* [PATCH 1/4] generate-cve-exclusions: Add --output-json option
@ 2026-01-06 18:28 ValentinBoudevin
  2026-01-06 18:28 ` [PATCH 2/4] generate-cve-exclusions: Add a .bbclass ValentinBoudevin
                   ` (2 more replies)
  0 siblings, 3 replies; 7+ messages in thread
From: ValentinBoudevin @ 2026-01-06 18:28 UTC (permalink / raw)
  To: openembedded-core; +Cc: ValentinBoudevin

This option "--output-json" can be used to return a JSON file instead of
the standard .inc file provided.
The JSON file can easily be manipulated, contrary to the .inc file.

Example output structure of the JSON file:

```json
{
  "cve_status": {
    "CVE-2019-25160": {
      "active": false,
      "message": "fixed-version: Fixed from version 5.0"
    },
    "CVE-2019-25162": {
      "active": false,
      "message": "fixed-version: Fixed from version 6.0"
    },
...
```

Also, this commit doesn't affect or modify any existing behaviour of the
script.
---
 .../linux/generate-cve-exclusions.py          | 64 +++++++++++++++----
 1 file changed, 50 insertions(+), 14 deletions(-)

diff --git a/meta/recipes-kernel/linux/generate-cve-exclusions.py b/meta/recipes-kernel/linux/generate-cve-exclusions.py
index dfc16663a5..5a0a947e06 100755
--- a/meta/recipes-kernel/linux/generate-cve-exclusions.py
+++ b/meta/recipes-kernel/linux/generate-cve-exclusions.py
@@ -91,6 +91,7 @@ def main(argp=None):
     parser = argparse.ArgumentParser()
     parser.add_argument("datadir", type=pathlib.Path, help="Path to a clone of https://github.com/CVEProject/cvelistV5 or https://git.kernel.org/pub/scm/linux/security/vulns.git")
     parser.add_argument("version", type=Version, help="Kernel version number to generate data for, such as 6.1.38")
+    parser.add_argument("--output-json", action="store_true", help="Return CVE_STATUS mapping as JSON")
 
     args = parser.parse_args(argp)
     datadir = args.datadir.resolve()
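Review bot: no `import json` is added anywhere in this patch although the last hunk calls `json.dumps`; confirm the script already imports `json` (it parses the cvelistV5 JSON records, so it probably does), otherwise `--output-json` fails with a NameError only after the whole data set has been walked. The help text "Return CVE_STATUS mapping as JSON" also understates what happens: the mapping is printed to stdout and the commit message's "JSON file" is only the redirected output, so "Print the CVE_STATUS mapping to stdout as JSON" would describe the behaviour accurately.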
@@ -99,7 +100,10 @@ def main(argp=None):
 
     data_version = subprocess.check_output(("git", "describe", "--tags", "HEAD"), cwd=datadir, text=True)
 
-    print(f"""
+    cve_status = {}
+
+    if not args.output_json:
+        print(f"""
 # Auto-generated CVE metadata, DO NOT EDIT BY HAND.
 # Generated at {datetime.datetime.now(datetime.timezone.utc)} for kernel version {version}
 # From {datadir.name} {data_version}
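Review bot: when `--output-json` is given this hunk suppresses the whole header, so the JSON output loses the provenance the `.inc` form carries (generation time, the kernel `{version}`, the `{datadir.name} {data_version}` snapshot, and the `check_kernel_cve_status_version` prefunc that guards against applying exclusions to the wrong kernel). A consumer of the JSON therefore has no way to verify which kernel or which cvelistV5/vulns revision the `active`/`message` pairs were computed for. Suggest emitting those as top-level keys beside `cve_status`, for example `"kernel_version": str(version)` and `"data_version": data_version.strip()`, so a mismatch can be rejected instead of silently turned into `CVE_STATUS` flags.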
@@ -131,26 +135,58 @@ do_cve_check[prefuncs] += "check_kernel_cve_status_version"
             continue
         first_affected, fixed, backport_ver = get_fixed_versions(cve_info, base_version)
         if not fixed:
-            print(f"# {cve} has no known resolution")
+            cve_status[cve] = {
+                "active": True,
+                "message": "no known resolution"
+            }
+            if not args.output_json:
+                print(f"# {cve} has no known resolution")
         elif first_affected and version < first_affected:
-            print(f'CVE_STATUS[{cve}] = "fixed-version: only affects {first_affected} onwards"')
+            cve_status[cve] = {
+                "active": False,
+                "message": f"fixed-version: only affects {first_affected} onwards"
+            }
+            if not args.output_json:
+                print(f'CVE_STATUS[{cve}] = "fixed-version: only affects {first_affected} onwards"')
         elif fixed <= version:
-            print(
-                f'CVE_STATUS[{cve}] = "fixed-version: Fixed from version {fixed}"'
-            )
+            cve_status[cve] = {
+                "active": False,
+                "message": f"fixed-version: Fixed from version {fixed}"
+            }
+            if not args.output_json:
+                print(f'CVE_STATUS[{cve}] = "fixed-version: Fixed from version {fixed}"')
         else:
             if backport_ver:
                 if backport_ver <= version:
-                    print(
-                        f'CVE_STATUS[{cve}] = "cpe-stable-backport: Backported in {backport_ver}"'
-                    )
+                    cve_status[cve] = {
+                        "active": False,
+                        "message": f"cpe-stable-backport: Backported in {backport_ver}"
+                    }
+                    if not args.output_json:
+                        print(f'CVE_STATUS[{cve}] = "cpe-stable-backport: Backported in {backport_ver}"')
                 else:
-                    print(f"# {cve} may need backporting (fixed from {backport_ver})")
+                    cve_status[cve] = {
+                        "active": True,
+                        "message": f"May need backporting (fixed from {backport_ver})"
+                    }
+                    if not args.output_json:
+                        print(f"# {cve} may need backporting (fixed from {backport_ver})")
             else:
-                print(f"# {cve} needs backporting (fixed from {fixed})")
-
-        print()
-
+                cve_status[cve] = {
+                    "active": True,
+                    "message": f"#Needs backporting (fixed from {fixed})"
+                }
+                if not args.output_json:
+                    print(f"# {cve} needs backporting (fixed from {fixed})")
+
+        if not args.output_json:
+            print()
+
+    # Emit structured output if --ret-struct was requested
+    if args.output_json:
+        print(json.dumps({
+            "cve_status": cve_status,
+        }, indent=2))
 
 if __name__ == "__main__":
     main()
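Review bot: the message on the "needs backporting" branch, `"message": f"#Needs backporting (fixed from {fixed})"`, keeps a stray `#` and a capital N that the other five messages do not have, and the comment `# Emit structured output if --ret-struct was requested` names a flag that does not exist in this patch (it should read `--output-json`). Every branch now also spells its text twice, once in the dict and once in the `print`, which is how the `#` inconsistency crept in; assigning `cve_status[cve]` first and deriving the `.inc` line from `cve_status[cve]["message"]` (quoted `CVE_STATUS[...]` when `active` is false, a `#` comment otherwise) would keep the two outputs from drifting apart.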
-- 
2.43.0



^ permalink raw reply related	[flat|nested] 7+ messages in thread

* [PATCH 2/4] generate-cve-exclusions: Add a .bbclass
  2026-01-06 18:28 [PATCH 1/4] generate-cve-exclusions: Add --output-json option ValentinBoudevin
@ 2026-01-06 18:28 ` ValentinBoudevin
  2026-01-06 18:39   ` [OE-core] " Bruce Ashfield
  2026-01-06 18:28 ` [PATCH 3/4] generate-cve-exclusions: Move python script ValentinBoudevin
  2026-01-06 18:28 ` [PATCH 4/4] linux: Add inherit on generate-cve-exclusions ValentinBoudevin
  2 siblings, 1 reply; 7+ messages in thread
From: ValentinBoudevin @ 2026-01-06 18:28 UTC (permalink / raw)
  To: openembedded-core; +Cc: ValentinBoudevin

Add a .bbclass to generate-cve-exclusions to use this script at every
run.
This class needs to be inherited by the linux kernel recipe.

This class contains several methods:

*do_clone_cvelistV5: Clone the cvelistV5 repo in
${WORKDIR}/cvelistV5/git

(e.g. bitbake-builds/poky-master/build/tmp/work/qemux86_64-poky-linux/
linux-yocto/6.18.1+git/cvelistV5/git)

*do_generate_cve_exclusions: Use the script generate-cve-exclusions.py.
It uses the new "--output-json" argument to generate a JSON file as an
output stored in ${WORKDIR}/cvelistV5/cve-exclusion_${LINUX_VERSION}.json

*do_cve_check:prepend: Parse the previously generated JSON file to set
the variable CVE_STATUS correctly
---
 meta/classes/generate-cve-exclusions.bbclass | 67 ++++++++++++++++++++
 1 file changed, 67 insertions(+)
 create mode 100644 meta/classes/generate-cve-exclusions.bbclass

diff --git a/meta/classes/generate-cve-exclusions.bbclass b/meta/classes/generate-cve-exclusions.bbclass
new file mode 100644
index 0000000000..3e34ba563d
--- /dev/null
+++ b/meta/classes/generate-cve-exclusions.bbclass
@@ -0,0 +1,67 @@
+CVE_EXCLUSIONS_WORKDIR ?= "${WORKDIR}/cvelistV5"
+CVELISTV5_PATH ?= "${CVE_EXCLUSIONS_WORKDIR}/git"
+
+python do_clone_cvelistV5() {
+    import subprocess
+    import shutil, os
+    rootdir = d.getVar("CVELISTV5_PATH")
+    d.setVar("SRC_URI", "git://github.com/CVEProject/cvelistV5.git;branch=main;protocol=https")
+    d.setVar("SRCREV", "${AUTOREV}")
+    src_uri = (d.getVar('SRC_URI') or "").split()
+    # Fetch the kernel vulnerabilities sources
+    fetcher = bb.fetch2.Fetch(src_uri, d)
+    fetcher.download()
+    # Unpack into the standard work directory
+    fetcher.unpack(rootdir)
+    # Remove the folder ${PN} set by unpack
+    subdirs = [d for d in os.listdir(rootdir) if os.path.isdir(os.path.join(rootdir, d))]
+    if len(subdirs) == 1:
+        srcdir = os.path.join(rootdir, subdirs[0])
+        for f in os.listdir(srcdir):
+            shutil.move(os.path.join(srcdir, f), rootdir)
+        shutil.rmtree(srcdir)
+    bb.note("Vulnerabilities repo unpacked into: %s" % rootdir)
+}
+do_clone_cvelistV5[network] = "1"
+do_clone_cvelistV5[nostamp] = "1"
+do_clone_cvelistV5[doc] = "Clone CVE information from the CVE Project: https://github.com/CVEProject/cvelistV5.git"
+addtask clone_cvelistV5 after do_fetch before do_generate_cve_exclusions
+
+do_generate_cve_exclusions() {
+    generate_cve_exclusions_script=$(find ${COREBASE} -name "generate-cve-exclusions.py")
+    if [ -z "${generate_cve_exclusions_script}" ]; then
+        bbfatal "generate-cve-exclusions.py not found in ${COREBASE}."
+    fi
+    python3 "${generate_cve_exclusions_script}" \
+        ${CVELISTV5_PATH} \
+        ${LINUX_VERSION} \
+        --output-json > ${CVE_EXCLUSIONS_WORKDIR}/cve-exclusion_${LINUX_VERSION}.json
+}
+do_generate_cve_exclusions[nostamp] = "1"
+do_generate_cve_exclusions[doc] = "Generate CVE exclusions for the kernel build. (e.g., cve-exclusion_6.12.inc)"
+addtask generate_cve_exclusions after do_clone_cvelistV5 before do_cve_check
+
+python do_cve_check:prepend() {
+    import os
+    import json
+
+    workdir = d.getVar("CVE_EXCLUSIONS_WORKDIR")
+    kernel_version = d.getVar("LINUX_VERSION")
+    json_input_file = os.path.join(workdir, "cve-exclusion_%s.json" % kernel_version)
+
+    # Parse JSON
+    with open(json_input_file, 'r', encoding='utf-8') as f:
+        cve_data = json.load(f)
+
+    cve_status_dict = cve_data.get("cve_status", {})
+
+    if os.path.exists(json_input_file):
+        count = 0
+        for cve_id, info in cve_status_dict.items():
+            if info.get("active", True):
+                # Skip active CVEs
+                continue
+            d.setVarFlag("CVE_STATUS", cve_id, info.get("message", ""))
+            count += 1
+    bb.note("Loaded %d CVE_STATUS entries from JSON output for kernel %s" % (count, kernel_version))
+}
\ No newline at end of file
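Review bot: in `do_cve_check:prepend` the `open(json_input_file, ...)` runs before the `if os.path.exists(json_input_file):` test, so a missing file raises instead of being skipped, and when that test is false `count` is never assigned and the `bb.note(...)` line raises NameError; check existence first, initialise `count = 0` before the `if`, and return with a note when the file is absent. Separately, `d.setVar("SRCREV", "${AUTOREV}")` combined with `[nostamp] = "1"` on both tasks and `addtask ... after do_fetch before do_cve_check` means every build of an inheriting kernel recipe fetches the tip of an unpinned upstream branch over the network and derives its `CVE_STATUS` exclusions from whatever is on `main` at that moment: a non-reproducible build step (the objection raised later in this thread) and a supply-chain exposure, since the fetched data decides which CVEs the build reports as fixed. Pin `SRCREV`, or let the recipe set it, and make the task opt-in rather than part of the standard chain. Minor: `import subprocess` is unused, `[d for d in os.listdir(rootdir) ...]` reuses the datastore name `d`, and the `[doc]` string says `cve-exclusion_6.12.inc` while the task writes a `.json` file.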
-- 
2.43.0
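As an added example, not the oe-core script or the class from this patch, the following reimplements the `active`/`message` decision tree that the `--output-json` change encodes and a stricter consumer for the resulting JSON than the `do_cve_check:prepend` above. The top-level `kernel_version` key, the `load_exclusions` function, the int-tuple versions (instead of `packaging.version.Version`) and the sample records are assumptions constructed for this example.

```python
"""Added example, not the oe-core script or the proposed class.

Reimplements the status decision tree that the --output-json hunk embeds,
and a stricter consumer for the resulting JSON than do_cve_check:prepend.
Assumptions (not in the patch): a top-level "kernel_version" key in the
JSON, plain int-tuple versions instead of packaging.version.Version, and
the constructed sample records below.
"""
import json
from typing import Dict, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'6.12.62' -> (6, 12, 62); tuples compare like packaging versions."""
    return tuple(int(part) for part in text.strip().split("."))


def fmt(version: Version) -> str:
    return ".".join(str(part) for part in version)


def classify(version: Version, first_affected: Optional[Version],
             fixed: Optional[Version], backport_ver: Optional[Version]) -> dict:
    """Same branches as the patch. 'active' means the CVE still applies to
    `version`, so it must not be turned into a CVE_STATUS exclusion."""
    if not fixed:
        return {"active": True, "message": "no known resolution"}
    if first_affected and version < first_affected:
        return {"active": False,
                "message": f"fixed-version: only affects {fmt(first_affected)} onwards"}
    if fixed <= version:
        return {"active": False,
                "message": f"fixed-version: Fixed from version {fmt(fixed)}"}
    if backport_ver:
        if backport_ver <= version:
            return {"active": False,
                    "message": f"cpe-stable-backport: Backported in {fmt(backport_ver)}"}
        return {"active": True,
                "message": f"May need backporting (fixed from {fmt(backport_ver)})"}
    return {"active": True, "message": f"Needs backporting (fixed from {fmt(fixed)})"}


def build_output(version: Version, records: Dict[str, dict]) -> str:
    """Serialise like the script, plus the kernel version the data was
    generated for so a consumer can refuse a file meant for another kernel."""
    cve_status = {
        cve: classify(version, rec.get("first_affected"), rec.get("fixed"),
                      rec.get("backport_ver"))
        for cve, rec in records.items()
    }
    return json.dumps({"kernel_version": fmt(version), "cve_status": cve_status}, indent=2)


def load_exclusions(text: str, expected_version: str) -> Dict[str, str]:
    """Consumer side: {CVE: message} for inactive entries only. Rejects a
    file generated for a different kernel or with malformed entries instead
    of silently setting CVE_STATUS flags from it."""
    data = json.loads(text)
    found = data.get("kernel_version")
    if found != expected_version:
        raise ValueError(f"JSON generated for kernel {found!r}, recipe builds {expected_version!r}")
    flags: Dict[str, str] = {}
    for cve_id, info in data.get("cve_status", {}).items():
        if not (isinstance(info, dict) and isinstance(info.get("message"), str)):
            raise ValueError(f"malformed entry for {cve_id}")
        if info.get("active", True):
            continue  # still applies: leave it for cve-check to report
        flags[cve_id] = info["message"]
    return flags


# Constructed sample records (placeholder CVE ids, except the one quoted in
# the commit message); the fields mirror what get_fixed_versions() returns.
SAMPLE_RECORDS = {
    "CVE-2019-25160": {"first_affected": None, "fixed": (5, 0), "backport_ver": None},
    "CVE-XXXX-0001": {"first_affected": (6, 14), "fixed": (6, 15), "backport_ver": None},
    "CVE-XXXX-0002": {"first_affected": (5, 10), "fixed": (6, 13), "backport_ver": (6, 12, 50)},
    "CVE-XXXX-0003": {"first_affected": (5, 10), "fixed": (6, 13), "backport_ver": (6, 12, 70)},
    "CVE-XXXX-0004": {"first_affected": (5, 10), "fixed": None, "backport_ver": None},
    "CVE-XXXX-0005": {"first_affected": (5, 10), "fixed": (6, 13), "backport_ver": None},
}

if __name__ == "__main__":
    output = build_output(parse_version("6.12.62"), SAMPLE_RECORDS)
    print(output)
    for cve, msg in load_exclusions(output, "6.12.62").items():
        print(f'CVE_STATUS[{cve}] = "{msg}"')
```

Run stand-alone it prints the JSON for a 6.12.62 kernel followed by the three `CVE_STATUS` lines a consumer may safely set; the three active entries stay out of the flags.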




* [PATCH 3/4] generate-cve-exclusions: Move python script
  2026-01-06 18:28 [PATCH 1/4] generate-cve-exclusions: Add --output-json option ValentinBoudevin
  2026-01-06 18:28 ` [PATCH 2/4] generate-cve-exclusions: Add a .bbclass ValentinBoudevin
@ 2026-01-06 18:28 ` ValentinBoudevin
  2026-01-06 18:28 ` [PATCH 4/4] linux: Add inherit on generate-cve-exclusions ValentinBoudevin
  2 siblings, 0 replies; 7+ messages in thread
From: ValentinBoudevin @ 2026-01-06 18:28 UTC (permalink / raw)
  To: openembedded-core; +Cc: ValentinBoudevin

The script should be located with other scripts in scripts/contrib
instead of staying in meta/classes/.

Update the new .bbclass to match this modification.
---
 meta/classes/generate-cve-exclusions.bbclass                    | 2 +-
 .../linux => scripts/contrib}/generate-cve-exclusions.py        | 0
 2 files changed, 1 insertion(+), 1 deletion(-)
 rename {meta/recipes-kernel/linux => scripts/contrib}/generate-cve-exclusions.py (100%)

diff --git a/meta/classes/generate-cve-exclusions.bbclass b/meta/classes/generate-cve-exclusions.bbclass
index 3e34ba563d..4f539ee4c5 100644
--- a/meta/classes/generate-cve-exclusions.bbclass
+++ b/meta/classes/generate-cve-exclusions.bbclass
@@ -28,7 +28,7 @@ do_clone_cvelistV5[doc] = "Clone CVE information from the CVE Project: https://g
 addtask clone_cvelistV5 after do_fetch before do_generate_cve_exclusions
 
 do_generate_cve_exclusions() {
-    generate_cve_exclusions_script=$(find ${COREBASE} -name "generate-cve-exclusions.py")
+    generate_cve_exclusions_script=${COREBASE}/scripts/contrib/generate-cve-exclusions.py
     if [ -z "${generate_cve_exclusions_script}" ]; then
         bbfatal "generate-cve-exclusions.py not found in ${COREBASE}."
     fi
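Review bot: with the assignment changed to the literal `${COREBASE}/scripts/contrib/generate-cve-exclusions.py`, the following `[ -z "${generate_cve_exclusions_script}" ]` test can never succeed, so the `bbfatal` branch is dead code and a missing script is only noticed when `python3` fails to open it; test for the file instead, e.g. `if [ ! -f "${generate_cve_exclusions_script}" ]; then`. The commit message also says the script was "staying in meta/classes/", while the rename below shows it coming from `meta/recipes-kernel/linux/`.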
diff --git a/meta/recipes-kernel/linux/generate-cve-exclusions.py b/scripts/contrib/generate-cve-exclusions.py
similarity index 100%
rename from meta/recipes-kernel/linux/generate-cve-exclusions.py
rename to scripts/contrib/generate-cve-exclusions.py
-- 
2.43.0




* [PATCH 4/4] linux: Add inherit on generate-cve-exclusions
  2026-01-06 18:28 [PATCH 1/4] generate-cve-exclusions: Add --output-json option ValentinBoudevin
  2026-01-06 18:28 ` [PATCH 2/4] generate-cve-exclusions: Add a .bbclass ValentinBoudevin
  2026-01-06 18:28 ` [PATCH 3/4] generate-cve-exclusions: Move python script ValentinBoudevin
@ 2026-01-06 18:28 ` ValentinBoudevin
  2026-01-06 18:41   ` [OE-core] " Bruce Ashfield
  2 siblings, 1 reply; 7+ messages in thread
From: ValentinBoudevin @ 2026-01-06 18:28 UTC (permalink / raw)
  To: openembedded-core; +Cc: ValentinBoudevin

All kernel recipes can use generate-cve-exclusions class to perform CVE
exclusions.
---
 meta/recipes-kernel/linux/linux-yocto-rt_6.12.bb   | 3 +++
 meta/recipes-kernel/linux/linux-yocto-rt_6.16.bb   | 3 +++
 meta/recipes-kernel/linux/linux-yocto-rt_6.18.bb   | 3 +++
 meta/recipes-kernel/linux/linux-yocto-tiny_6.12.bb | 3 +++
 meta/recipes-kernel/linux/linux-yocto-tiny_6.16.bb | 3 +++
 meta/recipes-kernel/linux/linux-yocto-tiny_6.18.bb | 3 +++
 meta/recipes-kernel/linux/linux-yocto_6.12.bb      | 3 +++
 meta/recipes-kernel/linux/linux-yocto_6.16.bb      | 3 +++
 meta/recipes-kernel/linux/linux-yocto_6.18.bb      | 3 +++
 9 files changed, 27 insertions(+)

diff --git a/meta/recipes-kernel/linux/linux-yocto-rt_6.12.bb b/meta/recipes-kernel/linux/linux-yocto-rt_6.12.bb
index 9ac8507f9f..5cc735ae93 100644
--- a/meta/recipes-kernel/linux/linux-yocto-rt_6.12.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-rt_6.12.bb
@@ -5,6 +5,9 @@ require recipes-kernel/linux/linux-yocto.inc
 # CVE exclusions
 include recipes-kernel/linux/cve-exclusion_6.12.inc
 
+# Generate Dynamic CVE Exclusions
+inherit generate-cve-exclusions
+
 # Skip processing of this recipe if it is not explicitly specified as the
 # PREFERRED_PROVIDER for virtual/kernel. This avoids errors when trying
 # to build multiple virtual/kernel providers, e.g. as dependency of
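Review bot: `inherit generate-cve-exclusions` is unconditional and sits directly after `include recipes-kernel/linux/cve-exclusion_6.12.inc`, so the class's `do_cve_check:prepend` will overwrite, CVE by CVE, the reviewed static `CVE_STATUS` flags from that `.inc` with whatever the freshly fetched data says, and because the class chains network, nostamp tasks before `do_cve_check`, every standard build of this recipe now performs that fetch. Consider gating the inherit on a variable the user opts into and stating in the commit message which source wins on conflict, the static include or the generated data; the same applies to the other eight recipes in this patch.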
diff --git a/meta/recipes-kernel/linux/linux-yocto-rt_6.16.bb b/meta/recipes-kernel/linux/linux-yocto-rt_6.16.bb
index 1230e4e805..53532b4e7e 100644
--- a/meta/recipes-kernel/linux/linux-yocto-rt_6.16.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-rt_6.16.bb
@@ -5,6 +5,9 @@ require recipes-kernel/linux/linux-yocto.inc
 # CVE exclusions
 include recipes-kernel/linux/cve-exclusion_6.16.inc
 
+# Generate Dynamic CVE Exclusions
+inherit generate-cve-exclusions
+
 # Skip processing of this recipe if it is not explicitly specified as the
 # PREFERRED_PROVIDER for virtual/kernel. This avoids errors when trying
 # to build multiple virtual/kernel providers, e.g. as dependency of
diff --git a/meta/recipes-kernel/linux/linux-yocto-rt_6.18.bb b/meta/recipes-kernel/linux/linux-yocto-rt_6.18.bb
index 32ed29f25e..e95264d99d 100644
--- a/meta/recipes-kernel/linux/linux-yocto-rt_6.18.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-rt_6.18.bb
@@ -5,6 +5,9 @@ require recipes-kernel/linux/linux-yocto.inc
 # CVE exclusions
 include recipes-kernel/linux/cve-exclusion_6.18.inc
 
+# Generate Dynamic CVE Exclusions
+inherit generate-cve-exclusions
+
 # Skip processing of this recipe if it is not explicitly specified as the
 # PREFERRED_PROVIDER for virtual/kernel. This avoids errors when trying
 # to build multiple virtual/kernel providers, e.g. as dependency of
diff --git a/meta/recipes-kernel/linux/linux-yocto-tiny_6.12.bb b/meta/recipes-kernel/linux/linux-yocto-tiny_6.12.bb
index 940561352c..6b17c2ff7f 100644
--- a/meta/recipes-kernel/linux/linux-yocto-tiny_6.12.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-tiny_6.12.bb
@@ -8,6 +8,9 @@ require recipes-kernel/linux/linux-yocto.inc
 # CVE exclusions
 include recipes-kernel/linux/cve-exclusion_6.12.inc
 
+# Generate Dynamic CVE Exclusions
+inherit generate-cve-exclusions
+
 LINUX_VERSION ?= "6.12.62"
 LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46"
 
diff --git a/meta/recipes-kernel/linux/linux-yocto-tiny_6.16.bb b/meta/recipes-kernel/linux/linux-yocto-tiny_6.16.bb
index ffa15b0c1b..02e502faed 100644
--- a/meta/recipes-kernel/linux/linux-yocto-tiny_6.16.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-tiny_6.16.bb
@@ -8,6 +8,9 @@ require recipes-kernel/linux/linux-yocto.inc
 # CVE exclusions
 include recipes-kernel/linux/cve-exclusion_6.16.inc
 
+# Generate Dynamic CVE Exclusions
+inherit generate-cve-exclusions
+
 LINUX_VERSION ?= "6.16.11"
 LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46"
 
diff --git a/meta/recipes-kernel/linux/linux-yocto-tiny_6.18.bb b/meta/recipes-kernel/linux/linux-yocto-tiny_6.18.bb
index 2afdc02467..e36a7fb028 100644
--- a/meta/recipes-kernel/linux/linux-yocto-tiny_6.18.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-tiny_6.18.bb
@@ -8,6 +8,9 @@ require recipes-kernel/linux/linux-yocto.inc
 # CVE exclusions
 include recipes-kernel/linux/cve-exclusion_6.18.inc
 
+# Generate Dynamic CVE Exclusions
+inherit generate-cve-exclusions
+
 LINUX_VERSION ?= "6.18.1"
 LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46"
 
diff --git a/meta/recipes-kernel/linux/linux-yocto_6.12.bb b/meta/recipes-kernel/linux/linux-yocto_6.12.bb
index 84419f8c78..b6ac5f9b90 100644
--- a/meta/recipes-kernel/linux/linux-yocto_6.12.bb
+++ b/meta/recipes-kernel/linux/linux-yocto_6.12.bb
@@ -6,6 +6,9 @@ require recipes-kernel/linux/linux-yocto.inc
 include recipes-kernel/linux/cve-exclusion.inc
 include recipes-kernel/linux/cve-exclusion_6.12.inc
 
+# Generate Dynamic CVE Exclusions
+inherit generate-cve-exclusions
+
 # board specific branches
 KBRANCH:qemuarm  ?= "v6.12/standard/arm-versatile-926ejs"
 KBRANCH:qemuarm64 ?= "v6.12/standard/base"
diff --git a/meta/recipes-kernel/linux/linux-yocto_6.16.bb b/meta/recipes-kernel/linux/linux-yocto_6.16.bb
index 408f14b451..947de4186e 100644
--- a/meta/recipes-kernel/linux/linux-yocto_6.16.bb
+++ b/meta/recipes-kernel/linux/linux-yocto_6.16.bb
@@ -6,6 +6,9 @@ require recipes-kernel/linux/linux-yocto.inc
 include recipes-kernel/linux/cve-exclusion.inc
 include recipes-kernel/linux/cve-exclusion_6.16.inc
 
+# Generate Dynamic CVE Exclusions
+inherit generate-cve-exclusions
+
 # board specific branches
 KBRANCH:qemuarm  ?= "v6.16/standard/arm-versatile-926ejs"
 KBRANCH:qemuarm64 ?= "v6.16/standard/base"
diff --git a/meta/recipes-kernel/linux/linux-yocto_6.18.bb b/meta/recipes-kernel/linux/linux-yocto_6.18.bb
index 562a997020..66320f7123 100644
--- a/meta/recipes-kernel/linux/linux-yocto_6.18.bb
+++ b/meta/recipes-kernel/linux/linux-yocto_6.18.bb
@@ -6,6 +6,9 @@ require recipes-kernel/linux/linux-yocto.inc
 include recipes-kernel/linux/cve-exclusion.inc
 include recipes-kernel/linux/cve-exclusion_6.18.inc
 
+# Generate Dynamic CVE Exclusions
+inherit generate-cve-exclusions
+
 # board specific branches
 KBRANCH:qemuarm  ?= "v6.18/standard/arm-versatile-926ejs"
 KBRANCH:qemuarm64 ?= "v6.18/standard/base"
-- 
2.43.0




* Re: [OE-core] [PATCH 2/4] generate-cve-exclusions: Add a .bbclass
  2026-01-06 18:28 ` [PATCH 2/4] generate-cve-exclusions: Add a .bbclass ValentinBoudevin
@ 2026-01-06 18:39   ` Bruce Ashfield
  2026-01-06 18:52     ` vboudevin
  0 siblings, 1 reply; 7+ messages in thread
From: Bruce Ashfield @ 2026-01-06 18:39 UTC (permalink / raw)
  To: valentin.boudevin; +Cc: openembedded-core


I can't tell, if this runs on every bitbake/compilation of the kernel, then
this is a hard NACK.

Make a task for it, or just add instructions on how to generate these, but
it cannot be in the standard build set of tasks.

Bruce


-- 
- Thou shalt not follow the NULL pointer, for chaos and madness await thee
at its end
- "Use the force Harry" - Gandalf, Star Trek II



* Re: [OE-core] [PATCH 4/4] linux: Add inherit on generate-cve-exclusions
  2026-01-06 18:28 ` [PATCH 4/4] linux: Add inherit on generate-cve-exclusions ValentinBoudevin
@ 2026-01-06 18:41   ` Bruce Ashfield
  0 siblings, 0 replies; 7+ messages in thread
From: Bruce Ashfield @ 2026-01-06 18:41 UTC (permalink / raw)
  To: valentin.boudevin; +Cc: openembedded-core


Make sure to copy me directly on any changes to the linux-yocto*
recipes.

To repeat my review of the class, if this is something that adds
a process step to standard builds of the kernel, then this isn't
the right integration point.

If I've misunderstood the patches, then the comments in the
commit log and in the code itself should be tweaked to make it
clear.

Bruce





* Re: [PATCH 2/4] generate-cve-exclusions: Add a .bbclass
  2026-01-06 18:39   ` [OE-core] " Bruce Ashfield
@ 2026-01-06 18:52     ` vboudevin
  0 siblings, 0 replies; 7+ messages in thread
From: vboudevin @ 2026-01-06 18:52 UTC (permalink / raw)
  To: openembedded-core


Thanks for your feedback.

Then, I will modify it to be an independent task which can be run with "bitbake linux-yocto -c generate_cve_exclusions".
It will remove the mandatory aspect of this task in the workflow.


