From: ValentinBoudevin <valentin.boudevin@gmail.com>
To: openembedded-core@lists.openembedded.org
Cc: daniel.turull@ericsson.com, jerome.oufella@savoirfairelinux.com,
ValentinBoudevin <valentin.boudevin@gmail.com>
Subject: [PATCH v6 2/2] improve_kernel_cve_report: Add a bbclass support
Date: Mon, 2 Feb 2026 16:08:11 -0500 [thread overview]
Message-ID: <20260202210811.2136027-3-valentin.boudevin@gmail.com> (raw)
In-Reply-To: <20260202210811.2136027-1-valentin.boudevin@gmail.com>
The script improve_kernel_cve_report.py doesn't have a bbclass.
It can be useful to have one to generate improved cve-check files at
every run.
This commit contains three classes:
-improve_kernel_cve_report-base.bbclass: Base class which contains the
tasks to perform improve_kernel_cve_report.py initialization and
execution.
-improve_kernel_cve_report-spdx-2.2.bbclass: Set
IMPROVE_KERNEL_SPDX_FILE variable for SPDX-2.2 builds and set
IMPROVE_KERNEL_PREFERRED_PROVIDER to require "create-spdx-2.2" in
INHERIT.
-improve_kernel_cve_report-spdx-3.0.bbclass: Set
IMPROVE_KERNEL_SPDX_FILE variable for SPDX-3.0 project, and set
IMPROVE_KERNEL_PREFERRED_PROVIDER to "create-spdx" to requires it in
INHERIT.
-improve_kernel_cve_report.bbclass: Include this class when you don't
care what version of SPDX you get.
These three new .bbclass files can be used to generate a new output in
tmp/deploy/images with a .scouted.json file in addition to the existing
.json cve-check file.
The new .scouted.json is based on the cve-check file and the SBOM to
generate this improved cve-check file with extra entries found by the
script improve_kernel_cve_report.py.
It only requires to use "inherit" on an image recipe (e.g. on
core-image-minimal).
The bbclass "improve_kernel_cve_report-spdx-2.2.bbclass" can be used if
"create-spdx-2.2" is configured in INHERIT, and "create-spdx" is
removed.
INHERIT:remove = "create-spdx"
INHERIT:append = " create-spdx-2.2"
By default, projects use SPDX-3.0 and don't require any additional
configuration.
Signed-off-by: Valentin Boudevin <valentin.boudevin@gmail.com>
---
.../improve_kernel_cve_report-base.bbclass | 64 +++++++++++++++++++
...improve_kernel_cve_report-spdx-2.2.bbclass | 4 ++
...improve_kernel_cve_report-spdx-3.0.bbclass | 4 ++
.../classes/improve_kernel_cve_report.bbclass | 3 +
4 files changed, 75 insertions(+)
create mode 100644 meta/classes/improve_kernel_cve_report-base.bbclass
create mode 100644 meta/classes/improve_kernel_cve_report-spdx-2.2.bbclass
create mode 100644 meta/classes/improve_kernel_cve_report-spdx-3.0.bbclass
create mode 100644 meta/classes/improve_kernel_cve_report.bbclass
diff --git a/meta/classes/improve_kernel_cve_report-base.bbclass b/meta/classes/improve_kernel_cve_report-base.bbclass
new file mode 100644
index 0000000000..8bc6000903
--- /dev/null
+++ b/meta/classes/improve_kernel_cve_report-base.bbclass
@@ -0,0 +1,64 @@
+# Settings for SPDX support
+
+# Setting to specify preferred provider for kernel SPDX file ("create-spdx" or "create-spdx-2.2")
+IMPROVE_KERNEL_PREFERRED_PROVIDER ?= ""
+# Setting to specify the path to the SPDX file to be used for extra kernel vulnerabilities scouting
+IMPROVE_KERNEL_SPDX_FILE ?= ""
+
+python __anonymous() {
+ if bb.data.inherits_class("create-spdx-2.2", d):
+ if not d.getVar("IMPROVE_KERNEL_PREFERRED_PROVIDER") == "create-spdx-2.2":
+ bb.fatal("improve_kernel_cve_report: IMPROVE_KERNEL_PREFERRED_PROVIDER is set to '%s', but 'create-spdx-2.2' class is inherited. Please check your configuration." % d.getVar("IMPROVE_KERNEL_PREFERRED_PROVIDER"))
+ bb.build.addtask("do_scout_extra_kernel_vulns", "do_build", "do_rootfs", d)
+ elif bb.data.inherits_class("create-spdx", d):
+ if not d.getVar("IMPROVE_KERNEL_PREFERRED_PROVIDER") == "create-spdx":
+ bb.fatal("improve_kernel_cve_report: IMPROVE_KERNEL_PREFERRED_PROVIDER is set to '%s', but 'create-spdx' class is inherited. Please check your configuration." % d.getVar("IMPROVE_KERNEL_PREFERRED_PROVIDER"))
+ bb.build.addtask('do_scout_extra_kernel_vulns', 'do_build', 'do_create_image_sbom_spdx', d)
+}
+
+python do_clean:append() {
+ import os, glob
+ deploy_dir = d.expand('${DEPLOY_DIR_IMAGE}')
+ for f in glob.glob(os.path.join(deploy_dir, '*scouted.json')):
+ bb.note("Removing " + f)
+ os.remove(f)
+}
+
+do_scout_extra_kernel_vulns() {
+ new_cve_report_file="${DEPLOY_DIR_IMAGE}/${IMAGE_NAME}.scouted.json"
+ improve_kernel_cve_script="${COREBASE}/scripts/contrib/improve_kernel_cve_report.py"
+
+ # Check that IMPROVE_KERNEL_SPDX_FILE is set and the file exists
+ if [ -z "${IMPROVE_KERNEL_SPDX_FILE}" ] || [ ! -f "${IMPROVE_KERNEL_SPDX_FILE}" ]; then
+ bbwarn "improve_kernel_cve: IMPROVE_KERNEL_SPDX_FILE is empty or file not found: ${IMPROVE_KERNEL_SPDX_FILE}"
+ return 0
+ fi
+ if [ ! -f "${CVE_CHECK_MANIFEST_JSON}" ]; then
+ bbwarn "improve_kernel_cve: CVE_CHECK file not found: ${CVE_CHECK_MANIFEST_JSON}. Skipping extra kernel vulnerabilities scouting."
+ return 0
+ fi
+ if [ ! -f "${improve_kernel_cve_script}" ]; then
+ bbwarn "improve_kernel_cve: improve_kernel_cve_report.py not found in ${COREBASE}."
+ return 0
+ fi
+ if [ ! -d "${STAGING_DATADIR_NATIVE}/vulns-native" ]; then
+ bbwarn "improve_kernel_cve: Vulnerabilities data not found in ${STAGING_DATADIR_NATIVE}/vulns-native."
+ return 0
+ fi
+
+ #Run the improve_kernel_cve_report.py script
+ bbplain "improve_kernel_cve: Using SPDX file for extra kernel vulnerabilities scouting: ${IMPROVE_KERNEL_SPDX_FILE}"
+ python3 "${improve_kernel_cve_script}" \
+ --spdx "${IMPROVE_KERNEL_SPDX_FILE}" \
+ --old-cve-report "${CVE_CHECK_MANIFEST_JSON}" \
+ --new-cve-report "${new_cve_report_file}" \
+ --datadir "${STAGING_DATADIR_NATIVE}/vulns-native"
+ bbplain "Improve CVE report with extra kernel cves: ${new_cve_report_file}"
+
+ #Create a symlink as every other JSON file in tmp/deploy/images
+ ln -sf ${DEPLOY_DIR_IMAGE}/${IMAGE_NAME}.scouted.json ${DEPLOY_DIR_IMAGE}/${IMAGE_BASENAME}${IMAGE_MACHINE_SUFFIX}${IMAGE_NAME_SUFFIX}.scouted.json
+}
+do_scout_extra_kernel_vulns[depends] += "vulns-native:do_populate_sysroot"
+do_scout_extra_kernel_vulns[nostamp] = "1"
+do_scout_extra_kernel_vulns[doc] = "Scout extra kernel vulnerabilities and create a new enhanced version of the cve_check file in the deploy directory"
+addtask scout_extra_kernel_vulnsate_cve_exclusions after do_prepare_recipe_sysroot
\ No newline at end of file
diff --git a/meta/classes/improve_kernel_cve_report-spdx-2.2.bbclass b/meta/classes/improve_kernel_cve_report-spdx-2.2.bbclass
new file mode 100644
index 0000000000..45b483134d
--- /dev/null
+++ b/meta/classes/improve_kernel_cve_report-spdx-2.2.bbclass
@@ -0,0 +1,4 @@
+IMPROVE_KERNEL_PREFERRED_PROVIDER = "create-spdx-2.2"
+IMPROVE_KERNEL_SPDX_FILE = "${DEPLOY_DIR}/spdx/2.2/${@d.getVar('MACHINE').replace('-', '_')}/recipes/recipe-${PREFERRED_PROVIDER_virtual/kernel}.spdx.json"
+
+inherit improve_kernel_cve_report-base
\ No newline at end of file
diff --git a/meta/classes/improve_kernel_cve_report-spdx-3.0.bbclass b/meta/classes/improve_kernel_cve_report-spdx-3.0.bbclass
new file mode 100644
index 0000000000..3849f66aaf
--- /dev/null
+++ b/meta/classes/improve_kernel_cve_report-spdx-3.0.bbclass
@@ -0,0 +1,4 @@
+IMPROVE_KERNEL_PREFERRED_PROVIDER = "create-spdx"
+IMPROVE_KERNEL_SPDX_FILE = "${SPDXIMAGEDEPLOYDIR}/${IMAGE_LINK_NAME}.spdx.json"
+
+inherit improve_kernel_cve_report-base
\ No newline at end of file
diff --git a/meta/classes/improve_kernel_cve_report.bbclass b/meta/classes/improve_kernel_cve_report.bbclass
new file mode 100644
index 0000000000..7b237d1e22
--- /dev/null
+++ b/meta/classes/improve_kernel_cve_report.bbclass
@@ -0,0 +1,3 @@
+# Include this class when you don't care what version of SPDX you get; it will
+# be updated to the latest stable version that is supported
+inherit improve_kernel_cve_report-spdx-3.0
\ No newline at end of file
next prev parent reply other threads:[~2026-02-02 21:08 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <188AFD4FCC1313A8.2683732@lists.openembedded.org>
2026-01-19 18:40 ` [PATCH v4 0/1] improve_kernel_cve_report: Add a bbclass support ValentinBoudevin
2026-01-19 18:40 ` [PATCH v4 1/1] " ValentinBoudevin
2026-01-20 15:00 ` Daniel Turull
2026-01-22 12:58 ` Benjamin ROBIN
2026-01-26 12:56 ` [OE-core] " Ross Burton
2026-01-28 16:38 ` [PATCH v5 0/2] " ValentinBoudevin
2026-01-28 16:38 ` [PATCH v5 1/2] vulns: add a new recipe ValentinBoudevin
2026-01-31 17:59 ` [OE-core] " Mathieu Dubois-Briand
2026-01-28 16:38 ` [PATCH v5 2/2] improve_kernel_cve_report: Add a bbclass support ValentinBoudevin
2026-01-29 11:01 ` [PATCH v5 0/2] " Daniel Turull
2026-01-29 16:34 ` vboudevin
2026-02-01 15:54 ` [OE-core] " Marta Rybczynska
2026-02-02 21:08 ` [PATCH v6 " ValentinBoudevin
2026-02-02 21:08 ` [PATCH v6 1/2] vulns: add a new recipe ValentinBoudevin
2026-02-02 21:08 ` ValentinBoudevin [this message]
2026-02-04 14:58 ` [PATCH v6 0/2] improve_kernel_cve_report: Add a bbclass support Daniel Turull
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260202210811.2136027-3-valentin.boudevin@gmail.com \
--to=valentin.boudevin@gmail.com \
--cc=daniel.turull@ericsson.com \
--cc=jerome.oufella@savoirfairelinux.com \
--cc=openembedded-core@lists.openembedded.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox