[PATCH v4 0/1] improve_kernel_cve_report: Add a bbclass support

[PATCH v4 0/1] improve_kernel_cve_report: Add a bbclass support

[ValentinBoudevin]

Changes since v3:
-Avoid code duplication with a new bbclass "improve_kernel_cve_report-base.bbclass".
-Remove direct set of SRC_URI and SRCREV for offline mode.
-Use new __anonymous function to set SRC_URI, SRCREV and task schedule do_scout_extra_kernel_vulns based on SPDX version used.
-improve_kernel_cve_report-spdx-2.2.bbclass and improve_kernel_cve_report-spdx.bbclass are only used to define IMPROVE_KERNEL_PREFERRED_PROVIDER and IMPROVE_KERNEL_SPDX_FILE

Changes since v2:
- Fixed SRC_URI:append syntax (a space was missing with the append operator).
- Removed unused variable debug_source_path

Changes since v1:
- IMPROVE_KERNEL_CVE_SRC_URI and IMPROVE_KERNEL_CVE_SRCREV can be used to set a different source repository
or a deterministic revision.
- IMPROVE_KERNEL_CVE_NETWORK variable can be used to use this repo offline
based on existing fetch repo in DL_DIR.
- Add support for SPDX2.2 with a new bbclass improve_kernel_cve_report-spdx-2.2.bbclass.

ValentinBoudevin (1):
  improve_kernel_cve_report: Add a bbclass support

 .../improve_kernel_cve_report-base.bbclass    | 149 ++++++++++++++++++
 ...improve_kernel_cve_report-spdx-2.2.bbclass |   4 +
 .../improve_kernel_cve_report-spdx.bbclass    |   4 +
 3 files changed, 157 insertions(+)
 create mode 100644 meta/classes/improve_kernel_cve_report-base.bbclass
 create mode 100644 meta/classes/improve_kernel_cve_report-spdx-2.2.bbclass
 create mode 100644 meta/classes/improve_kernel_cve_report-spdx.bbclass

[PATCH v4 1/1] improve_kernel_cve_report: Add a bbclass support

[ValentinBoudevin]

The script improve_kernel_cve_report.py doesn't have a bbclass.
It can be useful to have one to generate improved cve-check files at
every run.

This commit contains three classes:

-improve_kernel_cve_report-base.bbclass: Base class which contains the
tasks to perform improve_kernel_cve_report.py initialization and
execution.
-improve_kernel_cve_report-spdx-2.2.bbclass: Set
IMPROVE_KERNEL_SPDX_FILE variable for SPDX-2.2 builds and set
IMPROVE_KERNEL_PREFERRED_PROVIDER to require "create-spdx-2.2" in
INHERIT
-improve_kernel_cve_report-spdx.bbclass: Set IMPROVE_KERNEL_SPDX_FILE
variable for SPDX-3.0 projectsi and IMPROVE_KERNEL_PREFERRED_PROVIDER to
"create-spdx" to requires it in INHERIT

These three new .bbclass files can be used to generate a new output in
tmp/deploy/images with a .scouted.json file in addition to the existing
.json cve-check file.

The new .scouted.json is based on the cve-check file and the SBOM to
generate this improved cve-check file with extra entries found by the
script improve_kernel_cve_report.py.

It only requires to use "inherit" on an image recipe (e.g. on
core-image-minimal).

The bbclass "improve_kernel_cve_report-spdx-2.2.bbclass" can be used if
"create-spdx-2.2" is configured in INHERIT, and "create-spdx" is
removed.

INHERIT:remove = "create-spdx"
INHERIT:append = " create-spdx-2.2"

By default, projects use SPDX-3.0 and don't require any additional
configuration.

It also works offline and/or with custom repos thanks to the variables:

-IMPROVE_KERNEL_CVE_SRC_URI: Use to set SRC_URI for "vulns" repository
-IMPROVE_KERNEL_CVE_SRCREV: Use to fix a SRCREV for "vulns" repository.
By default the class use AUTOREV to get the latest commit available but
will require a fix commit if used offline.
-IMPROVE_KERNEL_CVE_NETWORK:
Use DL_DIR folder as to find the source "vulns" repository and set
offline mode
-IMPROVE_KERNEL_CVE_WORKDIR: Working directory for the class
-IMPROVE_KERNEL_CVE_DESTSUFFIX: Suffix used to clone the "vulns"
repository IMPROVE_KERNEL_CVE_UNPACK_DIR: Folder to unpack the "vulns"
directory

Signed-off-by: Valentin Boudevin <valentin.boudevin@gmail.com>
---
 .../improve_kernel_cve_report-base.bbclass    | 149 ++++++++++++++++++
 ...improve_kernel_cve_report-spdx-2.2.bbclass |   4 +
 .../improve_kernel_cve_report-spdx.bbclass    |   4 +
 3 files changed, 157 insertions(+)
 create mode 100644 meta/classes/improve_kernel_cve_report-base.bbclass
 create mode 100644 meta/classes/improve_kernel_cve_report-spdx-2.2.bbclass
 create mode 100644 meta/classes/improve_kernel_cve_report-spdx.bbclass

diff --git a/meta/classes/improve_kernel_cve_report-base.bbclass b/meta/classes/improve_kernel_cve_report-base.bbclass
new file mode 100644
index 0000000000..9d3be08203
--- /dev/null
+++ b/meta/classes/improve_kernel_cve_report-base.bbclass
@@ -0,0 +1,149 @@
+# Settings for the vulns git repository configuration
+IMPROVE_KERNEL_CVE_SRC_URI ?= "git://git.kernel.org/pub/scm/linux/security/vulns.git;branch=master;protocol=https"
+IMPROVE_KERNEL_CVE_SRCREV ?= "${@bb.fetch2.get_autorev(d)}"
+IMPROVE_KERNEL_CVE_NETWORK ?= "1"
+IMPROVE_KERNEL_CVE_WORKDIR ?= "${WORKDIR}/vulns"
+IMPROVE_KERNEL_CVE_DESTSUFFIX ?= "git"
+IMPROVE_KERNEL_CVE_UNPACK_DIR ?= "${IMPROVE_KERNEL_CVE_WORKDIR}/${IMPROVE_KERNEL_CVE_DESTSUFFIX}"
+
+# Settings for SPDX support
+IMPROVE_KERNEL_PREFERRED_PROVIDER ?= ""
+IMPROVE_KERNEL_SPDX_FILE ?= ""
+
+python __anonymous() {
+    srcrev = d.getVar("IMPROVE_KERNEL_CVE_SRCREV", True) or ""
+    network = d.getVar("IMPROVE_KERNEL_CVE_NETWORK", True) or "0"
+    # Check the IMPROVE_KERNEL_SPDX_FILE variable was set
+    if not d.getVar("IMPROVE_KERNEL_SPDX_FILE"):
+        bb.fatal("improve_kernel_cve: IMPROVE_KERNEL_SPDX_FILE is not set. Need to inherit improve_kernel_cve_report-spdx-2.2 or improve_kernel_cve_report-spdx")
+        return
+    # Check if networking is enabled to set SRC_URI
+    if network == "0":
+        d.appendVar("SRC_URI", " ${IMPROVE_KERNEL_CVE_SRC_URI};name=improve-kernel-cve;destsuffix=${IMPROVE_KERNEL_CVE_DESTSUFFIX}")
+    # Check offline mode with AUTOREV-like SRCREV
+    if network == "0" and srcrev.strip() in ("${AUTOREV}", "AUTOINC", "INVALID"):
+        bb.fatal("improve_kernel_cve: Offline mode but SRCREV is set to AUTOREV/AUTOINC/INVALID. Cannot proceed without network access or use a fixed SRCREV.")
+    d.setVar("SRCREV_improve-kernel-cve", d.getVar("IMPROVE_KERNEL_CVE_SRCREV"))
+    # Check which SPDX class is inherited
+    inherits = (d.getVar("INHERIT") or "")
+    if "create-spdx-2.2" in inherits:
+        bb.build.addtask("do_scout_extra_kernel_vulns", "do_build", "do_rootfs", d)
+    elif "create-spdx" in inherits:
+        bb.build.addtask('do_scout_extra_kernel_vulns', 'do_build', 'do_create_image_sbom_spdx', d)
+}
+
+python do_clean:append() {
+    import os, glob
+    deploy_dir = d.expand('${DEPLOY_DIR_IMAGE}')
+    for f in glob.glob(os.path.join(deploy_dir, '*scouted.json')):
+        bb.note("Removing " + f)
+        os.remove(f)
+}
+
+python do_clone_kernel_cve() {
+    import subprocess
+    import shutil, os
+    # Check if the system is using SPDX 3.0
+    inherit_var = d.getVar("INHERIT")
+    preferred_provider = d.getVar("IMPROVE_KERNEL_PREFERRED_PROVIDER")
+    if preferred_provider not in inherit_var:
+        bb.warn(f"improve_kernel_cve: Requires the class {preferred_provider} enable in INHERIT variable.")
+        return
+    network_allowed = d.getVar("IMPROVE_KERNEL_CVE_NETWORK") == "1"
+    workdir = d.getVar("IMPROVE_KERNEL_CVE_WORKDIR")
+    unpack_dir = d.getVar("IMPROVE_KERNEL_CVE_UNPACK_DIR")
+    # Remove existing unpacked directory if any
+    if os.path.exists(workdir):
+        shutil.rmtree(workdir)
+    # Prepare fetcher
+    src_uri_list = (d.getVar('SRC_URI') or "").split()
+    cve_uris = []
+    for uri in src_uri_list:
+        if "name=improve-kernel-cve" in uri:
+            cve_uris.append(uri)
+    if not cve_uris:
+        bb.note("No CVE exclusions SRC_URI found, skipping fetch")
+        return
+    fetcher = bb.fetch2.Fetch(cve_uris, d)
+    # Clone only if network is allowed
+    if network_allowed:
+        fetcher.download()
+    else:
+        # Offline mode without network access
+        bb.note("IMPROVE_KERNEL_CVE_NETWORK=0: Skipping online fetch. Checking local downloads in DL_DIR...")
+        have_sources = False
+        dl_dir = d.getVar("DL_DIR")
+        srcrev = d.getVar("SRCREV_improve-kernel-cve")
+        bb.note(f"Checking for sources for SRCREV: {srcrev}")
+        # Check SRCREV is NOT set to AUTOREV
+        if srcrev.strip() in ("${AUTOREV}", "AUTOINC", "INVALID"):
+            bb.fatal("improve-kernel-cve: Offline mode but SRCREV is set to AUTOREV/AUTOINC/INVALID. Cannot proceed without network access or use a fixed SRCREV.")
+            return
+        # Loop through the fetcher's expanded URL data
+        for ud in fetcher.expanded_urldata():
+            ud.setup_localpath(d)
+            # Check mirror tarballs first
+            for mirror_fname in ud.mirrortarballs:
+                mirror_path = os.path.join(dl_dir, mirror_fname)
+                if os.path.exists(mirror_path):
+                    bb.note(f"Found mirror tarball: {mirror_path}")
+                    have_sources = True
+                    break
+            # If no mirror, check original download path
+            if not have_sources and ud.localpath and os.path.exists(ud.localpath):
+                bb.note(f"Found local download: {ud.localpath}")
+                have_sources = True
+            if not have_sources:
+                bb.fatal("improve-kernel-cve: Offline mode but required source is missing.\n"f"SRC_URI = {ud.url}")
+                return
+    # Unpack into the standard work directory
+    fetcher.unpack(unpack_dir)
+    # Remove the folder ${PN} set by unpack
+    subdirs = [d for d in os.listdir(unpack_dir) if os.path.isdir(os.path.join(unpack_dir, d))]
+    if len(subdirs) == 1:
+        srcdir = os.path.join(unpack_dir, subdirs[0])
+        for f in os.listdir(srcdir):
+            shutil.move(os.path.join(srcdir, f), unpack_dir)
+        shutil.rmtree(srcdir)
+}
+do_clone_kernel_cve[network] = "${IMPROVE_KERNEL_CVE_NETWORK}"
+do_clone_kernel_cve[nostamp] = "1"
+do_clone_kernel_cve[doc] = "Clone the latest kernel vulnerabilities from https://git.kernel.org/pub/scm/linux/security/vulns.git"
+addtask clone_kernel_cve after do_fetch before do_scout_extra_kernel_vulns
+
+do_scout_extra_kernel_vulns() {
+    new_cve_report_file="${DEPLOY_DIR_IMAGE}/${IMAGE_NAME}.scouted.json"
+    improve_kernel_cve_script="${COREBASE}/scripts/contrib/improve_kernel_cve_report.py"
+
+    # Check that IMPROVE_KERNEL_SPDX_FILE is set and the file exists
+    if [ -z "${IMPROVE_KERNEL_SPDX_FILE}" ] || [ ! -f "${IMPROVE_KERNEL_SPDX_FILE}" ]; then
+        bbwarn "improve_kernel_cve: IMPROVE_KERNEL_SPDX_FILE is empty or file not found: ${IMPROVE_KERNEL_SPDX_FILE}"
+        return 0
+    fi
+    if [ ! -f "${CVE_CHECK_MANIFEST_JSON}" ]; then
+        bbwarn "improve_kernel_cve: CVE_CHECK file not found: ${CVE_CHECK_MANIFEST_JSON}. Skipping extra kernel vulnerabilities scouting."
+        return 0
+    fi
+    if [ ! -f "${improve_kernel_cve_script}" ]; then
+        bbwarn "improve_kernel_cve: improve_kernel_cve_report.py not found in ${COREBASE}."
+        return 0
+    fi
+    if [ ! -d "${IMPROVE_KERNEL_CVE_WORKDIR}" ]; then
+        bbwarn "improve_kernel_cve: Vulnerabilities data not found in ${IMPROVE_KERNEL_CVE_WORKDIR}."
+        return 0
+    fi
+
+    #Run the improve_kernel_cve_report.py script
+    bbplain "improve_kernel_cve: Using SPDX file for extra kernel vulnerabilities scouting: ${IMPROVE_KERNEL_SPDX_FILE}"
+    python3 "${improve_kernel_cve_script}" \
+        --spdx "${IMPROVE_KERNEL_SPDX_FILE}" \
+        --old-cve-report "${CVE_CHECK_MANIFEST_JSON}" \
+        --new-cve-report "${new_cve_report_file}" \
+        --datadir "${IMPROVE_KERNEL_CVE_WORKDIR}"
+    bbplain "Improve CVE report with extra kernel cves: ${new_cve_report_file}"
+
+    #Create a symlink as every other JSON file in tmp/deploy/images
+    ln -sf ${DEPLOY_DIR_IMAGE}/${IMAGE_NAME}.scouted.json ${DEPLOY_DIR_IMAGE}/${IMAGE_BASENAME}${IMAGE_MACHINE_SUFFIX}${IMAGE_NAME_SUFFIX}.scouted.json
+}
+do_scout_extra_kernel_vulns[nostamp] = "1"
+do_scout_extra_kernel_vulns[doc] = "Scout extra kernel vulnerabilities and create a new enhanced version of the cve_check file in the deploy directory"
\ No newline at end of file
diff --git a/meta/classes/improve_kernel_cve_report-spdx-2.2.bbclass b/meta/classes/improve_kernel_cve_report-spdx-2.2.bbclass
new file mode 100644
index 0000000000..45b483134d
--- /dev/null
+++ b/meta/classes/improve_kernel_cve_report-spdx-2.2.bbclass
@@ -0,0 +1,4 @@
+IMPROVE_KERNEL_PREFERRED_PROVIDER = "create-spdx-2.2"
+IMPROVE_KERNEL_SPDX_FILE = "${DEPLOY_DIR}/spdx/2.2/${@d.getVar('MACHINE').replace('-', '_')}/recipes/recipe-${PREFERRED_PROVIDER_virtual/kernel}.spdx.json"
+
+inherit improve_kernel_cve_report-base
\ No newline at end of file
diff --git a/meta/classes/improve_kernel_cve_report-spdx.bbclass b/meta/classes/improve_kernel_cve_report-spdx.bbclass
new file mode 100644
index 0000000000..3849f66aaf
--- /dev/null
+++ b/meta/classes/improve_kernel_cve_report-spdx.bbclass
@@ -0,0 +1,4 @@
+IMPROVE_KERNEL_PREFERRED_PROVIDER = "create-spdx"
+IMPROVE_KERNEL_SPDX_FILE = "${SPDXIMAGEDEPLOYDIR}/${IMAGE_LINK_NAME}.spdx.json"
+
+inherit improve_kernel_cve_report-base
\ No newline at end of file

RE: [PATCH v4 1/1] improve_kernel_cve_report: Add a bbclass support

[Daniel Turull]

Hi,
I was thinking that the code could be optimize and do not depend on the spdx file but the debugsources.

These has some benefits:
1. you don't need to enable SPDX_INCLUDE_COMPILED_SOURCES to have kernel specific config
2. don't need to have spdx 3 and spdx 2 dependent code.

It is using the same file as SPDX_INCLUDE_COMPILED_SOURCES is using without the need to enable it.

Also it seems that the task dependency chain is not correct. I'm getting
I have create a core-image-minimal.bbappend with the bbclass.

And then set the SRC to the mirror
IMPROVE_KERNEL_CVE_SRC_URI = "git://mirror/git.kernel.org.pub.scm.linux.security.vulns;protocol=https;branch=master"

WARNING: core-image-minimal-1.0-r0 do_scout_extra_kernel_vulns: improve_kernel_cve: CVE_CHECK file not found: /---/build/tmp/work/qemuarm64-poky-linux/core-image-minimal/1.0/deploy-core-image-minimal-image-complete/core-image-minimal-qemuarm64.rootfs-20260120145604.json. Skipping extra kernel vulnerabilities scouting.
NOTE: Tasks Summary: Attempted 2509 tasks of which 2507 didn't need to be rerun and all succeeded.
Complete CVE JSON report summary created at: ---/build/tmp/log/cve/cve-summary.json

Also the autorev doesn't seem to work
ERROR: ---/meta/recipes-core/images/core-image-minimal.bb: AUTOREV/SRCPV set too late for the fetcher to work properly, please set the variables earlier in parsing. Erroring instead of later obtuse build failures.

Best regards,
Daniel
> -----Original Message-----
> From: ValentinBoudevin <valentin.boudevin@gmail.com>
> Sent: Monday, 19 January 2026 19:41
> To: openembedded-core@lists.openembedded.org
> Cc: Daniel Turull <daniel.turull@ericsson.com>;
> jerome.oufella@savoirfairelinux.com; ValentinBoudevin
> <valentin.boudevin@gmail.com>
> Subject: [PATCH v4 1/1] improve_kernel_cve_report: Add a bbclass support
>
> The script improve_kernel_cve_report.py doesn't have a bbclass.
> It can be useful to have one to generate improved cve-check files at every run.
>
> This commit contains three classes:
>
> -improve_kernel_cve_report-base.bbclass: Base class which contains the tasks to
> perform improve_kernel_cve_report.py initialization and execution.
> -improve_kernel_cve_report-spdx-2.2.bbclass: Set
> IMPROVE_KERNEL_SPDX_FILE variable for SPDX-2.2 builds and set
> IMPROVE_KERNEL_PREFERRED_PROVIDER to require "create-spdx-2.2" in
> INHERIT
> -improve_kernel_cve_report-spdx.bbclass: Set IMPROVE_KERNEL_SPDX_FILE
> variable for SPDX-3.0 projectsi and IMPROVE_KERNEL_PREFERRED_PROVIDER to
> "create-spdx" to requires it in INHERIT
>
> These three new .bbclass files can be used to generate a new output in
> tmp/deploy/images with a .scouted.json file in addition to the existing .json cve-
> check file.
>
> The new .scouted.json is based on the cve-check file and the SBOM to generate
> this improved cve-check file with extra entries found by the script
> improve_kernel_cve_report.py.
>
> It only requires to use "inherit" on an image recipe (e.g. on core-image-minimal).
>
> The bbclass "improve_kernel_cve_report-spdx-2.2.bbclass" can be used if
> "create-spdx-2.2" is configured in INHERIT, and "create-spdx" is removed.
>
> INHERIT:remove = "create-spdx"
> INHERIT:append = " create-spdx-2.2"
>
> By default, projects use SPDX-3.0 and don't require any additional configuration.
>
> It also works offline and/or with custom repos thanks to the variables:
>
> -IMPROVE_KERNEL_CVE_SRC_URI: Use to set SRC_URI for "vulns" repository
> -IMPROVE_KERNEL_CVE_SRCREV: Use to fix a SRCREV for "vulns" repository.
> By default the class use AUTOREV to get the latest commit available but will
> require a fix commit if used offline.
> -IMPROVE_KERNEL_CVE_NETWORK:
> Use DL_DIR folder as to find the source "vulns" repository and set offline mode
> -IMPROVE_KERNEL_CVE_WORKDIR: Working directory for the class
> -IMPROVE_KERNEL_CVE_DESTSUFFIX: Suffix used to clone the "vulns"
> repository IMPROVE_KERNEL_CVE_UNPACK_DIR: Folder to unpack the "vulns"
> directory
>
> Signed-off-by: Valentin Boudevin <valentin.boudevin@gmail.com>
> ---
>  .../improve_kernel_cve_report-base.bbclass    | 149 ++++++++++++++++++
>  ...improve_kernel_cve_report-spdx-2.2.bbclass |   4 +
>  .../improve_kernel_cve_report-spdx.bbclass    |   4 +
>  3 files changed, 157 insertions(+)
>  create mode 100644 meta/classes/improve_kernel_cve_report-base.bbclass
>  create mode 100644 meta/classes/improve_kernel_cve_report-spdx-2.2.bbclass
>  create mode 100644 meta/classes/improve_kernel_cve_report-spdx.bbclass
>
> diff --git a/meta/classes/improve_kernel_cve_report-base.bbclass
> b/meta/classes/improve_kernel_cve_report-base.bbclass
> new file mode 100644
> index 0000000000..9d3be08203
> --- /dev/null
> +++ b/meta/classes/improve_kernel_cve_report-base.bbclass
> @@ -0,0 +1,149 @@
> +# Settings for the vulns git repository configuration
> +IMPROVE_KERNEL_CVE_SRC_URI ?=
> "git://git.kernel.org/pub/scm/linux/security/vulns.git;branch=master;protocol=h
> ttps"
> +IMPROVE_KERNEL_CVE_SRCREV ?= "${@bb.fetch2.get_autorev(d)}"
> +IMPROVE_KERNEL_CVE_NETWORK ?= "1"
> +IMPROVE_KERNEL_CVE_WORKDIR ?= "${WORKDIR}/vulns"
> +IMPROVE_KERNEL_CVE_DESTSUFFIX ?= "git"
> +IMPROVE_KERNEL_CVE_UNPACK_DIR ?=
> "${IMPROVE_KERNEL_CVE_WORKDIR}/${IMPROVE_KERNEL_CVE_DESTSUFFIX}
> "
> +
> +# Settings for SPDX support
> +IMPROVE_KERNEL_PREFERRED_PROVIDER ?= ""
> +IMPROVE_KERNEL_SPDX_FILE ?= ""
> +
> +python __anonymous() {
> +    srcrev = d.getVar("IMPROVE_KERNEL_CVE_SRCREV", True) or ""
> +    network = d.getVar("IMPROVE_KERNEL_CVE_NETWORK", True) or "0"
> +    # Check the IMPROVE_KERNEL_SPDX_FILE variable was set
> +    if not d.getVar("IMPROVE_KERNEL_SPDX_FILE"):
> +        bb.fatal("improve_kernel_cve: IMPROVE_KERNEL_SPDX_FILE is not set.
> Need to inherit improve_kernel_cve_report-spdx-2.2 or
> improve_kernel_cve_report-spdx")
> +        return
> +    # Check if networking is enabled to set SRC_URI
> +    if network == "0":
> +        d.appendVar("SRC_URI", "
> ${IMPROVE_KERNEL_CVE_SRC_URI};name=improve-kernel-
> cve;destsuffix=${IMPROVE_KERNEL_CVE_DESTSUFFIX}")
> +    # Check offline mode with AUTOREV-like SRCREV
> +    if network == "0" and srcrev.strip() in ("${AUTOREV}", "AUTOINC", "INVALID"):
> +        bb.fatal("improve_kernel_cve: Offline mode but SRCREV is set to
> AUTOREV/AUTOINC/INVALID. Cannot proceed without network access or use a
> fixed SRCREV.")
> +    d.setVar("SRCREV_improve-kernel-cve",
> d.getVar("IMPROVE_KERNEL_CVE_SRCREV"))
> +    # Check which SPDX class is inherited
> +    inherits = (d.getVar("INHERIT") or "")
> +    if "create-spdx-2.2" in inherits:
> +        bb.build.addtask("do_scout_extra_kernel_vulns", "do_build", "do_rootfs",
> d)
> +    elif "create-spdx" in inherits:
> +        bb.build.addtask('do_scout_extra_kernel_vulns', 'do_build',
> +'do_create_image_sbom_spdx', d) }
> +
> +python do_clean:append() {
> +    import os, glob
> +    deploy_dir = d.expand('${DEPLOY_DIR_IMAGE}')
> +    for f in glob.glob(os.path.join(deploy_dir, '*scouted.json')):
> +        bb.note("Removing " + f)
> +        os.remove(f)
> +}
> +
> +python do_clone_kernel_cve() {
> +    import subprocess
> +    import shutil, os
> +    # Check if the system is using SPDX 3.0
> +    inherit_var = d.getVar("INHERIT")
> +    preferred_provider = d.getVar("IMPROVE_KERNEL_PREFERRED_PROVIDER")
> +    if preferred_provider not in inherit_var:
> +        bb.warn(f"improve_kernel_cve: Requires the class {preferred_provider}
> enable in INHERIT variable.")
> +        return
> +    network_allowed = d.getVar("IMPROVE_KERNEL_CVE_NETWORK") == "1"
> +    workdir = d.getVar("IMPROVE_KERNEL_CVE_WORKDIR")
> +    unpack_dir = d.getVar("IMPROVE_KERNEL_CVE_UNPACK_DIR")
> +    # Remove existing unpacked directory if any
> +    if os.path.exists(workdir):
> +        shutil.rmtree(workdir)
> +    # Prepare fetcher
> +    src_uri_list = (d.getVar('SRC_URI') or "").split()
> +    cve_uris = []
> +    for uri in src_uri_list:
> +        if "name=improve-kernel-cve" in uri:
> +            cve_uris.append(uri)
> +    if not cve_uris:
> +        bb.note("No CVE exclusions SRC_URI found, skipping fetch")
> +        return
> +    fetcher = bb.fetch2.Fetch(cve_uris, d)
> +    # Clone only if network is allowed
> +    if network_allowed:
> +        fetcher.download()
> +    else:
> +        # Offline mode without network access
> +        bb.note("IMPROVE_KERNEL_CVE_NETWORK=0: Skipping online fetch.
> Checking local downloads in DL_DIR...")
> +        have_sources = False
> +        dl_dir = d.getVar("DL_DIR")
> +        srcrev = d.getVar("SRCREV_improve-kernel-cve")
> +        bb.note(f"Checking for sources for SRCREV: {srcrev}")
> +        # Check SRCREV is NOT set to AUTOREV
> +        if srcrev.strip() in ("${AUTOREV}", "AUTOINC", "INVALID"):
> +            bb.fatal("improve-kernel-cve: Offline mode but SRCREV is set to
> AUTOREV/AUTOINC/INVALID. Cannot proceed without network access or use a
> fixed SRCREV.")
> +            return
> +        # Loop through the fetcher's expanded URL data
> +        for ud in fetcher.expanded_urldata():
> +            ud.setup_localpath(d)
> +            # Check mirror tarballs first
> +            for mirror_fname in ud.mirrortarballs:
> +                mirror_path = os.path.join(dl_dir, mirror_fname)
> +                if os.path.exists(mirror_path):
> +                    bb.note(f"Found mirror tarball: {mirror_path}")
> +                    have_sources = True
> +                    break
> +            # If no mirror, check original download path
> +            if not have_sources and ud.localpath and os.path.exists(ud.localpath):
> +                bb.note(f"Found local download: {ud.localpath}")
> +                have_sources = True
> +            if not have_sources:
> +                bb.fatal("improve-kernel-cve: Offline mode but required source is
> missing.\n"f"SRC_URI = {ud.url}")
> +                return
> +    # Unpack into the standard work directory
> +    fetcher.unpack(unpack_dir)
> +    # Remove the folder ${PN} set by unpack
> +    subdirs = [d for d in os.listdir(unpack_dir) if
> os.path.isdir(os.path.join(unpack_dir, d))]
> +    if len(subdirs) == 1:
> +        srcdir = os.path.join(unpack_dir, subdirs[0])
> +        for f in os.listdir(srcdir):
> +            shutil.move(os.path.join(srcdir, f), unpack_dir)
> +        shutil.rmtree(srcdir)
> +}
> +do_clone_kernel_cve[network] = "${IMPROVE_KERNEL_CVE_NETWORK}"
> +do_clone_kernel_cve[nostamp] = "1"
> +do_clone_kernel_cve[doc] = "Clone the latest kernel vulnerabilities from
> https://git.kernel/.
> org%2Fpub%2Fscm%2Flinux%2Fsecurity%2Fvulns.git&data=05%7C02%7Cdaniel.t
> urull%40ericsson.com%7C7fb6e45acb9f4e4aa5d408de578a4fa7%7C92e84cebfbf
> d47abbe52080c6b87953f%7C0%7C0%7C639044448728663376%7CUnknown%7
> CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXa
> W4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=KKGJFw
> ohvnHwtHU5kfbCGHrzBNIHwrvDtYWlyXxZJjU%3D&reserved=0"
> +addtask clone_kernel_cve after do_fetch before
> +do_scout_extra_kernel_vulns
> +
> +do_scout_extra_kernel_vulns() {
> +
> new_cve_report_file="${DEPLOY_DIR_IMAGE}/${IMAGE_NAME}.scouted.json"
> +
> improve_kernel_cve_script="${COREBASE}/scripts/contrib/improve_kernel_cve_
> report.py"
> +
> +    # Check that IMPROVE_KERNEL_SPDX_FILE is set and the file exists
> +    if [ -z "${IMPROVE_KERNEL_SPDX_FILE}" ] || [ ! -f
> "${IMPROVE_KERNEL_SPDX_FILE}" ]; then
> +        bbwarn "improve_kernel_cve: IMPROVE_KERNEL_SPDX_FILE is empty or
> file not found: ${IMPROVE_KERNEL_SPDX_FILE}"
> +        return 0
> +    fi
> +    if [ ! -f "${CVE_CHECK_MANIFEST_JSON}" ]; then
> +        bbwarn "improve_kernel_cve: CVE_CHECK file not found:
> ${CVE_CHECK_MANIFEST_JSON}. Skipping extra kernel vulnerabilities scouting."
> +        return 0
> +    fi
> +    if [ ! -f "${improve_kernel_cve_script}" ]; then
> +        bbwarn "improve_kernel_cve: improve_kernel_cve_report.py not found in
> ${COREBASE}."
> +        return 0
> +    fi
> +    if [ ! -d "${IMPROVE_KERNEL_CVE_WORKDIR}" ]; then
> +        bbwarn "improve_kernel_cve: Vulnerabilities data not found in
> ${IMPROVE_KERNEL_CVE_WORKDIR}."
> +        return 0
> +    fi
> +
> +    #Run the improve_kernel_cve_report.py script
> +    bbplain "improve_kernel_cve: Using SPDX file for extra kernel vulnerabilities
> scouting: ${IMPROVE_KERNEL_SPDX_FILE}"
> +    python3 "${improve_kernel_cve_script}" \
> +        --spdx "${IMPROVE_KERNEL_SPDX_FILE}" \
> +        --old-cve-report "${CVE_CHECK_MANIFEST_JSON}" \
> +        --new-cve-report "${new_cve_report_file}" \
> +        --datadir "${IMPROVE_KERNEL_CVE_WORKDIR}"
> +    bbplain "Improve CVE report with extra kernel cves: ${new_cve_report_file}"
> +
> +    #Create a symlink as every other JSON file in tmp/deploy/images
> +    ln -sf ${DEPLOY_DIR_IMAGE}/${IMAGE_NAME}.scouted.json
> +${DEPLOY_DIR_IMAGE}/${IMAGE_BASENAME}${IMAGE_MACHINE_SUFFIX}${I
> MAGE_NAM
> +E_SUFFIX}.scouted.json
> +}
> +do_scout_extra_kernel_vulns[nostamp] = "1"
> +do_scout_extra_kernel_vulns[doc] = "Scout extra kernel vulnerabilities and
> create a new enhanced version of the cve_check file in the deploy directory"
> \ No newline at end of file
> diff --git a/meta/classes/improve_kernel_cve_report-spdx-2.2.bbclass
> b/meta/classes/improve_kernel_cve_report-spdx-2.2.bbclass
> new file mode 100644
> index 0000000000..45b483134d
> --- /dev/null
> +++ b/meta/classes/improve_kernel_cve_report-spdx-2.2.bbclass
> @@ -0,0 +1,4 @@
> +IMPROVE_KERNEL_PREFERRED_PROVIDER = "create-spdx-2.2"
> +IMPROVE_KERNEL_SPDX_FILE =
> "${DEPLOY_DIR}/spdx/2.2/${@d.getVar('MACHINE').replace('-',
> '_')}/recipes/recipe-${PREFERRED_PROVIDER_virtual/kernel}.spdx.json"
> +
> +inherit improve_kernel_cve_report-base
> \ No newline at end of file
> diff --git a/meta/classes/improve_kernel_cve_report-spdx.bbclass
> b/meta/classes/improve_kernel_cve_report-spdx.bbclass
> new file mode 100644
> index 0000000000..3849f66aaf
> --- /dev/null
> +++ b/meta/classes/improve_kernel_cve_report-spdx.bbclass
> @@ -0,0 +1,4 @@
> +IMPROVE_KERNEL_PREFERRED_PROVIDER = "create-spdx"
> +IMPROVE_KERNEL_SPDX_FILE =
> "${SPDXIMAGEDEPLOYDIR}/${IMAGE_LINK_NAME}.spdx.json"
> +
> +inherit improve_kernel_cve_report-base
> \ No newline at end of file

Re: [PATCH v4 1/1] improve_kernel_cve_report: Add a bbclass support

[Benjamin ROBIN]

Hello,

Sorry to provide these remarks in the v4 version.

On Monday, January 19, 2026 at 7:40 PM, ValentinBoudevin wrote:
> Signed-off-by: Valentin Boudevin <valentin.boudevin@gmail.com>
> ---
>  .../improve_kernel_cve_report-base.bbclass    | 149 ++++++++++++++++++
>  ...improve_kernel_cve_report-spdx-2.2.bbclass |   4 +
>  .../improve_kernel_cve_report-spdx.bbclass    |   4 +
>  3 files changed, 157 insertions(+)
>  create mode 100644 meta/classes/improve_kernel_cve_report-base.bbclass
>  create mode 100644 meta/classes/improve_kernel_cve_report-spdx-2.2.bbclass
>  create mode 100644 meta/classes/improve_kernel_cve_report-spdx.bbclass
> 
> diff --git a/meta/classes/improve_kernel_cve_report-base.bbclass b/meta/classes/improve_kernel_cve_report-base.bbclass
> new file mode 100644
> index 0000000000..9d3be08203
> --- /dev/null
> +++ b/meta/classes/improve_kernel_cve_report-base.bbclass
> @@ -0,0 +1,149 @@

Maybe add documentation on how to use this bbclass?

> +# Settings for the vulns git repository configuration
> +IMPROVE_KERNEL_CVE_SRC_URI ?= "git://git.kernel.org/pub/scm/linux/security/vulns.git;branch=master;protocol=https"
> +IMPROVE_KERNEL_CVE_SRCREV ?= "${@bb.fetch2.get_autorev(d)}"
> +IMPROVE_KERNEL_CVE_NETWORK ?= "1"
> +IMPROVE_KERNEL_CVE_WORKDIR ?= "${WORKDIR}/vulns"
> +IMPROVE_KERNEL_CVE_DESTSUFFIX ?= "git"
> +IMPROVE_KERNEL_CVE_UNPACK_DIR ?= "${IMPROVE_KERNEL_CVE_WORKDIR}/${IMPROVE_KERNEL_CVE_DESTSUFFIX}"
> +
> +# Settings for SPDX support
> +IMPROVE_KERNEL_PREFERRED_PROVIDER ?= ""
> +IMPROVE_KERNEL_SPDX_FILE ?= ""
> +
> +python __anonymous() {
> +    srcrev = d.getVar("IMPROVE_KERNEL_CVE_SRCREV", True) or ""
> +    network = d.getVar("IMPROVE_KERNEL_CVE_NETWORK", True) or "0"
> +    # Check the IMPROVE_KERNEL_SPDX_FILE variable was set
> +    if not d.getVar("IMPROVE_KERNEL_SPDX_FILE"):
> +        bb.fatal("improve_kernel_cve: IMPROVE_KERNEL_SPDX_FILE is not set. Need to inherit improve_kernel_cve_report-spdx-2.2 or improve_kernel_cve_report-spdx")
> +        return
> +    # Check if networking is enabled to set SRC_URI
> +    if network == "0":
> +        d.appendVar("SRC_URI", " ${IMPROVE_KERNEL_CVE_SRC_URI};name=improve-kernel-cve;destsuffix=${IMPROVE_KERNEL_CVE_DESTSUFFIX}")
> +    # Check offline mode with AUTOREV-like SRCREV
> +    if network == "0" and srcrev.strip() in ("${AUTOREV}", "AUTOINC", "INVALID"):
> +        bb.fatal("improve_kernel_cve: Offline mode but SRCREV is set to AUTOREV/AUTOINC/INVALID. Cannot proceed without network access or use a fixed SRCREV.")
> +    d.setVar("SRCREV_improve-kernel-cve", d.getVar("IMPROVE_KERNEL_CVE_SRCREV"))
> +    # Check which SPDX class is inherited
> +    inherits = (d.getVar("INHERIT") or "")

You really should use instead: bb.data.inherits_class("create-spdx-2.2", d)
This remark applies to various places.

> +    if "create-spdx-2.2" in inherits:
> +        bb.build.addtask("do_scout_extra_kernel_vulns", "do_build", "do_rootfs", d)
> +    elif "create-spdx" in inherits:
> +        bb.build.addtask('do_scout_extra_kernel_vulns', 'do_build', 'do_create_image_sbom_spdx', d)
> +}
> +
> +python do_clean:append() {
> +    import os, glob
> +    deploy_dir = d.expand('${DEPLOY_DIR_IMAGE}')
> +    for f in glob.glob(os.path.join(deploy_dir, '*scouted.json')):
> +        bb.note("Removing " + f)
> +        os.remove(f)
> +}
> +
> +python do_clone_kernel_cve() {
> +    import subprocess
> +    import shutil, os
> +    # Check if the system is using SPDX 3.0
> +    inherit_var = d.getVar("INHERIT")

Same here.

> +    preferred_provider = d.getVar("IMPROVE_KERNEL_PREFERRED_PROVIDER")
> +    if preferred_provider not in inherit_var:
> +        bb.warn(f"improve_kernel_cve: Requires the class {preferred_provider} enable in INHERIT variable.")
> +        return
> +    network_allowed = d.getVar("IMPROVE_KERNEL_CVE_NETWORK") == "1"
> +    workdir = d.getVar("IMPROVE_KERNEL_CVE_WORKDIR")
> +    unpack_dir = d.getVar("IMPROVE_KERNEL_CVE_UNPACK_DIR")
> +    # Remove existing unpacked directory if any
> +    if os.path.exists(workdir):
> +        shutil.rmtree(workdir)
> +    # Prepare fetcher
> +    src_uri_list = (d.getVar('SRC_URI') or "").split()
> +    cve_uris = []
> +    for uri in src_uri_list:
> +        if "name=improve-kernel-cve" in uri:
> +            cve_uris.append(uri)
> +    if not cve_uris:
> +        bb.note("No CVE exclusions SRC_URI found, skipping fetch")
> +        return
> +    fetcher = bb.fetch2.Fetch(cve_uris, d)
> +    # Clone only if network is allowed
> +    if network_allowed:
> +        fetcher.download()
> +    else:
> +        # Offline mode without network access
> +        bb.note("IMPROVE_KERNEL_CVE_NETWORK=0: Skipping online fetch. Checking local downloads in DL_DIR...")
> +        have_sources = False
> +        dl_dir = d.getVar("DL_DIR")
> +        srcrev = d.getVar("SRCREV_improve-kernel-cve")
> +        bb.note(f"Checking for sources for SRCREV: {srcrev}")
> +        # Check SRCREV is NOT set to AUTOREV
> +        if srcrev.strip() in ("${AUTOREV}", "AUTOINC", "INVALID"):
> +            bb.fatal("improve-kernel-cve: Offline mode but SRCREV is set to AUTOREV/AUTOINC/INVALID. Cannot proceed without network access or use a fixed SRCREV.")
> +            return
> +        # Loop through the fetcher's expanded URL data
> +        for ud in fetcher.expanded_urldata():
> +            ud.setup_localpath(d)
> +            # Check mirror tarballs first
> +            for mirror_fname in ud.mirrortarballs:
> +                mirror_path = os.path.join(dl_dir, mirror_fname)
> +                if os.path.exists(mirror_path):
> +                    bb.note(f"Found mirror tarball: {mirror_path}")
> +                    have_sources = True
> +                    break
> +            # If no mirror, check original download path
> +            if not have_sources and ud.localpath and os.path.exists(ud.localpath):
> +                bb.note(f"Found local download: {ud.localpath}")
> +                have_sources = True
> +            if not have_sources:
> +                bb.fatal("improve-kernel-cve: Offline mode but required source is missing.\n"f"SRC_URI = {ud.url}")
> +                return
> +    # Unpack into the standard work directory
> +    fetcher.unpack(unpack_dir)
> +    # Remove the folder ${PN} set by unpack
> +    subdirs = [d for d in os.listdir(unpack_dir) if os.path.isdir(os.path.join(unpack_dir, d))]
> +    if len(subdirs) == 1:
> +        srcdir = os.path.join(unpack_dir, subdirs[0])
> +        for f in os.listdir(srcdir):
> +            shutil.move(os.path.join(srcdir, f), unpack_dir)
> +        shutil.rmtree(srcdir)
> +}

I am not sure I understand this task. Since the 
git.kernel.org/pub/scm/linux/security/vulns.git is put in SRC_URI it really
should already be downloaded for you. Why are you managing the download
manually here?

> +do_clone_kernel_cve[network] = "${IMPROVE_KERNEL_CVE_NETWORK}"
> +do_clone_kernel_cve[nostamp] = "1"
> +do_clone_kernel_cve[doc] = "Clone the latest kernel vulnerabilities from https://git.kernel.org/pub/scm/linux/security/vulns.git"
> +addtask clone_kernel_cve after do_fetch before do_scout_extra_kernel_vulns
> +
> +do_scout_extra_kernel_vulns() {
> +    new_cve_report_file="${DEPLOY_DIR_IMAGE}/${IMAGE_NAME}.scouted.json"
> +    improve_kernel_cve_script="${COREBASE}/scripts/contrib/improve_kernel_cve_report.py"
> +
> +    # Check that IMPROVE_KERNEL_SPDX_FILE is set and the file exists
> +    if [ -z "${IMPROVE_KERNEL_SPDX_FILE}" ] || [ ! -f "${IMPROVE_KERNEL_SPDX_FILE}" ]; then
> +        bbwarn "improve_kernel_cve: IMPROVE_KERNEL_SPDX_FILE is empty or file not found: ${IMPROVE_KERNEL_SPDX_FILE}"
> +        return 0
> +    fi
> +    if [ ! -f "${CVE_CHECK_MANIFEST_JSON}" ]; then
> +        bbwarn "improve_kernel_cve: CVE_CHECK file not found: ${CVE_CHECK_MANIFEST_JSON}. Skipping extra kernel vulnerabilities scouting."
> +        return 0
> +    fi
> +    if [ ! -f "${improve_kernel_cve_script}" ]; then
> +        bbwarn "improve_kernel_cve: improve_kernel_cve_report.py not found in ${COREBASE}."
> +        return 0
> +    fi
> +    if [ ! -d "${IMPROVE_KERNEL_CVE_WORKDIR}" ]; then
> +        bbwarn "improve_kernel_cve: Vulnerabilities data not found in ${IMPROVE_KERNEL_CVE_WORKDIR}."
> +        return 0
> +    fi
> +
> +    #Run the improve_kernel_cve_report.py script
> +    bbplain "improve_kernel_cve: Using SPDX file for extra kernel vulnerabilities scouting: ${IMPROVE_KERNEL_SPDX_FILE}"
> +    python3 "${improve_kernel_cve_script}" \
> +        --spdx "${IMPROVE_KERNEL_SPDX_FILE}" \
> +        --old-cve-report "${CVE_CHECK_MANIFEST_JSON}" \
> +        --new-cve-report "${new_cve_report_file}" \
> +        --datadir "${IMPROVE_KERNEL_CVE_WORKDIR}"
> +    bbplain "Improve CVE report with extra kernel cves: ${new_cve_report_file}"
> +
> +    #Create a symlink as every other JSON file in tmp/deploy/images
> +    ln -sf ${DEPLOY_DIR_IMAGE}/${IMAGE_NAME}.scouted.json ${DEPLOY_DIR_IMAGE}/${IMAGE_BASENAME}${IMAGE_MACHINE_SUFFIX}${IMAGE_NAME_SUFFIX}.scouted.json
> +}
> +do_scout_extra_kernel_vulns[nostamp] = "1"

Technically, this task only needs to be executed when the SPDX has changed or
when the vulns.git reference has changed.

> +do_scout_extra_kernel_vulns[doc] = "Scout extra kernel vulnerabilities and create a new enhanced version of the cve_check file in the deploy directory"
> \ No newline at end of file
> diff --git a/meta/classes/improve_kernel_cve_report-spdx-2.2.bbclass b/meta/classes/improve_kernel_cve_report-spdx-2.2.bbclass
> new file mode 100644
> index 0000000000..45b483134d
> --- /dev/null
> +++ b/meta/classes/improve_kernel_cve_report-spdx-2.2.bbclass
> @@ -0,0 +1,4 @@
> +IMPROVE_KERNEL_PREFERRED_PROVIDER = "create-spdx-2.2"
> +IMPROVE_KERNEL_SPDX_FILE = "${DEPLOY_DIR}/spdx/2.2/${@d.getVar('MACHINE').replace('-', '_')}/recipes/recipe-${PREFERRED_PROVIDER_virtual/kernel}.spdx.json"
> +
> +inherit improve_kernel_cve_report-base
> \ No newline at end of file
> diff --git a/meta/classes/improve_kernel_cve_report-spdx.bbclass b/meta/classes/improve_kernel_cve_report-spdx.bbclass
> new file mode 100644
> index 0000000000..3849f66aaf
> --- /dev/null
> +++ b/meta/classes/improve_kernel_cve_report-spdx.bbclass
> @@ -0,0 +1,4 @@
> +IMPROVE_KERNEL_PREFERRED_PROVIDER = "create-spdx"

You really want to specify here "create-spdx-3.0".
Also, maybe name the bbclass with a -3.0 suffix.


> +IMPROVE_KERNEL_SPDX_FILE = "${SPDXIMAGEDEPLOYDIR}/${IMAGE_LINK_NAME}.spdx.json"
> +
> +inherit improve_kernel_cve_report-base

Best regards,
-- 
Benjamin Robin, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

Re: [OE-core] [PATCH v4 1/1] improve_kernel_cve_report: Add a bbclass support

[Ross Burton]

On 19 Jan 2026, at 18:40, vboudevin via lists.openembedded.org <valentin.boudevin=gmail.com@lists.openembedded.org> wrote:
> 
> The script improve_kernel_cve_report.py doesn't have a bbclass.
> It can be useful to have one to generate improved cve-check files at
> every run.
> 
> This commit contains three classes:

Copying Josh to have a look at the SPDX integration pieces.

This will absolutely need some tests added to oe-selftest so that the code is exercised.

Cheers,
Ross

[PATCH v5 0/2] improve_kernel_cve_report: Add a bbclass support

[ValentinBoudevin]

Changes since v4:
- Add a new commit which contains a new recipe "vulns-native" to clone
the Linux Security Vulns Repo.
- Remove the tasks do_clone_kernel_cve which is now done by the new
vulns-native recipe.
- Update the do_scout_extra_kernel_vulns task to use the new vulns-native
repository path.
- Remove variables IMPROVE_KERNEL_CVE_SRC_URI, IMPROVE_KERNEL_CVE_SRCREV, IMPROVE_KERNEL_CVE_NETWORK, IMPROVE_KERNEL_CVE_WORKDIR, and IMPROVE_KERNEL_CVE_DESTSUFFIX.
- Modify __anonymous function to not set SRC_URI and SRCREV.
- Update __anonymous function to use bb.data.inherits_class.
- Update the commit message to reflect these changes.
- Move improve_kernel_cve_report.bbclass to improve_kernel_cve_report-spdx-3.0.bbclass.
- New improve_kernel_cve_report.bbclass to include the appropriate spdx version bbclass.

Changes since v3:
-Avoid code duplication with a new bbclass "improve_kernel_cve_report-base.bbclass".
-Remove direct set of SRC_URI and SRCREV for offline mode.
-Use new __anonymous function to set SRC_URI, SRCREV and task schedule do_scout_extra_kernel_vulns based on SPDX version used.
-improve_kernel_cve_report-spdx-2.2.bbclass and improve_kernel_cve_report-spdx.bbclass are only used to define IMPROVE_KERNEL_PREFERRED_PROVIDER and IMPROVE_KERNEL_SPDX_FILE

Changes since v2:
- Fixed SRC_URI:append syntax (a space was missing with the append operator).
- Removed unused variable debug_source_path

Changes since v1:
- IMPROVE_KERNEL_CVE_SRC_URI and IMPROVE_KERNEL_CVE_SRCREV can be used to set a different source repository
or a deterministic revision.
- IMPROVE_KERNEL_CVE_NETWORK variable can be used to use this repo offline
based on existing fetch repo in DL_DIR.
- Add support for SPDX2.2 with a new bbclass improve_kernel_cve_report-spdx-2.2.bbclass.

ValentinBoudevin (2):
  vulns: add a new recipe
  improve_kernel_cve_report: Add a bbclass support

 .../improve_kernel_cve_report-base.bbclass    | 60 +++++++++++++++++++
 ...improve_kernel_cve_report-spdx-2.2.bbclass |  4 ++
 ...improve_kernel_cve_report-spdx-3.0.bbclass |  4 ++
 .../classes/improve_kernel_cve_report.bbclass |  3 +
 .../vulns-native/vulns-native_git.bb          | 24 ++++++++
 5 files changed, 95 insertions(+)
 create mode 100644 meta/classes/improve_kernel_cve_report-base.bbclass
 create mode 100644 meta/classes/improve_kernel_cve_report-spdx-2.2.bbclass
 create mode 100644 meta/classes/improve_kernel_cve_report-spdx-3.0.bbclass
 create mode 100644 meta/classes/improve_kernel_cve_report.bbclass
 create mode 100644 meta/recipes-kernel/vulns-native/vulns-native_git.bb

[PATCH v5 1/2] vulns: add a new recipe

[ValentinBoudevin]

This recipe is in charge of cloning and setting the Linux repository:
https://git.kernel.org/pub/scm/linux/security/vulns.git/

The variable VULNS_USE_AUTOREV can be used to use AUTOREV to use the
The latest available commit on the remote repository and stay
up-to-date with the latest information available.

AUTOREV would make the build non-deterministic, turned off by default.

Signed-off-by: ValentinBoudevin <valentin.boudevin@gmail.com>
---
 .../vulns-native/vulns-native_git.bb          | 24 +++++++++++++++++++
 1 file changed, 24 insertions(+)
 create mode 100644 meta/recipes-kernel/vulns-native/vulns-native_git.bb

diff --git a/meta/recipes-kernel/vulns-native/vulns-native_git.bb b/meta/recipes-kernel/vulns-native/vulns-native_git.bb
new file mode 100644
index 0000000000..089382704f
--- /dev/null
+++ b/meta/recipes-kernel/vulns-native/vulns-native_git.bb
@@ -0,0 +1,24 @@
+SUMMARY = "Linux Security Vulns Repo"
+DESCRIPTION = "Repo for tracking and maintaining the CVE identifiers reserved and assigned to \
+the Linux kernel project."
+HOMEPAGE = "https://git.kernel.org/pub/scm/linux/security/vulns.git/"
+LICENSE = "cve-tou"
+LIC_FILES_CHKSUM = "file://LICENSES/cve-tou.txt;md5=0d1f8ff7666c210e0b0404fd9d7e6703"
+
+inherit native allarch
+
+SRC_URI = "git://git.kernel.org/pub/scm/linux/security/vulns.git;branch=master;protocol=https"
+VULNS_USE_AUTOREV ?= "0"
+VULNS_DEFAULT_SRCREV ?= "2c9b20d7a0699222b58c4824560b716b6096637b"
+
+python __anonymous () {
+    if d.getVar("VULNS_USE_AUTOREV") == "1":
+        d.setVar("SRCREV", d.getVar("AUTOREV"))
+    else:
+        d.setVar("SRCREV", d.getVar("VULNS_DEFAULT_SRCREV"))
+}
+
+do_install(){
+	install -d ${D}${datadir}/vulns-native
+	cp -r ${UNPACKDIR}/vulns-git/* ${D}${datadir}/vulns-native/
+}

Re: [OE-core] [PATCH v5 1/2] vulns: add a new recipe

[Mathieu Dubois-Briand]

On Wed Jan 28, 2026 at 5:38 PM CET, vboudevin via lists.openembedded.org wrote:
> This recipe is in charge of cloning and setting the Linux repository:
> https://git.kernel.org/pub/scm/linux/security/vulns.git/
>
> The variable VULNS_USE_AUTOREV can be used to use AUTOREV to use the
> The latest available commit on the remote repository and stay
> up-to-date with the latest information available.
>
> AUTOREV would make the build non-deterministic, turned off by default.
>
> Signed-off-by: ValentinBoudevin <valentin.boudevin@gmail.com>
> ---

Hi Valentin,

Thanks for your patch.

Please note you will have to add someone as a maintainer for the new
recipe, in meta/conf/distro/include/maintainers.inc.

Thanks,
Mathieu

-- 
Mathieu Dubois-Briand, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

[PATCH v5 2/2] improve_kernel_cve_report: Add a bbclass support

[ValentinBoudevin]

The script improve_kernel_cve_report.py doesn't have a bbclass.
It can be useful to have one to generate improved cve-check files at
every run.

This commit contains three classes:

-improve_kernel_cve_report-base.bbclass: Base class which contains the
tasks to perform improve_kernel_cve_report.py initialization and
execution.

-improve_kernel_cve_report-spdx-2.2.bbclass: Set
IMPROVE_KERNEL_SPDX_FILE variable for SPDX-2.2 builds and set
IMPROVE_KERNEL_PREFERRED_PROVIDER to require "create-spdx-2.2" in
INHERIT.

-improve_kernel_cve_report-spdx-3.0.bbclass: Set
IMPROVE_KERNEL_SPDX_FILE variable for SPDX-3.0 project, and set
IMPROVE_KERNEL_PREFERRED_PROVIDER to "create-spdx" to requires it in
INHERIT.

-improve_kernel_cve_report.bbclass: Include this class when you don't
care what version of SPDX you get.

These three new .bbclass files can be used to generate a new output in
tmp/deploy/images with a .scouted.json file in addition to the existing
.json cve-check file.

The new .scouted.json is based on the cve-check file and the SBOM to
generate this improved cve-check file with extra entries found by the
script improve_kernel_cve_report.py.

It only requires to use "inherit" on an image recipe (e.g. on
core-image-minimal).

The bbclass "improve_kernel_cve_report-spdx-2.2.bbclass" can be used if
"create-spdx-2.2" is configured in INHERIT, and "create-spdx" is
removed.

INHERIT:remove = "create-spdx"
INHERIT:append = " create-spdx-2.2"

By default, projects use SPDX-3.0 and don't require any additional
configuration.

Signed-off-by: Valentin Boudevin <valentin.boudevin@gmail.com>
---
 .../improve_kernel_cve_report-base.bbclass    | 60 +++++++++++++++++++
 ...improve_kernel_cve_report-spdx-2.2.bbclass |  4 ++
 ...improve_kernel_cve_report-spdx-3.0.bbclass |  4 ++
 .../classes/improve_kernel_cve_report.bbclass |  3 +
 4 files changed, 71 insertions(+)
 create mode 100644 meta/classes/improve_kernel_cve_report-base.bbclass
 create mode 100644 meta/classes/improve_kernel_cve_report-spdx-2.2.bbclass
 create mode 100644 meta/classes/improve_kernel_cve_report-spdx-3.0.bbclass
 create mode 100644 meta/classes/improve_kernel_cve_report.bbclass

diff --git a/meta/classes/improve_kernel_cve_report-base.bbclass b/meta/classes/improve_kernel_cve_report-base.bbclass
new file mode 100644
index 0000000000..e78722c59c
--- /dev/null
+++ b/meta/classes/improve_kernel_cve_report-base.bbclass
@@ -0,0 +1,60 @@
+# Settings for SPDX support
+
+# Setting to specify preferred provider for kernel SPDX file ("create-spdx" or "create-spdx-2.2")
+IMPROVE_KERNEL_PREFERRED_PROVIDER ?= ""
+# Setting to specify the path to the SPDX file to be used for extra kernel vulnerabilities scouting
+IMPROVE_KERNEL_SPDX_FILE ?= ""
+
+python __anonymous() {
+    if bb.data.inherits_class("create-spdx-2.2", d):
+        bb.build.addtask("do_scout_extra_kernel_vulns", "do_build", "do_rootfs", d)
+    elif bb.data.inherits_class("create-spdx", d):
+        bb.build.addtask('do_scout_extra_kernel_vulns', 'do_build', 'do_create_image_sbom_spdx', d)
+}
+
+python do_clean:append() {
+    import os, glob
+    deploy_dir = d.expand('${DEPLOY_DIR_IMAGE}')
+    for f in glob.glob(os.path.join(deploy_dir, '*scouted.json')):
+        bb.note("Removing " + f)
+        os.remove(f)
+}
+
+do_scout_extra_kernel_vulns() {
+    new_cve_report_file="${DEPLOY_DIR_IMAGE}/${IMAGE_NAME}.scouted.json"
+    improve_kernel_cve_script="${COREBASE}/scripts/contrib/improve_kernel_cve_report.py"
+
+    # Check that IMPROVE_KERNEL_SPDX_FILE is set and the file exists
+    if [ -z "${IMPROVE_KERNEL_SPDX_FILE}" ] || [ ! -f "${IMPROVE_KERNEL_SPDX_FILE}" ]; then
+        bbwarn "improve_kernel_cve: IMPROVE_KERNEL_SPDX_FILE is empty or file not found: ${IMPROVE_KERNEL_SPDX_FILE}"
+        return 0
+    fi
+    if [ ! -f "${CVE_CHECK_MANIFEST_JSON}" ]; then
+        bbwarn "improve_kernel_cve: CVE_CHECK file not found: ${CVE_CHECK_MANIFEST_JSON}. Skipping extra kernel vulnerabilities scouting."
+        return 0
+    fi
+    if [ ! -f "${improve_kernel_cve_script}" ]; then
+        bbwarn "improve_kernel_cve: improve_kernel_cve_report.py not found in ${COREBASE}."
+        return 0
+    fi
+    if [ ! -d "${STAGING_DATADIR_NATIVE}/vulns-native" ]; then
+        bbwarn "improve_kernel_cve: Vulnerabilities data not found in ${STAGING_DATADIR_NATIVE}/vulns-native."
+        return 0
+    fi
+
+    #Run the improve_kernel_cve_report.py script
+    bbplain "improve_kernel_cve: Using SPDX file for extra kernel vulnerabilities scouting: ${IMPROVE_KERNEL_SPDX_FILE}"
+    python3 "${improve_kernel_cve_script}" \
+        --spdx "${IMPROVE_KERNEL_SPDX_FILE}" \
+        --old-cve-report "${CVE_CHECK_MANIFEST_JSON}" \
+        --new-cve-report "${new_cve_report_file}" \
+        --datadir "${STAGING_DATADIR_NATIVE}/vulns-native"
+    bbplain "Improve CVE report with extra kernel cves: ${new_cve_report_file}"
+
+    #Create a symlink as every other JSON file in tmp/deploy/images
+    ln -sf ${DEPLOY_DIR_IMAGE}/${IMAGE_NAME}.scouted.json ${DEPLOY_DIR_IMAGE}/${IMAGE_BASENAME}${IMAGE_MACHINE_SUFFIX}${IMAGE_NAME_SUFFIX}.scouted.json
+}
+do_scout_extra_kernel_vulns[depends] += "vulns-native:do_populate_sysroot"
+do_scout_extra_kernel_vulns[nostamp] = "1"
+do_scout_extra_kernel_vulns[doc] = "Scout extra kernel vulnerabilities and create a new enhanced version of the cve_check file in the deploy directory"
+addtask scout_extra_kernel_vulnsate_cve_exclusions after do_prepare_recipe_sysroot
\ No newline at end of file
diff --git a/meta/classes/improve_kernel_cve_report-spdx-2.2.bbclass b/meta/classes/improve_kernel_cve_report-spdx-2.2.bbclass
new file mode 100644
index 0000000000..45b483134d
--- /dev/null
+++ b/meta/classes/improve_kernel_cve_report-spdx-2.2.bbclass
@@ -0,0 +1,4 @@
+IMPROVE_KERNEL_PREFERRED_PROVIDER = "create-spdx-2.2"
+IMPROVE_KERNEL_SPDX_FILE = "${DEPLOY_DIR}/spdx/2.2/${@d.getVar('MACHINE').replace('-', '_')}/recipes/recipe-${PREFERRED_PROVIDER_virtual/kernel}.spdx.json"
+
+inherit improve_kernel_cve_report-base
\ No newline at end of file
diff --git a/meta/classes/improve_kernel_cve_report-spdx-3.0.bbclass b/meta/classes/improve_kernel_cve_report-spdx-3.0.bbclass
new file mode 100644
index 0000000000..3849f66aaf
--- /dev/null
+++ b/meta/classes/improve_kernel_cve_report-spdx-3.0.bbclass
@@ -0,0 +1,4 @@
+IMPROVE_KERNEL_PREFERRED_PROVIDER = "create-spdx"
+IMPROVE_KERNEL_SPDX_FILE = "${SPDXIMAGEDEPLOYDIR}/${IMAGE_LINK_NAME}.spdx.json"
+
+inherit improve_kernel_cve_report-base
\ No newline at end of file
diff --git a/meta/classes/improve_kernel_cve_report.bbclass b/meta/classes/improve_kernel_cve_report.bbclass
new file mode 100644
index 0000000000..7b237d1e22
--- /dev/null
+++ b/meta/classes/improve_kernel_cve_report.bbclass
@@ -0,0 +1,3 @@
+# Include this class when you don't care what version of SPDX you get; it will
+# be updated to the latest stable version that is supported
+inherit improve_kernel_cve_report-spdx-3.0
\ No newline at end of file

RE: [PATCH v5 0/2] improve_kernel_cve_report: Add a bbclass support

[Daniel Turull]

Hello Valentin,

I have tested this new series and while it seems to run the bbclass, I think it is using a cve-summary file that doesn't have the kernel on it, and therefore it doesn't get updated.

I'm using in an offline build
INHERIT += "vex"

And a core-image-minimal.bbappend
inherit improve_kernel_cve_report

You might want to mention in your commit that if you want a more detailed list of vulnerabilities, you need to add:

SPDX_INCLUDE_COMPILED_SOURCES:pn-linux-yocto = "1"


Image VEX JSON report stored in: yocto-master/build/tmp/work/qemuarm64-poky-linux/core-image-minimal/1.0/deploy-core-image-minimal-image-complete/core-image-minimal-qemuarm64.rootfs-20260129103343.json
improve_kernel_cve: Using SPDX file for extra kernel vulnerabilities scouting: yocto-master/build/tmp/work/qemuarm64-poky-linux/core-image-minimal/1.0/spdx/3.0.1/image-deploy/core-image-minimal-qemuarm64.rootfs.spdx.json
Improve CVE report with extra kernel cves: yocto-master/build/tmp/deploy/images/qemuarm64/core-image-minimal-qemuarm64.rootfs-20260129103343.scouted.json

The file generated in /build/tmp/log/cve/cve-summary.json should have the kernel in question. The ones connected with the image doesn't have the kernel on it.

Best regards,
Daniel
> -----Original Message-----
> From: ValentinBoudevin <valentin.boudevin@gmail.com>
> Sent: Wednesday, 28 January 2026 17:38
> To: openembedded-core@lists.openembedded.org
> Cc: Daniel Turull <daniel.turull@ericsson.com>;
> jerome.oufella@savoirfairelinux.com; ValentinBoudevin
> <valentin.boudevin@gmail.com>
> Subject: [PATCH v5 0/2] improve_kernel_cve_report: Add a bbclass support
> 
> Changes since v4:
> - Add a new commit which contains a new recipe "vulns-native" to clone the
> Linux Security Vulns Repo.
> - Remove the tasks do_clone_kernel_cve which is now done by the new vulns-
> native recipe.
> - Update the do_scout_extra_kernel_vulns task to use the new vulns-native
> repository path.
> - Remove variables IMPROVE_KERNEL_CVE_SRC_URI,
> IMPROVE_KERNEL_CVE_SRCREV, IMPROVE_KERNEL_CVE_NETWORK,
> IMPROVE_KERNEL_CVE_WORKDIR, and IMPROVE_KERNEL_CVE_DESTSUFFIX.
> - Modify __anonymous function to not set SRC_URI and SRCREV.
> - Update __anonymous function to use bb.data.inherits_class.
> - Update the commit message to reflect these changes.
> - Move improve_kernel_cve_report.bbclass to improve_kernel_cve_report-spdx-
> 3.0.bbclass.
> - New improve_kernel_cve_report.bbclass to include the appropriate spdx
> version bbclass.
> 
> Changes since v3:
> -Avoid code duplication with a new bbclass "improve_kernel_cve_report-
> base.bbclass".
> -Remove direct set of SRC_URI and SRCREV for offline mode.
> -Use new __anonymous function to set SRC_URI, SRCREV and task schedule
> do_scout_extra_kernel_vulns based on SPDX version used.
> -improve_kernel_cve_report-spdx-2.2.bbclass and improve_kernel_cve_report-
> spdx.bbclass are only used to define IMPROVE_KERNEL_PREFERRED_PROVIDER
> and IMPROVE_KERNEL_SPDX_FILE
> 
> Changes since v2:
> - Fixed SRC_URI:append syntax (a space was missing with the append operator).
> - Removed unused variable debug_source_path
> 
> Changes since v1:
> - IMPROVE_KERNEL_CVE_SRC_URI and IMPROVE_KERNEL_CVE_SRCREV can be
> used to set a different source repository or a deterministic revision.
> - IMPROVE_KERNEL_CVE_NETWORK variable can be used to use this repo offline
> based on existing fetch repo in DL_DIR.
> - Add support for SPDX2.2 with a new bbclass improve_kernel_cve_report-spdx-
> 2.2.bbclass.
> 
> ValentinBoudevin (2):
>   vulns: add a new recipe
>   improve_kernel_cve_report: Add a bbclass support
> 
>  .../improve_kernel_cve_report-base.bbclass    | 60 +++++++++++++++++++
>  ...improve_kernel_cve_report-spdx-2.2.bbclass |  4 ++
> ...improve_kernel_cve_report-spdx-3.0.bbclass |  4 ++
> .../classes/improve_kernel_cve_report.bbclass |  3 +
>  .../vulns-native/vulns-native_git.bb          | 24 ++++++++
>  5 files changed, 95 insertions(+)
>  create mode 100644 meta/classes/improve_kernel_cve_report-base.bbclass
>  create mode 100644 meta/classes/improve_kernel_cve_report-spdx-2.2.bbclass
>  create mode 100644 meta/classes/improve_kernel_cve_report-spdx-3.0.bbclass
>  create mode 100644 meta/classes/improve_kernel_cve_report.bbclass
>  create mode 100644 meta/recipes-kernel/vulns-native/vulns-native_git.bb

Re: [PATCH v5 0/2] improve_kernel_cve_report: Add a bbclass support

[vboudevin]

[-- Attachment #1: Type: text/plain, Size: 576 bytes --]

Hello Daniel,

I made some tests with the new vex class. I may be wrong, but it doesn't seem like an issue linked with improve_kernel_cve_report bbclass.

I tried to clean the build, remove "inherit improve_kernel_cve_report", and keep "INHERIT += "vex"" . But, the cve-summary file is still empty after the rebuild.

If I change back to "cve-check" (still without improve_kernel_cve_report class) cve-summary seems correct and not empty.

It looks more like a vex class issue. Also, VEX does not seem to recreate a new .json file at every build, which is strange.

[-- Attachment #2: Type: text/html, Size: 644 bytes --]

Re: [OE-core] [PATCH v5 0/2] improve_kernel_cve_report: Add a bbclass support

[Marta Rybczynska]

[-- Attachment #1: Type: text/plain, Size: 1546 bytes --]

Hello,
Please take into account that the VEX class is using the same file names
for results as the cve-check. The reason was to avoid duplication
of all intermediary files, and also the final files. This was a design
decision, as not many people are expected to switch between cve-check
and vex classes, instead keep one.

Kind regards,
Marta

On Thu, Jan 29, 2026 at 5:34 PM vboudevin via lists.openembedded.org
<valentin.boudevin=gmail.com@lists.openembedded.org> wrote:

> Hello Daniel,
>
> I made some tests with the new vex class. I may be wrong, but it doesn't
> seem like an issue linked with improve_kernel_cve_report bbclass.
>
> I tried to clean the build, remove "inherit improve_kernel_cve_report",
> and keep "INHERIT += "vex"" . But, the cve-summary file is still empty
> after the rebuild.
>
> If I change back to "cve-check" (still without improve_kernel_cve_report
> class) cve-summary seems correct and not empty.
>
> It looks more like a vex class issue. Also, VEX does not seem to recreate
> a new .json file at every build, which is strange.
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#230139):
> https://lists.openembedded.org/g/openembedded-core/message/230139
> Mute This Topic: https://lists.openembedded.org/mt/117510774/5827677
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [
> rybczynska@gmail.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>
>

[-- Attachment #2: Type: text/html, Size: 2522 bytes --]

[PATCH v6 0/2] improve_kernel_cve_report: Add a bbclass support

[ValentinBoudevin]

Changes since v5:
- Update the maintainers.inc file to add new maintainer for the
  vulns-native recipe.
- Update vulns-native recipe to remove the variables VULNS_NATIVE_DEFAULT_SRCREV and VULNS_NATIVE_USE_AUTOREV for a fixed
  SRCREV usage (AUTOREV will be recommended in the documentation if the user wants to use the latest available commit).
- Update improve_kernel_cve_report-base.bbclass __anonymous function check the provider based on
 IMPROVE_KERNEL_PREFERRED_PROVIDER corresponds to the SPDX version used. It guarantees that the correct SPDX version is used with the
 improve_kernel_cve_report*.bbclass inherited.

Changes since v4:
- Add a new commit which contains a new recipe "vulns-native" to clone
the Linux Security Vulns Repo.
- Remove the tasks do_clone_kernel_cve which is now done by the new
vulns-native recipe.
- Update the do_scout_extra_kernel_vulns task to use the new vulns-native
repository path.
- Remove variables IMPROVE_KERNEL_CVE_SRC_URI, IMPROVE_KERNEL_CVE_SRCREV, IMPROVE_KERNEL_CVE_NETWORK, IMPROVE_KERNEL_CVE_WORKDIR, and IMPROVE_KERNEL_CVE_DESTSUFFIX.
- Modify __anonymous function to not set SRC_URI and SRCREV.
- Update __anonymous function to use bb.data.inherits_class.
- Update the commit message to reflect these changes.
- Move improve_kernel_cve_report.bbclass to improve_kernel_cve_report-spdx-3.0.bbclass.
- New improve_kernel_cve_report.bbclass to include the appropriate spdx version bbclass.

Changes since v3:
-Avoid code duplication with a new bbclass "improve_kernel_cve_report-base.bbclass".
-Remove direct set of SRC_URI and SRCREV for offline mode.
-Use new __anonymous function to set SRC_URI, SRCREV and task schedule do_scout_extra_kernel_vulns based on SPDX version used.
-improve_kernel_cve_report-spdx-2.2.bbclass and improve_kernel_cve_report-spdx.bbclass are only used to define IMPROVE_KERNEL_PREFERRED_PROVIDER and IMPROVE_KERNEL_SPDX_FILE

Changes since v2:
- Fixed SRC_URI:append syntax (a space was missing with the append operator).
- Removed unused variable debug_source_path

Changes since v1:
- IMPROVE_KERNEL_CVE_SRC_URI and IMPROVE_KERNEL_CVE_SRCREV can be used to set a different source repository
or a deterministic revision.
- IMPROVE_KERNEL_CVE_NETWORK variable can be used to use this repo offline
based on existing fetch repo in DL_DIR.
- Add support for SPDX2.2 with a new bbclass improve_kernel_cve_report-spdx-2.2.bbclass.

ValentinBoudevin (2):
  vulns: add a new recipe
  improve_kernel_cve_report: Add a bbclass support

 .../improve_kernel_cve_report-base.bbclass    | 64 +++++++++++++++++++
 ...improve_kernel_cve_report-spdx-2.2.bbclass |  4 ++
 ...improve_kernel_cve_report-spdx-3.0.bbclass |  4 ++
 .../classes/improve_kernel_cve_report.bbclass |  3 +
 meta/conf/distro/include/maintainers.inc      |  1 +
 .../vulns-native/vulns-native_git.bb          | 19 ++++++
 6 files changed, 95 insertions(+)
 create mode 100644 meta/classes/improve_kernel_cve_report-base.bbclass
 create mode 100644 meta/classes/improve_kernel_cve_report-spdx-2.2.bbclass
 create mode 100644 meta/classes/improve_kernel_cve_report-spdx-3.0.bbclass
 create mode 100644 meta/classes/improve_kernel_cve_report.bbclass
 create mode 100644 meta/recipes-kernel/vulns-native/vulns-native_git.bb

[PATCH v6 1/2] vulns: add a new recipe

[ValentinBoudevin]

This recipe is in charge of cloning and setting the Linux repository:
https://git.kernel.org/pub/scm/linux/security/vulns.git/

If the build is online, it is recommanded to use SRCREV set to AUTOREV
to use the latest available commit on the remote repository and stay
up-to-date with the latest CVE information available.

AUTOREV would make the build non-deterministic which would break
offline, turned off by default.

Signed-off-by: ValentinBoudevin <valentin.boudevin@gmail.com>
---
 meta/conf/distro/include/maintainers.inc      |  1 +
 .../vulns-native/vulns-native_git.bb          | 19 +++++++++++++++++++
 2 files changed, 20 insertions(+)
 create mode 100644 meta/recipes-kernel/vulns-native/vulns-native_git.bb

diff --git a/meta/conf/distro/include/maintainers.inc b/meta/conf/distro/include/maintainers.inc
index 550ef0e0e7..f21a00749a 100644
--- a/meta/conf/distro/include/maintainers.inc
+++ b/meta/conf/distro/include/maintainers.inc
@@ -875,6 +875,7 @@ RECIPE_MAINTAINER:pn-vulkan-tools = "Unassigned <unassigned@yoctoproject.org>"
 RECIPE_MAINTAINER:pn-vulkan-utility-libraries = "Unassigned <unassigned@yoctoproject.org>"
 RECIPE_MAINTAINER:pn-vulkan-validation-layers = "Vincent Davis Jr <vince@underview.tech>"
 RECIPE_MAINTAINER:pn-vulkan-volk = "Unassigned <unassigned@yoctoproject.org>"
+RECIPE_MAINTAINER:pn-vulns-native = "Valentin Boudevin <valentin.boudevin@savoirfairelinux.com>"
 RECIPE_MAINTAINER:pn-waffle = "Ross Burton <ross.burton@arm.com>"
 RECIPE_MAINTAINER:pn-watchdog = "Unassigned <unassigned@yoctoproject.org>"
 RECIPE_MAINTAINER:pn-watchdog-config = "Unassigned <unassigned@yoctoproject.org>"
diff --git a/meta/recipes-kernel/vulns-native/vulns-native_git.bb b/meta/recipes-kernel/vulns-native/vulns-native_git.bb
new file mode 100644
index 0000000000..7ea3f743d5
--- /dev/null
+++ b/meta/recipes-kernel/vulns-native/vulns-native_git.bb
@@ -0,0 +1,19 @@
+SUMMARY = "Linux Security Vulns Repo"
+DESCRIPTION = "Repo for tracking and maintaining the CVE identifiers reserved and assigned to \
+the Linux kernel project."
+HOMEPAGE = "https://git.kernel.org/pub/scm/linux/security/vulns.git/"
+LICENSE = "cve-tou"
+LIC_FILES_CHKSUM = "file://LICENSES/cve-tou.txt;md5=0d1f8ff7666c210e0b0404fd9d7e6703"
+
+inherit allarch native
+
+SRC_URI = "git://git.kernel.org/pub/scm/linux/security/vulns.git;branch=master;protocol=https"
+
+# SRCREV is pinned to a fixed commit to ensure reproducible builds
+# To get the latest commit available and stay up-to-date, set AUTOREV as SRCREV with SRCREV:pn-vulns-native = "${AUTOREV}"
+SRCREV ?= "2c9b20d7a0699222b58c4824560b716b6096637b"
+
+do_install(){
+	install -d ${D}${datadir}/vulns-native
+	cp -r ${UNPACKDIR}/vulns-git/* ${D}${datadir}/vulns-native/
+}

[PATCH v6 2/2] improve_kernel_cve_report: Add a bbclass support

[ValentinBoudevin]

The script improve_kernel_cve_report.py doesn't have a bbclass.
It can be useful to have one to generate improved cve-check files at
every run.

This commit contains three classes:

-improve_kernel_cve_report-base.bbclass: Base class which contains the
tasks to perform improve_kernel_cve_report.py initialization and
execution.

-improve_kernel_cve_report-spdx-2.2.bbclass: Set
IMPROVE_KERNEL_SPDX_FILE variable for SPDX-2.2 builds and set
IMPROVE_KERNEL_PREFERRED_PROVIDER to require "create-spdx-2.2" in
INHERIT.

-improve_kernel_cve_report-spdx-3.0.bbclass: Set
IMPROVE_KERNEL_SPDX_FILE variable for SPDX-3.0 project, and set
IMPROVE_KERNEL_PREFERRED_PROVIDER to "create-spdx" to requires it in
INHERIT.

-improve_kernel_cve_report.bbclass: Include this class when you don't
care what version of SPDX you get.

These three new .bbclass files can be used to generate a new output in
tmp/deploy/images with a .scouted.json file in addition to the existing
.json cve-check file.

The new .scouted.json is based on the cve-check file and the SBOM to
generate this improved cve-check file with extra entries found by the
script improve_kernel_cve_report.py.

It only requires to use "inherit" on an image recipe (e.g. on
core-image-minimal).

The bbclass "improve_kernel_cve_report-spdx-2.2.bbclass" can be used if
"create-spdx-2.2" is configured in INHERIT, and "create-spdx" is
removed.

INHERIT:remove = "create-spdx"
INHERIT:append = " create-spdx-2.2"

By default, projects use SPDX-3.0 and don't require any additional
configuration.

Signed-off-by: Valentin Boudevin <valentin.boudevin@gmail.com>
---
 .../improve_kernel_cve_report-base.bbclass    | 64 +++++++++++++++++++
 ...improve_kernel_cve_report-spdx-2.2.bbclass |  4 ++
 ...improve_kernel_cve_report-spdx-3.0.bbclass |  4 ++
 .../classes/improve_kernel_cve_report.bbclass |  3 +
 4 files changed, 75 insertions(+)
 create mode 100644 meta/classes/improve_kernel_cve_report-base.bbclass
 create mode 100644 meta/classes/improve_kernel_cve_report-spdx-2.2.bbclass
 create mode 100644 meta/classes/improve_kernel_cve_report-spdx-3.0.bbclass
 create mode 100644 meta/classes/improve_kernel_cve_report.bbclass

diff --git a/meta/classes/improve_kernel_cve_report-base.bbclass b/meta/classes/improve_kernel_cve_report-base.bbclass
new file mode 100644
index 0000000000..8bc6000903
--- /dev/null
+++ b/meta/classes/improve_kernel_cve_report-base.bbclass
@@ -0,0 +1,64 @@
+# Settings for SPDX support
+
+# Setting to specify preferred provider for kernel SPDX file ("create-spdx" or "create-spdx-2.2")
+IMPROVE_KERNEL_PREFERRED_PROVIDER ?= ""
+# Setting to specify the path to the SPDX file to be used for extra kernel vulnerabilities scouting
+IMPROVE_KERNEL_SPDX_FILE ?= ""
+
+python __anonymous() {
+    if bb.data.inherits_class("create-spdx-2.2", d):
+        if not d.getVar("IMPROVE_KERNEL_PREFERRED_PROVIDER") == "create-spdx-2.2":
+            bb.fatal("improve_kernel_cve_report: IMPROVE_KERNEL_PREFERRED_PROVIDER is set to '%s', but 'create-spdx-2.2' class is inherited. Please check your configuration." % d.getVar("IMPROVE_KERNEL_PREFERRED_PROVIDER"))
+        bb.build.addtask("do_scout_extra_kernel_vulns", "do_build", "do_rootfs", d)
+    elif bb.data.inherits_class("create-spdx", d):
+        if not d.getVar("IMPROVE_KERNEL_PREFERRED_PROVIDER") == "create-spdx":
+            bb.fatal("improve_kernel_cve_report: IMPROVE_KERNEL_PREFERRED_PROVIDER is set to '%s', but 'create-spdx' class is inherited. Please check your configuration." % d.getVar("IMPROVE_KERNEL_PREFERRED_PROVIDER"))
+        bb.build.addtask('do_scout_extra_kernel_vulns', 'do_build', 'do_create_image_sbom_spdx', d)
+}
+
+python do_clean:append() {
+    import os, glob
+    deploy_dir = d.expand('${DEPLOY_DIR_IMAGE}')
+    for f in glob.glob(os.path.join(deploy_dir, '*scouted.json')):
+        bb.note("Removing " + f)
+        os.remove(f)
+}
+
+do_scout_extra_kernel_vulns() {
+    new_cve_report_file="${DEPLOY_DIR_IMAGE}/${IMAGE_NAME}.scouted.json"
+    improve_kernel_cve_script="${COREBASE}/scripts/contrib/improve_kernel_cve_report.py"
+
+    # Check that IMPROVE_KERNEL_SPDX_FILE is set and the file exists
+    if [ -z "${IMPROVE_KERNEL_SPDX_FILE}" ] || [ ! -f "${IMPROVE_KERNEL_SPDX_FILE}" ]; then
+        bbwarn "improve_kernel_cve: IMPROVE_KERNEL_SPDX_FILE is empty or file not found: ${IMPROVE_KERNEL_SPDX_FILE}"
+        return 0
+    fi
+    if [ ! -f "${CVE_CHECK_MANIFEST_JSON}" ]; then
+        bbwarn "improve_kernel_cve: CVE_CHECK file not found: ${CVE_CHECK_MANIFEST_JSON}. Skipping extra kernel vulnerabilities scouting."
+        return 0
+    fi
+    if [ ! -f "${improve_kernel_cve_script}" ]; then
+        bbwarn "improve_kernel_cve: improve_kernel_cve_report.py not found in ${COREBASE}."
+        return 0
+    fi
+    if [ ! -d "${STAGING_DATADIR_NATIVE}/vulns-native" ]; then
+        bbwarn "improve_kernel_cve: Vulnerabilities data not found in ${STAGING_DATADIR_NATIVE}/vulns-native."
+        return 0
+    fi
+
+    #Run the improve_kernel_cve_report.py script
+    bbplain "improve_kernel_cve: Using SPDX file for extra kernel vulnerabilities scouting: ${IMPROVE_KERNEL_SPDX_FILE}"
+    python3 "${improve_kernel_cve_script}" \
+        --spdx "${IMPROVE_KERNEL_SPDX_FILE}" \
+        --old-cve-report "${CVE_CHECK_MANIFEST_JSON}" \
+        --new-cve-report "${new_cve_report_file}" \
+        --datadir "${STAGING_DATADIR_NATIVE}/vulns-native"
+    bbplain "Improve CVE report with extra kernel cves: ${new_cve_report_file}"
+
+    #Create a symlink as every other JSON file in tmp/deploy/images
+    ln -sf ${DEPLOY_DIR_IMAGE}/${IMAGE_NAME}.scouted.json ${DEPLOY_DIR_IMAGE}/${IMAGE_BASENAME}${IMAGE_MACHINE_SUFFIX}${IMAGE_NAME_SUFFIX}.scouted.json
+}
+do_scout_extra_kernel_vulns[depends] += "vulns-native:do_populate_sysroot"
+do_scout_extra_kernel_vulns[nostamp] = "1"
+do_scout_extra_kernel_vulns[doc] = "Scout extra kernel vulnerabilities and create a new enhanced version of the cve_check file in the deploy directory"
+addtask scout_extra_kernel_vulnsate_cve_exclusions after do_prepare_recipe_sysroot
\ No newline at end of file
diff --git a/meta/classes/improve_kernel_cve_report-spdx-2.2.bbclass b/meta/classes/improve_kernel_cve_report-spdx-2.2.bbclass
new file mode 100644
index 0000000000..45b483134d
--- /dev/null
+++ b/meta/classes/improve_kernel_cve_report-spdx-2.2.bbclass
@@ -0,0 +1,4 @@
+IMPROVE_KERNEL_PREFERRED_PROVIDER = "create-spdx-2.2"
+IMPROVE_KERNEL_SPDX_FILE = "${DEPLOY_DIR}/spdx/2.2/${@d.getVar('MACHINE').replace('-', '_')}/recipes/recipe-${PREFERRED_PROVIDER_virtual/kernel}.spdx.json"
+
+inherit improve_kernel_cve_report-base
\ No newline at end of file
diff --git a/meta/classes/improve_kernel_cve_report-spdx-3.0.bbclass b/meta/classes/improve_kernel_cve_report-spdx-3.0.bbclass
new file mode 100644
index 0000000000..3849f66aaf
--- /dev/null
+++ b/meta/classes/improve_kernel_cve_report-spdx-3.0.bbclass
@@ -0,0 +1,4 @@
+IMPROVE_KERNEL_PREFERRED_PROVIDER = "create-spdx"
+IMPROVE_KERNEL_SPDX_FILE = "${SPDXIMAGEDEPLOYDIR}/${IMAGE_LINK_NAME}.spdx.json"
+
+inherit improve_kernel_cve_report-base
\ No newline at end of file
diff --git a/meta/classes/improve_kernel_cve_report.bbclass b/meta/classes/improve_kernel_cve_report.bbclass
new file mode 100644
index 0000000000..7b237d1e22
--- /dev/null
+++ b/meta/classes/improve_kernel_cve_report.bbclass
@@ -0,0 +1,3 @@
+# Include this class when you don't care what version of SPDX you get; it will
+# be updated to the latest stable version that is supported
+inherit improve_kernel_cve_report-spdx-3.0
\ No newline at end of file

RE: [PATCH v6 0/2] improve_kernel_cve_report: Add a bbclass support

[Daniel Turull]

Hi,

The series works for me. For reference the issue that I had is that the qemuarm64 doesn't include the kernel in the cve report, since it is not part of the image, while the qemux86-64 does.

I have tested it locally and it seems to work fine, also filtering out the files not included in the kernel.

Best regards,
Daniel

> -----Original Message-----
> From: ValentinBoudevin <valentin.boudevin@gmail.com>
> Sent: Monday, 2 February 2026 22:08
> To: openembedded-core@lists.openembedded.org
> Cc: Daniel Turull <daniel.turull@ericsson.com>;
> jerome.oufella@savoirfairelinux.com; ValentinBoudevin
> <valentin.boudevin@gmail.com>
> Subject: [PATCH v6 0/2] improve_kernel_cve_report: Add a bbclass support
> 
> Changes since v5:
> - Update the maintainers.inc file to add new maintainer for the
>   vulns-native recipe.
> - Update vulns-native recipe to remove the variables
> VULNS_NATIVE_DEFAULT_SRCREV and VULNS_NATIVE_USE_AUTOREV for a
> fixed
>   SRCREV usage (AUTOREV will be recommended in the documentation if the user
> wants to use the latest available commit).
> - Update improve_kernel_cve_report-base.bbclass __anonymous function check
> the provider based on  IMPROVE_KERNEL_PREFERRED_PROVIDER corresponds
> to the SPDX version used. It guarantees that the correct SPDX version is used with
> the  improve_kernel_cve_report*.bbclass inherited.
> 
> Changes since v4:
> - Add a new commit which contains a new recipe "vulns-native" to clone the
> Linux Security Vulns Repo.
> - Remove the tasks do_clone_kernel_cve which is now done by the new vulns-
> native recipe.
> - Update the do_scout_extra_kernel_vulns task to use the new vulns-native
> repository path.
> - Remove variables IMPROVE_KERNEL_CVE_SRC_URI,
> IMPROVE_KERNEL_CVE_SRCREV, IMPROVE_KERNEL_CVE_NETWORK,
> IMPROVE_KERNEL_CVE_WORKDIR, and IMPROVE_KERNEL_CVE_DESTSUFFIX.
> - Modify __anonymous function to not set SRC_URI and SRCREV.
> - Update __anonymous function to use bb.data.inherits_class.
> - Update the commit message to reflect these changes.
> - Move improve_kernel_cve_report.bbclass to improve_kernel_cve_report-spdx-
> 3.0.bbclass.
> - New improve_kernel_cve_report.bbclass to include the appropriate spdx
> version bbclass.
> 
> Changes since v3:
> -Avoid code duplication with a new bbclass "improve_kernel_cve_report-
> base.bbclass".
> -Remove direct set of SRC_URI and SRCREV for offline mode.
> -Use new __anonymous function to set SRC_URI, SRCREV and task schedule
> do_scout_extra_kernel_vulns based on SPDX version used.
> -improve_kernel_cve_report-spdx-2.2.bbclass and improve_kernel_cve_report-
> spdx.bbclass are only used to define IMPROVE_KERNEL_PREFERRED_PROVIDER
> and IMPROVE_KERNEL_SPDX_FILE
> 
> Changes since v2:
> - Fixed SRC_URI:append syntax (a space was missing with the append operator).
> - Removed unused variable debug_source_path
> 
> Changes since v1:
> - IMPROVE_KERNEL_CVE_SRC_URI and IMPROVE_KERNEL_CVE_SRCREV can be
> used to set a different source repository or a deterministic revision.
> - IMPROVE_KERNEL_CVE_NETWORK variable can be used to use this repo offline
> based on existing fetch repo in DL_DIR.
> - Add support for SPDX2.2 with a new bbclass improve_kernel_cve_report-spdx-
> 2.2.bbclass.
> 
> ValentinBoudevin (2):
>   vulns: add a new recipe
>   improve_kernel_cve_report: Add a bbclass support
> 
>  .../improve_kernel_cve_report-base.bbclass    | 64 +++++++++++++++++++
>  ...improve_kernel_cve_report-spdx-2.2.bbclass |  4 ++
> ...improve_kernel_cve_report-spdx-3.0.bbclass |  4 ++
> .../classes/improve_kernel_cve_report.bbclass |  3 +
>  meta/conf/distro/include/maintainers.inc      |  1 +
>  .../vulns-native/vulns-native_git.bb          | 19 ++++++
>  6 files changed, 95 insertions(+)
>  create mode 100644 meta/classes/improve_kernel_cve_report-base.bbclass
>  create mode 100644 meta/classes/improve_kernel_cve_report-spdx-2.2.bbclass
>  create mode 100644 meta/classes/improve_kernel_cve_report-spdx-3.0.bbclass
>  create mode 100644 meta/classes/improve_kernel_cve_report.bbclass
>  create mode 100644 meta/recipes-kernel/vulns-native/vulns-native_git.bb