public inbox for openembedded-core@lists.openembedded.org
From: "Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)" <hetpat@cisco.com>
To: openembedded-core@lists.openembedded.org
Cc: xe-linux-external@cisco.com, vchavda@cisco.com
Subject: [openembedded-core] [scarthgap] [PATCH v1 06/34] cve-check: remove the TEXT format support
Date: Thu, 19 Feb 2026 21:34:15 -0800
Message-ID: <20260220053443.3006180-6-hetpat@cisco.com>
In-Reply-To: <20260220053443.3006180-1-hetpat@cisco.com>

From: Marta Rybczynska <rybczynska@gmail.com>

Remove the TEXT format support, as the JSON format offers more functions.
Users who do automation should have migrated already.

Support of both formats makes the code more complex than necessary.

Users can convert JSON files to TEXT files with cve-json-to-text.py
in scripts/

Backport Changes:
- The changes from commit [81e702c85c62] have been discarded.

Signed-off-by: Marta Rybczynska <marta.rybczynska@ygreky.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 05ef4f2a7b225c8d230eaca8d333ffb921729d79)
Signed-off-by: Het Patel <hetpat@cisco.com>
---
 meta/classes/cve-check.bbclass | 118 +--------------------------------
 1 file changed, 1 insertion(+), 117 deletions(-)

diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 32fb9e8a5c..65d90dd420 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -36,20 +36,15 @@ CVE_CHECK_DB_DIR ?= "${STAGING_DIR}/CVE_CHECK"
 CVE_CHECK_DB_FILE ?= "${CVE_CHECK_DB_DIR}/${CVE_CHECK_DB_FILENAME}"
 CVE_CHECK_DB_FILE_LOCK ?= "${CVE_CHECK_DB_FILE}.lock"
 
-CVE_CHECK_LOG ?= "${T}/cve.log"
-CVE_CHECK_TMP_FILE ?= "${TMPDIR}/cve_check"
 CVE_CHECK_SUMMARY_DIR ?= "${LOG_DIR}/cve"
 CVE_CHECK_SUMMARY_FILE_NAME ?= "cve-summary"
-CVE_CHECK_SUMMARY_FILE ?= "${CVE_CHECK_SUMMARY_DIR}/${CVE_CHECK_SUMMARY_FILE_NAME}"
 CVE_CHECK_SUMMARY_FILE_NAME_JSON = "cve-summary.json"
 CVE_CHECK_SUMMARY_INDEX_PATH = "${CVE_CHECK_SUMMARY_DIR}/cve-summary-index.txt"
 
 CVE_CHECK_LOG_JSON ?= "${T}/cve.json"
 
 CVE_CHECK_DIR ??= "${DEPLOY_DIR}/cve"
-CVE_CHECK_RECIPE_FILE ?= "${CVE_CHECK_DIR}/${PN}"
 CVE_CHECK_RECIPE_FILE_JSON ?= "${CVE_CHECK_DIR}/${PN}_cve.json"
-CVE_CHECK_MANIFEST ?= "${IMGDEPLOYDIR}/${IMAGE_NAME}.cve"
 CVE_CHECK_MANIFEST_JSON_SUFFIX ?= "json"
 CVE_CHECK_MANIFEST_JSON ?= "${IMGDEPLOYDIR}/${IMAGE_NAME}.${CVE_CHECK_MANIFEST_JSON_SUFFIX}"
 CVE_CHECK_COPY_FILES ??= "1"
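Review bot: The five defaults dropped in this hunk (CVE_CHECK_LOG, CVE_CHECK_TMP_FILE, CVE_CHECK_SUMMARY_FILE, CVE_CHECK_RECIPE_FILE, CVE_CHECK_MANIFEST) were all weak "?=" assignments, so layers or CI scripts may override or read them, and this is a backport to scarthgap. Anything outside this class that still expands ${CVE_CHECK_MANIFEST} or ${CVE_CHECK_RECIPE_FILE} will stop resolving to a report path. Please list the removed variables in the commit message so downstream users can grep for them, and name the JSON counterparts that remain (CVE_CHECK_LOG_JSON, CVE_CHECK_RECIPE_FILE_JSON, CVE_CHECK_MANIFEST_JSON).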
@@ -60,9 +55,6 @@ CVE_CHECK_REPORT_PATCHED ??= "1"
 
 CVE_CHECK_SHOW_WARNINGS ??= "1"
 
-# Provide text output
-CVE_CHECK_FORMAT_TEXT ??= "1"
-
 # Provide JSON output
 CVE_CHECK_FORMAT_JSON ??= "1"
 
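Review bot: Once the "??=" default for CVE_CHECK_FORMAT_TEXT is gone, a local.conf or distro config that still sets it becomes a silent no-op. Because the class no longer defines the variable, any value returned by d.getVar("CVE_CHECK_FORMAT_TEXT") comes from outside this class, so a one-line bb.warn when it is set would tell people to switch to the JSON report and scripts/cve-json-to-text.py instead of leaving them to wonder where the text report went.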
@@ -139,20 +131,11 @@ python cve_save_summary_handler () {
     import datetime
     from oe.cve_check import update_symlinks
 
-    cve_tmp_file = d.getVar("CVE_CHECK_TMP_FILE")
-
     cve_summary_name = d.getVar("CVE_CHECK_SUMMARY_FILE_NAME")
     cvelogpath = d.getVar("CVE_CHECK_SUMMARY_DIR")
     bb.utils.mkdirhier(cvelogpath)
 
     timestamp = datetime.datetime.now().strftime('%Y%m%d%H%M%S')
-    cve_summary_file = os.path.join(cvelogpath, "%s-%s.txt" % (cve_summary_name, timestamp))
-
-    if os.path.exists(cve_tmp_file):
-        shutil.copyfile(cve_tmp_file, cve_summary_file)
-        cvefile_link = os.path.join(cvelogpath, cve_summary_name)
-        update_symlinks(cve_summary_file, cvefile_link)
-        bb.plain("Complete CVE report summary created at: %s" % cvefile_link)
 
     if d.getVar("CVE_CHECK_FORMAT_JSON") == "1":
         json_summary_link_name = os.path.join(cvelogpath, d.getVar("CVE_CHECK_SUMMARY_FILE_NAME_JSON"))
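Review bot: cve_summary_name is still read from CVE_CHECK_SUMMARY_FILE_NAME at the top of cve_save_summary_handler, but both of its uses visible in this hunk (building cve_summary_file and cvefile_link) are removed. If nothing further down the function uses it, drop the assignment and the CVE_CHECK_SUMMARY_FILE_NAME default as well, so the class does not keep a variable that only existed for the text summary.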
@@ -195,7 +178,6 @@ python cve_check_cleanup () {
     """
     Delete the file used to gather all the CVE information.
     """
-    bb.utils.remove(e.data.getVar("CVE_CHECK_TMP_FILE"))
     bb.utils.remove(e.data.getVar("CVE_CHECK_SUMMARY_INDEX_PATH"))
 }
 
@@ -213,9 +195,6 @@ python cve_check_write_rootfs_manifest () {
     from oe.cve_check import cve_check_merge_jsons, update_symlinks
 
     if d.getVar("CVE_CHECK_COPY_FILES") == "1":
-        deploy_file = d.getVar("CVE_CHECK_RECIPE_FILE")
-        if os.path.exists(deploy_file):
-            bb.utils.remove(deploy_file)
         deploy_file_json = d.getVar("CVE_CHECK_RECIPE_FILE_JSON")
         if os.path.exists(deploy_file_json):
             bb.utils.remove(deploy_file_json)
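Review bot: The three lines deleted here were what removed an existing ${CVE_CHECK_DIR}/${PN} text file when CVE_CHECK_COPY_FILES is "1", so text reports left in the deploy directory by builds made before this change are no longer cleaned up at this point. A stale per-recipe text report sitting next to a fresh ${PN}_cve.json can be mistaken for current data. Consider keeping the removal of the old path for a transition period, or state in the commit message that existing text files under CVE_CHECK_DIR must be deleted by hand.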
@@ -235,19 +214,13 @@ python cve_check_write_rootfs_manifest () {
     json_data = {"version":"1", "package": []}
     text_data = ""
     enable_json = d.getVar("CVE_CHECK_FORMAT_JSON") == "1"
-    enable_text = d.getVar("CVE_CHECK_FORMAT_TEXT") == "1"
 
     save_pn = d.getVar("PN")
 
     for pkg in recipies:
-        # To be able to use the CVE_CHECK_RECIPE_FILE variable we have to evaluate
+        # To be able to use the CVE_CHECK_RECIPE_FILE_JSON variable we have to evaluate
         # it with the different PN names set each time.
         d.setVar("PN", pkg)
-        if enable_text:
-            pkgfilepath = d.getVar("CVE_CHECK_RECIPE_FILE")
-            if os.path.exists(pkgfilepath):
-                with open(pkgfilepath) as pfile:
-                    text_data += pfile.read()
 
         if enable_json:
             pkgfilepath = d.getVar("CVE_CHECK_RECIPE_FILE_JSON")
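Review bot: text_data = "" is left behind as a context line at the top of this hunk, but the only code that appended to it (the enable_text branch in the loop) is removed here, and the block that wrote it to CVE_CHECK_MANIFEST goes away in the next hunk. Delete the initialisation too, so no dead text-format state stays in cve_check_write_rootfs_manifest.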
@@ -258,17 +231,6 @@ python cve_check_write_rootfs_manifest () {
 
     d.setVar("PN", save_pn)
 
-    if enable_text:
-        manifest_name = d.getVar("CVE_CHECK_MANIFEST")
-
-        with open(manifest_name, "w") as f:
-            f.write(text_data)
-
-        if link_name:
-            link_path = os.path.join(deploy_dir, "%s.cve" % link_name)
-            update_symlinks(manifest_name, link_path)
-        bb.plain("Image CVE report stored in: %s" % manifest_name)
-
     if enable_json:
         manifest_name_suffix = d.getVar("CVE_CHECK_MANIFEST_JSON_SUFFIX")
         manifest_name = d.getVar("CVE_CHECK_MANIFEST_JSON")
@@ -481,82 +443,6 @@ def get_cve_info(d, cve_data):
         cursor.close()
     conn.close()
 
-def cve_write_data_text(d, cve_data):
-    """
-    Write CVE information in WORKDIR; and to CVE_CHECK_DIR, and
-    CVE manifest if enabled.
-    """
-
-    cve_file = d.getVar("CVE_CHECK_LOG")
-    fdir_name  = d.getVar("FILE_DIRNAME")
-    layer = fdir_name.split("/")[-3]
-
-    include_layers = d.getVar("CVE_CHECK_LAYER_INCLUDELIST").split()
-    exclude_layers = d.getVar("CVE_CHECK_LAYER_EXCLUDELIST").split()
-
-    report_all = d.getVar("CVE_CHECK_REPORT_PATCHED") == "1"
-
-    if exclude_layers and layer in exclude_layers:
-        return
-
-    if include_layers and layer not in include_layers:
-        return
-
-    # Early exit, the text format does not report packages without CVEs
-    if not len(cve_data):
-        return
-
-    nvd_link = "https://nvd.nist.gov/vuln/detail/"
-    write_string = ""
-    unpatched_cves = []
-    bb.utils.mkdirhier(os.path.dirname(cve_file))
-
-    for cve in sorted(cve_data):
-        if not report_all and (cve_data[cve]["abbrev-status"] == "Patched" or cve_data[cve]["abbrev-status"] == "Ignored"):
-            continue
-        write_string += "LAYER: %s\n" % layer
-        write_string += "PACKAGE NAME: %s\n" % d.getVar("PN")
-        write_string += "PACKAGE VERSION: %s%s\n" % (d.getVar("EXTENDPE"), d.getVar("PV"))
-        write_string += "CVE: %s\n" % cve
-        write_string += "CVE STATUS: %s\n" % cve_data[cve]["abbrev-status"]
-
-        if 'status' in cve_data[cve]:
-            write_string += "CVE DETAIL: %s\n" % cve_data[cve]["status"]
-        if 'justification' in cve_data[cve]:
-            write_string += "CVE DESCRIPTION: %s\n" % cve_data[cve]["justification"]
-
-        if "NVD-summary" in cve_data[cve]:
-            write_string += "CVE SUMMARY: %s\n" % cve_data[cve]["NVD-summary"]
-            write_string += "CVSS v2 BASE SCORE: %s\n" % cve_data[cve]["NVD-scorev2"]
-            write_string += "CVSS v3 BASE SCORE: %s\n" % cve_data[cve]["NVD-scorev3"]
-            write_string += "CVSS v3 BASE SCORE: %s\n" % cve_data[cve]["NVD-scorev4"]
-            write_string += "VECTOR: %s\n" % cve_data[cve]["NVD-vector"]
-            write_string += "VECTORSTRING: %s\n" % cve_data[cve]["NVD-vectorString"]
-
-        write_string += "MORE INFORMATION: %s%s\n\n" % (nvd_link, cve)
-        if cve_data[cve]["abbrev-status"] == "Unpatched":
-            unpatched_cves.append(cve)
-
-    if unpatched_cves and d.getVar("CVE_CHECK_SHOW_WARNINGS") == "1":
-        bb.warn("Found unpatched CVE (%s), for more information check %s" % (" ".join(unpatched_cves),cve_file))
-
-    with open(cve_file, "w") as f:
-        bb.note("Writing file %s with CVE information" % cve_file)
-        f.write(write_string)
-
-    if d.getVar("CVE_CHECK_COPY_FILES") == "1":
-        deploy_file = d.getVar("CVE_CHECK_RECIPE_FILE")
-        bb.utils.mkdirhier(os.path.dirname(deploy_file))
-        with open(deploy_file, "w") as f:
-            f.write(write_string)
-
-    if d.getVar("CVE_CHECK_CREATE_MANIFEST") == "1":
-        cvelogpath = d.getVar("CVE_CHECK_SUMMARY_DIR")
-        bb.utils.mkdirhier(cvelogpath)
-
-        with open(d.getVar("CVE_CHECK_TMP_FILE"), "a") as f:
-            f.write("%s" % write_string)
-
 def cve_check_write_json_output(d, output, direct_file, deploy_file, manifest_file):
     """
     Write CVE information in the JSON format: to WORKDIR; and to
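Review bot: The bb.warn("Found unpatched CVE ...") call gated by CVE_CHECK_SHOW_WARNINGS lived inside the removed cve_write_data_text, and nothing in this patch adds an equivalent to the JSON path. Unless cve_write_data_json or its caller already warns, builds will stop flagging unpatched CVEs on the console even with CVE_CHECK_SHOW_WARNINGS set to "1", which still has its default earlier in the class. Please confirm the warning survives, or move it into cve_write_data ahead of the format check. The removed message also pointed readers at CVE_CHECK_LOG, so a replacement should reference CVE_CHECK_LOG_JSON instead.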
@@ -665,7 +551,5 @@ def cve_write_data(d, cve_data, status):
     Write CVE data in each enabled format.
     """
 
-    if d.getVar("CVE_CHECK_FORMAT_TEXT") == "1":
-        cve_write_data_text(d, cve_data)
     if d.getVar("CVE_CHECK_FORMAT_JSON") == "1":
         cve_write_data_json(d, cve_data, status)
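Review bot: With the text branch gone, cve_write_data writes nothing at all when CVE_CHECK_FORMAT_JSON is not "1", and it returns without any report or message. The docstring still says "each enabled format" although only one format is left. Either warn when JSON output is disabled or retire the toggle, and update the docstring to match.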

