public inbox for openembedded-core@lists.openembedded.org
From: ValentinBoudevin <valentin.boudevin@gmail.com>
To: openembedded-core@lists.openembedded.org
Cc: daniel.turull@ericsson.com, jerome.oufella@savoirfairelinux.com,
	ValentinBoudevin <valentin.boudevin@gmail.com>
Subject: [PATCH v7 3/4] kernel-generate-cve-exclusions: Add a .bbclass
Date: Mon,  2 Feb 2026 15:52:29 -0500	[thread overview]
Message-ID: <20260202205231.2134908-4-valentin.boudevin@gmail.com> (raw)
In-Reply-To: <20260202205231.2134908-1-valentin.boudevin@gmail.com>

Add a new class named kernel-generate-cve-exclusions.bbclass to
generate-cve-exclusions to use this script at every run.

Two steps for testing:

1) inherit this class in the kernel recipe with "inherit
   kernel-generate-cve-exclusions.bbclass"
2) Use the following command to generate the cve exclusions .json and .inc
   files: "bitbake linux-yocto -c do_generate_cve_exclusions"

This class contains several methods:

* do_generate_cve_exclusions: Use the script generate-cve-exclusions.py.
It uses the new "--output-json-file" argument to generate a JSON file as
an output stored in ${GENERATE_CVE_EXCLUSIONS_OUTPUT_JSON}, and a .inc
file in ${GENERATE_CVE_EXCLUSIONS_OUTPUT_INC}

* do_cve_check:prepend: Parse the previously generated JSON file to set
the variable CVE_STATUS correctly

The class also provides some variables:

* GENERATE_CVE_EXCLUSIONS_OUTPUT_JSON: path of the output JSON file used
to set CVE_STATUS
* GENERATE_CVE_EXCLUSIONS_OUTPUT_INC: cve exclusions .inc file output
path. Not used directly by this class (needs to be inherited manually).

Signed-off-by: Valentin Boudevin <valentin.boudevin@gmail.com>
---
 .../kernel-generate-cve-exclusions.bbclass    | 46 +++++++++++++++++++
 1 file changed, 46 insertions(+)
 create mode 100644 meta/classes/kernel-generate-cve-exclusions.bbclass

diff --git a/meta/classes/kernel-generate-cve-exclusions.bbclass b/meta/classes/kernel-generate-cve-exclusions.bbclass
new file mode 100644
index 0000000000..8efa32f6a1
--- /dev/null
+++ b/meta/classes/kernel-generate-cve-exclusions.bbclass
@@ -0,0 +1,46 @@
+# Generate CVE exclusions for the kernel build (set to "1" to enable)
+GENERATE_CVE_EXCLUSIONS_OUTPUT_JSON = "${WORKDIR}/temp/cve-exclusion_${LINUX_VERSION}.json"
+GENERATE_CVE_EXCLUSIONS_OUTPUT_INC  = "${WORKDIR}/temp//cve-exclusion_${LINUX_VERSION}.inc"
+
+do_generate_cve_exclusions() {
+    # Check for required files and directories
+    generate_cve_exclusions_script=${COREBASE}/scripts/contrib/generate-cve-exclusions.py
+    if [ ! -f "${generate_cve_exclusions_script}" ]; then
+        bbwarn "generate-cve-exclusions.py not found in ${generate_cve_exclusions_script}."
+        return 0
+    fi
+    if [ ! -d "${STAGING_DATADIR_NATIVE}/cvelistv5-native" ]; then
+        bbwarn "CVE exclusions source directory not found in ${STAGING_DATADIR_NATIVE}/cvelistv5-native."
+        return 0
+    fi
+    # Generate the CVE exclusions JSON & INC file
+    python3 "${generate_cve_exclusions_script}" \
+        "${STAGING_DATADIR_NATIVE}/cvelistv5-native" \
+        ${LINUX_VERSION} \
+        --output-json-file "${GENERATE_CVE_EXCLUSIONS_OUTPUT_JSON}" \
+        --output-inc-file "${GENERATE_CVE_EXCLUSIONS_OUTPUT_INC}"
+    bbplain "CVE exclusions generated for kernel version ${LINUX_VERSION} at ${GENERATE_CVE_EXCLUSIONS_OUTPUT_INC} and ${GENERATE_CVE_EXCLUSIONS_OUTPUT_JSON}."
+}
+do_generate_cve_exclusions[depends] += "cvelistv5-native:do_populate_sysroot"
+do_generate_cve_exclusions[nostamp] = "1"
+do_generate_cve_exclusions[doc] = "Generate CVE exclusions for the kernel build. (e.g., cve-exclusion_6.12.json)"
+addtask generate_cve_exclusions after do_prepare_recipe_sysroot before do_cve_check
+
+python do_cve_check:prepend() {
+    import os
+    import json
+    workdir = d.getVar("${STAGING_DATADIR_NATIVE}/cvelistv5-native")
+    kernel_version = d.getVar("LINUX_VERSION")
+    json_input_file = d.getVar("GENERATE_CVE_EXCLUSIONS_OUTPUT_JSON")
+    if os.path.exists(json_input_file):
+        with open(json_input_file, 'r', encoding='utf-8') as f:
+            cve_data = json.load(f)
+        cve_status_dict = cve_data.get("cve_status", {})
+        count = 0
+        for cve_id, info in cve_status_dict.items():
+            if info.get("active", True):
+                continue
+            d.setVarFlag("CVE_STATUS", cve_id, info.get("message", ""))
+            count += 1
+        bb.note("Loaded %d CVE_STATUS entries from JSON output for kernel %s" % (count, kernel_version))
+}
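Review bot: In the `do_cve_check:prepend` body, `d.getVar("${STAGING_DATADIR_NATIVE}/cvelistv5-native")` passes an expanded path where `getVar` expects a variable name, so `workdir` is always `None`; since `workdir` is never used afterwards, drop that line (or use `d.getVar("STAGING_DATADIR_NATIVE")` if the path is actually needed). Two smaller points in the same file: the comment on the first line says 'set to "1" to enable' but the class defines no such enable variable, and `GENERATE_CVE_EXCLUSIONS_OUTPUT_INC` contains a doubled slash (`temp//cve-exclusion_`). Also worth a second look: when the script or the cvelistv5-native directory is missing, `do_generate_cve_exclusions` only warns and returns, and the prepend then silently sets no CVE_STATUS entries, so the resulting CVE report is indistinguishable from a clean run; consider `bbfatal` there, or at least a `bb.warn` in the prepend when the JSON file is absent. Finally, the value stored with `d.setVarFlag("CVE_STATUS", cve_id, ...)` must follow the `<status>: <reason>` form that cve-check parses, so confirm the JSON `message` field carries the status prefix, and `${LINUX_VERSION}` on the script command line should be quoted like the other arguments.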

