From: Benjamin Robin <benjamin.robin@bootlin.com>
To: "openembedded-core@lists.openembedded.org"
<openembedded-core@lists.openembedded.org>,
Daniel Turull <daniel.turull@ericsson.com>
Subject: Re: [PATCH] improve_kernel_cve_report: use numeric versions instead of cpeApplicability
Date: Fri, 17 Apr 2026 15:54:57 +0200
Message-ID: <2259273.irdbgypaU6@brobin-bootlin>
In-Reply-To: <PA3PR07MB10721B25CE9927D9C2E70BD208A202@PA3PR07MB10721.eurprd07.prod.outlook.com>
On Friday, April 17, 2026 at 3:44 PM, Daniel Turull wrote:
> Hi,
> We had Greg visiting us and I asked him what is better to use and he said git or versions, not cpeApplicability that has issues defining trees.
Your reply is technically not responding to my question :)
Could you provide at least one example with an entry that is not correct
in the cpeApplicability node?
The script previously had various issues (or at least it looked like it).
I preferred to use a completely different algorithm (and to use all sources
of information).
But since I am also using NVD entries, this degrades a bit the quality of
the generated assessment message.
> I have done some comparison with 6.6.100 and 6.18.22
>
>
> === 6.6.100 ===
> Old: 10900 New: 10898 Match: 10418 Only old: 2 Only new: 0 Diff: 480
> 327 Unpatched/version-in-range -> Unpatched/version-in-range
> 106 Patched/fixed-version -> Patched/fixed-version
> 16 Patched/cpe-stable-backport -> Unpatched/version-in-range
> 15 Unpatched/version-in-range -> Patched/fixed-version
> 5 Patched/fixed-version -> Unpatched/known-affected
> 5 Patched/fixed-version -> Unpatched/version-in-range
> 2 Patched/cpe-stable-backport -> Patched/fixed-version
> 1 Patched/version-not-in-range -> Unpatched/version-in-range
> 1 Patched/cpe-stable-backport -> Unpatched/known-affected
> 1 Patched/version-not-in-range -> Patched/fixed-version
> 1 Unpatched/version-in-range -> Unpatched/known-affected
> Only in old:
> CVE-2024-0000: Patched/version-not-in-range
> CVE-2024-0053: Patched/version-not-in-range
>
> === 6.18.22 ===
> Old: 10900 New: 10898 Match: 10877 Only old: 2 Only new: 0 Diff: 21
> 7 Unpatched/version-in-range -> Unpatched/version-in-range
> 6 Patched/fixed-version -> Patched/fixed-version
> 6 Patched/fixed-version -> Unpatched/known-affected
> 1 Unpatched/version-in-range -> Unpatched/known-affected
> 1 Unpatched/version-in-range -> Patched/cpe-stable-backport
> Only in old:
> CVE-2024-0000: Patched/version-not-in-range
> CVE-2024-0053: Patched/version-not-in-range
>
> old vs new outputs for kernel 6.18.22
>
> Old total: 10900
> New total: 10898
> Matching: 10877
> Only in old: 2
> Only in new: 0
> Different: 21
>
> Difference categories:
> 7 Unpatched/version-in-range -> Unpatched/version-in-range
> 6 Patched/fixed-version -> Patched/fixed-version
> 6 Patched/fixed-version -> Unpatched/known-affected
> 1 Unpatched/version-in-range -> Unpatched/known-affected
> 1 Unpatched/version-in-range -> Patched/cpe-stable-backport
>
> Only in old (2):
> CVE-2024-0000: Patched/version-not-in-range: No CPE match
> CVE-2024-0053: Patched/version-not-in-range: No CPE match
>
> Different (all 21):
> CVE-2021-47295:
> old: Patched/fixed-version: Fixed from version 6.2.5
> new: Patched/fixed-version: Fixed from version 5.14
> CVE-2021-47342:
> old: Patched/fixed-version: Fixed from version 5.12.5000
> new: Patched/fixed-version: Fixed from version 5.10.77
> CVE-2022-50396:
> old: Patched/fixed-version: Fixed from version 6.2.5
> new: Patched/fixed-version: Fixed from version 6.2
> CVE-2023-53012:
> old: Patched/fixed-version: Fixed from version 6.1.5000
> new: Unpatched/known-affected: No known resolution
> CVE-2023-53187:
> old: Patched/fixed-version: Fixed from version 5.15.5000
> new: Unpatched/known-affected: No known resolution
> CVE-2024-49854:
> old: Patched/fixed-version: Fixed from version 5.10.5000
> new: Unpatched/known-affected: No known resolution
> CVE-2025-38656:
> old: Patched/fixed-version: Fixed from version 6.12.5000
> new: Unpatched/known-affected: No known resolution
> CVE-2025-68195:
> old: Patched/fixed-version: Fixed from version 6.12.5000
> new: Unpatched/known-affected: No known resolution
> CVE-2025-68357:
> old: Patched/fixed-version: Fixed from version 6.17.5000
> new: Patched/fixed-version: Fixed from version 6.12.64
> CVE-2025-71145:
> old: Patched/fixed-version: Fixed from version 5.10.5000
> new: Unpatched/known-affected: No known resolution
> CVE-2026-23288:
> old: Patched/fixed-version: only affects 6.19.4 onwards
> new: Patched/fixed-version: only affects 6.19 onwards
> CVE-2026-23327:
> old: Unpatched/version-in-range: Needs backporting (fixed from 6.19.7)
> new: Unpatched/version-in-range: Needs backporting (fixed from 7.0rc2)
> CVE-2026-23328:
> old: Unpatched/version-in-range: Needs backporting (fixed from 6.19.7)
> new: Unpatched/version-in-range: Needs backporting (fixed from 7.0rc3)
> CVE-2026-23333:
> old: Unpatched/version-in-range: Needs backporting (fixed from 6.19.4)
> new: Unpatched/known-affected: No known resolution
> CVE-2026-23341:
> old: Patched/fixed-version: only affects 6.19.4 onwards
> new: Patched/fixed-version: only affects 6.19 onwards
> CVE-2026-23355:
> old: Unpatched/version-in-range: Needs backporting (fixed from 7.0rc3)
> new: Patched/cpe-stable-backport: Backported in 6.18.18
> CVE-2026-23371:
> old: Unpatched/version-in-range: Needs backporting (fixed from 6.19.7)
> new: Unpatched/version-in-range: Needs backporting (fixed from 7.0rc3)
> CVE-2026-23374:
> old: Unpatched/version-in-range: Needs backporting (fixed from 6.19.7)
> new: Unpatched/version-in-range: Needs backporting (fixed from 7.0rc3)
> CVE-2026-23377:
> old: Unpatched/version-in-range: Needs backporting (fixed from 6.19.7)
> new: Unpatched/version-in-range: Needs backporting (fixed from 7.0rc3)
> CVE-2026-23389:
> old: Unpatched/version-in-range: Needs backporting (fixed from 6.19.7)
> new: Unpatched/version-in-range: Needs backporting (fixed from 7.0rc3)
> CVE-2026-23394:
> old: Unpatched/version-in-range: Needs backporting (fixed from 6.19.10)
> new: Unpatched/version-in-range: Needs backporting (fixed from 7.0rc5)
>
> Best regards,
> Daniel
>
> > -----Original Message-----
> > From: Benjamin Robin <benjamin.robin@bootlin.com>
> > Sent: Friday, 17 April 2026 15:32
> > To: openembedded-core@lists.openembedded.org; Daniel Turull
> > <daniel.turull@ericsson.com>
> > Subject: Re: [PATCH] improve_kernel_cve_report: use numeric versions
> > instead of cpeApplicability
> >
> >
> > Hello Daniel,
> >
> > On Friday, April 17, 2026 at 3:24 PM, daniel.turull@ericsson.com wrote:
> > > From: Daniel Turull <daniel.turull@ericsson.com>
> > >
> > > git shas or versions should be used instead of cpeApplicability.
> > > Reuse the same logic as generate-cve-exclusions, so outputs are consistent.
> > >
> > > cpeApplicability does not provide accurate version information and for
> > > some CVEs the information is not the same. This came from a
> > > discussion that we had with Greg Kroah-Hartman, member of the Linux
> > > security team.
> >
> > Indeed "cpeApplicability" does not provide the same kind of information as
> > the "versions" node.
> > In sbom-cve-check (the latest version in main branch) we are using both
> > sources of information.
> > But you are saying that "cpeApplicability" does not provide accurate version
> > information. Could you elaborate and give various examples? I never saw
> > something invalid in "cpeApplicability".
> >
--
Benjamin Robin, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
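As an added illustration of the numeric-version classification this thread compares (my own code, not the improve_kernel_cve_report script nor the generate-cve-exclusions logic it reuses): it decides whether a stable release such as 6.18.22 already carries a fix, treating mainline fixes and stable backports differently. The record shape (introduced, fixes) and the CVE-EXAMPLE ids are constructed assumptions; the status labels are the ones in Daniel's comparison output.

```python
import re

def parse_version(v: str) -> tuple:
    """'6.18.22' -> (6, 18, 22, inf); '7.0rc3' -> (7, 0, 0, 3), so an rc sorts
    before its final release and '6.19' sorts before '6.19.4'."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-?rc(\d+))?", v)
    if not m:
        raise ValueError(f"unparseable kernel version: {v!r}")
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch or 0), int(rc) if rc else float("inf"))

def contains_fix(kernel: str, fix: str) -> bool:
    """True if release `kernel` ships the fix first released in `fix`. A mainline
    fix (x.y or x.yrcN) is inherited by every later release; a stable backport
    (x.y.z) only reaches releases on that same x.y branch, so 7.0rc3 alone does
    nothing for a 6.18 kernel and 6.18.18 does nothing for a 6.12 kernel."""
    k, f = parse_version(kernel), parse_version(fix)
    mainline_fix = f[2] == 0
    return k >= f and (mainline_fix or k[:2] == f[:2])

def classify(kernel: str, introduced: str, fixes: list) -> tuple:
    """Status labels follow the assessment categories quoted in the thread.
    Assumption: `introduced` is the mainline version where the bug appeared
    and `fixes` lists every release (mainline or stable) carrying the fix."""
    k = parse_version(kernel)
    if k < parse_version(introduced):
        return "Patched/version-not-in-range", f"only affects {introduced} onwards"
    if not fixes:
        return "Unpatched/known-affected", "No known resolution"
    for fix in sorted(fixes, key=parse_version):
        if contains_fix(kernel, fix):
            return "Patched/fixed-version", f"Fixed from version {fix}"
    newest = max(fixes, key=parse_version)
    return "Unpatched/version-in-range", f"Needs backporting (fixed from {newest})"

# Constructed sample records (illustrative; not the real entries for any CVE).
SAMPLE = {
    "CVE-EXAMPLE-0001": {"introduced": "5.14", "fixes": ["6.18.18", "7.0rc3"]},
    "CVE-EXAMPLE-0002": {"introduced": "6.2", "fixes": ["7.0rc5"]},
    "CVE-EXAMPLE-0003": {"introduced": "6.19", "fixes": ["6.19.4", "7.0rc2"]},
    "CVE-EXAMPLE-0004": {"introduced": "5.10", "fixes": []},
}

def assess(kernel: str, records: dict = SAMPLE) -> dict:
    """Map every record to (status, reason) for the given kernel release."""
    return {cve: classify(kernel, r["introduced"], r["fixes"]) for cve, r in records.items()}

if __name__ == "__main__":
    for cve, (status, reason) in assess("6.18.22").items():
        print(f"{cve}: {status}: {reason}")
```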