From: ValentinBoudevin <valentin.boudevin@gmail.com>
To: openembedded-core@lists.openembedded.org
Cc: ValentinBoudevin <valentin.boudevin@gmail.com>
Subject: [PATCH 1/4] generate-cve-exclusions: Add --output-json option
Date: Tue, 6 Jan 2026 13:28:19 -0500 [thread overview]
Message-ID: <20260106182822.3377881-1-valentin.boudevin@gmail.com> (raw)
This option "--output-json" can be used to return a json file instead of
the standard .inc file provided.
The JSON file can easily be manipulated contrary to the .inc file.
Example output structure of the JSON file:
```json
{
"cve_status": {
"CVE-2019-25160": {
"active": false,
"message": "fixed-version: Fixed from version 5.0"
},
"CVE-2019-25162": {
"active": false,
"message": "fixed-version: Fixed from version 6.0"
},
...
```
Also, this commit doesn't affect or modify any existing behaviour of the
script.
---
.../linux/generate-cve-exclusions.py | 64 +++++++++++++++----
1 file changed, 50 insertions(+), 14 deletions(-)
diff --git a/meta/recipes-kernel/linux/generate-cve-exclusions.py b/meta/recipes-kernel/linux/generate-cve-exclusions.py
index dfc16663a5..5a0a947e06 100755
--- a/meta/recipes-kernel/linux/generate-cve-exclusions.py
+++ b/meta/recipes-kernel/linux/generate-cve-exclusions.py
@@ -91,6 +91,7 @@ def main(argp=None):
parser = argparse.ArgumentParser()
parser.add_argument("datadir", type=pathlib.Path, help="Path to a clone of https://github.com/CVEProject/cvelistV5 or https://git.kernel.org/pub/scm/linux/security/vulns.git")
parser.add_argument("version", type=Version, help="Kernel version number to generate data for, such as 6.1.38")
+ parser.add_argument("--output-json", action="store_true", help="Return CVE_STATUS mapping as JSON")
args = parser.parse_args(argp)
datadir = args.datadir.resolve()
@@ -99,7 +100,10 @@ def main(argp=None):
data_version = subprocess.check_output(("git", "describe", "--tags", "HEAD"), cwd=datadir, text=True)
- print(f"""
+ cve_status = {}
+
+ if not args.output_json:
+ print(f"""
# Auto-generated CVE metadata, DO NOT EDIT BY HAND.
# Generated at {datetime.datetime.now(datetime.timezone.utc)} for kernel version {version}
# From {datadir.name} {data_version}
@@ -131,26 +135,58 @@ do_cve_check[prefuncs] += "check_kernel_cve_status_version"
continue
first_affected, fixed, backport_ver = get_fixed_versions(cve_info, base_version)
if not fixed:
- print(f"# {cve} has no known resolution")
+ cve_status[cve] = {
+ "active": True,
+ "message": "no known resolution"
+ }
+ if not args.output_json:
+ print(f"# {cve} has no known resolution")
elif first_affected and version < first_affected:
- print(f'CVE_STATUS[{cve}] = "fixed-version: only affects {first_affected} onwards"')
+ cve_status[cve] = {
+ "active": False,
+ "message": f"fixed-version: only affects {first_affected} onwards"
+ }
+ if not args.output_json:
+ print(f'CVE_STATUS[{cve}] = "fixed-version: only affects {first_affected} onwards"')
elif fixed <= version:
- print(
- f'CVE_STATUS[{cve}] = "fixed-version: Fixed from version {fixed}"'
- )
+ cve_status[cve] = {
+ "active": False,
+ "message": f"fixed-version: Fixed from version {fixed}"
+ }
+ if not args.output_json:
+ print(f'CVE_STATUS[{cve}] = "fixed-version: Fixed from version {fixed}"')
else:
if backport_ver:
if backport_ver <= version:
- print(
- f'CVE_STATUS[{cve}] = "cpe-stable-backport: Backported in {backport_ver}"'
- )
+ cve_status[cve] = {
+ "active": False,
+ "message": f"cpe-stable-backport: Backported in {backport_ver}"
+ }
+ if not args.output_json:
+ print(f'CVE_STATUS[{cve}] = "cpe-stable-backport: Backported in {backport_ver}"')
else:
- print(f"# {cve} may need backporting (fixed from {backport_ver})")
+ cve_status[cve] = {
+ "active": True,
+ "message": f"May need backporting (fixed from {backport_ver})"
+ }
+ if not args.output_json:
+ print(f"# {cve} may need backporting (fixed from {backport_ver})")
else:
- print(f"# {cve} needs backporting (fixed from {fixed})")
-
- print()
-
+ cve_status[cve] = {
+ "active": True,
+ "message": f"#Needs backporting (fixed from {fixed})"
+ }
+ if not args.output_json:
+ print(f"# {cve} needs backporting (fixed from {fixed})")
+
+ if not args.output_json:
+ print()
+
+ # Emit structured output if --ret-struct was requested
+ if args.output_json:
+ print(json.dumps({
+ "cve_status": cve_status,
+ }, indent=2))
if __name__ == "__main__":
main()
--
2.43.0
next reply other threads:[~2026-01-06 18:28 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-01-06 18:28 ValentinBoudevin [this message]
2026-01-06 18:28 ` [PATCH 2/4] generate-cve-exclusions: Add a .bbclass ValentinBoudevin
2026-01-06 18:39 ` [OE-core] " Bruce Ashfield
2026-01-06 18:52 ` vboudevin
2026-01-06 18:28 ` [PATCH 3/4] generate-cve-exclusions: Move python script ValentinBoudevin
2026-01-06 18:28 ` [PATCH 4/4] linux: Add inherit on generate-cve-exclusions ValentinBoudevin
2026-01-06 18:41 ` [OE-core] " Bruce Ashfield
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260106182822.3377881-1-valentin.boudevin@gmail.com \
--to=valentin.boudevin@gmail.com \
--cc=openembedded-core@lists.openembedded.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox