From: Benjamin Robin <benjamin.robin@bootlin.com>
To: Daniel Turull <daniel.turull@ericsson.com>,
Ross Burton <Ross.Burton@arm.com>
Cc: "rybczynska@gmail.com" <rybczynska@gmail.com>,
"openembedded-core@lists.openembedded.org"
<openembedded-core@lists.openembedded.org>
Subject: Re: [OE-core] [PATCH 1/3] classes/vex: remove
Date: Thu, 02 Apr 2026 16:53:33 +0200
Message-ID: <3204609.CbtlEUcBR6@brobin-bootlin>
In-Reply-To: <B7466D11-14E9-49CF-9203-24A6B4D47DB6@arm.com>
Hello,
On Thursday, April 2, 2026 at 4:42 PM, Ross Burton wrote:
> On 1 Apr 2026, at 13:29, Daniel Turull <daniel.turull@ericsson.com> wrote:
> > The kernel scripts to check CVEs use the vex output as input.
> > https://git.openembedded.org/openembedded-core/tree/scripts/contrib/improve_kernel_cve_report.py
>
> I believe this functionality is also superseded by sbom-cve-check, as the recommended configuration fragment sets SPDX_INCLUDE_COMPILED_SOURCES:pn-linux-yocto = “1”.
>
> Would you be able to verify this? We might be able to deprecate/remove this script too in master.
>
> Ross
Currently, sbom-cve-check does not fully handle Linux kernel CVEs correctly.
Special processing is required when the information originates from the
kernel CNA, as many kernel CVEs are incorrectly marked as vulnerable.
Additionally, sbom-cve-check does not yet provide an assessment as detailed
as improve_kernel_cve_report.py.

The first limitation is planned to be addressed in the very near future
(within this month). And for the second point, I hope I can address it
at the same time.
--
Benjamin Robin, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com