From: ValentinBoudevin <valentin.boudevin@gmail.com>
To: openembedded-core@lists.openembedded.org
Cc: daniel.turull@ericsson.com, jerome.oufella@savoirfairelinux.com,
antonin.godard@bootlin.com,
ValentinBoudevin <valentin.boudevin@gmail.com>
Subject: [PATCH 1/1] improve_kerne_cve_report: Add a bbclass support
Date: Fri, 16 Jan 2026 14:05:15 -0500 [thread overview]
Message-ID: <20260116190520.118714-1-valentin.boudevin@gmail.com> (raw)
In-Reply-To: <188AFCD98EA3E578.3200434@lists.openembedded.org>
The script improve_kernel_cve_report.py doesn't have a bbclass.
It can be usefull to have one to generate improved cve-check files at
every run.
This new class can be used to generate a new file in tmp/deploy/images
with a .scouted.json in addition to the existing .json cve-check file.
The new .scouted.json is based on the cve-check file and the SBOM (SPDX3
mandatory) to generate this improved cve-check file with extra entries
found by the script improve_kernel_cve_report.py.
It only requires an inherit on an image recipe (e.g. "inherit
improve_kernel_cve_report" in core-image-minimal).
It can be add to core-image-minimal in a second step if revelant.
Signed-off-by: Valentin Boudevin <valentin.boudevin@gmail.com>
---
.../classes/improve_kernel_cve_report.bbclass | 71 +++++++++++++++++++
1 file changed, 71 insertions(+)
create mode 100644 meta/classes/improve_kernel_cve_report.bbclass
diff --git a/meta/classes/improve_kernel_cve_report.bbclass b/meta/classes/improve_kernel_cve_report.bbclass
new file mode 100644
index 0000000000..5c496252b4
--- /dev/null
+++ b/meta/classes/improve_kernel_cve_report.bbclass
@@ -0,0 +1,71 @@
+python do_clean:append() {
+ import os, glob
+ if bb.utils.contains('INHERIT', 'create-spdx-2.2', 'false', 'true', d):
+ deploy_dir = d.expand('${DEPLOY_DIR_IMAGE}')
+ for f in glob.glob(os.path.join(deploy_dir, '*scouted.json')):
+ bb.note("Removing " + f)
+ os.remove(f)
+}
+
+python do_clone_kernel_cve() {
+ import subprocess
+ import shutil, os
+ check_spdx = d.getVar("INHERIT")
+ rootdir = os.path.join(d.getVar("WORKDIR"), "vulns")
+ # Check if the feature is enabled and if SPDX 2.2 is not used
+ if "create-spdx-2.2" not in check_spdx:
+ d.setVar("SRC_URI", "git://git.kernel.org/pub/scm/linux/security/vulns.git;branch=master;protocol=https")
+ d.setVar("SRCREV", "${AUTOREV}")
+ src_uri = (d.getVar('SRC_URI') or "").split()
+ # Fetch the kernel vulnerabilities sources
+ fetcher = bb.fetch2.Fetch(src_uri, d)
+ fetcher.download()
+ # Unpack into the standard work directory
+ fetcher.unpack(rootdir)
+ # Remove the folder ${PN} set by unpack
+ subdirs = [d for d in os.listdir(rootdir) if os.path.isdir(os.path.join(rootdir, d))]
+ if len(subdirs) == 1:
+ srcdir = os.path.join(rootdir, subdirs[0])
+ for f in os.listdir(srcdir):
+ shutil.move(os.path.join(srcdir, f), rootdir)
+ shutil.rmtree(srcdir)
+ bb.note("Vulnerabilities repo unpacked into: %s" % rootdir)
+ elif "create-spdx-2.2" in check_spdx:
+ bb.warn(f"improve_kernel_cve_report: Extra Kernel CVEs Scouting is desactivate because incompatible with SPDX 2.2.")
+}
+do_clone_kernel_cve[network] = "1"
+do_clone_kernel_cve[nostamp] = "1"
+do_clone_kernel_cve[doc] = "Clone the latest kernel vulnerabilities from https://git.kernel.org/pub/scm/linux/security/vulns.git"
+addtask clone_kernel_cve after
+
+do_scout_extra_kernel_vulns() {
+ spdx_file="${SPDXIMAGEDEPLOYDIR}/${IMAGE_LINK_NAME}.spdx.json"
+ original_cve_check_file="${DEPLOY_DIR_IMAGE}/${IMAGE_LINK_NAME}.json"
+ new_cve_report_file="${DEPLOY_DIR_IMAGE}/${IMAGE_NAME}.scouted.json"
+ improve_kernel_cve_script="${COREBASE}/scripts/contrib/improve_kernel_cve_report.py"
+
+ if ${@bb.utils.contains('INHERIT', 'create-spdx-2.2', 'true', 'false', d)}; then
+ bbwarn "improve_kernel_cve_report: Skipping extra kernel vulnerabilities scouting because incompatible with SPDX 2."
+ return 0
+ elif [ ! -f "${spdx_file}" ]; then
+ bbwarn "improve_kernel_cve_report: SPDX file not found: ${spdx_file}. Skipping extra kernel vulnerabilities scoutings."
+ return 0
+ elif [ ! -f "${original_cve_check_file}" ]; then
+ bbwarn "improve_kernel_cve_report: CVE_CHECK file not found: ${original_cve_check_file}. Skipping extra kernel vulnerabilities scouting."
+ return 0
+ fi
+
+ #Launch the new script to improve the cve report
+ python3 "${improve_kernel_cve_script}" \
+ --spdx "${spdx_file}" \
+ --old-cve-report "${original_cve_check_file}" \
+ --new-cve-report "${new_cve_report_file}" \
+ --datadir "${WORKDIR}/vulns"
+ bbplain "Improve CVE report with extra kernel cves: ${new_cve_report_file}"
+
+ #Create a symlink as every other JSON file in tmp/deploy/images
+ ln -sf ${DEPLOY_DIR_IMAGE}/${IMAGE_NAME}.scouted.json ${DEPLOY_DIR_IMAGE}/${IMAGE_BASENAME}${IMAGE_MACHINE_SUFFIX}${IMAGE_NAME_SUFFIX}.scouted.json
+}
+do_scout_extra_kernel_vulns[nostamp] = "1"
+do_scout_extra_kernel_vulns[doc] = "Scout extra kernel vulnerabilities and create a new enhanced version of the cve_check file in the deploy directory"
+addtask scout_extra_kernel_vulns after do_create_image_sbom_spdx before do_build
\ No newline at end of file
next parent reply other threads:[~2026-01-16 19:12 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <188AFCD98EA3E578.3200434@lists.openembedded.org>
2026-01-16 19:05 ` ValentinBoudevin [this message]
2026-01-16 19:05 ` [PATCH v5 0/4] generate-cve-exclusions: Add a .bbclass ValentinBoudevin
2026-01-19 10:44 ` Daniel Turull
2026-01-16 19:05 ` [PATCH v5 1/4] generate-cve-exclusions: Add --output-json option ValentinBoudevin
2026-01-16 19:05 ` [PATCH v5 2/4] generate-cve-exclusions: Add a .bbclass ValentinBoudevin
2026-01-17 13:36 ` [OE-core] " Peter Kjellerstedt
2026-01-19 10:40 ` Daniel Turull
2026-01-16 19:05 ` [PATCH v5 3/4] generate-cve-exclusions: Move python script ValentinBoudevin
2026-01-16 19:05 ` [PATCH v5 4/4] linux: Add inherit on generate-cve-exclusions ValentinBoudevin
2026-01-17 13:38 ` [OE-core] " Peter Kjellerstedt
2026-01-19 9:35 ` [PATCH 1/1] improve_kerne_cve_report: Add a bbclass support Daniel Turull
2026-01-29 21:10 ` [PATCH v6 0/4] generate-cve-exclusions: Add a .bbclass ValentinBoudevin
2026-01-29 21:10 ` [PATCH v6 1/4] generate-cve-exclusions: Add output format option ValentinBoudevin
2026-01-29 21:10 ` [PATCH v6 2/4] cvelistv5: add a new recipe ValentinBoudevin
2026-02-01 11:56 ` [OE-core] " Mathieu Dubois-Briand
2026-02-01 15:12 ` Richard Purdie
2026-02-02 13:48 ` vboudevin
2026-02-02 14:04 ` [OE-core] " Marta Rybczynska
2026-02-02 19:54 ` vboudevin
2026-01-29 21:10 ` [PATCH v6 3/4] kernel-generate-cve-exclusions: Add a .bbclass ValentinBoudevin
2026-01-29 21:10 ` [PATCH v6 4/4] generate-cve-exclusions: Move python script ValentinBoudevin
2026-01-06 21:02 [PATCH 1/1] improve_kerne_cve_report: Add a bbclass support ValentinBoudevin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260116190520.118714-1-valentin.boudevin@gmail.com \
--to=valentin.boudevin@gmail.com \
--cc=antonin.godard@bootlin.com \
--cc=daniel.turull@ericsson.com \
--cc=jerome.oufella@savoirfairelinux.com \
--cc=openembedded-core@lists.openembedded.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox