build.addtask('do_scout_extra_kernel_vulns', 'do_build', 'do_create_image_sbom_spdx', d)
+}
+
+python do_clean:append() {
+ import os, glob
+ deploy_dir = d.expand('${DEPLOY_DIR_IMAGE}')
+ for f in glob.glob(os.path.join(deploy_dir, '*scouted.json')):
+ bb.note("Removing " + f)
+ os.remove(f)
+}
+
+do_scout_extra_kernel_vulns() {
+ new_cve_report_file="${DEPLOY_DIR_IMAGE}/${IMAGE_NAME}.scouted.json"
+ improve_kernel_cve_script="${COREBASE}/scripts/contrib/improve_kernel_cve_report.py"
+
+ # Check that IMPROVE_KERNEL_SPDX_FILE is set and the file exists
+ if [ -z "${IMPROVE_KERNEL_SPDX_FILE}" ] || [ ! -f "${IMPROVE_KERNEL_SPDX_FILE}" ]; then
+ bbwarn "improve_kernel_cve: IMPROVE_KERNEL_SPDX_FILE is empty or file not found: ${IMPROVE_KERNEL_SPDX_FILE}"
+ return 0
+ fi
+ if [ ! -f "${CVE_CHECK_MANIFEST_JSON}" ]; then
+ bbwarn "improve_kernel_cve: CVE_CHECK file not found: ${CVE_CHECK_MANIFEST_JSON}. Skipping extra kernel vulnerabilities scouting."
+ return 0
+ fi
+ if [ ! -f "${improve_kernel_cve_script}" ]; then
+ bbwarn "improve_kernel_cve: improve_kernel_cve_report.py not found in ${COREBASE}."
+ return 0
+ fi
+ if [ ! -d "${STAGING_DATADIR_NATIVE}/vulns-native" ]; then
+ bbwarn "improve_kernel_cve: Vulnerabilities data not found in ${STAGING_DATADIR_NATIVE}/vulns-native."
+ return 0
+ fi
+
+ #Run the improve_kernel_cve_report.py script
+ bbplain "improve_kernel_cve: Using SPDX file for extra kernel vulnerabilities scouting: ${IMPROVE_KERNEL_SPDX_FILE}"
+ python3 "${improve_kernel_cve_script}" \
+ --spdx "${IMPROVE_KERNEL_SPDX_FILE}" \
+ --old-cve-report "${CVE_CHECK_MANIFEST_JSON}" \
+ --new-cve-report "${new_cve_report_file}" \
+ --datadir "${STAGING_DATADIR_NATIVE}/vulns-native"
+ bbplain "Improve CVE report with extra kernel cves: ${new_cve_report_file}"
+
+ #Create a symlink as every other JSON file in tmp/deploy/images
+ ln -sf ${DEPLOY_DIR_IMAGE}/${IMAGE_NAME}.scouted.json ${DEPLOY_DIR_IMAGE}/${IMAGE_BASENAME}${IMAGE_MACHINE_SUFFIX}${IMAGE_NAME_SUFFIX}.scouted.json
+}
+do_scout_extra_kernel_vulns[depends] += "vulns-native:do_populate_sysroot"
+do_scout_extra_kernel_vulns[nostamp] = "1"
+do_scout_extra_kernel_vulns[doc] = "Scout extra kernel vulnerabilities and create a new enhanced version of the cve_check file in the deploy directory"
+addtask scout_extra_kernel_vulnsate_cve_exclusions after do_prepare_recipe_sysroot
\ No newline at end of file
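Review bot: the last line, `addtask scout_extra_kernel_vulnsate_cve_exclusions after do_prepare_recipe_sysroot`, registers a task name that has no function behind it (the shell function above is `do_scout_extra_kernel_vulns`), so it reads as a mangled leftover of `addtask scout_extra_kernel_vulns ...`; either drop it, since the anonymous python already registers the task with `bb.build.addtask`, or fix the name and drop the dynamic registration so the task is added in exactly one place. Note also that the anonymous python only adds the task when `create-spdx-2.2` or `create-spdx` is inherited, so a configuration that inherits `create-spdx-3.0` directly gets neither the task nor a warning. Two smaller points in the same hunk: `do_clean:append` globs `*scouted.json` across the whole `${DEPLOY_DIR_IMAGE}`, which deletes the output of every image built for the machine rather than this recipe's own, so anchor the pattern on `${IMAGE_BASENAME}`; and each of the four preconditions ends in `bbwarn` plus `return 0`, so a build with a wrong `IMPROVE_KERNEL_SPDX_FILE` succeeds with no `.scouted.json` at all, which is easy to miss in a log for a report whose purpose is to surface extra kernel CVEs. A missing script or missing `vulns-native` data indicates a broken configuration rather than an optional input and is better reported with `bbfatal`. Finally, the `ln -sf` source and target are unquoted; quote them as the rest of the function does.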
diff --git a/meta/classes/improve_kernel_cve_report-spdx-2.2.bbclass b/meta/classes/improve_kernel_cve_report-spdx-2.2.bbclass
new file mode 100644
index 0000000000..45b483134d
--- /dev/null
+++ b/meta/classes/improve_kernel_cve_report-spdx-2.2.bbclass
@@ -0,0 +1,4 @@
+IMPROVE_KERNEL_PREFERRED_PROVIDER = "create-spdx-2.2"
+IMPROVE_KERNEL_SPDX_FILE = "${DEPLOY_DIR}/spdx/2.2/${@d.getVar('MACHINE').replace('-', '_')}/recipes/recipe-${PREFERRED_PROVIDER_virtual/kernel}.spdx.json"
+
+inherit improve_kernel_cve_report-base
\ No newline at end of file
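Review bot: `IMPROVE_KERNEL_PREFERRED_PROVIDER` is assigned here (and in the 3.0 class) but nothing in the base class reads it; the base class picks the task ordering with `bb.data.inherits_class` instead, so either drop the variable or make the base class honour it as the commit message says it does. The `IMPROVE_KERNEL_SPDX_FILE` path is also assembled by hand: it hardcodes the `2.2` directory, derives the architecture component from `MACHINE` with `-` replaced by `_`, and expands `${PREFERRED_PROVIDER_virtual/kernel}`, which is unset in configurations that rely on the default kernel provider and then yields a path ending in `recipe-.spdx.json` that only trips the "file not found" warning in the base class. Build the path from the create-spdx-2.2 deploy-directory and architecture variables and resolve the kernel provider rather than reading the raw `PREFERRED_PROVIDER_virtual/kernel`.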
diff --git a/meta/classes/improve_kernel_cve_report-spdx-3.0.bbclass b/meta/classes/improve_kernel_cve_report-spdx-3.0.bbclass
new file mode 100644
index 0000000000..3849f66aaf
--- /dev/null
+++ b/meta/classes/improve_kernel_cve_report-spdx-3.0.bbclass
@@ -0,0 +1,4 @@
+IMPROVE_KERNEL_PREFERRED_PROVIDER = "create-spdx"
+IMPROVE_KERNEL_SPDX_FILE = "${SPDXIMAGEDEPLOYDIR}/${IMAGE_LINK_NAME}.spdx.json"
+
+inherit improve_kernel_cve_report-base
\ No newline at end of file
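Review bot: the two variant classes feed the script different kinds of documents, and nothing says whether that is intended: here `IMPROVE_KERNEL_SPDX_FILE` is the image SBOM (`${IMAGE_LINK_NAME}.spdx.json` under `${SPDXIMAGEDEPLOYDIR}`), while the 2.2 class points at the kernel recipe SBOM (`recipe-${PREFERRED_PROVIDER_virtual/kernel}.spdx.json`). If `improve_kernel_cve_report.py` accepts both, a one-line comment in each class should say so; if not, one of the two paths is wrong. `IMPROVE_KERNEL_PREFERRED_PROVIDER = "create-spdx"` is again set without a consumer, as in the 2.2 class.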
diff --git a/meta/classes/improve_kernel_cve_report.bbclass b/meta/classes/improve_kernel_cve_report.bbclass
new file mode 100644
index 0000000000..7b237d1e22
--- /dev/null
+++ b/meta/classes/improve_kernel_cve_report.bbclass
@@ -0,0 +1,3 @@
+# Include this class when you don't care what version of SPDX you get; it will
+# be updated to the latest stable version that is supported
+inherit improve_kernel_cve_report-spdx-3.0
\ No newline at end of file
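Review bot: none of the four new files carries the `# Copyright OpenEmbedded Contributors` / `# SPDX-License-Identifier: MIT` header used by the other classes under meta/classes, and all four end without a trailing newline (each hunk ends in `\ No newline at end of file`); add the header and the newline before this goes in. The comment "it will be updated to the latest stable version that is supported" is a maintenance promise that only holds if someone bumps the `inherit` line when a new SPDX class lands, so wording it as the intent ("this class tracks the newest supported SPDX version") is more accurate.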
Thread overview: 16+ messages
[not found] <188AFD4FCC1313A8.2683732@lists.openembedded.org>
2026-01-19 18:40 ` [PATCH v4 0/1] improve_kernel_cve_report: Add a bbclass support ValentinBoudevin
2026-01-19 18:40 ` [PATCH v4 1/1] " ValentinBoudevin
2026-01-20 15:00 ` Daniel Turull
2026-01-22 12:58 ` Benjamin ROBIN
2026-01-26 12:56 ` [OE-core] " Ross Burton
2026-01-28 16:38 ` [PATCH v5 0/2] " ValentinBoudevin
2026-01-28 16:38 ` [PATCH v5 1/2] vulns: add a new recipe ValentinBoudevin
2026-01-31 17:59 ` [OE-core] " Mathieu Dubois-Briand
2026-01-28 16:38 ` ValentinBoudevin [this message]
2026-01-29 11:01 ` [PATCH v5 0/2] improve_kernel_cve_report: Add a bbclass support Daniel Turull
2026-01-29 16:34 ` vboudevin
2026-02-01 15:54 ` [OE-core] " Marta Rybczynska
2026-02-02 21:08 ` [PATCH v6 " ValentinBoudevin
2026-02-02 21:08 ` [PATCH v6 1/2] vulns: add a new recipe ValentinBoudevin
2026-02-02 21:08 ` [PATCH v6 2/2] improve_kernel_cve_report: Add a bbclass support ValentinBoudevin
2026-02-04 14:58 ` [PATCH v6 0/2] " Daniel Turull