From: "Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)" <hetpat@cisco.com>
To: openembedded-core@lists.openembedded.org
Cc: xe-linux-external@cisco.com, vchavda@cisco.com
Subject: [openembedded-core] [scarthgap] [PATCH v1 03/34] cve-check: annotate CVEs during analysis
Date: Thu, 19 Feb 2026 21:34:12 -0800 [thread overview]
Message-ID: <20260220053443.3006180-3-hetpat@cisco.com> (raw)
In-Reply-To: <20260220053443.3006180-1-hetpat@cisco.com>
From: Marta Rybczynska <rybczynska@gmail.com>
Add status information for each CVE under analysis.
Previously the information passed between different function of the
cve-check class included only tables of patched, unpatched, ignored
vulnerabilities and the general status of the recipe.
The VEX work requires more information, and we need to pass them
between different functions, so that it can be enriched as the
analysis progresses. Instead of multiple tables, use a single one
with annotations for each CVE encountered. For example, a patched
CVE will have:
{"abbrev-status": "Patched", "status": "version-not-in-range"}
abbrev-status contains the general status (Patched, Unpatched,
Ignored and Unknown that will be added in the VEX code)
status contains more detailed information that can come from
CVE_STATUS and the analysis.
Additional fields of the annotation include for example the name
of the patch file fixing a given CVE.
We also use the annotation in CVE_STATUS to filter out entries
that do not apply to the given recipe
Backport Changes:
- Cherry-picking this patch, which precedes commit [358dbfcd80ae] in
master. Since commit [358dbfcd80ae] was already cherry-picked earlier
in scarthgap, adjusted the changes accordingly to avoid conflicts.
Signed-off-by: Marta Rybczynska <marta.rybczynska@syslinbit.com>
Signed-off-by: Samantha Jalabert <samantha.jalabert@syslinbit.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 452e605b55ad61c08f4af7089a5a9c576ca28f7d)
Signed-off-by: Het Patel <hetpat@cisco.com>
---
meta/classes/cve-check.bbclass | 214 +++++++++++++++++----------------
meta/lib/oe/cve_check.py | 35 +++++-
2 files changed, 142 insertions(+), 107 deletions(-)
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index de5ddf6f04..32fb9e8a5c 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -176,10 +176,10 @@ python do_cve_check () {
patched_cves = get_patched_cves(d)
except FileNotFoundError:
bb.fatal("Failure in searching patches")
- ignored, patched, unpatched, status = check_cves(d, patched_cves)
- if patched or unpatched or (d.getVar("CVE_CHECK_COVERAGE") == "1" and status):
- cve_data = get_cve_info(d, patched + unpatched + ignored)
- cve_write_data(d, patched, unpatched, ignored, cve_data, status)
+ cve_data, status = check_cves(d, patched_cves)
+ if len(cve_data) or (d.getVar("CVE_CHECK_COVERAGE") == "1" and status):
+ get_cve_info(d, cve_data)
+ cve_write_data(d, cve_data, status)
else:
bb.note("No CVE database found, skipping CVE check")
@@ -287,7 +287,51 @@ ROOTFS_POSTPROCESS_COMMAND:prepend = "${@'cve_check_write_rootfs_manifest ' if d
do_rootfs[recrdeptask] += "${@'do_cve_check' if d.getVar('CVE_CHECK_CREATE_MANIFEST') == '1' else ''}"
do_populate_sdk[recrdeptask] += "${@'do_cve_check' if d.getVar('CVE_CHECK_CREATE_MANIFEST') == '1' else ''}"
-def check_cves(d, patched_cves):
+def cve_is_ignored(d, cve_data, cve):
+ if cve not in cve_data:
+ return False
+ if cve_data[cve]['abbrev-status'] == "Ignored":
+ return True
+ return False
+
+def cve_is_patched(d, cve_data, cve):
+ if cve not in cve_data:
+ return False
+ if cve_data[cve]['abbrev-status'] == "Patched":
+ return True
+ return False
+
+def cve_update(d, cve_data, cve, entry):
+ # If no entry, just add it
+ if cve not in cve_data:
+ cve_data[cve] = entry
+ return
+ # If we are updating, there might be change in the status
+ bb.debug("Trying CVE entry update for %s from %s to %s" % (cve, cve_data[cve]['abbrev-status'], entry['abbrev-status']))
+ if cve_data[cve]['abbrev-status'] == "Unknown":
+ cve_data[cve] = entry
+ return
+ if cve_data[cve]['abbrev-status'] == entry['abbrev-status']:
+ return
+ # Update like in {'abbrev-status': 'Patched', 'status': 'version-not-in-range'} to {'abbrev-status': 'Unpatched', 'status': 'version-in-range'}
+ if entry['abbrev-status'] == "Unpatched" and cve_data[cve]['abbrev-status'] == "Patched":
+ if entry['status'] == "version-in-range" and cve_data[cve]['status'] == "version-not-in-range":
+ # New result from the scan, vulnerable
+ cve_data[cve] = entry
+ bb.debug("CVE entry %s update from Patched to Unpatched from the scan result" % cve)
+ return
+ if entry['abbrev-status'] == "Patched" and cve_data[cve]['abbrev-status'] == "Unpatched":
+ if entry['status'] == "version-not-in-range" and cve_data[cve]['status'] == "version-in-range":
+ # Range does not match the scan, but we already have a vulnerable match, ignore
+ bb.debug("CVE entry %s update from Patched to Unpatched from the scan result - not applying" % cve)
+ return
+ # If we have an "Ignored", it has a priority
+ if cve_data[cve]['abbrev-status'] == "Ignored":
+ bb.debug("CVE %s not updating because Ignored" % cve)
+ return
+ bb.warn("Unhandled CVE entry update for %s from %s to %s" % (cve, cve_data[cve], entry))
+
+def check_cves(d, cve_data):
"""
Connect to the NVD database and find unpatched cves.
"""
@@ -297,28 +341,19 @@ def check_cves(d, patched_cves):
real_pv = d.getVar("PV")
suffix = d.getVar("CVE_VERSION_SUFFIX")
- cves_unpatched = []
- cves_ignored = []
cves_status = []
cves_in_recipe = False
# CVE_PRODUCT can contain more than one product (eg. curl/libcurl)
products = d.getVar("CVE_PRODUCT").split()
# If this has been unset then we're not scanning for CVEs here (for example, image recipes)
if not products:
- return ([], [], [], [])
+ return ([], [])
pv = d.getVar("CVE_VERSION").split("+git")[0]
# If the recipe has been skipped/ignored we return empty lists
if pn in d.getVar("CVE_CHECK_SKIP_RECIPE").split():
bb.note("Recipe has been skipped by cve-check")
- return ([], [], [], [])
-
- # Convert CVE_STATUS into ignored CVEs and check validity
- cve_ignore = []
- for cve in (d.getVarFlags("CVE_STATUS") or {}):
- decoded_status = decode_cve_status(d, cve)
- if 'mapping' in decoded_status and decoded_status['mapping'] == "Ignored":
- cve_ignore.append(cve)
+ return ([], [])
import sqlite3
db_file = d.expand("file:${CVE_CHECK_DB_FILE}?mode=ro")
@@ -337,11 +372,10 @@ def check_cves(d, patched_cves):
for cverow in cve_cursor:
cve = cverow[0]
- if cve in cve_ignore:
+ if cve_is_ignored(d, cve_data, cve):
bb.note("%s-%s ignores %s" % (product, pv, cve))
- cves_ignored.append(cve)
continue
- elif cve in patched_cves:
+ elif cve_is_patched(d, cve_data, cve):
bb.note("%s has been patched" % (cve))
continue
# Write status once only for each product
@@ -357,7 +391,7 @@ def check_cves(d, patched_cves):
for row in product_cursor:
(_, _, _, version_start, operator_start, version_end, operator_end) = row
#bb.debug(2, "Evaluating row " + str(row))
- if cve in cve_ignore:
+ if cve_is_ignored(d, cve_data, cve):
ignored = True
version_start = convert_cve_version(version_start)
@@ -396,16 +430,16 @@ def check_cves(d, patched_cves):
if vulnerable:
if ignored:
bb.note("%s is ignored in %s-%s" % (cve, pn, real_pv))
- cves_ignored.append(cve)
+ cve_update(d, cve_data, cve, {"abbrev-status": "Ignored"})
else:
bb.note("%s-%s is vulnerable to %s" % (pn, real_pv, cve))
- cves_unpatched.append(cve)
+ cve_update(d, cve_data, cve, {"abbrev-status": "Unpatched", "status": "version-in-range"})
break
product_cursor.close()
if not vulnerable:
bb.note("%s-%s is not vulnerable to %s" % (pn, real_pv, cve))
- patched_cves.add(cve)
+ cve_update(d, cve_data, cve, {"abbrev-status": "Patched", "status": "version-not-in-range"})
cve_cursor.close()
if not cves_in_product:
@@ -413,49 +447,46 @@ def check_cves(d, patched_cves):
cves_status.append([product, False])
conn.close()
- diff_ignore = list(set(cve_ignore) - set(cves_ignored))
- if diff_ignore:
- oe.qa.handle_error("cve_status_not_in_db", "Found CVE (%s) with CVE_STATUS set that are not found in database for this component" % " ".join(diff_ignore), d)
if not cves_in_recipe:
bb.note("No CVE records for products in recipe %s" % (pn))
- return (list(cves_ignored), list(patched_cves), cves_unpatched, cves_status)
+ return (cve_data, cves_status)
-def get_cve_info(d, cves):
+def get_cve_info(d, cve_data):
"""
Get CVE information from the database.
"""
import sqlite3
- cve_data = {}
db_file = d.expand("file:${CVE_CHECK_DB_FILE}?mode=ro")
conn = sqlite3.connect(db_file, uri=True)
- for cve in cves:
+ for cve in cve_data:
cursor = conn.execute("SELECT * FROM NVD WHERE ID IS ?", (cve,))
for row in cursor:
- cve_data[row[0]] = {}
- cve_data[row[0]]["summary"] = row[1]
- cve_data[row[0]]["scorev2"] = row[2]
- cve_data[row[0]]["scorev3"] = row[3]
- cve_data[row[0]]["scorev4"] = row[4]
- cve_data[row[0]]["modified"] = row[5]
- cve_data[row[0]]["vector"] = row[6]
- cve_data[row[0]]["vectorString"] = row[7]
+ # The CVE itdelf has been added already
+ if row[0] not in cve_data:
+ bb.note("CVE record %s not present" % row[0])
+ continue
+ #cve_data[row[0]] = {}
+ cve_data[row[0]]["NVD-summary"] = row[1]
+ cve_data[row[0]]["NVD-scorev2"] = row[2]
+ cve_data[row[0]]["NVD-scorev3"] = row[3]
+ cve_data[row[0]]["NVD-scorev4"] = row[4]
+ cve_data[row[0]]["NVD-modified"] = row[5]
+ cve_data[row[0]]["NVD-vector"] = row[6]
+ cve_data[row[0]]["NVD-vectorString"] = row[7]
cursor.close()
conn.close()
- return cve_data
-def cve_write_data_text(d, patched, unpatched, ignored, cve_data):
+def cve_write_data_text(d, cve_data):
"""
Write CVE information in WORKDIR; and to CVE_CHECK_DIR, and
CVE manifest if enabled.
"""
- from oe.cve_check import decode_cve_status
-
cve_file = d.getVar("CVE_CHECK_LOG")
fdir_name = d.getVar("FILE_DIRNAME")
layer = fdir_name.split("/")[-3]
@@ -472,7 +503,7 @@ def cve_write_data_text(d, patched, unpatched, ignored, cve_data):
return
# Early exit, the text format does not report packages without CVEs
- if not patched+unpatched+ignored:
+ if not len(cve_data):
return
nvd_link = "https://nvd.nist.gov/vuln/detail/"
@@ -481,37 +512,30 @@ def cve_write_data_text(d, patched, unpatched, ignored, cve_data):
bb.utils.mkdirhier(os.path.dirname(cve_file))
for cve in sorted(cve_data):
- is_patched = cve in patched
- is_ignored = cve in ignored
-
- status = "Unpatched"
- if (is_patched or is_ignored) and not report_all:
+ if not report_all and (cve_data[cve]["abbrev-status"] == "Patched" or cve_data[cve]["abbrev-status"] == "Ignored"):
continue
- if is_ignored:
- status = "Ignored"
- elif is_patched:
- status = "Patched"
- else:
- # default value of status is Unpatched
- unpatched_cves.append(cve)
-
write_string += "LAYER: %s\n" % layer
write_string += "PACKAGE NAME: %s\n" % d.getVar("PN")
write_string += "PACKAGE VERSION: %s%s\n" % (d.getVar("EXTENDPE"), d.getVar("PV"))
write_string += "CVE: %s\n" % cve
- write_string += "CVE STATUS: %s\n" % status
- status_details = decode_cve_status(d, cve)
- if 'detail' in status_details:
- write_string += "CVE DETAIL: %s\n" % status_details['detail']
- if 'description' in status_details:
- write_string += "CVE DESCRIPTION: %s\n" % status_details['description']
- write_string += "CVE SUMMARY: %s\n" % cve_data[cve]["summary"]
- write_string += "CVSS v2 BASE SCORE: %s\n" % cve_data[cve]["scorev2"]
- write_string += "CVSS v3 BASE SCORE: %s\n" % cve_data[cve]["scorev3"]
- write_string += "CVSS v4 BASE SCORE: %s\n" % cve_data[cve]["scorev4"]
- write_string += "VECTOR: %s\n" % cve_data[cve]["vector"]
- write_string += "VECTORSTRING: %s\n" % cve_data[cve]["vectorString"]
+ write_string += "CVE STATUS: %s\n" % cve_data[cve]["abbrev-status"]
+
+ if 'status' in cve_data[cve]:
+ write_string += "CVE DETAIL: %s\n" % cve_data[cve]["status"]
+ if 'justification' in cve_data[cve]:
+ write_string += "CVE DESCRIPTION: %s\n" % cve_data[cve]["justification"]
+
+ if "NVD-summary" in cve_data[cve]:
+ write_string += "CVE SUMMARY: %s\n" % cve_data[cve]["NVD-summary"]
+ write_string += "CVSS v2 BASE SCORE: %s\n" % cve_data[cve]["NVD-scorev2"]
+ write_string += "CVSS v3 BASE SCORE: %s\n" % cve_data[cve]["NVD-scorev3"]
+ write_string += "CVSS v3 BASE SCORE: %s\n" % cve_data[cve]["NVD-scorev4"]
+ write_string += "VECTOR: %s\n" % cve_data[cve]["NVD-vector"]
+ write_string += "VECTORSTRING: %s\n" % cve_data[cve]["NVD-vectorString"]
+
write_string += "MORE INFORMATION: %s%s\n\n" % (nvd_link, cve)
+ if cve_data[cve]["abbrev-status"] == "Unpatched":
+ unpatched_cves.append(cve)
if unpatched_cves and d.getVar("CVE_CHECK_SHOW_WARNINGS") == "1":
bb.warn("Found unpatched CVE (%s), for more information check %s" % (" ".join(unpatched_cves),cve_file))
@@ -563,13 +587,11 @@ def cve_check_write_json_output(d, output, direct_file, deploy_file, manifest_fi
with open(index_path, "a+") as f:
f.write("%s\n" % fragment_path)
-def cve_write_data_json(d, patched, unpatched, ignored, cve_data, cve_status):
+def cve_write_data_json(d, cve_data, cve_status):
"""
Prepare CVE data for the JSON format, then write it.
"""
- from oe.cve_check import decode_cve_status
-
output = {"version":"1", "package": []}
nvd_link = "https://nvd.nist.gov/vuln/detail/"
@@ -587,8 +609,6 @@ def cve_write_data_json(d, patched, unpatched, ignored, cve_data, cve_status):
if include_layers and layer not in include_layers:
return
- unpatched_cves = []
-
product_data = []
for s in cve_status:
p = {"product": s[0], "cvesInRecord": "Yes"}
@@ -603,40 +623,32 @@ def cve_write_data_json(d, patched, unpatched, ignored, cve_data, cve_status):
"version" : package_version,
"products": product_data
}
+
cve_list = []
for cve in sorted(cve_data):
- is_patched = cve in patched
- is_ignored = cve in ignored
- status = "Unpatched"
- if (is_patched or is_ignored) and not report_all:
+ if not report_all and (cve_data[cve]["abbrev-status"] == "Patched" or cve_data[cve]["abbrev-status"] == "Ignored"):
continue
- if is_ignored:
- status = "Ignored"
- elif is_patched:
- status = "Patched"
- else:
- # default value of status is Unpatched
- unpatched_cves.append(cve)
-
issue_link = "%s%s" % (nvd_link, cve)
cve_item = {
"id" : cve,
- "summary" : cve_data[cve]["summary"],
- "scorev2" : cve_data[cve]["scorev2"],
- "scorev3" : cve_data[cve]["scorev3"],
- "scorev4" : cve_data[cve]["scorev4"],
- "vector" : cve_data[cve]["vector"],
- "vectorString" : cve_data[cve]["vectorString"],
- "status" : status,
- "link": issue_link
+ "status" : cve_data[cve]["abbrev-status"],
+ "link": issue_link,
}
- status_details = decode_cve_status(d, cve)
- if 'detail' in status_details:
- cve_item["detail"] = status_details['detail']
- if 'description' in status_details:
- cve_item["description"] = status_details['description']
+ if 'NVD-summary' in cve_data[cve]:
+ cve_item["summary"] = cve_data[cve]["NVD-summary"]
+ cve_item["scorev2"] = cve_data[cve]["NVD-scorev2"]
+ cve_item["scorev3"] = cve_data[cve]["NVD-scorev3"]
+ cve_item["scorev4"] = cve_data[cve]["NVD-scorev4"]
+ cve_item["vector"] = cve_data[cve]["NVD-vector"]
+ cve_item["vectorString"] = cve_data[cve]["NVD-vectorString"]
+ if 'status' in cve_data[cve]:
+ cve_item["detail"] = cve_data[cve]["status"]
+ if 'justification' in cve_data[cve]:
+ cve_item["description"] = cve_data[cve]["justification"]
+ if 'resource' in cve_data[cve]:
+ cve_item["patch-file"] = cve_data[cve]["resource"]
cve_list.append(cve_item)
package_data["issue"] = cve_list
@@ -648,12 +660,12 @@ def cve_write_data_json(d, patched, unpatched, ignored, cve_data, cve_status):
cve_check_write_json_output(d, output, direct_file, deploy_file, manifest_file)
-def cve_write_data(d, patched, unpatched, ignored, cve_data, status):
+def cve_write_data(d, cve_data, status):
"""
Write CVE data in each enabled format.
"""
if d.getVar("CVE_CHECK_FORMAT_TEXT") == "1":
- cve_write_data_text(d, patched, unpatched, ignored, cve_data)
+ cve_write_data_text(d, cve_data)
if d.getVar("CVE_CHECK_FORMAT_JSON") == "1":
- cve_write_data_json(d, patched, unpatched, ignored, cve_data, status)
+ cve_write_data_json(d, cve_data, status)
diff --git a/meta/lib/oe/cve_check.py b/meta/lib/oe/cve_check.py
index 767d1a6750..37230b7957 100644
--- a/meta/lib/oe/cve_check.py
+++ b/meta/lib/oe/cve_check.py
@@ -88,7 +88,7 @@ def get_patched_cves(d):
# (cve_match regular expression)
cve_file_name_match = re.compile(r".*(CVE-\d{4}-\d+)", re.IGNORECASE)
- patched_cves = set()
+ patched_cves = {}
patches = oe.patch.src_patches(d)
bb.debug(2, "Scanning %d patches for CVEs" % len(patches))
for url in patches:
@@ -98,7 +98,7 @@ def get_patched_cves(d):
fname_match = cve_file_name_match.search(patch_file)
if fname_match:
cve = fname_match.group(1).upper()
- patched_cves.add(cve)
+ patched_cves[cve] = {"abbrev-status": "Patched", "status": "fix-file-included", "resource": patch_file}
bb.debug(2, "Found %s from patch file name %s" % (cve, patch_file))
# Remote patches won't be present and compressed patches won't be
@@ -124,7 +124,7 @@ def get_patched_cves(d):
cves = patch_text[match.start()+5:match.end()]
for cve in cves.split():
bb.debug(2, "Patch %s solves %s" % (patch_file, cve))
- patched_cves.add(cve)
+ patched_cves[cve] = {"abbrev-status": "Patched", "status": "fix-file-included", "resource": patch_file}
text_match = True
if not fname_match and not text_match:
@@ -133,9 +133,15 @@ def get_patched_cves(d):
# Search for additional patched CVEs
for cve in (d.getVarFlags("CVE_STATUS") or {}):
decoded_status = decode_cve_status(d, cve)
- if 'mapping' in decoded_status and decoded_status['mapping'] == "Patched":
- bb.debug(2, "CVE %s is additionally patched" % cve)
- patched_cves.add(cve)
+ products = d.getVar("CVE_PRODUCT")
+ if has_cve_product_match(decoded_status, products) == True:
+ patched_cves[cve] = {
+ "abbrev-status": decoded_status["mapping"],
+ "status": decoded_status["detail"],
+ "justification": decoded_status["description"],
+ "affected-vendor": decoded_status["vendor"],
+ "affected-product": decoded_status["product"]
+ }
return patched_cves
@@ -286,3 +292,20 @@ def extend_cve_status(d):
d.setVarFlag("CVE_STATUS", cve, d.getVarFlag(cve_status_group, "status"))
else:
bb.warn("CVE_STATUS_GROUPS contains undefined variable %s" % cve_status_group)
+
+def has_cve_product_match(detailed_status, products):
+ """
+ Check product/vendor match between detailed_status from decode_cve_status and a string of
+ products (like from CVE_PRODUCT)
+ """
+ for product in products.split():
+ vendor = "*"
+ if ":" in product:
+ vendor, product = product.split(":", 1)
+
+ if (vendor == detailed_status["vendor"] or detailed_status["vendor"] == "*") and \
+ (product == detailed_status["product"] or detailed_status["product"] == "*"):
+ return True
+
+ #if no match, return False
+ return False
next prev parent reply other threads:[~2026-02-20 5:34 UTC|newest]
Thread overview: 38+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-02-20 5:34 [openembedded-core] [scarthgap] [PATCH v1 01/34] cve-check: encode affected product/vendor in CVE_STATUS Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-02-20 5:34 ` [openembedded-core] [scarthgap] [PATCH v1 02/34] cve_check: Update selftest with new status detail Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-02-20 5:34 ` Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco) [this message]
2026-02-20 5:34 ` [openembedded-core] [scarthgap] [PATCH v1 04/34] cve-check-map: add new statuses Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-02-20 5:34 ` [openembedded-core] [scarthgap] [PATCH v1 05/34] selftest: add test_product_match Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-02-20 5:34 ` [openembedded-core] [scarthgap] [PATCH v1 06/34] cve-check: remove the TEXT format support Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-02-20 5:34 ` [openembedded-core] [scarthgap] [PATCH v1 07/34] cve-check-update-nvd2-native: Incremement DL_DIR database location Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-02-20 5:34 ` [openembedded-core] [scarthgap] [PATCH v1 08/34] cve-check: add field "modified" to JSON report Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-02-20 5:34 ` [openembedded-core] [scarthgap] [PATCH v1 09/34] cve-check: do not skip cve status description after : Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-02-20 5:34 ` [openembedded-core] [scarthgap] [PATCH v1 10/34] cve-check: fix malformed cve status description with : characters Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-02-20 5:34 ` [openembedded-core] [scarthgap] [PATCH v1 11/34] cve-check: restore CVE_CHECK_SHOW_WARNINGS functionality Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-02-20 5:34 ` [openembedded-core] [scarthgap] [PATCH v1 12/34] cve-check: fix cvesInRecord Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-02-20 5:34 ` [openembedded-core] [scarthgap] [PATCH v1 13/34] cve-check: Fix errors in log lines Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-02-20 5:34 ` [openembedded-core] [scarthgap] [PATCH v1 14/34] cve-check: Rework patch parsing Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-02-20 5:34 ` [openembedded-core] [scarthgap] [PATCH v1 15/34] meta/lib/oe/cve_check.py: fix patched_cves not updated Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-02-20 5:34 ` [openembedded-core] [scarthgap] [PATCH v1 16/34] cve-check: allow feed choice Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-02-20 5:34 ` [openembedded-core] [scarthgap] [PATCH v1 17/34] cve-update-db-native: restore Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-02-20 5:34 ` [openembedded-core] [scarthgap] [PATCH v1 18/34] cve-update-db-native: update structure Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-02-20 5:34 ` [openembedded-core] [scarthgap] [PATCH v1 19/34] cve-update-db-native: add the fkie source Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-02-20 5:34 ` [openembedded-core] [scarthgap] [PATCH v1 20/34] cve-check: change the default feed Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-02-20 5:34 ` [openembedded-core] [scarthgap] [PATCH v1 21/34] cve-check: fix debug message Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-02-20 5:34 ` [openembedded-core] [scarthgap] [PATCH v1 22/34] spdx30: Allow VEX Justification to be configurable Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-02-20 5:34 ` [openembedded-core] [scarthgap] [PATCH v1 23/34] cve-update-db-native: fix fetcher for CVEs missing nodes Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-02-20 5:34 ` [openembedded-core] [scarthgap] [PATCH v1 24/34] cve-update-db-native: Use a local copy of the database during builds Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-02-20 5:34 ` [openembedded-core] [scarthgap] [PATCH v1 25/34] cve-update-db-native: Handle BB_NO_NETWORK and missing db Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-02-20 5:34 ` [openembedded-core] [scarthgap] [PATCH v1 26/34] cve-update-db-native: log a little more Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-02-20 5:34 ` [openembedded-core] [scarthgap] [PATCH v1 27/34] cve-update: decrease update interval to 23 hours Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-02-20 5:34 ` [openembedded-core] [scarthgap] [PATCH v1 28/34] cve-update: remove cleanup of db_file in downloads Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-02-20 5:34 ` [openembedded-core] [scarthgap] [PATCH v1 29/34] cve-update-db-native: Fix FKIE CVE accessVector parsing Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-02-20 5:34 ` [openembedded-core] [scarthgap] [PATCH v1 30/34] cve-update-db-native: FKIE CVE parsing: Use Secondary metric Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-02-20 5:34 ` [openembedded-core] [scarthgap] [PATCH v1 31/34] cve-update: log timestamps and add force update for future time Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-02-20 5:34 ` [openembedded-core] [scarthgap] [PATCH v1 32/34] cve-update-db-native: pycodestyle fixes Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-02-20 5:34 ` [openembedded-core] [scarthgap] [PATCH v1 33/34] cve-update-nvd2-native: " Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-02-20 5:34 ` [openembedded-core] [scarthgap] [PATCH v1 34/34] cve-update: Avoid NFS caching issues Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-02-23 9:46 ` [OE-core] [openembedded-core] [scarthgap] [PATCH v1 01/34] cve-check: encode affected product/vendor in CVE_STATUS Paul Barker
2026-02-23 12:31 ` Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-03-03 9:09 ` Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-03-05 13:13 ` Yoann Congal
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260220053443.3006180-3-hetpat@cisco.com \
--to=hetpat@cisco.com \
--cc=openembedded-core@lists.openembedded.org \
--cc=vchavda@cisco.com \
--cc=xe-linux-external@cisco.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox