* [PATCH 1/4] improve_kernel_cve_report: sort kernel_compiled_files
@ 2026-02-04 13:42 daniel.turull
2026-02-04 13:42 ` [PATCH 2/4] improve_kernel_cve_report: correct description for fixed-version daniel.turull
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: daniel.turull @ 2026-02-04 13:42 UTC (permalink / raw)
To: openembedded-core; +Cc: Daniel Turull, Andrew Fenner
From: Daniel Turull <daniel.turull@ericsson.com>
Sorting the set so that the output is predictable
Signed-off-by: Andrew Fenner <andrew.fenner@est.tech>
Signed-off-by: Daniel Turull <daniel.turull@ericsson.com>
---
scripts/contrib/improve_kernel_cve_report.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scripts/contrib/improve_kernel_cve_report.py b/scripts/contrib/improve_kernel_cve_report.py
index 3a15b1ed26..27ebed2cbd 100755
--- a/scripts/contrib/improve_kernel_cve_report.py
+++ b/scripts/contrib/improve_kernel_cve_report.py
@@ -106,7 +106,7 @@ def get_kernel_cves(datadir, compiled_files, version):
"status": "Ignored",
"detail": "not-applicable-config",
"summary": description,
- "description": f"Source code not compiled by config. {affected_files}"
+ "description": f"Source code not compiled by config. {sorted(affected_files)}"
}
not_applicable_config +=1
# Check if we have backport
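Review bot: In the "description" f-string, sorted(affected_files) interpolates a Python list repr, so the report text changes from a set-style {...} to ['a', 'b'] with brackets and quotes. If the goal is only a stable order, ", ".join(sorted(affected_files)) gives deterministic and cleaner output. The subject line names kernel_compiled_files while the hunk sorts affected_files, so the subject should be adjusted to match.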
* [PATCH 2/4] improve_kernel_cve_report: correct description for fixed-version
From: daniel.turull @ 2026-02-04 13:42 UTC (permalink / raw)
To: openembedded-core; +Cc: Daniel Turull
From: Daniel Turull <daniel.turull@ericsson.com>
Remove duplication in the description when fixed-version, to be
consistent with the other status description.
Signed-off-by: Daniel Turull <daniel.turull@ericsson.com>
---
scripts/contrib/improve_kernel_cve_report.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scripts/contrib/improve_kernel_cve_report.py b/scripts/contrib/improve_kernel_cve_report.py
index 27ebed2cbd..50d25b2239 100755
--- a/scripts/contrib/improve_kernel_cve_report.py
+++ b/scripts/contrib/improve_kernel_cve_report.py
@@ -164,7 +164,7 @@ def get_kernel_cves(datadir, compiled_files, version):
"status": "Patched",
"detail": "fixed-version",
"summary": description,
- "description": f"fixed-version: Fixed from version {last_affected}"
+ "description": f"Fixed from version {last_affected}"
}
not_vulnerable += 1
elif backport_base == base_version:
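Review bot: The new "description" line reports {last_affected} as the version the fix starts from, but the variable name suggests the last affected release rather than the first fixed one. Confirm which of the two it holds and either rename the variable or reword the string, since a reader of the report is likely to take this value as the version to upgrade to.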
* [PATCH 3/4] improve_kernel_cve_report: update data if CVE exists
From: daniel.turull @ 2026-02-04 13:42 UTC (permalink / raw)
To: openembedded-core; +Cc: Daniel Turull
From: Daniel Turull <daniel.turull@ericsson.com>
This allows including additional information if one of the
sources is more complete. Updating description with more
up-to-date information and including summary.

For example:

Before while using cve_check:
    {
      "id": "CVE-2025-68167",
      "status": "Patched",
      "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68167",
      "detail": "fixed-version",
      "description": "Fixed from version 6.18"
    },

After:
    {
      "id": "CVE-2025-68167",
      "status": "Patched",
      "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-68167",
      "detail": "fixed-version",
      "description": "Fixed from version 6.18",
      "summary": "In the Linux kernel, the following (...)"
    },
Signed-off-by: Daniel Turull <daniel.turull@ericsson.com>
---
scripts/contrib/improve_kernel_cve_report.py | 1 +
1 file changed, 1 insertion(+)
diff --git a/scripts/contrib/improve_kernel_cve_report.py b/scripts/contrib/improve_kernel_cve_report.py
index 50d25b2239..903de0000c 100755
--- a/scripts/contrib/improve_kernel_cve_report.py
+++ b/scripts/contrib/improve_kernel_cve_report.py
@@ -358,6 +358,7 @@ def cve_update(cve_data, cve, entry):
cve_data[cve] = copy_data(cve_data[cve], entry)
return
if cve_data[cve]['status'] == entry['status']:
+ cve_data[cve] = copy_data(cve_data[cve], entry)
return
if entry['status'] == "Unpatched" and cve_data[cve]['status'] == "Patched":
# Backported-patch (e.g. vendor kernel repo with cherry-picked CVE patch)
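Review bot: The added copy_data() call in the equal-status branch runs unconditionally, while the commit message describes it as applying when one of the sources is more complete. If copy_data() lets fields from entry replace those already in cve_data[cve], a same-status update could overwrite a more specific 'detail' or 'description' with a less specific one. A short comment stating the merge precedence, or restricting the merge to keys missing from the existing record, would make the intent clear.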
* [PATCH 4/4] improve_kernel_cve_report: validate that cve details field exists
From: daniel.turull @ 2026-02-04 13:42 UTC (permalink / raw)
To: openembedded-core; +Cc: Daniel Turull
From: Daniel Turull <daniel.turull@ericsson.com>
Check if the cve information has the details field to avoid crashing
Signed-off-by: Daniel Turull <daniel.turull@ericsson.com>
---
scripts/contrib/improve_kernel_cve_report.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scripts/contrib/improve_kernel_cve_report.py b/scripts/contrib/improve_kernel_cve_report.py
index 903de0000c..b386c9383a 100755
--- a/scripts/contrib/improve_kernel_cve_report.py
+++ b/scripts/contrib/improve_kernel_cve_report.py
@@ -363,7 +363,7 @@ def cve_update(cve_data, cve, entry):
if entry['status'] == "Unpatched" and cve_data[cve]['status'] == "Patched":
# Backported-patch (e.g. vendor kernel repo with cherry-picked CVE patch)
# has priority over unpatch from CNA
- if cve_data[cve]['detail'] == "backported-patch":
+ if "detail" in cve_data and cve_data[cve]['detail'] == "backported-patch":
return
logging.warning("CVE entry %s update from Patched to Unpatched from the scan result", cve)
cve_data[cve] = copy_data(cve_data[cve], entry)
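Review bot: The new guard "detail" in cve_data tests the top-level dictionary, which is indexed by CVE id (cve_data[cve]), rather than the record for this CVE, so it will be false in practice and the backported-patch early return no longer fires. A Patched entry carrying a backported fix would then fall through to the warning and be overwritten by the Unpatched scan result. Check the record instead, either "detail" in cve_data[cve] or cve_data[cve].get('detail') == "backported-patch".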