* [Buildroot] [PATCH v2 2/5] support/scripts/cve-check: add indication how to run
2026-05-29 15:06 [Buildroot] [PATCH v2 1/5] support/scripts/cve-check: fix vulnerability timestamp to RFC 3339 Thomas Perale via buildroot
@ 2026-05-29 15:06 ` Thomas Perale via buildroot
2026-05-29 15:36 ` Thomas Petazzoni via buildroot
2026-06-05 12:51 ` Thomas Perale via buildroot
2026-05-29 15:06 ` [Buildroot] [PATCH v2 3/5] support/scripts/cve-check: remove 'bom-ref' for vulnerabilities Thomas Perale via buildroot
` (4 subsequent siblings)
5 siblings, 2 replies; 15+ messages in thread
From: Thomas Perale via buildroot @ 2026-05-29 15:06 UTC (permalink / raw)
To: buildroot; +Cc: Thomas Perale, Thomas Petazzoni
Always run this script from the output of 'generate-cyclonedx'. Do not re-run
this script over an already analysed SBOM.
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
---
support/scripts/cve-check | 3 +++
1 file changed, 3 insertions(+)
diff --git a/support/scripts/cve-check b/support/scripts/cve-check
index 5047523ade..c045d7ea27 100755
--- a/support/scripts/cve-check
+++ b/support/scripts/cve-check
@@ -29,6 +29,9 @@ database.
The NVD database is cloned using a mirror of it and the content is compared
locally.
+
+Always run this script from the output of 'generate-cyclonedx'. Do not re-run
+this script over an already analysed SBOMs.
"""
--
2.54.0
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
* Re: [Buildroot] [PATCH v2 2/5] support/scripts/cve-check: add indication how to run
2026-05-29 15:06 ` [Buildroot] [PATCH v2 2/5] support/scripts/cve-check: add indication how to run Thomas Perale via buildroot
@ 2026-05-29 15:36 ` Thomas Petazzoni via buildroot
2026-06-05 12:51 ` Thomas Perale via buildroot
1 sibling, 0 replies; 15+ messages in thread
From: Thomas Petazzoni via buildroot @ 2026-05-29 15:36 UTC (permalink / raw)
To: Thomas Perale; +Cc: buildroot
Hello,
On Fri, May 29, 2026 at 05:06:28PM +0200, Thomas Perale via buildroot wrote:
> Always run this script from the output of 'generate-cyclonedx'. Do not re-run
> this script over an already analysed SBOMs.
Minor nit: "an already analysed SBOM" (singular) or "already analysed
SBOMs" (plural). I've chosen the first form, in the commit message and
in the code itself.
Applied to master with this very minor nit fixed.
Thomas
--
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering and training
https://bootlin.com
* Re: [Buildroot] [PATCH v2 2/5] support/scripts/cve-check: add indication how to run
2026-05-29 15:06 ` [Buildroot] [PATCH v2 2/5] support/scripts/cve-check: add indication how to run Thomas Perale via buildroot
2026-05-29 15:36 ` Thomas Petazzoni via buildroot
@ 2026-06-05 12:51 ` Thomas Perale via buildroot
1 sibling, 0 replies; 15+ messages in thread
From: Thomas Perale via buildroot @ 2026-06-05 12:51 UTC (permalink / raw)
To: Thomas Perale; +Cc: buildroot
In reply of:
> Always run this script from the output of 'generate-cyclonedx'. Do not re-run
> this script over an already analysed SBOMs.
>
> Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Applied to 2025.02.x & 2026.02.x. Thanks
> ---
> support/scripts/cve-check | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/support/scripts/cve-check b/support/scripts/cve-check
> index 5047523ade..c045d7ea27 100755
> --- a/support/scripts/cve-check
> +++ b/support/scripts/cve-check
> @@ -29,6 +29,9 @@ database.
>
> The NVD database is cloned using a mirror of it and the content is compared
> locally.
> +
> +Always run this script from the output of 'generate-cyclonedx'. Do not re-run
> +this script over an already analysed SBOMs.
> """
>
>
> --
> 2.54.0
>
* [Buildroot] [PATCH v2 3/5] support/scripts/cve-check: remove 'bom-ref' for vulnerabilities
2026-05-29 15:06 [Buildroot] [PATCH v2 1/5] support/scripts/cve-check: fix vulnerability timestamp to RFC 3339 Thomas Perale via buildroot
2026-05-29 15:06 ` [Buildroot] [PATCH v2 2/5] support/scripts/cve-check: add indication how to run Thomas Perale via buildroot
@ 2026-05-29 15:06 ` Thomas Perale via buildroot
2026-05-29 15:39 ` Thomas Petazzoni via buildroot
2026-05-29 15:06 ` [Buildroot] [PATCH v2 4/5] support/scripts/cve-check: fix vulnerabilities with different analysis Thomas Perale via buildroot
` (3 subsequent siblings)
5 siblings, 1 reply; 15+ messages in thread
From: Thomas Perale via buildroot @ 2026-05-29 15:06 UTC (permalink / raw)
To: buildroot; +Cc: Thomas Perale, Thomas Petazzoni
The 'bom-ref' is optional and, since we don't reference the
vulnerabilities from anywhere else in the SBOM, it is not necessary in
this case.
The following commit will introduce multiple vulnerabilities that
have the same id. So using the vulnerability id as 'bom-ref' won't be
correct as the 'bom-ref' needs to be unique, unlike the id property.
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
---
support/scripts/cve-check | 1 -
1 file changed, 1 deletion(-)
diff --git a/support/scripts/cve-check b/support/scripts/cve-check
index c045d7ea27..881d9c03c0 100755
--- a/support/scripts/cve-check
+++ b/support/scripts/cve-check
@@ -147,7 +147,6 @@ def nvd_cve_to_cdx_vulnerability(nvd_cve):
[1] https://cyclonedx.org/docs/1.6/json/#vulnerabilities
"""
vulnerability = {
- "bom-ref": nvd_cve["id"],
"id": nvd_cve["id"],
"description": cve_api_get_lang_from_list(nvd_cve.get("descriptions", [])) or "",
"source": {
--
2.54.0
* [Buildroot] [PATCH v2 4/5] support/scripts/cve-check: fix vulnerabilities with different analysis
2026-05-29 15:06 [Buildroot] [PATCH v2 1/5] support/scripts/cve-check: fix vulnerability timestamp to RFC 3339 Thomas Perale via buildroot
2026-05-29 15:06 ` [Buildroot] [PATCH v2 2/5] support/scripts/cve-check: add indication how to run Thomas Perale via buildroot
2026-05-29 15:06 ` [Buildroot] [PATCH v2 3/5] support/scripts/cve-check: remove 'bom-ref' for vulnerabilities Thomas Perale via buildroot
@ 2026-05-29 15:06 ` Thomas Perale via buildroot
2026-05-29 15:39 ` Thomas Petazzoni via buildroot
2026-06-05 12:51 ` Thomas Perale via buildroot
2026-05-29 15:06 ` [Buildroot] [PATCH v2 5/5] package/pkg-generic.mk: replicate IGNORE_CVES to host packages Thomas Perale via buildroot
` (2 subsequent siblings)
5 siblings, 2 replies; 15+ messages in thread
From: Thomas Perale via buildroot @ 2026-05-29 15:06 UTC (permalink / raw)
To: buildroot; +Cc: Thomas Perale, Thomas Petazzoni
Before this commit, only one entry per vulnerability ID was added to the
output. In CycloneDX, if you need to provide different analyses for
different affected components with the same vulnerability ID, you must
create multiple entries with the same ID.
When running `cve-check` with the `--include-resolved` argument, the
analysis of some vulnerabilities would get overwritten, which led to
undefined analysis results.
This is especially true when running the analysis on multiple components
with the same name but different versions. For instance, if the input
SBOM includes both the `gnupg` and `gnupg2` packages, CVE-2025-68973
could be included. This CVE might be exploitable for the `gnupg` package
but resolved for `gnupg2`. Therefore, a single analysis entry cannot
cover both cases.
This commit fixes the logic for adding vulnerabilities to the output
SBOM. A vulnerability is now added as a new entry if:
1. A vulnerability with the same ID doesn't exist yet.
2. The affect of the new vulnerability is not the same as the one
already present.
For the CVE-2025-68973 example this would result in the following
output:
```json
[
  {
    "id": "CVE-2025-68973",
    "analysis": {
      "state": "exploitable"
    },
    "affects": [
      {"ref": "gnupg"}
    ]
  },
  {
    "id": "CVE-2025-68973",
    "analysis": {
      "state": "resolved"
    },
    "affects": [
      {"ref": "gnupg2"}
    ]
  }
]
```
45 vulnerabilities were concerned by this bug over the Buildroot tree.
Co-Authored-By: Tim Soubry <tim.soubry@mind.be>
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
---
support/scripts/cve-check | 76 +++++++++++++++++++--------------------
1 file changed, 37 insertions(+), 39 deletions(-)
diff --git a/support/scripts/cve-check b/support/scripts/cve-check
index 881d9c03c0..9aafa5fcdf 100755
--- a/support/scripts/cve-check
+++ b/support/scripts/cve-check
@@ -175,55 +175,54 @@ def nvd_cve_to_cdx_vulnerability(nvd_cve):
def vuln_append_or_update_affects_if_exists(vulnerabilities, vulnerability):
"""
- Append 'vulnerability' passed as argument to the 'vulnerabilities' argument
- if an entry with the same 'id' doesn't exist yet.
- If the vulnerability already exists, the input reference is added to the
- 'affects' list of the existing entry.
+ Updates a matching 'vulnerability' from the 'vulnerabilities' list or
+ appends it as a new entry.
+
+ A vulnerability is considered 'matching' if it shares the same 'id' AND
+ either:
+
+ 1. An identical 'affects' entry.
+ 2. An identical 'analysis.state'.
Args:
vulnerabilities (list): The vulnerabilities array reference retrieved
from the input CycloneDX SBOM
vulnerability (dict): Vulnerability to add to the 'vulnerabilities' list.
"""
- # Search if a vulnerability with the same identifier already exists in the
- # SBOM vulnerability list.
- matching_vuln = next(
- (vuln for vuln in vulnerabilities if vuln.get("id") == vulnerability["id"]),
- None
- )
+ new_analysis = vulnerability.get("analysis", {}).get("state")
+ new_ref = next((a.get("ref") for a in vulnerability.get("affects", [])), None)
- # bom-ref to the component is passed to the affects of the vulnerability
- # passed as argument
- bom_ref = next((a["ref"] for a in vulnerability.get("affects", [])), None)
+ # All vulnerabilities with same ID
+ matching_vulns = [v for v in vulnerabilities if v.get("id") == vulnerability.get("id")]
- if matching_vuln is not None:
- # Remove the affect to not use it while updating matching vuln.
- if "affects" in vulnerability:
- del vulnerability["affects"]
+ for curr_vuln in matching_vulns:
+ curr_vuln_analysis = curr_vuln.get("analysis", {}).get("state")
+ curr_vuln_refs = [a.get("ref") for a in curr_vuln.get("affects", [])]
- if matching_vuln.get("analysis") is not None and "analysis" in vulnerability:
- # We don't update vulnerabilities that already have an
- # 'analysis'.
- # Buildroot ignored vulnerabilities will already have
- # an analysis and need to remain as such.
- del vulnerability["analysis"]
+ is_same_ref = new_ref in curr_vuln_refs
+ is_same_analysis = curr_vuln_analysis == new_analysis
- affects = matching_vuln.setdefault("affects", [])
+ if not (is_same_ref or is_same_analysis):
+ continue
- if bom_ref is not None:
- ref = next((a["ref"] for a in affects if a["ref"] == bom_ref), None)
- if ref is None:
- # Add a 'ref' (bom reference) to the component if not
- # already present in the 'affects' list.
- affects.append({
- "ref": bom_ref
- })
+ if is_same_ref:
+ # If same vulnerability id and same affect ref, keep the previous
+ # analysis. This is the case where a vulnerability was ignored from
+ # the generated SBOM.
+ del vulnerability["analysis"]
+ del vulnerability["affects"]
+ else:
+ # The same analysis, add a new affect
+ # reference.
+ if new_ref is not None:
+ curr_vuln.setdefault("affects", []).append({"ref": new_ref})
+ del vulnerability["affects"]
- # Update the metadata of the vulnerability with the one
- # downloaded from the database.
- matching_vuln.update(vulnerability)
- else:
- vulnerabilities.append(vulnerability)
+ curr_vuln.update(vulnerability)
+ return
+
+ # No same ID w/ same analysis or same ref.
+ vulnerabilities.append(vulnerability)
def check_package_cve_affects(cve: cvecheck.CVE, cpe_product_pkgs, sbom, opt: Options):
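Review bot: the loop takes the first entry in list order that satisfies 'is_same_ref or is_same_analysis', so an entry that merely shares the analysis state can win over a later entry that already lists the same ref. With entries [{id X, exploitable, affects gnupg}, {id X, resolved, affects gnupg2}] and an incoming {id X, exploitable, affects gnupg2}, the first iteration hits is_same_analysis and appends gnupg2 to the exploitable entry, leaving gnupg2 under both states, and the "keep the previous analysis" branch never runs. Checking is_same_ref across all of matching_vulns before falling back to is_same_analysis fixes the ordering. Two smaller points in the same hunk: 'del vulnerability["analysis"]' and 'del vulnerability["affects"]' raise KeyError when the incoming dict lacks those keys, which the surrounding '.get("analysis", {})' and '.get("affects", [])' calls suggest can happen, so 'vulnerability.pop("analysis", None)' is safer; and the commit message lists only "same id" and "different affect" as the conditions for a new entry while the docstring and code also merge on an identical 'analysis.state', so one of the two descriptions should be aligned with the code.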
@@ -297,8 +296,7 @@ def enrich_vulnerabilities(nvd_path: Path, sbom):
print(f"Warning: '{vuln_id}' doesn't exist in NVD database.", file=sys.stderr)
continue
- vulnerability = nvd_cve_to_cdx_vulnerability(cve.nvd_cve)
- vuln_append_or_update_affects_if_exists(vulnerabilities, vulnerability)
+ vuln.update(nvd_cve_to_cdx_vulnerability(cve.nvd_cve))
def main():
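Review bot: 'vuln.update(nvd_cve_to_cdx_vulnerability(cve.nvd_cve))' copies every key of the NVD-derived dict over the existing entry, so any key the converter emits that the input SBOM entry also carries, 'analysis' or 'affects' in particular, would be clobbered, which is exactly what the replaced vuln_append_or_update_affects_if_exists() call guarded against with "We don't update vulnerabilities that already have an 'analysis'". If the converter only produces NVD metadata (the id, description and source fields visible in patch 3/5, plus the timestamps from patch 1/5) this is fine, but restricting the update to those keys explicitly, or asserting that 'analysis' and 'affects' are absent from its output, would keep that guarantee visible in the code. With this call gone, also check whether the local 'vulnerabilities' list in enrich_vulnerabilities() is still used, otherwise it is now dead.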
--
2.54.0
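The append-or-update rule the commit message describes, reimplemented as an added example; this is not Buildroot's support/scripts/cve-check code. It keeps one entry per (vulnerability id, analysis state), pools refs that share a state into one 'affects' list, and differs from the patch on one point: a match on the affected ref is resolved before a match on the analysis state, so a ref is never appended to an entry with a contradicting state. The starting entries, the 'host-gnupg' ref and the description text are constructed; CVE-2025-68973, gnupg and gnupg2 are the names used above.

```python
"""Merge CycloneDX vulnerability entries keyed by (id, affected ref).

Added example, not Buildroot's cve-check code. It reimplements the
append-or-update rule from the commit message and resolves a same-ref
match before a same-analysis match. All data below is constructed.
"""
import copy
import json


def merge_vulnerability(vulnerabilities, vulnerability):
    """Insert 'vulnerability' into the CycloneDX 'vulnerabilities' list.

    Rules, checked in this order:
      1. same id and the ref is already listed -> keep that entry's
         analysis (an ignored CVE from the input SBOM stays ignored) and
         only refresh its other metadata;
      2. same id and same analysis state -> add the ref to that entry;
      3. otherwise append a new entry with the same id.
    Returns the entry that now carries the ref.
    """
    new = copy.deepcopy(vulnerability)
    new_state = new.get("analysis", {}).get("state")
    new_ref = next((a.get("ref") for a in new.get("affects", [])), None)
    # Metadata that is safe to overwrite: everything except the two
    # fields that encode the per-component decision.
    metadata = {k: v for k, v in new.items() if k not in ("analysis", "affects")}
    same_id = [v for v in vulnerabilities if v.get("id") == new.get("id")]

    # Rule 1: the ref is already covered by an entry for this id.
    for curr in same_id:
        refs = [a.get("ref") for a in curr.get("affects", [])]
        if new_ref is not None and new_ref in refs:
            curr.update(metadata)
            return curr

    # Rule 2: another ref already has the same analysis state; pool them.
    for curr in same_id:
        if curr.get("analysis", {}).get("state") == new_state:
            if new_ref is not None:
                curr.setdefault("affects", []).append({"ref": new_ref})
            curr.update(metadata)
            return curr

    # Rule 3: a different decision for a different component.
    vulnerabilities.append(new)
    return new


def states_by_ref(vulnerabilities, vuln_id):
    """Map affected ref -> analysis state for one vulnerability id."""
    out = {}
    for vuln in vulnerabilities:
        if vuln.get("id") != vuln_id:
            continue
        for affect in vuln.get("affects", []):
            out[affect["ref"]] = vuln.get("analysis", {}).get("state")
    return out


def demo():
    """Replay the gnupg / gnupg2 case, with the exploitable entry first so
    that a plain 'same analysis' match would wrongly grab gnupg2."""
    cve = "CVE-2025-68973"
    sbom_vulns = [                                   # constructed input
        {"id": cve, "analysis": {"state": "exploitable"},
         "affects": [{"ref": "gnupg"}]},
        {"id": cve, "analysis": {"state": "resolved"},   # e.g. IGNORE_CVES
         "affects": [{"ref": "gnupg2"}]},
    ]
    # gnupg2 re-submitted as exploitable: must stay 'resolved'.
    merge_vulnerability(sbom_vulns, {
        "id": cve, "analysis": {"state": "exploitable"},
        "affects": [{"ref": "gnupg2"}], "description": "refreshed from NVD"})
    # A constructed third component with the same state is pooled with gnupg.
    merge_vulnerability(sbom_vulns, {
        "id": cve, "analysis": {"state": "exploitable"},
        "affects": [{"ref": "host-gnupg"}]})
    return sbom_vulns


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the module prints the merged list. The first merge_vulnerability() call in demo() is the ignore case: gnupg2 arrives as 'exploitable' but stays 'resolved' and only its NVD metadata is refreshed, whereas the patch's loop, which tests entries in list order, would have matched the exploitable entry first on is_same_analysis and listed gnupg2 under both states.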
* Re: [Buildroot] [PATCH v2 4/5] support/scripts/cve-check: fix vulnerabilities with different analysis
2026-05-29 15:06 ` [Buildroot] [PATCH v2 4/5] support/scripts/cve-check: fix vulnerabilities with different analysis Thomas Perale via buildroot
@ 2026-05-29 15:39 ` Thomas Petazzoni via buildroot
2026-06-05 12:51 ` Thomas Perale via buildroot
1 sibling, 0 replies; 15+ messages in thread
From: Thomas Petazzoni via buildroot @ 2026-05-29 15:39 UTC (permalink / raw)
To: Thomas Perale; +Cc: buildroot
On Fri, May 29, 2026 at 05:06:30PM +0200, Thomas Perale via buildroot wrote:
> Before this commit, only one entry per vulnerability ID was added to the
> output. In CycloneDX, if you need to provide different analyses for
> different affected components with the same vulnerability ID, you must
> create multiple entries with the same ID.
>
> When running `cve-check` with the `--include-resolved` argument, the
> analysis of some vulnerabilities would get overwritten, which led to
> undefined analysis results.
>
> This is especially true when running the analysis on multiple components
> with the same name but different versions. For instance, if the input
> SBOM includes both the `gnupg` and `gnupg2` packages, CVE-2025-68973
> could be included. This CVE might be exploitable for the `gnupg` package
> but resolved for `gnupg2`. Therefore, a single analysis entry cannot
> cover both cases.
>
> This commit fixes the logic for adding vulnerabilities to the output
> SBOM. A vulnerability is now added as a new entry if:
>
> 1. A vulnerability with the same ID doesn't exist yet.
> 2. The affect of the new vulnerability is not the same as the one
> already present.
>
> For the CVE-2025-68973 example this would result in the following
> output:
>
> ```json
> [
>   {
>     "id": "CVE-2025-68973",
>     "analysis": {
>       "state": "exploitable"
>     },
>     "affects": [
>       {"ref": "gnupg"}
>     ]
>   },
>   {
>     "id": "CVE-2025-68973",
>     "analysis": {
>       "state": "resolved"
>     },
>     "affects": [
>       {"ref": "gnupg2"}
>     ]
>   }
> ]
> ```
>
> 45 vulnerabilities were concerned by this bug over the Buildroot tree.
>
> Co-Authored-By: Tim Soubry <tim.soubry@mind.be>
> Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Applied to master, thanks!
Thomas
--
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering and training
https://bootlin.com
* Re: [Buildroot] [PATCH v2 4/5] support/scripts/cve-check: fix vulnerabilities with different analysis
2026-05-29 15:06 ` [Buildroot] [PATCH v2 4/5] support/scripts/cve-check: fix vulnerabilities with different analysis Thomas Perale via buildroot
2026-05-29 15:39 ` Thomas Petazzoni via buildroot
@ 2026-06-05 12:51 ` Thomas Perale via buildroot
1 sibling, 0 replies; 15+ messages in thread
From: Thomas Perale via buildroot @ 2026-06-05 12:51 UTC (permalink / raw)
To: Thomas Perale; +Cc: buildroot
In reply of:
> Before this commit, only one entry per vulnerability ID was added to the
> output. In CycloneDX, if you need to provide different analyses for
> different affected components with the same vulnerability ID, you must
> create multiple entries with the same ID.
>
> When running `cve-check` with the `--include-resolved` argument, the
> analysis of some vulnerabilities would get overwritten, which led to
> undefined analysis results.
>
> This is especially true when running the analysis on multiple components
> with the same name but different versions. For instance, if the input
> SBOM includes both the `gnupg` and `gnupg2` packages, CVE-2025-68973
> could be included. This CVE might be exploitable for the `gnupg` package
> but resolved for `gnupg2`. Therefore, a single analysis entry cannot
> cover both cases.
>
> This commit fixes the logic for adding vulnerabilities to the output
> SBOM. A vulnerability is now added as a new entry if:
>
> 1. A vulnerability with the same ID doesn't exist yet.
> 2. The affect of the new vulnerability is not the same as the one
> already present.
>
> For the CVE-2025-68973 example this would result in the following
> output:
>
> ```json
> [
>   {
>     "id": "CVE-2025-68973",
>     "analysis": {
>       "state": "exploitable"
>     },
>     "affects": [
>       {"ref": "gnupg"}
>     ]
>   },
>   {
>     "id": "CVE-2025-68973",
>     "analysis": {
>       "state": "resolved"
>     },
>     "affects": [
>       {"ref": "gnupg2"}
>     ]
>   }
> ]
> ```
>
> 45 vulnerabilities were concerned by this bug over the Buildroot tree.
>
> Co-Authored-By: Tim Soubry <tim.soubry@mind.be>
> Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Applied to 2025.02.x & 2026.02.x. Thanks
> ---
> support/scripts/cve-check | 76 +++++++++++++++++++--------------------
> 1 file changed, 37 insertions(+), 39 deletions(-)
>
> diff --git a/support/scripts/cve-check b/support/scripts/cve-check
> index 881d9c03c0..9aafa5fcdf 100755
> --- a/support/scripts/cve-check
> +++ b/support/scripts/cve-check
> @@ -175,55 +175,54 @@ def nvd_cve_to_cdx_vulnerability(nvd_cve):
>
> def vuln_append_or_update_affects_if_exists(vulnerabilities, vulnerability):
> """
> - Append 'vulnerability' passed as argument to the 'vulnerabilities' argument
> - if an entry with the same 'id' doesn't exist yet.
> - If the vulnerability already exists, the input reference is added to the
> - 'affects' list of the existing entry.
> + Updates a matching 'vulnerability' from the 'vulnerabilities' list or
> + appends it as a new entry.
> +
> + A vulnerability is considered 'matching' if it shares the same 'id' AND
> + either:
> +
> + 1. An identical 'affects' entry.
> + 2. An identical 'analysis.state'.
>
> Args:
> vulnerabilities (list): The vulnerabilities array reference retrieved
> from the input CycloneDX SBOM
> vulnerability (dict): Vulnerability to add to the 'vulnerabilities' list.
> """
> - # Search if a vulnerability with the same identifier already exists in the
> - # SBOM vulnerability list.
> - matching_vuln = next(
> - (vuln for vuln in vulnerabilities if vuln.get("id") == vulnerability["id"]),
> - None
> - )
> + new_analysis = vulnerability.get("analysis", {}).get("state")
> + new_ref = next((a.get("ref") for a in vulnerability.get("affects", [])), None)
>
> - # bom-ref to the component is passed to the affects of the vulnerability
> - # passed as argument
> - bom_ref = next((a["ref"] for a in vulnerability.get("affects", [])), None)
> + # All vulnerabilities with same ID
> + matching_vulns = [v for v in vulnerabilities if v.get("id") == vulnerability.get("id")]
>
> - if matching_vuln is not None:
> - # Remove the affect to not use it while updating matching vuln.
> - if "affects" in vulnerability:
> - del vulnerability["affects"]
> + for curr_vuln in matching_vulns:
> + curr_vuln_analysis = curr_vuln.get("analysis", {}).get("state")
> + curr_vuln_refs = [a.get("ref") for a in curr_vuln.get("affects", [])]
>
> - if matching_vuln.get("analysis") is not None and "analysis" in vulnerability:
> - # We don't update vulnerabilities that already have an
> - # 'analysis'.
> - # Buildroot ignored vulnerabilities will already have
> - # an analysis and need to remain as such.
> - del vulnerability["analysis"]
> + is_same_ref = new_ref in curr_vuln_refs
> + is_same_analysis = curr_vuln_analysis == new_analysis
>
> - affects = matching_vuln.setdefault("affects", [])
> + if not (is_same_ref or is_same_analysis):
> + continue
>
> - if bom_ref is not None:
> - ref = next((a["ref"] for a in affects if a["ref"] == bom_ref), None)
> - if ref is None:
> - # Add a 'ref' (bom reference) to the component if not
> - # already present in the 'affects' list.
> - affects.append({
> - "ref": bom_ref
> - })
> + if is_same_ref:
> + # If same vulnerability id and same affect ref, keep the previous
> + # analysis. This is the case where a vulnerability was ignored from
> + # the generated SBOM.
> + del vulnerability["analysis"]
> + del vulnerability["affects"]
> + else:
> + # The same analysis, add a new affect
> + # reference.
> + if new_ref is not None:
> + curr_vuln.setdefault("affects", []).append({"ref": new_ref})
> + del vulnerability["affects"]
>
> - # Update the metadata of the vulnerability with the one
> - # downloaded from the database.
> - matching_vuln.update(vulnerability)
> - else:
> - vulnerabilities.append(vulnerability)
> + curr_vuln.update(vulnerability)
> + return
> +
> + # No same ID w/ same analysis or same ref.
> + vulnerabilities.append(vulnerability)
>
>
> def check_package_cve_affects(cve: cvecheck.CVE, cpe_product_pkgs, sbom, opt: Options):
> @@ -297,8 +296,7 @@ def enrich_vulnerabilities(nvd_path: Path, sbom):
> print(f"Warning: '{vuln_id}' doesn't exist in NVD database.", file=sys.stderr)
> continue
>
> - vulnerability = nvd_cve_to_cdx_vulnerability(cve.nvd_cve)
> - vuln_append_or_update_affects_if_exists(vulnerabilities, vulnerability)
> + vuln.update(nvd_cve_to_cdx_vulnerability(cve.nvd_cve))
>
>
> def main():
> --
> 2.54.0
>
* [Buildroot] [PATCH v2 5/5] package/pkg-generic.mk: replicate IGNORE_CVES to host packages
2026-05-29 15:06 [Buildroot] [PATCH v2 1/5] support/scripts/cve-check: fix vulnerability timestamp to RFC 3339 Thomas Perale via buildroot
` (2 preceding siblings ...)
2026-05-29 15:06 ` [Buildroot] [PATCH v2 4/5] support/scripts/cve-check: fix vulnerabilities with different analysis Thomas Perale via buildroot
@ 2026-05-29 15:06 ` Thomas Perale via buildroot
2026-05-29 15:39 ` Thomas Petazzoni via buildroot
2026-06-05 12:51 ` Thomas Perale via buildroot
2026-05-29 15:33 ` [Buildroot] [PATCH v2 1/5] support/scripts/cve-check: fix vulnerability timestamp to RFC 3339 Thomas Petazzoni via buildroot
2026-06-05 12:51 ` Thomas Perale via buildroot
5 siblings, 2 replies; 15+ messages in thread
From: Thomas Perale via buildroot @ 2026-05-29 15:06 UTC (permalink / raw)
To: buildroot; +Cc: Thomas Perale, Thomas Petazzoni
For host packages, this commit adds the same `ignore_cves` list as their
target counterpart and makes it available from the `show-info` output.
When generating a CycloneDX SBOM with `make show-info-all |
utils/generate-cyclonedx` and running an analysis over it with
`support/scripts/cve-check`, multiple vulnerability
entries would be created with different analyses for packages that have
both a host and target variant that include IGNORE_CVES entries.
This is the case for the grub2 package, which includes ignored
vulnerabilities that are patched in both the target and host package but aren't
declared as ignored for the host package. This resulted in
vulnerabilities marked as 'exploitable' for the host variant while it
is patched.
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
---
package/pkg-generic.mk | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/package/pkg-generic.mk b/package/pkg-generic.mk
index dd440e4062..e5e0d49a16 100644
--- a/package/pkg-generic.mk
+++ b/package/pkg-generic.mk
@@ -745,6 +745,13 @@ ifeq ($$($(2)_CPE_ID_VALID),YES)
$(2)_CPE_ID = $$($(2)_CPE_ID_PREFIX):$$($(2)_CPE_ID_VENDOR):$$($(2)_CPE_ID_PRODUCT):$$($(2)_CPE_ID_VERSION):$$($(2)_CPE_ID_UPDATE):*:*:*:*:*:*
endif # ifeq ($$($(2)_CPE_ID_VALID),YES)
+# replicate the target '_IGNORE_CVES' to the host variant
+ifndef $(2)_IGNORE_CVES
+ ifdef $(3)_IGNORE_CVES
+ $(2)_IGNORE_CVES = $$($(3)_IGNORE_CVES)
+ endif
+endif
+
# When a target package is a toolchain dependency set this variable to
# 'NO' so the 'toolchain' dependency is not added to prevent a circular
# dependency.
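Review bot: 'ifndef $(2)_IGNORE_CVES' is also true when the host variant sets the variable to an empty value (GNU make treats an empty value as undefined for ifdef/ifndef), so a package cannot deliberately opt its host variant out of the inherited list with an empty 'HOST_FOO_IGNORE_CVES =' (hypothetical name); if that is ever needed, test '$(origin $(2)_IGNORE_CVES)' instead. The block also runs for target packages, where $(2) and $(3) name the same variable and the assignment is a no-op; guarding it on the macro's host/target argument, or saying in the comment that it is intentionally harmless there, would make the intent clearer. Finally, the inheritance assumes the host and target variants are built from the same version with the same patches, which the commit message states for grub2 but is worth noting next to the assignment.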
--
2.54.0
* Re: [Buildroot] [PATCH v2 5/5] package/pkg-generic.mk: replicate IGNORE_CVES to host packages
2026-05-29 15:06 ` [Buildroot] [PATCH v2 5/5] package/pkg-generic.mk: replicate IGNORE_CVES to host packages Thomas Perale via buildroot
@ 2026-05-29 15:39 ` Thomas Petazzoni via buildroot
2026-06-05 12:51 ` Thomas Perale via buildroot
1 sibling, 0 replies; 15+ messages in thread
From: Thomas Petazzoni via buildroot @ 2026-05-29 15:39 UTC (permalink / raw)
To: Thomas Perale; +Cc: buildroot
Hello,
On Fri, May 29, 2026 at 05:06:31PM +0200, Thomas Perale via buildroot wrote:
> For host packages, this commit adds the same `ignore_cves` list as their
> target counterpart and makes it available from the `show-info` output.
>
> When generating a CycloneDX SBOM with `make show-info-all |
> utils/generate-cyclonedx` and running an analysis over it with
> `support/scripts/cve-check`, multiple vulnerability
> entries would be created with different analyses for packages that have
> both a host and target variant that include IGNORE_CVES entries.
>
> This is the case for the grub2 package, which includes ignored
> vulnerabilities that are patched in both the target and host package but aren't
> declared as ignored for the host package. This resulted in
> vulnerabilities marked as 'exploitable' for the host variant while it
> is patched.
>
> Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Applied to master, thanks!
Thomas
--
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering and training
https://bootlin.com
* Re: [Buildroot] [PATCH v2 5/5] package/pkg-generic.mk: replicate IGNORE_CVES to host packages
2026-05-29 15:06 ` [Buildroot] [PATCH v2 5/5] package/pkg-generic.mk: replicate IGNORE_CVES to host packages Thomas Perale via buildroot
2026-05-29 15:39 ` Thomas Petazzoni via buildroot
@ 2026-06-05 12:51 ` Thomas Perale via buildroot
1 sibling, 0 replies; 15+ messages in thread
From: Thomas Perale via buildroot @ 2026-06-05 12:51 UTC (permalink / raw)
To: Thomas Perale; +Cc: buildroot
In reply of:
> For host packages, this commit adds the same `ignore_cves` list as their
> target counterpart and makes it available from the `show-info` output.
>
> When generating a CycloneDX SBOM with `make show-info-all |
> utils/generate-cyclonedx` and running an analysis over it with
> `support/scripts/cve-check`, multiple vulnerability
> entries would be created with different analyses for packages that have
> both a host and target variant that include IGNORE_CVES entries.
>
> This is the case for the grub2 package, which includes ignored
> vulnerabilities that are patched in both the target and host package but aren't
> declared as ignored for the host package. This resulted in
> vulnerabilities marked as 'exploitable' for the host variant while it
> is patched.
>
> Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Applied to 2025.02.x & 2026.02.x. Thanks
> ---
> package/pkg-generic.mk | 7 +++++++
> 1 file changed, 7 insertions(+)
>
> diff --git a/package/pkg-generic.mk b/package/pkg-generic.mk
> index dd440e4062..e5e0d49a16 100644
> --- a/package/pkg-generic.mk
> +++ b/package/pkg-generic.mk
> @@ -745,6 +745,13 @@ ifeq ($$($(2)_CPE_ID_VALID),YES)
> $(2)_CPE_ID = $$($(2)_CPE_ID_PREFIX):$$($(2)_CPE_ID_VENDOR):$$($(2)_CPE_ID_PRODUCT):$$($(2)_CPE_ID_VERSION):$$($(2)_CPE_ID_UPDATE):*:*:*:*:*:*
> endif # ifeq ($$($(2)_CPE_ID_VALID),YES)
>
> +# replicate the target '_IGNORE_CVES' to the host variant
> +ifndef $(2)_IGNORE_CVES
> + ifdef $(3)_IGNORE_CVES
> + $(2)_IGNORE_CVES = $$($(3)_IGNORE_CVES)
> + endif
> +endif
> +
> # When a target package is a toolchain dependency set this variable to
> # 'NO' so the 'toolchain' dependency is not added to prevent a circular
> # dependency.
> --
> 2.54.0
>
* Re: [Buildroot] [PATCH v2 1/5] support/scripts/cve-check: fix vulnerability timestamp to RFC 3339
2026-05-29 15:06 [Buildroot] [PATCH v2 1/5] support/scripts/cve-check: fix vulnerability timestamp to RFC 3339 Thomas Perale via buildroot
` (3 preceding siblings ...)
2026-05-29 15:06 ` [Buildroot] [PATCH v2 5/5] package/pkg-generic.mk: replicate IGNORE_CVES to host packages Thomas Perale via buildroot
@ 2026-05-29 15:33 ` Thomas Petazzoni via buildroot
2026-06-05 12:51 ` Thomas Perale via buildroot
5 siblings, 0 replies; 15+ messages in thread
From: Thomas Petazzoni via buildroot @ 2026-05-29 15:33 UTC (permalink / raw)
To: Thomas Perale; +Cc: buildroot
On Fri, May 29, 2026 at 05:06:27PM +0200, Thomas Perale via buildroot wrote:
> Normalize vulnerability timestamps to RFC 3339 format with explicit UTC
> timezone suffix for CycloneDX 1.6 compliance.
> This fixes validation errors in sbom-utility and makes the generated
> SBOM with vulnerabilities compatible with DependencyTrack VEX parsers.
>
> The NVD JSON data feeds provide timestamps in ISO 8601 format without timezone
> information (e.g., "1999-01-01T05:00:00.000"), but CycloneDX 1.6 requires
> RFC 3339 format with explicit timezone designation (e.g.,
> "1999-01-01T05:00:00.000Z").
>
> Add nvd_datetime_to_rfc3339() helper function to convert timestamps before
> serialization.
>
> Validation results:
>
> Before fix:
> $ sbom-utility validate -i cve/cve_report_current.json
> [INFO] BOM valid against JSON schema: 'false'
> [INFO] (234) schema errors detected.
>
> Error example:
> {
> "type": "format",
> "field": "vulnerabilities.0.updated",
> "context": "(root).vulnerabilities.0.updated",
> "description": "Does not match format 'date-time'",
> "value": "2025-04-03T01:03:51.193"
> }
>
> After fix:
> $ sbom-utility validate -i cve/cve_report_update.json
> [INFO] BOM valid against JSON schema: 'true'
>
> Tested-with: sbom-utility v0.18.1
> Co-authored-by: Fabien Lehoussel <fabien.lehoussel@smile.fr>
> Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Thanks, applied to master!
Thomas
--
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering and training
https://bootlin.com
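The conversion the quoted commit message describes, as an added example; it is not the nvd_datetime_to_rfc3339() helper from the patch itself, which this thread does not show. A naive NVD value such as "1999-01-01T05:00:00.000" is tagged as UTC (the patch appends the 'Z' designator, so it treats the feed as UTC; that assumption is kept here), a value that already carries an offset is converted to UTC instead of receiving a second suffix, and a trailing 'Z' is accepted on interpreters older than Python 3.11, whose fromisoformat() rejects it. Sample inputs are constructed from the timestamps quoted above.

```python
"""Normalise NVD timestamps to RFC 3339 for CycloneDX 1.6 'date-time' fields.

Added example, not the helper from the Buildroot patch. A naive NVD
value is assumed to be UTC (as the patch does by appending 'Z'); a
zone-aware value is converted to UTC. Sample inputs are constructed.
"""
from datetime import datetime, timezone


def nvd_to_rfc3339(value: str) -> str:
    """Return 'value' as an RFC 3339 UTC timestamp with millisecond precision."""
    text = value.strip()
    # datetime.fromisoformat() only accepts a trailing 'Z' from Python 3.11 on.
    if text.endswith("Z"):
        text = text[:-1] + "+00:00"
    parsed = datetime.fromisoformat(text)
    if parsed.tzinfo is None:
        # Naive NVD timestamp: tag as UTC, do not shift (assumption, see above).
        parsed = parsed.replace(tzinfo=timezone.utc)
    else:
        # Already zone-aware: convert rather than append a second designator.
        parsed = parsed.astimezone(timezone.utc)
    # '+00:00' -> 'Z' is the designator sbom-utility's 'date-time' check accepts.
    return parsed.isoformat(timespec="milliseconds").replace("+00:00", "Z")


def normalise_vulnerability(vuln: dict) -> dict:
    """Rewrite the 'published' / 'updated' fields of one CycloneDX entry in place."""
    for key in ("published", "updated"):
        if key in vuln:
            vuln[key] = nvd_to_rfc3339(vuln[key])
    return vuln


if __name__ == "__main__":
    # Constructed entry using the value from the sbom-utility error quoted above.
    print(normalise_vulnerability({"id": "CVE-2025-68973",
                                   "updated": "2025-04-03T01:03:51.193"}))
```

The function is pure, so it can be applied to both 'published' and 'updated' (the field named in the sbom-utility error above) just before serialisation; the millisecond timespec keeps the three fractional digits NVD emits so that a before/after diff of the SBOM changes only the suffix.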
* Re: [Buildroot] [PATCH v2 1/5] support/scripts/cve-check: fix vulnerability timestamp to RFC 3339
2026-05-29 15:06 [Buildroot] [PATCH v2 1/5] support/scripts/cve-check: fix vulnerability timestamp to RFC 3339 Thomas Perale via buildroot
` (4 preceding siblings ...)
2026-05-29 15:33 ` [Buildroot] [PATCH v2 1/5] support/scripts/cve-check: fix vulnerability timestamp to RFC 3339 Thomas Petazzoni via buildroot
@ 2026-06-05 12:51 ` Thomas Perale via buildroot
5 siblings, 0 replies; 15+ messages in thread
From: Thomas Perale via buildroot @ 2026-06-05 12:51 UTC (permalink / raw)
To: Thomas Perale; +Cc: buildroot
In reply of:
> Normalize vulnerability timestamps to RFC 3339 format with explicit UTC
> timezone suffix for CycloneDX 1.6 compliance.
> This fixes validation errors in sbom-utility and makes the generated
> SBOM with vulnerabilities compatible with DependencyTrack VEX parsers.
>
> The NVD JSON data feeds provide timestamps in ISO 8601 format without timezone
> information (e.g., "1999-01-01T05:00:00.000"), but CycloneDX 1.6 requires
> RFC 3339 format with explicit timezone designation (e.g.,
> "1999-01-01T05:00:00.000Z").
>
> Add nvd_datetime_to_rfc3339() helper function to convert timestamps before
> serialization.
>
> Validation results:
>
> Before fix:
> $ sbom-utility validate -i cve/cve_report_current.json
> [INFO] BOM valid against JSON schema: 'false'
> [INFO] (234) schema errors detected.
>
> Error example:
> {
> "type": "format",
> "field": "vulnerabilities.0.updated",
> "context": "(root).vulnerabilities.0.updated",
> "description": "Does not match format 'date-time'",
> "value": "2025-04-03T01:03:51.193"
> }
>
> After fix:
> $ sbom-utility validate -i cve/cve_report_update.json
> [INFO] BOM valid against JSON schema: 'true'
>
> Tested-with: sbom-utility v0.18.1
> Co-authored-by: Fabien Lehoussel <fabien.lehoussel@smile.fr>
> Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Applied to 2025.02.x & 2026.02.x. Thanks
> ---
> v1 --> v2: add this patch at the base with comments from https://lore.kernel.org/r/<20260227091541.41760-1-thomas.perale@mind.be>
> ---
> support/scripts/cve-check | 24 +++++++++++++++++++++---
> 1 file changed, 21 insertions(+), 3 deletions(-)
>
> diff --git a/support/scripts/cve-check b/support/scripts/cve-check
> index bcd970bad8..5047523ade 100755
> --- a/support/scripts/cve-check
> +++ b/support/scripts/cve-check
> @@ -12,10 +12,10 @@
> from collections import defaultdict
> from pathlib import Path
> from typing import TypedDict
> +from datetime import datetime, timezone
> import argparse
> import sys
> import json
> -
> import cve as cvecheck
>
>
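Review bot: the removed blank line before `import cve as cvecheck` collapses the separation between the standard-library imports and the script's local `cve` module; PEP 8 keeps those groups apart, so keep the blank line and leave `from datetime import datetime, timezone` grouped with the other `from ... import` lines above it.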
> @@ -35,6 +35,24 @@ locally.
> brpath = Path(__file__).parent.parent.parent
>
>
> +def datetime_to_rfc3339(dt_string):
> + """Normalize datetime string to RFC 3339 format with Z suffix.
> +
> + NVD dates are already in ISO format, just need to add the Z suffix.
> +
> + Input: "1999-01-01T05:00:00.000"
> + Output: "1999-01-01T05:00:00.000Z"
> + """
> + dt = datetime.fromisoformat(dt_string.replace('Z', '+00:00'))
> +
> + if dt.tzinfo is None:
> + dt = dt.replace(tzinfo=timezone.utc)
> + else:
> + dt = dt.astimezone(timezone.utc)
> +
> + return dt.isoformat().replace('+00:00', 'Z')
> +
> +
> def cve_api_get_lang_from_list(values, lang="en") -> (str | None):
> for x in values:
> if x.get("lang") == lang:
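Review bot: the docstring of `datetime_to_rfc3339()` does not describe what the function returns: `datetime.isoformat()` drops the fractional part when the microsecond is zero and prints six digits otherwise, so "1999-01-01T05:00:00.000" becomes "1999-01-01T05:00:00Z" and "2025-04-03T01:03:51.193" becomes "2025-04-03T01:03:51.193000Z", not "...000Z"/"...193Z". Both outputs are valid RFC 3339, so only the "Output:" example and the line "just need to add the Z suffix" need rewording to say the value is parsed, converted to UTC and re-serialised; the commit message also names the helper `nvd_datetime_to_rfc3339()` while the code defines `datetime_to_rfc3339()`.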
> @@ -134,10 +152,10 @@ def nvd_cve_to_cdx_vulnerability(nvd_cve):
> "url": f"https://nvd.nist.gov/vuln/detail/{nvd_cve['id']}"
> },
> **({
> - "published": nvd_cve["published"],
> + "published": datetime_to_rfc3339(nvd_cve["published"]),
> } if "published" in nvd_cve else {}),
> **({
> - "updated": nvd_cve["lastModified"],
> + "updated": datetime_to_rfc3339(nvd_cve["lastModified"]),
> } if "lastModified" in nvd_cve else {}),
> **({
> "cwes": nvd_cve_weaknesses_to_cdx(nvd_cve["weaknesses"]),
> --
> 2.54.0
>
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 15+ messages in thread
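As an added illustration of the normalisation this patch introduces (example code written for this page, not the Buildroot cve-check script or anything posted in the thread): it converts NVD timestamps to UTC RFC 3339, checks the result with a `date-time`-style pattern of the kind a JSON-schema validator applies, and wraps the conversion so an unparseable field is dropped rather than emitted invalid. The function names, the regex and the sample values are assumptions.

```python
"""Added example (not Buildroot's cve-check code): normalise NVD timestamps
to RFC 3339 and check the result the way a CycloneDX 'date-time' format
validator would. Names, regex and sample values are constructed."""
import re
from datetime import datetime, timezone

# Constructed approximation of the RFC 3339 'date-time' shape: date, 'T',
# time, optional fraction, then a mandatory 'Z' or numeric offset.
RFC3339_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?(Z|[+-]\d{2}:\d{2})$"
)


def is_rfc3339(value: str) -> bool:
    """True only when the string carries an explicit timezone designator."""
    return RFC3339_RE.match(value) is not None


def nvd_to_rfc3339(value: str) -> str:
    """Parse an NVD timestamp and re-serialise it as unambiguous UTC.

    Naive feed values such as '2025-04-03T01:03:51.193' are treated as UTC;
    values carrying 'Z' or an offset are converted to UTC. Note that
    isoformat() drops a zero fraction and prints six digits otherwise.
    Raises ValueError for strings that are not ISO 8601 at all.
    """
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    else:
        dt = dt.astimezone(timezone.utc)
    return dt.isoformat().replace("+00:00", "Z")


def fix_vulnerability_dates(vuln: dict) -> dict:
    """Return a copy of a CycloneDX vulnerability entry with 'published' and
    'updated' normalised; a field that cannot be parsed is removed so the
    entry still validates (constructed policy, not the script's)."""
    out = dict(vuln)
    for field in ("published", "updated"):
        if field in out:
            try:
                out[field] = nvd_to_rfc3339(out[field])
            except ValueError:
                del out[field]
    return out
```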