public inbox for openembedded-core@lists.openembedded.org
From: Benjamin Robin <benjamin.robin@bootlin.com>
To: "openembedded-core@lists.openembedded.org"
	<openembedded-core@lists.openembedded.org>,
	Daniel Turull <daniel.turull@ericsson.com>
Subject: Re: [PATCH] improve_kernel_cve_report: use numeric versions instead of cpeApplicability
Date: Fri, 17 Apr 2026 16:47:08 +0200
Message-ID: <8667598.T7Z3S40VBb@brobin-bootlin>
In-Reply-To: <PA3PR07MB10721AC4C17755A46BB4D4F378A202@PA3PR07MB10721.eurprd07.prod.outlook.com>

On Friday, April 17, 2026 at 4:35 PM, Daniel Turull wrote:
> True,
> I sent CVEs that had different responses. I used an old checkout and reran with the old and the new script.
> 
> I'm starting to find some issues with the data that we should clarify before merging this patch. Let's pause it and have it corrected.
> 
> For example,
> https://git.kernel.org/pub/scm/linux/security/vulns.git/tree/cve/published/2025/CVE-2025-40067.json
> 
> "defaultStatus": "affected",
> {
>                      "version": "6.6.112",
>                      "lessThanOrEqual": "6.6.*",
>                      "status": "unaffected",
>                      "versionType": "semver"
>                   },
> 
> "negate": false,
> {
>                            "vulnerable": true,
>                            "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
>                            "versionStartIncluding": "6.6.102",
>                            "versionEndExcluding": "6.6.112"
>                         },

I see nothing wrong here.
In [>6.6.102, <6.6.112] => vulnerable, and [>=6.6.112, <=6.6.*] => not vulnerable.

> In this case, the information in one of the entries is not correct. For example, 6.6.100 is vulnerable in the versions but not in the cpeApplicability, but git versions and cpeApplicability match if we do a git describe on them.

I really did not understand this sentence.
Be aware that if you do a git describe, the tag that is displayed is the one
that can be reached, not the tag that includes the commit!

Could you elaborate in more detail? I may be wrong here...

> I'll send an email to ask for clarification to the kernel security team and try to see other similar cases. I must say that this is a minority of all CVEs.
> 
> Also I need to look if this could be integrated in the sbom-cve-check, so we have it only one place. I want to be able to run the script as well with older releases or just telling the kernel to use without SBOM.

This is already integrated into sbom-cve-check (I pushed it to main today),
but the algorithm is completely different.
And again, since the NVD database is enabled (by default), the result is not as
good as if you were only using the CVEList entries.

I was going to propose to drop this Python script that you are working on.

> 
> Best regards,
> Daniel
> 
> 
> > -----Original Message-----
> > From: Benjamin Robin <benjamin.robin@bootlin.com>
> > Sent: Friday, 17 April 2026 15:55
> > To: openembedded-core@lists.openembedded.org; Daniel Turull
> > <daniel.turull@ericsson.com>
> > Subject: Re: [PATCH] improve_kernel_cve_report: use numeric versions
> > instead of cpeApplicability
> > 
> > On Friday, April 17, 2026 at 3:44 PM, Daniel Turull wrote:
> > > Hi,
> > > We had Greg visiting us and I asked him what is better to use and he said git
> > > or versions, not cpeApplicability, which has issues defining trees.
> > 
> > Your reply is technically not responding to my question :) Could you provide at
> > least one example of an entry that is not correct in the cpeApplicability
> > node?
> > 
> > The script previously had various issues (or at least it looked like it).
> > I preferred to use a completely different algorithm (and use all sources of
> > information).
> > 
> > But since I am also using NVD entries, this degrades a bit the quality of the
> > generated assessment message.
> > 
> > > I have done some comparisons with 6.6.100 and 6.18.22



-- 
Benjamin Robin, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
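The disagreement the thread is chasing can be reproduced mechanically. The script below is an added illustration, not code from this thread, from the improve_kernel_cve_report script or from sbom-cve-check: it evaluates a kernel version against both encodings of a CVE 5.1 record, the CNA "versions" array (with the kernel CNA's "6.6.*" whole-branch upper bound) and the "cpeApplicability" node. The record it runs on is constructed from only the CVE-2025-40067 fragment quoted above, not the full record (which has more entries, including git-hash "original_commit_for_fix" ranges that the script skips), so verdicts for versions outside the quoted ranges may just reflect that truncation. All function names are my own.

```python
"""Evaluate a kernel version against both affected-range encodings of a
CVE 5.1 record: the CNA "versions" array and the "cpeApplicability" node.
Added example; not code from the thread, OE-core or the kernel CNA tooling."""
from typing import Dict, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'6.6.112' -> (6, 6, 112); tuples compare the way kernel versions do."""
    return tuple(int(part) for part in text.split("."))


def below(v: Version, bound: str, inclusive: bool) -> bool:
    """Is v below `bound`? A bound ending in '.*' (e.g. '6.6.*') names a whole
    stable branch, so only the branch prefix of v is compared."""
    if bound.endswith(".*"):
        prefix = parse_version(bound[:-2])
        head = v[:len(prefix)]
        return head <= prefix if inclusive else head < prefix
    b = parse_version(bound)
    return v <= b if inclusive else v < b


def status_from_versions(affected: dict, v: Version) -> str:
    """Status of v from a CNA 'affected' entry. Only 'semver' entries are
    evaluated ('original_commit_for_fix' entries hold git hashes and need a
    tree to compare). First matching range wins (assumption: ranges do not
    overlap); anything unmatched takes defaultStatus."""
    for entry in affected.get("versions", []):
        if entry.get("versionType") != "semver":
            continue
        lo = parse_version(entry["version"])
        if "lessThanOrEqual" in entry:
            hit = v >= lo and below(v, entry["lessThanOrEqual"], inclusive=True)
        elif "lessThan" in entry:
            hit = v >= lo and below(v, entry["lessThan"], inclusive=False)
        else:
            hit = v == lo
        if hit:
            return entry.get("status", "affected")
    return affected.get("defaultStatus", "unknown")


def cpe_match_hits(match: dict, v: Version) -> bool:
    """Does one cpeMatch entry flag v as vulnerable? All present bounds must hold."""
    if not match.get("vulnerable", False):
        return False
    lo_inc, lo_exc = match.get("versionStartIncluding"), match.get("versionStartExcluding")
    hi_inc, hi_exc = match.get("versionEndIncluding"), match.get("versionEndExcluding")
    if lo_inc is not None and not v >= parse_version(lo_inc):
        return False
    if lo_exc is not None and not v > parse_version(lo_exc):
        return False
    if hi_inc is not None and not below(v, hi_inc, inclusive=True):
        return False
    if hi_exc is not None and not below(v, hi_exc, inclusive=False):
        return False
    return True


def status_from_cpe(cna: dict, v: Version,
                    product_prefix: str = "cpe:2.3:o:linux:linux_kernel:") -> str:
    """'affected' if any node (after its negate flag) has a vulnerable kernel match."""
    for applicability in cna.get("cpeApplicability", []):
        for node in applicability.get("nodes", []):
            hit = any(cpe_match_hits(m, v) for m in node.get("cpeMatch", [])
                      if m.get("criteria", "").startswith(product_prefix))
            if node.get("negate", False):
                hit = not hit
            if hit:
                return "affected"
    return "unaffected"


def assess(record: dict, version: str) -> Dict[str, object]:
    """Both verdicts for one kernel version, plus whether they agree."""
    v = parse_version(version)
    cna = record["containers"]["cna"]
    from_versions = status_from_versions(cna["affected"][0], v)  # single Linux product
    from_cpe = status_from_cpe(cna, v)
    return {"version": version, "versions": from_versions,
            "cpeApplicability": from_cpe, "agree": from_versions == from_cpe}


# Constructed record: only the CVE-2025-40067 lines quoted in the thread,
# laid out as a CVE 5.1 CNA container. The real record has more entries.
SAMPLE_RECORD = {"containers": {"cna": {
    "affected": [{"vendor": "Linux", "product": "Linux", "defaultStatus": "affected",
                  "versions": [{"version": "6.6.112", "lessThanOrEqual": "6.6.*",
                                "status": "unaffected", "versionType": "semver"}]}],
    "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": False, "cpeMatch": [
        {"vulnerable": True, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
         "versionStartIncluding": "6.6.102", "versionEndExcluding": "6.6.112"}]}]}],
}}}

if __name__ == "__main__":
    for ver in ("6.6.100", "6.6.102", "6.6.105", "6.6.112", "6.6.130"):
        r = assess(SAMPLE_RECORD, ver)
        print(f"{ver:>8}  versions={r['versions']:<10} cpe={r['cpeApplicability']:<10} agree={r['agree']}")
```

On this fragment 6.6.100 comes out "affected" from the versions array (nothing below 6.6.112 is listed as unaffected, so defaultStatus applies) and "unaffected" from cpeApplicability (it sits before versionStartIncluding 6.6.102), which is exactly the kind of split the thread is asking the kernel security team about; 6.6.102 through 6.6.111 agree on "affected" and 6.6.112 onward agree on "unaffected". Whether the 6.6.100 split is real or an artefact of the quoted fragment can only be settled against the full record.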






Thread overview: 11+ messages
2026-04-17 13:24 [PATCH] improve_kernel_cve_report: use numeric versions instead of cpeApplicability daniel.turull
2026-04-17 13:32 ` Benjamin Robin
2026-04-17 13:44   ` Daniel Turull
2026-04-17 13:54     ` Benjamin Robin
2026-04-17 14:35       ` Daniel Turull
2026-04-17 14:47         ` Benjamin Robin [this message]
2026-04-17 16:54           ` Daniel Turull
2026-04-19  9:07             ` Benjamin Robin
2026-04-20  7:10               ` [OE-core] " Daniel Turull
2026-04-20  7:30                 ` Benjamin Robin
2026-04-20  7:53                   ` Daniel Turull
