Re: [OE-core][scarthgap 21/25] improve_kernel_cve_report: add script for postprocesing of kernel CVE data

[Paul Barker <paul@pbarker.dev>]

[-- Attachment #1: Type: text/plain, Size: 2655 bytes --]

On Mon, 2026-02-09 at 10:29 +0100, Yoann Congal via
lists.openembedded.org wrote:
> From: Daniel Turull <daniel.turull@ericsson.com>
> 
> Adding postprocessing script to process data from linux CNA that includes more accurate metadata and it is updated directly by the source.
> 
> Example of enhanced CVE from a report from cve-check:
> 
> {
>   "id": "CVE-2024-26710",
>   "status": "Ignored",
>   "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26710",
>   "summary": "In the Linux kernel, the following vulnerability [...]",
>   "scorev2": "0.0",
>   "scorev3": "5.5",
>   "scorev4": "0.0",
>   "modified": "2025-03-17T15:36:11.620",
>   "vector": "LOCAL",
>   "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
>   "detail": "not-applicable-config",
>   "description": "Source code not compiled by config. ['arch/powerpc/include/asm/thread_info.h']"
> },
> 
> And same from a report generated with vex:
> {
>   "id": "CVE-2024-26710",
>   "status": "Ignored",
>   "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26710",
>   "detail": "not-applicable-config",
>   "description": "Source code not compiled by config. ['arch/powerpc/include/asm/thread_info.h']"
> },
> 
> For unpatched CVEs, provide more context in the description:
> Tested with 6.12.22 kernel
> {
>   "id": "CVE-2025-39728",
>   "status": "Unpatched",
>   "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39728",
>   "summary": "In the Linux kernel, the following vulnerability has been [...],
>   "scorev2": "0.0",
>   "scorev3": "0.0",
>   "scorev4": "0.0",
>   "modified": "2025-04-21T14:23:45.950",
>   "vector": "UNKNOWN",
>   "vectorString": "UNKNOWN",
>   "detail": "version-in-range",
>   "description": "Needs backporting (fixed from 6.12.23)"
> },
> 
> CC: Peter Marko <peter.marko@siemens.com>
> CC: Marta Rybczynska <rybczynska@gmail.com>
> Signed-off-by: Daniel Turull <daniel.turull@ericsson.com>
> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
> (cherry picked from commit e60b1759c1aea5b8f5317e46608f0a3e782ecf57)
> Signed-off-by: Suresh H A <suresh.ha@bmwtechworks.in>
> Signed-off-by: Yoann Congal <yoann.congal@smile.fr>

This looks like a backport of a new feature, if we're making an
exception to allow this to be backported then we should document the
reason why (apologies if this is somewhere on the list and I've missed
it).

If we do take this, we should also consider the other changes made to
this script since it was added to master.

Best regards,

-- 
Paul Barker


[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 252 bytes --]