From: Benjamin ROBIN <benjamin.robin@bootlin.com>
To: openembedded-core@lists.openembedded.org,
ValentinBoudevin <valentin.boudevin@gmail.com>,
Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Cc: daniel.turull@ericsson.com, jerome.oufella@savoirfairelinux.com,
Olivier Benjamin <olivier.benjamin@bootlin.com>,
Antonin Godard <antonin.godard@bootlin.com>
Subject: Re: [PATCH v4 1/1] improve_kernel_cve_report: Add a bbclass support
Date: Thu, 22 Jan 2026 13:58:30 +0100
Message-ID: <3399952.44csPzL39Z@brobin-bootlin>
In-Reply-To: <20260119184051.2878026-2-valentin.boudevin@gmail.com>
Hello,
Sorry to provide these remarks in the v4 version.
On Monday, January 19, 2026 at 7:40 PM, ValentinBoudevin wrote:
> Signed-off-by: Valentin Boudevin <valentin.boudevin@gmail.com>
> ---
> .../improve_kernel_cve_report-base.bbclass | 149 ++++++++++++++++++
> ...improve_kernel_cve_report-spdx-2.2.bbclass | 4 +
> .../improve_kernel_cve_report-spdx.bbclass | 4 +
> 3 files changed, 157 insertions(+)
> create mode 100644 meta/classes/improve_kernel_cve_report-base.bbclass
> create mode 100644 meta/classes/improve_kernel_cve_report-spdx-2.2.bbclass
> create mode 100644 meta/classes/improve_kernel_cve_report-spdx.bbclass
>
> diff --git a/meta/classes/improve_kernel_cve_report-base.bbclass b/meta/classes/improve_kernel_cve_report-base.bbclass
> new file mode 100644
> index 0000000000..9d3be08203
> --- /dev/null
> +++ b/meta/classes/improve_kernel_cve_report-base.bbclass
> @@ -0,0 +1,149 @@
Maybe add documentation on how to use this bbclass?
> +# Settings for the vulns git repository configuration
> +IMPROVE_KERNEL_CVE_SRC_URI ?= "git://git.kernel.org/pub/scm/linux/security/vulns.git;branch=master;protocol=https"
> +IMPROVE_KERNEL_CVE_SRCREV ?= "${@bb.fetch2.get_autorev(d)}"
> +IMPROVE_KERNEL_CVE_NETWORK ?= "1"
> +IMPROVE_KERNEL_CVE_WORKDIR ?= "${WORKDIR}/vulns"
> +IMPROVE_KERNEL_CVE_DESTSUFFIX ?= "git"
> +IMPROVE_KERNEL_CVE_UNPACK_DIR ?= "${IMPROVE_KERNEL_CVE_WORKDIR}/${IMPROVE_KERNEL_CVE_DESTSUFFIX}"
> +
> +# Settings for SPDX support
> +IMPROVE_KERNEL_PREFERRED_PROVIDER ?= ""
> +IMPROVE_KERNEL_SPDX_FILE ?= ""
> +
> +python __anonymous() {
> + srcrev = d.getVar("IMPROVE_KERNEL_CVE_SRCREV", True) or ""
> + network = d.getVar("IMPROVE_KERNEL_CVE_NETWORK", True) or "0"
> + # Check the IMPROVE_KERNEL_SPDX_FILE variable was set
> + if not d.getVar("IMPROVE_KERNEL_SPDX_FILE"):
> + bb.fatal("improve_kernel_cve: IMPROVE_KERNEL_SPDX_FILE is not set. Need to inherit improve_kernel_cve_report-spdx-2.2 or improve_kernel_cve_report-spdx")
> + return
> + # Check if networking is enabled to set SRC_URI
> + if network == "0":
> + d.appendVar("SRC_URI", " ${IMPROVE_KERNEL_CVE_SRC_URI};name=improve-kernel-cve;destsuffix=${IMPROVE_KERNEL_CVE_DESTSUFFIX}")
> + # Check offline mode with AUTOREV-like SRCREV
> + if network == "0" and srcrev.strip() in ("${AUTOREV}", "AUTOINC", "INVALID"):
> + bb.fatal("improve_kernel_cve: Offline mode but SRCREV is set to AUTOREV/AUTOINC/INVALID. Cannot proceed without network access or use a fixed SRCREV.")
> + d.setVar("SRCREV_improve-kernel-cve", d.getVar("IMPROVE_KERNEL_CVE_SRCREV"))
> + # Check which SPDX class is inherited
> + inherits = (d.getVar("INHERIT") or "")
You really should use instead: bb.data.inherits_class("create-spdx-2.2", d)
This remark applies to various places.
> + if "create-spdx-2.2" in inherits:
> + bb.build.addtask("do_scout_extra_kernel_vulns", "do_build", "do_rootfs", d)
> + elif "create-spdx" in inherits:
> + bb.build.addtask('do_scout_extra_kernel_vulns', 'do_build', 'do_create_image_sbom_spdx', d)
> +}
> +
> +python do_clean:append() {
> + import os, glob
> + deploy_dir = d.expand('${DEPLOY_DIR_IMAGE}')
> + for f in glob.glob(os.path.join(deploy_dir, '*scouted.json')):
> + bb.note("Removing " + f)
> + os.remove(f)
> +}
> +
> +python do_clone_kernel_cve() {
> + import subprocess
> + import shutil, os
> + # Check if the system is using SPDX 3.0
> + inherit_var = d.getVar("INHERIT")
Same here.
> + preferred_provider = d.getVar("IMPROVE_KERNEL_PREFERRED_PROVIDER")
> + if preferred_provider not in inherit_var:
> + bb.warn(f"improve_kernel_cve: Requires the class {preferred_provider} enable in INHERIT variable.")
> + return
> + network_allowed = d.getVar("IMPROVE_KERNEL_CVE_NETWORK") == "1"
> + workdir = d.getVar("IMPROVE_KERNEL_CVE_WORKDIR")
> + unpack_dir = d.getVar("IMPROVE_KERNEL_CVE_UNPACK_DIR")
> + # Remove existing unpacked directory if any
> + if os.path.exists(workdir):
> + shutil.rmtree(workdir)
> + # Prepare fetcher
> + src_uri_list = (d.getVar('SRC_URI') or "").split()
> + cve_uris = []
> + for uri in src_uri_list:
> + if "name=improve-kernel-cve" in uri:
> + cve_uris.append(uri)
> + if not cve_uris:
> + bb.note("No CVE exclusions SRC_URI found, skipping fetch")
> + return
> + fetcher = bb.fetch2.Fetch(cve_uris, d)
> + # Clone only if network is allowed
> + if network_allowed:
> + fetcher.download()
> + else:
> + # Offline mode without network access
> + bb.note("IMPROVE_KERNEL_CVE_NETWORK=0: Skipping online fetch. Checking local downloads in DL_DIR...")
> + have_sources = False
> + dl_dir = d.getVar("DL_DIR")
> + srcrev = d.getVar("SRCREV_improve-kernel-cve")
> + bb.note(f"Checking for sources for SRCREV: {srcrev}")
> + # Check SRCREV is NOT set to AUTOREV
> + if srcrev.strip() in ("${AUTOREV}", "AUTOINC", "INVALID"):
> + bb.fatal("improve-kernel-cve: Offline mode but SRCREV is set to AUTOREV/AUTOINC/INVALID. Cannot proceed without network access or use a fixed SRCREV.")
> + return
> + # Loop through the fetcher's expanded URL data
> + for ud in fetcher.expanded_urldata():
> + ud.setup_localpath(d)
> + # Check mirror tarballs first
> + for mirror_fname in ud.mirrortarballs:
> + mirror_path = os.path.join(dl_dir, mirror_fname)
> + if os.path.exists(mirror_path):
> + bb.note(f"Found mirror tarball: {mirror_path}")
> + have_sources = True
> + break
> + # If no mirror, check original download path
> + if not have_sources and ud.localpath and os.path.exists(ud.localpath):
> + bb.note(f"Found local download: {ud.localpath}")
> + have_sources = True
> + if not have_sources:
> + bb.fatal("improve-kernel-cve: Offline mode but required source is missing.\n"f"SRC_URI = {ud.url}")
> + return
> + # Unpack into the standard work directory
> + fetcher.unpack(unpack_dir)
> + # Remove the folder ${PN} set by unpack
> + subdirs = [d for d in os.listdir(unpack_dir) if os.path.isdir(os.path.join(unpack_dir, d))]
> + if len(subdirs) == 1:
> + srcdir = os.path.join(unpack_dir, subdirs[0])
> + for f in os.listdir(srcdir):
> + shutil.move(os.path.join(srcdir, f), unpack_dir)
> + shutil.rmtree(srcdir)
> +}
I am not sure I understand this task. Since the
git.kernel.org/pub/scm/linux/security/vulns.git is put in SRC_URI it really
should already be downloaded for you. Why are you managing the download
manually here?
> +do_clone_kernel_cve[network] = "${IMPROVE_KERNEL_CVE_NETWORK}"
> +do_clone_kernel_cve[nostamp] = "1"
> +do_clone_kernel_cve[doc] = "Clone the latest kernel vulnerabilities from https://git.kernel.org/pub/scm/linux/security/vulns.git"
> +addtask clone_kernel_cve after do_fetch before do_scout_extra_kernel_vulns
> +
> +do_scout_extra_kernel_vulns() {
> + new_cve_report_file="${DEPLOY_DIR_IMAGE}/${IMAGE_NAME}.scouted.json"
> + improve_kernel_cve_script="${COREBASE}/scripts/contrib/improve_kernel_cve_report.py"
> +
> + # Check that IMPROVE_KERNEL_SPDX_FILE is set and the file exists
> + if [ -z "${IMPROVE_KERNEL_SPDX_FILE}" ] || [ ! -f "${IMPROVE_KERNEL_SPDX_FILE}" ]; then
> + bbwarn "improve_kernel_cve: IMPROVE_KERNEL_SPDX_FILE is empty or file not found: ${IMPROVE_KERNEL_SPDX_FILE}"
> + return 0
> + fi
> + if [ ! -f "${CVE_CHECK_MANIFEST_JSON}" ]; then
> + bbwarn "improve_kernel_cve: CVE_CHECK file not found: ${CVE_CHECK_MANIFEST_JSON}. Skipping extra kernel vulnerabilities scouting."
> + return 0
> + fi
> + if [ ! -f "${improve_kernel_cve_script}" ]; then
> + bbwarn "improve_kernel_cve: improve_kernel_cve_report.py not found in ${COREBASE}."
> + return 0
> + fi
> + if [ ! -d "${IMPROVE_KERNEL_CVE_WORKDIR}" ]; then
> + bbwarn "improve_kernel_cve: Vulnerabilities data not found in ${IMPROVE_KERNEL_CVE_WORKDIR}."
> + return 0
> + fi
> +
> + #Run the improve_kernel_cve_report.py script
> + bbplain "improve_kernel_cve: Using SPDX file for extra kernel vulnerabilities scouting: ${IMPROVE_KERNEL_SPDX_FILE}"
> + python3 "${improve_kernel_cve_script}" \
> + --spdx "${IMPROVE_KERNEL_SPDX_FILE}" \
> + --old-cve-report "${CVE_CHECK_MANIFEST_JSON}" \
> + --new-cve-report "${new_cve_report_file}" \
> + --datadir "${IMPROVE_KERNEL_CVE_WORKDIR}"
> + bbplain "Improve CVE report with extra kernel cves: ${new_cve_report_file}"
> +
> + #Create a symlink as every other JSON file in tmp/deploy/images
> + ln -sf ${DEPLOY_DIR_IMAGE}/${IMAGE_NAME}.scouted.json ${DEPLOY_DIR_IMAGE}/${IMAGE_BASENAME}${IMAGE_MACHINE_SUFFIX}${IMAGE_NAME_SUFFIX}.scouted.json
> +}
> +do_scout_extra_kernel_vulns[nostamp] = "1"
Technically, this task only needs to be executed when the SPDX has changed or
when the vulns.git reference has changed.
> +do_scout_extra_kernel_vulns[doc] = "Scout extra kernel vulnerabilities and create a new enhanced version of the cve_check file in the deploy directory"
> \ No newline at end of file
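Review bot: the `if network == "0":` test in `__anonymous` appends the vulns repository to SRC_URI only when networking is disabled, yet `do_clone_kernel_cve` builds its fetcher solely from SRC_URI entries carrying `name=improve-kernel-cve`; with the default `IMPROVE_KERNEL_CVE_NETWORK ?= "1"` that list is empty, the task returns at "No CVE exclusions SRC_URI found, skipping fetch", and `do_scout_extra_kernel_vulns` then bails out on the missing `${IMPROVE_KERNEL_CVE_WORKDIR}`. Either append the entry unconditionally (keeping the AUTOREV/AUTOINC check for the offline case) or invert the condition so it matches its comment "Check if networking is enabled to set SRC_URI". Two smaller points in the same hunk: the `return` after each `bb.fatal()` is unreachable, and `do_clean:append` globs `*scouted.json` over `${DEPLOY_DIR_IMAGE}`, which is shared by every image built for the MACHINE, so cleaning one image deletes the other images' reports; restrict the glob to this image's own `${IMAGE_NAME}.scouted.json` and its symlink. Finally, the clone unpacks (and flattens) into `${IMPROVE_KERNEL_CVE_UNPACK_DIR}` but the script is given `--datadir "${IMPROVE_KERNEL_CVE_WORKDIR}"`, one directory level up; please confirm which of the two `improve_kernel_cve_report.py` expects.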
> diff --git a/meta/classes/improve_kernel_cve_report-spdx-2.2.bbclass b/meta/classes/improve_kernel_cve_report-spdx-2.2.bbclass
> new file mode 100644
> index 0000000000..45b483134d
> --- /dev/null
> +++ b/meta/classes/improve_kernel_cve_report-spdx-2.2.bbclass
> @@ -0,0 +1,4 @@
> +IMPROVE_KERNEL_PREFERRED_PROVIDER = "create-spdx-2.2"
> +IMPROVE_KERNEL_SPDX_FILE = "${DEPLOY_DIR}/spdx/2.2/${@d.getVar('MACHINE').replace('-', '_')}/recipes/recipe-${PREFERRED_PROVIDER_virtual/kernel}.spdx.json"
> +
> +inherit improve_kernel_cve_report-base
> \ No newline at end of file
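Review bot: `IMPROVE_KERNEL_SPDX_FILE` hard-codes the create-spdx-2.2 deploy layout (`${DEPLOY_DIR}/spdx/2.2/<machine>/recipes/recipe-<kernel>.spdx.json`) and re-implements the `-` to `_` substitution of `${MACHINE}` with inline Python, which `${MACHINE_ARCH}` already provides; deriving the path from the SPDX class's own deploy variables would avoid the base class silently skipping (it only warns when the file is absent) if that layout moves. Note also that the base class orders `do_scout_extra_kernel_vulns` only after `do_rootfs`, so nothing here guarantees the kernel recipe's SPDX document has been written when this path is read. The file is missing its trailing newline.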
> diff --git a/meta/classes/improve_kernel_cve_report-spdx.bbclass b/meta/classes/improve_kernel_cve_report-spdx.bbclass
> new file mode 100644
> index 0000000000..3849f66aaf
> --- /dev/null
> +++ b/meta/classes/improve_kernel_cve_report-spdx.bbclass
> @@ -0,0 +1,4 @@
> +IMPROVE_KERNEL_PREFERRED_PROVIDER = "create-spdx"
You really want to specify here "create-spdx-3.0".
Also, maybe name the bbclass with a -3.0 suffix.
> +IMPROVE_KERNEL_SPDX_FILE = "${SPDXIMAGEDEPLOYDIR}/${IMAGE_LINK_NAME}.spdx.json"
> +
> +inherit improve_kernel_cve_report-base
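Review bot: with `IMPROVE_KERNEL_PREFERRED_PROVIDER = "create-spdx"`, the base class's substring test `preferred_provider not in inherit_var` also succeeds when INHERIT contains `create-spdx-2.2`, so the check cannot tell the two SPDX generations apart; `bb.data.inherits_class("create-spdx-3.0", d)` does. Separately, this variant feeds the image-level SBOM (`${SPDXIMAGEDEPLOYDIR}/${IMAGE_LINK_NAME}.spdx.json`) to `--spdx`, whereas the 2.2 variant feeds the kernel recipe's own SPDX document; the commit message should state that `improve_kernel_cve_report.py` accepts both document scopes, since the two classes are otherwise presented as interchangeable.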
Best regards,
--
Benjamin Robin, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
Thread overview: 16+ messages
[not found] <188AFD4FCC1313A8.2683732@lists.openembedded.org>
2026-01-19 18:40 ` [PATCH v4 0/1] improve_kernel_cve_report: Add a bbclass support ValentinBoudevin
2026-01-19 18:40 ` [PATCH v4 1/1] " ValentinBoudevin
2026-01-20 15:00 ` Daniel Turull
2026-01-22 12:58 ` Benjamin ROBIN [this message]
2026-01-26 12:56 ` [OE-core] " Ross Burton
2026-01-28 16:38 ` [PATCH v5 0/2] " ValentinBoudevin
2026-01-28 16:38 ` [PATCH v5 1/2] vulns: add a new recipe ValentinBoudevin
2026-01-31 17:59 ` [OE-core] " Mathieu Dubois-Briand
2026-01-28 16:38 ` [PATCH v5 2/2] improve_kernel_cve_report: Add a bbclass support ValentinBoudevin
2026-01-29 11:01 ` [PATCH v5 0/2] " Daniel Turull
2026-01-29 16:34 ` vboudevin
2026-02-01 15:54 ` [OE-core] " Marta Rybczynska
2026-02-02 21:08 ` [PATCH v6 " ValentinBoudevin
2026-02-02 21:08 ` [PATCH v6 1/2] vulns: add a new recipe ValentinBoudevin
2026-02-02 21:08 ` [PATCH v6 2/2] improve_kernel_cve_report: Add a bbclass support ValentinBoudevin
2026-02-04 14:58 ` [PATCH v6 0/2] " Daniel Turull