* [[PATCH v2] 1/4] generate-cve-exclusions: Add --output-json option
@ 2026-01-06 19:09 ValentinBoudevin
2026-01-06 19:09 ` [[PATCH v2] 2/4] generate-cve-exclusions: Add a .bbclass ValentinBoudevin
` (2 more replies)
0 siblings, 3 replies; 8+ messages in thread
From: ValentinBoudevin @ 2026-01-06 19:09 UTC (permalink / raw)
To: openembedded-core; +Cc: ValentinBoudevin
This option "--output-json" can be used to return a json file instead of
the standard .inc file provided.
The JSON file can easily be manipulated contrary to the .inc file.
Example output structure of the JSON file:
```json
{
"cve_status": {
"CVE-2019-25160": {
"active": false,
"message": "fixed-version: Fixed from version 5.0"
},
"CVE-2019-25162": {
"active": false,
"message": "fixed-version: Fixed from version 6.0"
},
...
```
Also, this commit doesn't affect or modify any existing behaviour of the
script.
---
.../linux/generate-cve-exclusions.py | 64 +++++++++++++++----
1 file changed, 50 insertions(+), 14 deletions(-)
diff --git a/meta/recipes-kernel/linux/generate-cve-exclusions.py b/meta/recipes-kernel/linux/generate-cve-exclusions.py
index dfc16663a5..5a0a947e06 100755
--- a/meta/recipes-kernel/linux/generate-cve-exclusions.py
+++ b/meta/recipes-kernel/linux/generate-cve-exclusions.py
@@ -91,6 +91,7 @@ def main(argp=None):
parser = argparse.ArgumentParser()
parser.add_argument("datadir", type=pathlib.Path, help="Path to a clone of https://github.com/CVEProject/cvelistV5 or https://git.kernel.org/pub/scm/linux/security/vulns.git")
parser.add_argument("version", type=Version, help="Kernel version number to generate data for, such as 6.1.38")
+ parser.add_argument("--output-json", action="store_true", help="Return CVE_STATUS mapping as JSON")
args = parser.parse_args(argp)
datadir = args.datadir.resolve()
@@ -99,7 +100,10 @@ def main(argp=None):
data_version = subprocess.check_output(("git", "describe", "--tags", "HEAD"), cwd=datadir, text=True)
- print(f"""
+ cve_status = {}
+
+ if not args.output_json:
+ print(f"""
# Auto-generated CVE metadata, DO NOT EDIT BY HAND.
# Generated at {datetime.datetime.now(datetime.timezone.utc)} for kernel version {version}
# From {datadir.name} {data_version}
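Review bot: The JSON path loses the provenance that the .inc header carries: the generation time, `version`, `datadir.name` and `data_version` are printed only under `if not args.output_json:`, and the final `json.dumps` emits `cve_status` alone. `data_version` is still computed by `git describe` just above, so consider adding it and the kernel version as top-level keys, so a consumer can tell which data snapshot produced the exclusions.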
@@ -131,26 +135,58 @@ do_cve_check[prefuncs] += "check_kernel_cve_status_version"
continue
first_affected, fixed, backport_ver = get_fixed_versions(cve_info, base_version)
if not fixed:
- print(f"# {cve} has no known resolution")
+ cve_status[cve] = {
+ "active": True,
+ "message": "no known resolution"
+ }
+ if not args.output_json:
+ print(f"# {cve} has no known resolution")
elif first_affected and version < first_affected:
- print(f'CVE_STATUS[{cve}] = "fixed-version: only affects {first_affected} onwards"')
+ cve_status[cve] = {
+ "active": False,
+ "message": f"fixed-version: only affects {first_affected} onwards"
+ }
+ if not args.output_json:
+ print(f'CVE_STATUS[{cve}] = "fixed-version: only affects {first_affected} onwards"')
elif fixed <= version:
- print(
- f'CVE_STATUS[{cve}] = "fixed-version: Fixed from version {fixed}"'
- )
+ cve_status[cve] = {
+ "active": False,
+ "message": f"fixed-version: Fixed from version {fixed}"
+ }
+ if not args.output_json:
+ print(f'CVE_STATUS[{cve}] = "fixed-version: Fixed from version {fixed}"')
else:
if backport_ver:
if backport_ver <= version:
- print(
- f'CVE_STATUS[{cve}] = "cpe-stable-backport: Backported in {backport_ver}"'
- )
+ cve_status[cve] = {
+ "active": False,
+ "message": f"cpe-stable-backport: Backported in {backport_ver}"
+ }
+ if not args.output_json:
+ print(f'CVE_STATUS[{cve}] = "cpe-stable-backport: Backported in {backport_ver}"')
else:
- print(f"# {cve} may need backporting (fixed from {backport_ver})")
+ cve_status[cve] = {
+ "active": True,
+ "message": f"May need backporting (fixed from {backport_ver})"
+ }
+ if not args.output_json:
+ print(f"# {cve} may need backporting (fixed from {backport_ver})")
else:
- print(f"# {cve} needs backporting (fixed from {fixed})")
-
- print()
-
+ cve_status[cve] = {
+ "active": True,
+ "message": f"#Needs backporting (fixed from {fixed})"
+ }
+ if not args.output_json:
+ print(f"# {cve} needs backporting (fixed from {fixed})")
+
+ if not args.output_json:
+ print()
+
+ # Emit structured output if --ret-struct was requested
+ if args.output_json:
+ print(json.dumps({
+ "cve_status": cve_status,
+ }, indent=2))
if __name__ == "__main__":
main()
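Review bot: The `message` strings of the last two active branches are inconsistent: the final `else` stores `"#Needs backporting (fixed from {fixed})"` with a leftover `#` from the .inc comment syntax, while the branch above stores `"May need backporting ..."` without it; drop the `#`. The comment before the final dump names `--ret-struct`, an option this patch does not define, and should say `--output-json`. No hunk adds `import json`, so check that the script already imports it before `json.dumps` is reached. The `if not args.output_json: print(...)` repeated after every branch could become one emit step once `cve_status` is filled.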
--
2.43.0
* [[PATCH v2] 2/4] generate-cve-exclusions: Add a .bbclass
From: ValentinBoudevin @ 2026-01-06 19:09 UTC (permalink / raw)
To: openembedded-core; +Cc: ValentinBoudevin
Add a .bbclass to generate-cve-exclusions to use this script at every
run.
Two steps for testing:
1) Inherit this class in the kernel recipe with "inherit
generate-cve-exclusions.bbclass"
2) Use the following command to generate a cvelistV5 entry with a JSON
file in ${WORKDIR}/cvelistV5/ :
"bitbake linux-yocto -c generate-cve-exclusions"
The JSON file can then be parsed in the following run by cve-check.
This class contains several methods:
*do_clone_cvelistV5: Clone the cvelistV5 repo in
${WORKDIR}/cvelistV5/git
(e.g. bitbake-builds/poky-master/build/tmp/work/qemux86_64-poky-linux/
linux-yocto/6.18.1+git/cvelistV5/git)
*do_generate_cve_exclusions: Use the script generate-cve-exclusions.py.
It uses the new "--output-json" argument to generate a JSON file as an
output stored in ${WORKDIR}/cvelistV5//cve-exclusion_${LINUX_VERSION}.json
*do_cve_check:prepend: Parse the previously generated JSON file to set
the variable CVE_STATUS correctly
---
meta/classes/generate-cve-exclusions.bbclass | 67 ++++++++++++++++++++
1 file changed, 67 insertions(+)
create mode 100644 meta/classes/generate-cve-exclusions.bbclass
diff --git a/meta/classes/generate-cve-exclusions.bbclass b/meta/classes/generate-cve-exclusions.bbclass
new file mode 100644
index 0000000000..254ea5531d
--- /dev/null
+++ b/meta/classes/generate-cve-exclusions.bbclass
@@ -0,0 +1,67 @@
+CVE_EXCLUSIONS_WORKDIR ?= "${WORKDIR}/cvelistV5"
+CVELISTV5_PATH ?= "${CVE_EXCLUSIONS_WORKDIR}/git"
+
+python do_clone_cvelistV5() {
+ import subprocess
+ import shutil, os
+ rootdir = d.getVar("CVELISTV5_PATH")
+ d.setVar("SRC_URI", "git://github.com/CVEProject/cvelistV5.git;branch=main;protocol=https")
+ d.setVar("SRCREV", "${AUTOREV}")
+ src_uri = (d.getVar('SRC_URI') or "").split()
+ # Fetch the kernel vulnerabilities sources
+ fetcher = bb.fetch2.Fetch(src_uri, d)
+ fetcher.download()
+ # Unpack into the standard work directory
+ fetcher.unpack(rootdir)
+ # Remove the folder ${PN} set by unpack
+ subdirs = [d for d in os.listdir(rootdir) if os.path.isdir(os.path.join(rootdir, d))]
+ if len(subdirs) == 1:
+ srcdir = os.path.join(rootdir, subdirs[0])
+ for f in os.listdir(srcdir):
+ shutil.move(os.path.join(srcdir, f), rootdir)
+ shutil.rmtree(srcdir)
+ bb.note("Vulnerabilities repo unpacked into: %s" % rootdir)
+}
+do_clone_cvelistV5[network] = "1"
+do_clone_cvelistV5[nostamp] = "1"
+do_clone_cvelistV5[doc] = "Clone CVE information from the CVE Project: https://github.com/CVEProject/cvelistV5.git"
+addtask clone_cvelistV5 before do_generate_cve_exclusions
+
+do_generate_cve_exclusions() {
+ generate_cve_exclusions_script=$(find ${COREBASE} -name "generate-cve-exclusions.py")
+ if [ -z "${generate_cve_exclusions_script}" ]; then
+ bbfatal "generate-cve-exclusions.py not found in ${COREBASE}."
+ fi
+ python3 "${generate_cve_exclusions_script}" \
+ ${CVELISTV5_PATH} \
+ ${LINUX_VERSION} \
+ --output-json > ${CVE_EXCLUSIONS_WORKDIR}/cve-exclusion_${LINUX_VERSION}.json
+}
+do_generate_cve_exclusions[nostamp] = "1"
+do_generate_cve_exclusions[doc] = "Generate CVE exclusions for the kernel build. (e.g., cve-exclusion_6.12.inc)"
+addtask generate_cve_exclusions after do_clone_cvelistV5
+
+python do_cve_check:prepend() {
+ import os
+ import json
+
+ workdir = d.getVar("CVE_EXCLUSIONS_WORKDIR")
+ kernel_version = d.getVar("LINUX_VERSION")
+ json_input_file = os.path.join(workdir, "cve-exclusion_%s.json" % kernel_version)
+
+ if os.path.exists(json_input_file):
+ with open(json_input_file, 'r', encoding='utf-8') as f:
+ cve_data = json.load(f)
+ cve_status_dict = cve_data.get("cve_status", {})
+ count = 0
+ for cve_id, info in cve_status_dict.items():
+ if info.get("active", True):
+ # Skip active CVEs
+ continue
+ d.setVarFlag("CVE_STATUS", cve_id, info.get("message", ""))
+ count += 1
+
+ bb.note("Loaded %d CVE_STATUS entries from JSON output for kernel %s" % (count, kernel_version))
+ else:
+ bb.warn("CVE exclusion JSON not found: %s. Skipping CVE_STATUS updates" % json_input_file)
+}
\ No newline at end of file
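Review bot: `do_clone_cvelistV5` pins nothing: it sets `SRCREV` to `${AUTOREV}` on `branch=main` and is `nostamp`, so every run takes whatever the upstream head is, and `do_cve_check:prepend` then turns each `"active": false` entry into a `CVE_STATUS` flag that cve-check treats as resolved. Make the URI and revision overridable with `?=` so a build can pin a reviewed commit, and validate `cve_id` and `message` before `d.setVarFlag`. In `do_generate_cve_exclusions`, `find ${COREBASE} -name` can return more than one path, and the `>` redirect leaves an empty JSON file behind when the script fails, which the later `json.load` cannot parse. The `[doc]` flag still mentions `cve-exclusion_6.12.inc` although the task writes a `.json` file.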
--
2.43.0
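An added example, not part of the patch series or of the project's code: a stricter reader for the `cve_status` JSON described in patch 1/4, which accepts an entry as an exclusion only when it is well-formed. The function name, the accepted status prefixes and the `CVE-2099-*` and `not-a-cve` sample entries are assumptions constructed for illustration.

```python
import json
import re

CVE_ID = re.compile(r"^CVE-\d{4}-\d{4,}$")
# Status prefixes used by the non-active messages in the patch above.
INACTIVE_PREFIXES = ("fixed-version:", "cpe-stable-backport:")

# Constructed sample: the first two entries come from the commit message,
# the remaining ones are made up to exercise the rejection paths.
SAMPLE = """
{
  "cve_status": {
    "CVE-2019-25160": {"active": false, "message": "fixed-version: Fixed from version 5.0"},
    "CVE-2019-25162": {"active": false, "message": "fixed-version: Fixed from version 6.0"},
    "CVE-2099-00001": {"active": true, "message": "no known resolution"},
    "CVE-2099-00002": {"active": "false", "message": "fixed-version: Fixed from version 6.0"},
    "CVE-2099-00003": {"active": false, "message": ""},
    "not-a-cve": {"active": false, "message": "fixed-version: Fixed from version 6.0"}
  }
}
"""


def load_cve_exclusions(text):
    """Return ({cve_id: message}, [problems]) for the non-active entries.

    A malformed entry is reported and left out, so the CVE stays visible to
    the check instead of being excluded on the strength of bad data.
    """
    exclusions, problems = {}, []
    try:
        data = json.loads(text)
    except json.JSONDecodeError as exc:
        # Covers the empty or truncated file left by a failed generator run.
        return {}, ["not valid JSON: %s" % exc.msg]
    status = data.get("cve_status") if isinstance(data, dict) else None
    if not isinstance(status, dict):
        return {}, ["top-level 'cve_status' object is missing"]
    for cve_id, info in sorted(status.items()):
        if not CVE_ID.match(cve_id):
            problems.append("%s: not a CVE identifier" % cve_id)
            continue
        if not isinstance(info, dict) or not isinstance(info.get("active"), bool):
            problems.append("%s: 'active' must be true or false" % cve_id)
            continue
        if info["active"]:
            continue  # still open: never turned into an exclusion
        message = info.get("message")
        if not isinstance(message, str) or not message.startswith(INACTIVE_PREFIXES):
            problems.append("%s: inactive entry without a recognised status" % cve_id)
            continue
        exclusions[cve_id] = message
    return exclusions, problems


if __name__ == "__main__":
    accepted, rejected = load_cve_exclusions(SAMPLE)
    for cve_id, message in accepted.items():
        print('CVE_STATUS[%s] = "%s"' % (cve_id, message))
    for problem in rejected:
        print("rejected:", problem)
```
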
* [[PATCH v2] 3/4] generate-cve-exclusions: Move python script
From: ValentinBoudevin @ 2026-01-06 19:10 UTC (permalink / raw)
To: openembedded-core; +Cc: ValentinBoudevin
The script should be located with other scripts in scripts/contrib
instead of staying in meta/classes/.
Update the new .bbclass to match this modification
---
meta/classes/generate-cve-exclusions.bbclass | 2 +-
.../linux => scripts/contrib}/generate-cve-exclusions.py | 0
2 files changed, 1 insertion(+), 1 deletion(-)
rename {meta/recipes-kernel/linux => scripts/contrib}/generate-cve-exclusions.py (100%)
diff --git a/meta/classes/generate-cve-exclusions.bbclass b/meta/classes/generate-cve-exclusions.bbclass
index 254ea5531d..100d2e99b6 100644
--- a/meta/classes/generate-cve-exclusions.bbclass
+++ b/meta/classes/generate-cve-exclusions.bbclass
@@ -28,7 +28,7 @@ do_clone_cvelistV5[doc] = "Clone CVE information from the CVE Project: https://g
addtask clone_cvelistV5 before do_generate_cve_exclusions
do_generate_cve_exclusions() {
- generate_cve_exclusions_script=$(find ${COREBASE} -name "generate-cve-exclusions.py")
+ generate_cve_exclusions_script=${COREBASE}/scripts/contrib/generate-cve-exclusions.py
if [ -z "${generate_cve_exclusions_script}" ]; then
bbfatal "generate-cve-exclusions.py not found in ${COREBASE}."
fi
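Review bot: The `[ -z "${generate_cve_exclusions_script}" ]` test kept as context can no longer fire: the variable is now assigned a fixed, non-empty path, so a missing script is noticed only when `python3` fails to open it. Test for the file instead, for example `[ ! -f "${generate_cve_exclusions_script}" ]`, and quote the assignment. The commit message says the script was in meta/classes/, while the rename below is from meta/recipes-kernel/linux/.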
diff --git a/meta/recipes-kernel/linux/generate-cve-exclusions.py b/scripts/contrib/generate-cve-exclusions.py
similarity index 100%
rename from meta/recipes-kernel/linux/generate-cve-exclusions.py
rename to scripts/contrib/generate-cve-exclusions.py
--
2.43.0
* RE: [OE-core] [[PATCH v2] 3/4] generate-cve-exclusions: Move python script
From: Daniel Turull @ 2026-01-08 8:16 UTC (permalink / raw)
To: valentin.boudevin@gmail.com,
openembedded-core@lists.openembedded.org
Cc: Bruce Ashfield
Hi Valentin,
Make sure to update the documentation to point to the new location once this gets merged.
https://docs.yoctoproject.org/dev/dev-manual/vulnerabilities.html#linux-kernel-vulnerabilities
I was also going to comment to have Bruce aware of the changes, since he runs the script when the kernel gets updated but he already replied to it.
Daniel
> -----Original Message-----
> From: openembedded-core@lists.openembedded.org <openembedded-
> core@lists.openembedded.org> On Behalf Of vboudevin via
> lists.openembedded.org
> Sent: Tuesday, 6 January 2026 20:10
> To: openembedded-core@lists.openembedded.org
> Cc: ValentinBoudevin <valentin.boudevin@gmail.com>
> Subject: [OE-core] [[PATCH v2] 3/4] generate-cve-exclusions: Move python script
>
> The script should be located with other scripts in scripts/contrib instead of staying
> in meta/classes/.
>
> Update the new .bbclass to match this modification
> ---
> meta/classes/generate-cve-exclusions.bbclass | 2 +-
> .../linux => scripts/contrib}/generate-cve-exclusions.py | 0
> 2 files changed, 1 insertion(+), 1 deletion(-) rename {meta/recipes-kernel/linux
> => scripts/contrib}/generate-cve-exclusions.py (100%)
>
> diff --git a/meta/classes/generate-cve-exclusions.bbclass
> b/meta/classes/generate-cve-exclusions.bbclass
> index 254ea5531d..100d2e99b6 100644
> --- a/meta/classes/generate-cve-exclusions.bbclass
> +++ b/meta/classes/generate-cve-exclusions.bbclass
> @@ -28,7 +28,7 @@ do_clone_cvelistV5[doc] = "Clone CVE information from the
> CVE Project: https://g addtask clone_cvelistV5 before
> do_generate_cve_exclusions
>
> do_generate_cve_exclusions() {
> - generate_cve_exclusions_script=$(find ${COREBASE} -name "generate-cve-
> exclusions.py")
> +
> + generate_cve_exclusions_script=${COREBASE}/scripts/contrib/generate-cv
> + e-exclusions.py
> if [ -z "${generate_cve_exclusions_script}" ]; then
> bbfatal "generate-cve-exclusions.py not found in ${COREBASE}."
> fi
> diff --git a/meta/recipes-kernel/linux/generate-cve-exclusions.py
> b/scripts/contrib/generate-cve-exclusions.py
> similarity index 100%
> rename from meta/recipes-kernel/linux/generate-cve-exclusions.py
> rename to scripts/contrib/generate-cve-exclusions.py
> --
> 2.43.0
* Re: [[PATCH v2] 3/4] generate-cve-exclusions: Move python script
From: vboudevin @ 2026-01-15 19:06 UTC (permalink / raw)
To: openembedded-core
Hi Daniel,
I updated the class based on your recommendations: https://lists.openembedded.org/g/openembedded-core/message/229427
Now it works with a custom repo/a fixed SRCREV for deterministic purposes (also integrated an offline mode based on DL_DIR content).
Keep me informed if you see something else to modify.
* RE: [OE-core] [[PATCH v2] 3/4] generate-cve-exclusions: Move python script
From: Daniel Turull @ 2026-01-16 9:17 UTC (permalink / raw)
To: valentin.boudevin@gmail.com,
openembedded-core@lists.openembedded.org
Thank you Valentin, please add me in cc for future review, so it goes directly into the main inbox, and for any people that you want to review your changes. Also reply to the patch, so it is easy to comment in the same thread.
I have applied the series into a master build without direct internet connectivity. It breaks the build by default since the class is inherited in your patch 4.
WARNING: yocto-master/meta/recipes-kernel/linux/linux-yocto_6.12.bb: Exception during build_dependencies for fetcher_hashes_dummyfunc | ETA: 0:00:31
WARNING: yocto-master/meta/recipes-kernel/linux/linux-yocto_6.12.bb: Error during finalise of /local/edaturu/yocto-master/meta/recipes-kernel/linux/linux-yocto_6.12.bb
WARNING: yocto-master/meta/recipes-kernel/linux/linux-yocto_6.16.bb: Exception during build_dependencies for fetcher_hashes_dummyfunc
WARNING: yocto-master/meta/recipes-kernel/linux/linux-yocto_6.16.bb: Error during finalise of /local/edaturu/yocto-master/meta/recipes-kernel/linux/linux-yocto_6.16.bb
WARNING: yocto-master/meta/recipes-kernel/linux/linux-yocto_6.18.bb: Exception during build_dependencies for fetcher_hashes_dummyfunc | ETA: 0:00:29
WARNING: yocto-master/meta/recipes-kernel/linux/linux-yocto_6.18.bb: Error during finalise of /local/edaturu/yocto-master/meta/recipes-kernel/linux/linux-yocto_6.18.bb
ERROR: ExpansionError during parsing /yocto-master/meta/recipes-kernel/linux/linux-yocto_6.18.bb########################### | ETA: 0:00:02
bb.data_smart.ExpansionError: Failure expanding variable fetcher_hashes_dummyfunc[vardepvalue], expression was ${@bb.fetch.get_hashvalue(d)} which triggered exception UntrustedUrl: git -c gc.autoDetach=false -c core.pager=cat -c safe.bareRepository=all -c clone.defaultRemoteName=origin ls-remote https://github.com/CVEProject/cvelistV5.git
The variable dependency chain for the failure is: fetcher_hashes_dummyfunc[vardepvalue]
ERROR: Parsing halted due to errors, see error messages above
You should make sure that nothing is executed by default. You could set a new variable to enable the initialization, for example ENABLE_KERNEL_CVE_EXCLUSIONS = "1" but it is defaulted to ENABLE_KERNEL_CVE_EXCLUSIONS ?= "0"
The problem is that you are adding into the linux-yocto recipe since it is inheriting the class. I had exactly the same problem in my original patch.
https://patchwork.yoctoproject.org/project/oe-core/patch/20250429143904.634082-2-daniel.turull@ericsson.com/
Since you have the SRC_URI defined, bitbake verifies that the SRCREV is valid. If you don't have an internet connection, it cannot be verified and the build fails.
SRC_URI:append = " ${GENERATE_CVE_EXCLUSIONS_SRC_URI};name=generate-cve-exclusions"
SRCREV_generate-cve-exclusions = "${GENERATE_CVE_EXCLUSIONS_SRCREV}"
Probably it needs to be conditionally initialized only if it is the intended behaviour. It also adds the source in the kernel tree, which probably is not the intended behaviour.
Best regards,
Daniel
From: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org> On Behalf Of vboudevin via lists.openembedded.org
Sent: Thursday, 15 January 2026 20:06
To: openembedded-core@lists.openembedded.org
Subject: Re: [OE-core] [[PATCH v2] 3/4] generate-cve-exclusions: Move python script
Hi Daniel,
I updated the class based on your recommendations: https://lists.openembedded.org/g/openembedded-core/message/229427
Now it works with a custom repo/a fixed SRCREV for deterministic purposes (also integrated an offline mode based on DL_DIR content).
Keep me informed if you see something else to modify.
* [[PATCH v2] 4/4] linux: Add inherit on generate-cve-exclusions
From: ValentinBoudevin @ 2026-01-06 19:10 UTC (permalink / raw)
To: openembedded-core; +Cc: ValentinBoudevin
All kernel recipes can use generate-cve-exclusions class to perform CVE
exclusions.
---
meta/recipes-kernel/linux/linux-yocto-rt_6.12.bb | 3 +++
meta/recipes-kernel/linux/linux-yocto-rt_6.16.bb | 3 +++
meta/recipes-kernel/linux/linux-yocto-rt_6.18.bb | 3 +++
meta/recipes-kernel/linux/linux-yocto-tiny_6.12.bb | 3 +++
meta/recipes-kernel/linux/linux-yocto-tiny_6.16.bb | 3 +++
meta/recipes-kernel/linux/linux-yocto-tiny_6.18.bb | 3 +++
meta/recipes-kernel/linux/linux-yocto_6.12.bb | 3 +++
meta/recipes-kernel/linux/linux-yocto_6.16.bb | 3 +++
meta/recipes-kernel/linux/linux-yocto_6.18.bb | 3 +++
9 files changed, 27 insertions(+)
diff --git a/meta/recipes-kernel/linux/linux-yocto-rt_6.12.bb b/meta/recipes-kernel/linux/linux-yocto-rt_6.12.bb
index 9ac8507f9f..5cc735ae93 100644
--- a/meta/recipes-kernel/linux/linux-yocto-rt_6.12.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-rt_6.12.bb
@@ -5,6 +5,9 @@ require recipes-kernel/linux/linux-yocto.inc
# CVE exclusions
include recipes-kernel/linux/cve-exclusion_6.12.inc
+# Generate Dynamic CVE Exclusions
+inherit generate-cve-exclusions
+
# Skip processing of this recipe if it is not explicitly specified as the
# PREFERRED_PROVIDER for virtual/kernel. This avoids errors when trying
# to build multiple virtual/kernel providers, e.g. as dependency of
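Review bot: The `inherit generate-cve-exclusions` added after the `include` line is unconditional, so every build of this recipe picks up the class's `do_cve_check:prepend`; when `do_generate_cve_exclusions` has not been run, that prepend takes its `else` branch and emits `bb.warn("CVE exclusion JSON not found ...")` on each cve-check run. Lower that message to a note or gate the class behind an opt-in variable. The same three lines are added to all nine recipes, each of which already has `require recipes-kernel/linux/linux-yocto.inc`, so a single `inherit` there would cover them.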
diff --git a/meta/recipes-kernel/linux/linux-yocto-rt_6.16.bb b/meta/recipes-kernel/linux/linux-yocto-rt_6.16.bb
index 1230e4e805..53532b4e7e 100644
--- a/meta/recipes-kernel/linux/linux-yocto-rt_6.16.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-rt_6.16.bb
@@ -5,6 +5,9 @@ require recipes-kernel/linux/linux-yocto.inc
# CVE exclusions
include recipes-kernel/linux/cve-exclusion_6.16.inc
+# Generate Dynamic CVE Exclusions
+inherit generate-cve-exclusions
+
# Skip processing of this recipe if it is not explicitly specified as the
# PREFERRED_PROVIDER for virtual/kernel. This avoids errors when trying
# to build multiple virtual/kernel providers, e.g. as dependency of
diff --git a/meta/recipes-kernel/linux/linux-yocto-rt_6.18.bb b/meta/recipes-kernel/linux/linux-yocto-rt_6.18.bb
index 32ed29f25e..e95264d99d 100644
--- a/meta/recipes-kernel/linux/linux-yocto-rt_6.18.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-rt_6.18.bb
@@ -5,6 +5,9 @@ require recipes-kernel/linux/linux-yocto.inc
# CVE exclusions
include recipes-kernel/linux/cve-exclusion_6.18.inc
+# Generate Dynamic CVE Exclusions
+inherit generate-cve-exclusions
+
# Skip processing of this recipe if it is not explicitly specified as the
# PREFERRED_PROVIDER for virtual/kernel. This avoids errors when trying
# to build multiple virtual/kernel providers, e.g. as dependency of
diff --git a/meta/recipes-kernel/linux/linux-yocto-tiny_6.12.bb b/meta/recipes-kernel/linux/linux-yocto-tiny_6.12.bb
index 940561352c..6b17c2ff7f 100644
--- a/meta/recipes-kernel/linux/linux-yocto-tiny_6.12.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-tiny_6.12.bb
@@ -8,6 +8,9 @@ require recipes-kernel/linux/linux-yocto.inc
# CVE exclusions
include recipes-kernel/linux/cve-exclusion_6.12.inc
+# Generate Dynamic CVE Exclusions
+inherit generate-cve-exclusions
+
LINUX_VERSION ?= "6.12.62"
LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46"
diff --git a/meta/recipes-kernel/linux/linux-yocto-tiny_6.16.bb b/meta/recipes-kernel/linux/linux-yocto-tiny_6.16.bb
index ffa15b0c1b..02e502faed 100644
--- a/meta/recipes-kernel/linux/linux-yocto-tiny_6.16.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-tiny_6.16.bb
@@ -8,6 +8,9 @@ require recipes-kernel/linux/linux-yocto.inc
# CVE exclusions
include recipes-kernel/linux/cve-exclusion_6.16.inc
+# Generate Dynamic CVE Exclusions
+inherit generate-cve-exclusions
+
LINUX_VERSION ?= "6.16.11"
LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46"
diff --git a/meta/recipes-kernel/linux/linux-yocto-tiny_6.18.bb b/meta/recipes-kernel/linux/linux-yocto-tiny_6.18.bb
index 2afdc02467..e36a7fb028 100644
--- a/meta/recipes-kernel/linux/linux-yocto-tiny_6.18.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-tiny_6.18.bb
@@ -8,6 +8,9 @@ require recipes-kernel/linux/linux-yocto.inc
# CVE exclusions
include recipes-kernel/linux/cve-exclusion_6.18.inc
+# Generate Dynamic CVE Exclusions
+inherit generate-cve-exclusions
+
LINUX_VERSION ?= "6.18.1"
LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46"
diff --git a/meta/recipes-kernel/linux/linux-yocto_6.12.bb b/meta/recipes-kernel/linux/linux-yocto_6.12.bb
index 84419f8c78..b6ac5f9b90 100644
--- a/meta/recipes-kernel/linux/linux-yocto_6.12.bb
+++ b/meta/recipes-kernel/linux/linux-yocto_6.12.bb
@@ -6,6 +6,9 @@ require recipes-kernel/linux/linux-yocto.inc
include recipes-kernel/linux/cve-exclusion.inc
include recipes-kernel/linux/cve-exclusion_6.12.inc
+# Generate Dynamic CVE Exclusions
+inherit generate-cve-exclusions
+
# board specific branches
KBRANCH:qemuarm ?= "v6.12/standard/arm-versatile-926ejs"
KBRANCH:qemuarm64 ?= "v6.12/standard/base"
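Review bot: Precedence between the static and the generated exclusions is left undefined here: the recipe still includes `cve-exclusion.inc` and `cve-exclusion_6.12.inc`, and the inherited `do_cve_check:prepend` then calls `d.setVarFlag("CVE_STATUS", ...)` for every non-active JSON entry, overwriting any value those files set for the same CVE, while skipping active entries leaves a static exclusion in place even when the fresh data reports the CVE as open. State which source wins, and consider logging when the two disagree.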
diff --git a/meta/recipes-kernel/linux/linux-yocto_6.16.bb b/meta/recipes-kernel/linux/linux-yocto_6.16.bb
index 408f14b451..947de4186e 100644
--- a/meta/recipes-kernel/linux/linux-yocto_6.16.bb
+++ b/meta/recipes-kernel/linux/linux-yocto_6.16.bb
@@ -6,6 +6,9 @@ require recipes-kernel/linux/linux-yocto.inc
include recipes-kernel/linux/cve-exclusion.inc
include recipes-kernel/linux/cve-exclusion_6.16.inc
+# Generate Dynamic CVE Exclusions
+inherit generate-cve-exclusions
+
# board specific branches
KBRANCH:qemuarm ?= "v6.16/standard/arm-versatile-926ejs"
KBRANCH:qemuarm64 ?= "v6.16/standard/base"
diff --git a/meta/recipes-kernel/linux/linux-yocto_6.18.bb b/meta/recipes-kernel/linux/linux-yocto_6.18.bb
index 562a997020..66320f7123 100644
--- a/meta/recipes-kernel/linux/linux-yocto_6.18.bb
+++ b/meta/recipes-kernel/linux/linux-yocto_6.18.bb
@@ -6,6 +6,9 @@ require recipes-kernel/linux/linux-yocto.inc
include recipes-kernel/linux/cve-exclusion.inc
include recipes-kernel/linux/cve-exclusion_6.18.inc
+# Generate Dynamic CVE Exclusions
+inherit generate-cve-exclusions
+
# board specific branches
KBRANCH:qemuarm ?= "v6.18/standard/arm-versatile-926ejs"
KBRANCH:qemuarm64 ?= "v6.18/standard/base"
--
2.43.0
* Re: [OE-core] [[PATCH v2] 4/4] linux: Add inherit on generate-cve-exclusions
From: Bruce Ashfield @ 2026-01-06 19:22 UTC (permalink / raw)
To: valentin.boudevin; +Cc: openembedded-core
Apologies for not commenting on this in v1, I was
focused on the overhead of the task.
Rather than updating all the .bb files, why not just
have this in the linux-yocto.inc ? Otherwise, I'll surely
forget it at some point :)
Now that the task is optional, there's no risk of it
in the .inc, since other .inc users won't get overhead
that they don't expect.
Bruce
On Tue, Jan 6, 2026 at 2:10 PM vboudevin via lists.openembedded.org
<valentin.boudevin=gmail.com@lists.openembedded.org> wrote:
> All kernel recipes can use generate-cve-exclusions class to perform CVE
> exclusions.
> ---
> meta/recipes-kernel/linux/linux-yocto-rt_6.12.bb | 3 +++
> meta/recipes-kernel/linux/linux-yocto-rt_6.16.bb | 3 +++
> meta/recipes-kernel/linux/linux-yocto-rt_6.18.bb | 3 +++
> meta/recipes-kernel/linux/linux-yocto-tiny_6.12.bb | 3 +++
> meta/recipes-kernel/linux/linux-yocto-tiny_6.16.bb | 3 +++
> meta/recipes-kernel/linux/linux-yocto-tiny_6.18.bb | 3 +++
> meta/recipes-kernel/linux/linux-yocto_6.12.bb | 3 +++
> meta/recipes-kernel/linux/linux-yocto_6.16.bb | 3 +++
> meta/recipes-kernel/linux/linux-yocto_6.18.bb | 3 +++
> 9 files changed, 27 insertions(+)
>
> diff --git a/meta/recipes-kernel/linux/linux-yocto-rt_6.12.bb
> b/meta/recipes-kernel/linux/linux-yocto-rt_6.12.bb
> index 9ac8507f9f..5cc735ae93 100644
> --- a/meta/recipes-kernel/linux/linux-yocto-rt_6.12.bb
> +++ b/meta/recipes-kernel/linux/linux-yocto-rt_6.12.bb
> @@ -5,6 +5,9 @@ require recipes-kernel/linux/linux-yocto.inc
> # CVE exclusions
> include recipes-kernel/linux/cve-exclusion_6.12.inc
>
> +# Generate Dynamic CVE Exclusions
> +inherit generate-cve-exclusions
> +
> # Skip processing of this recipe if it is not explicitly specified as the
> # PREFERRED_PROVIDER for virtual/kernel. This avoids errors when trying
> # to build multiple virtual/kernel providers, e.g. as dependency of
> diff --git a/meta/recipes-kernel/linux/linux-yocto-rt_6.16.bb
> b/meta/recipes-kernel/linux/linux-yocto-rt_6.16.bb
> index 1230e4e805..53532b4e7e 100644
> --- a/meta/recipes-kernel/linux/linux-yocto-rt_6.16.bb
> +++ b/meta/recipes-kernel/linux/linux-yocto-rt_6.16.bb
> @@ -5,6 +5,9 @@ require recipes-kernel/linux/linux-yocto.inc
> # CVE exclusions
> include recipes-kernel/linux/cve-exclusion_6.16.inc
>
> +# Generate Dynamic CVE Exclusions
> +inherit generate-cve-exclusions
> +
> # Skip processing of this recipe if it is not explicitly specified as the
> # PREFERRED_PROVIDER for virtual/kernel. This avoids errors when trying
> # to build multiple virtual/kernel providers, e.g. as dependency of
> diff --git a/meta/recipes-kernel/linux/linux-yocto-rt_6.18.bb
> b/meta/recipes-kernel/linux/linux-yocto-rt_6.18.bb
> index 32ed29f25e..e95264d99d 100644
> --- a/meta/recipes-kernel/linux/linux-yocto-rt_6.18.bb
> +++ b/meta/recipes-kernel/linux/linux-yocto-rt_6.18.bb
> @@ -5,6 +5,9 @@ require recipes-kernel/linux/linux-yocto.inc
> # CVE exclusions
> include recipes-kernel/linux/cve-exclusion_6.18.inc
>
> +# Generate Dynamic CVE Exclusions
> +inherit generate-cve-exclusions
> +
> # Skip processing of this recipe if it is not explicitly specified as the
> # PREFERRED_PROVIDER for virtual/kernel. This avoids errors when trying
> # to build multiple virtual/kernel providers, e.g. as dependency of
> diff --git a/meta/recipes-kernel/linux/linux-yocto-tiny_6.12.bb
> b/meta/recipes-kernel/linux/linux-yocto-tiny_6.12.bb
> index 940561352c..6b17c2ff7f 100644
> --- a/meta/recipes-kernel/linux/linux-yocto-tiny_6.12.bb
> +++ b/meta/recipes-kernel/linux/linux-yocto-tiny_6.12.bb
> @@ -8,6 +8,9 @@ require recipes-kernel/linux/linux-yocto.inc
> # CVE exclusions
> include recipes-kernel/linux/cve-exclusion_6.12.inc
>
> +# Generate Dynamic CVE Exclusions
> +inherit generate-cve-exclusions
> +
> LINUX_VERSION ?= "6.12.62"
> LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46"
>
> diff --git a/meta/recipes-kernel/linux/linux-yocto-tiny_6.16.bb
> b/meta/recipes-kernel/linux/linux-yocto-tiny_6.16.bb
> index ffa15b0c1b..02e502faed 100644
> --- a/meta/recipes-kernel/linux/linux-yocto-tiny_6.16.bb
> +++ b/meta/recipes-kernel/linux/linux-yocto-tiny_6.16.bb
> @@ -8,6 +8,9 @@ require recipes-kernel/linux/linux-yocto.inc
> # CVE exclusions
> include recipes-kernel/linux/cve-exclusion_6.16.inc
>
> +# Generate Dynamic CVE Exclusions
> +inherit generate-cve-exclusions
> +
> LINUX_VERSION ?= "6.16.11"
> LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46"
>
> diff --git a/meta/recipes-kernel/linux/linux-yocto-tiny_6.18.bb
> b/meta/recipes-kernel/linux/linux-yocto-tiny_6.18.bb
> index 2afdc02467..e36a7fb028 100644
> --- a/meta/recipes-kernel/linux/linux-yocto-tiny_6.18.bb
> +++ b/meta/recipes-kernel/linux/linux-yocto-tiny_6.18.bb
> @@ -8,6 +8,9 @@ require recipes-kernel/linux/linux-yocto.inc
> # CVE exclusions
> include recipes-kernel/linux/cve-exclusion_6.18.inc
>
> +# Generate Dynamic CVE Exclusions
> +inherit generate-cve-exclusions
> +
> LINUX_VERSION ?= "6.18.1"
> LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46"
>
> diff --git a/meta/recipes-kernel/linux/linux-yocto_6.12.bb
> b/meta/recipes-kernel/linux/linux-yocto_6.12.bb
> index 84419f8c78..b6ac5f9b90 100644
> --- a/meta/recipes-kernel/linux/linux-yocto_6.12.bb
> +++ b/meta/recipes-kernel/linux/linux-yocto_6.12.bb
> @@ -6,6 +6,9 @@ require recipes-kernel/linux/linux-yocto.inc
> include recipes-kernel/linux/cve-exclusion.inc
> include recipes-kernel/linux/cve-exclusion_6.12.inc
>
> +# Generate Dynamic CVE Exclusions
> +inherit generate-cve-exclusions
> +
> # board specific branches
> KBRANCH:qemuarm ?= "v6.12/standard/arm-versatile-926ejs"
> KBRANCH:qemuarm64 ?= "v6.12/standard/base"
> diff --git a/meta/recipes-kernel/linux/linux-yocto_6.16.bb
> b/meta/recipes-kernel/linux/linux-yocto_6.16.bb
> index 408f14b451..947de4186e 100644
> --- a/meta/recipes-kernel/linux/linux-yocto_6.16.bb
> +++ b/meta/recipes-kernel/linux/linux-yocto_6.16.bb
> @@ -6,6 +6,9 @@ require recipes-kernel/linux/linux-yocto.inc
> include recipes-kernel/linux/cve-exclusion.inc
> include recipes-kernel/linux/cve-exclusion_6.16.inc
>
> +# Generate Dynamic CVE Exclusions
> +inherit generate-cve-exclusions
> +
> # board specific branches
> KBRANCH:qemuarm ?= "v6.16/standard/arm-versatile-926ejs"
> KBRANCH:qemuarm64 ?= "v6.16/standard/base"
> diff --git a/meta/recipes-kernel/linux/linux-yocto_6.18.bb
> b/meta/recipes-kernel/linux/linux-yocto_6.18.bb
> index 562a997020..66320f7123 100644
> --- a/meta/recipes-kernel/linux/linux-yocto_6.18.bb
> +++ b/meta/recipes-kernel/linux/linux-yocto_6.18.bb
> @@ -6,6 +6,9 @@ require recipes-kernel/linux/linux-yocto.inc
> include recipes-kernel/linux/cve-exclusion.inc
> include recipes-kernel/linux/cve-exclusion_6.18.inc
>
> +# Generate Dynamic CVE Exclusions
> +inherit generate-cve-exclusions
> +
> # board specific branches
> KBRANCH:qemuarm ?= "v6.18/standard/arm-versatile-926ejs"
> KBRANCH:qemuarm64 ?= "v6.18/standard/base"
> --
> 2.43.0
--
- Thou shalt not follow the NULL pointer, for chaos and madness await thee
at its end
- "Use the force Harry" - Gandalf, Star Trek II