From: Benjamin Robin <benjamin.robin@bootlin.com>
To: openembedded-core@lists.openembedded.org,
Daniel Turull <daniel.turull@ericsson.com>
Subject: Re: [PATCH] improve_kernel_cve_report: use numeric versions instead of cpeApplicability
Date: Fri, 17 Apr 2026 15:32:18 +0200
Message-ID: <5983306.DvuYhMxLoT@brobin-bootlin>
In-Reply-To: <20260417132409.1638132-1-daniel.turull@ericsson.com>
Hello Daniel,
On Friday, April 17, 2026 at 3:24 PM, daniel.turull@ericsson.com wrote:
> From: Daniel Turull <daniel.turull@ericsson.com>
>
> git shas or versions should be used instead of cpeApplicability.
> Reuse the same logic as generate-cve-exclusions, so outputs are consistent.
>
> cpeApplicability does not provide accurate version information and for some
> CVEs the information is not the same. This came from a discussion that
> we had with Greg Kroah-Hartman, member of the Linux security team.
Indeed "cpeApplicability" does not provide the same kind of information as
the "versions" node.
In sbom-cve-check (the latest version in main branch) we are using both
sources of information.
But you are saying that "cpeApplicability" does not provide accurate version
information. Could you elaborate and give various examples? I have never seen
anything invalid in "cpeApplicability".
> Signed-off-by: Daniel Turull <daniel.turull@ericsson.com>
> ---
> scripts/contrib/improve_kernel_cve_report.py | 247 ++++++++-----------
> 1 file changed, 104 insertions(+), 143 deletions(-)
--
Benjamin Robin, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
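The point under discussion is that a kernel CVE record carries two descriptions of the affected range, the "versions" node and "cpeApplicability", and that a tool reading only one of them can reach a different verdict than a tool reading the other. The script below is an added example, not code from improve_kernel_cve_report.py, sbom-cve-check or this thread: it evaluates both nodes of a CVE 5.x-style record against a list of kernel versions and reports where the two sources disagree. The record is constructed for illustration (the version numbers and the git shas are placeholders, not a real CVE), git-type ranges are skipped because ordering shas needs a kernel checkout, and cpeMatch nodes are assumed to be simple OR nodes without "negate".

```python
"""Compare the affected-version ranges that a CVE 5.x record states in its
'versions' node against those stated in 'cpeApplicability'.

Added example, not code from improve_kernel_cve_report.py or sbom-cve-check.
The record below is CONSTRUCTED to resemble a kernel CNA entry; the numbers
and shas are placeholders, not a real CVE."""
import json

# Constructed record. The semver range and the cpeApplicability range
# deliberately disagree on 6.1.50 .. 6.1.54 to show what a checker must flag.
SAMPLE_RECORD = json.loads("""
{"containers": {"cna": {
  "affected": [{"product": "Linux", "vendor": "Linux",
    "defaultStatus": "unaffected",
    "versions": [
      {"version": "1111111111111111111111111111111111111111",
       "lessThan": "2222222222222222222222222222222222222222",
       "status": "affected", "versionType": "git"},
      {"version": "6.1", "lessThan": "6.1.55",
       "status": "affected", "versionType": "semver"},
      {"version": "6.6", "lessThan": "6.6.10",
       "status": "affected", "versionType": "semver"}]}],
  "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false,
    "cpeMatch": [
      {"vulnerable": true,
       "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
       "versionStartIncluding": "6.1", "versionEndExcluding": "6.1.50"},
      {"vulnerable": true,
       "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
       "versionStartIncluding": "6.6", "versionEndExcluding": "6.6.10"}]}]}]
}}}
""")


def vtuple(v):
    """'6.1.50' -> (6, 1, 50) so that versions compare numerically."""
    return tuple(int(x) for x in v.split("."))


def in_range(ver, start, end_excl=None, end_incl=None):
    """True when start <= ver and ver is below the end bound, if one is given."""
    v = vtuple(ver)
    if v < vtuple(start):
        return False
    if end_excl is not None and v >= vtuple(end_excl):
        return False
    if end_incl is not None and v > vtuple(end_incl):
        return False
    return True


def affected_by_versions(record, ver):
    """Verdict from the 'versions' node. Only numeric (semver/custom) entries
    are evaluated; 'git' entries are skipped because ordering two shas needs
    a kernel checkout, which this example does not have."""
    for aff in record["containers"]["cna"]["affected"]:
        for entry in aff.get("versions", []):
            if entry.get("versionType") == "git" or entry.get("status") != "affected":
                continue
            if in_range(ver, entry["version"], entry.get("lessThan"),
                        entry.get("lessThanOrEqual")):
                return True
    return False


def affected_by_cpe(record, ver):
    """Verdict from 'cpeApplicability'. Assumes plain OR nodes (no 'negate'),
    so any vulnerable cpeMatch whose range contains ver is a hit."""
    for app in record["containers"]["cna"].get("cpeApplicability", []):
        for node in app.get("nodes", []):
            for m in node.get("cpeMatch", []):
                if not m.get("vulnerable", False):
                    continue
                if in_range(ver, m.get("versionStartIncluding", "0"),
                            m.get("versionEndExcluding"),
                            m.get("versionEndIncluding")):
                    return True
    return False


def disagreements(record, candidates):
    """Versions on which the two sources give a different verdict."""
    return [v for v in candidates
            if affected_by_versions(record, v) != affected_by_cpe(record, v)]


if __name__ == "__main__":
    probes = ["6.1.49", "6.1.50", "6.1.54", "6.1.55", "6.6.9", "6.6.10"]
    for v in probes:
        print(v, "versions:", affected_by_versions(SAMPLE_RECORD, v),
              "cpeApplicability:", affected_by_cpe(SAMPLE_RECORD, v))
    print("disagree on:", disagreements(SAMPLE_RECORD, probes))
```

Run against the constructed record, the two nodes agree on every probe except 6.1.50 and 6.1.54, which the "versions" node marks affected and "cpeApplicability" does not; a report generator that silently picks one source would therefore produce different output from one that picks the other, which is the consistency problem the patch description raises. Git-type ranges, which the kernel CNA also publishes, need the sha ordering that generate-cve-exclusions obtains from a kernel tree, and are out of scope here.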