From: "Yoann Congal" <yoann.congal@smile.fr>
To: "Yoann Congal" <yoann.congal@smile.fr>,
"Paul Barker" <paul@pbarker.dev>,
<openembedded-core@lists.openembedded.org>
Subject: Re: [OE-core][scarthgap 21/25] improve_kernel_cve_report: add script for postprocesing of kernel CVE data
Date: Tue, 10 Feb 2026 11:46:59 +0100
Message-ID: <DGB802Q1LFPJ.2VTMZ8JDI9O9M@smile.fr>
In-Reply-To: <DGB6HIM1ZK8A.2S3O9NW59L2DC@smile.fr>
On Tue Feb 10, 2026 at 10:35 AM CET, Yoann Congal wrote:
> On Mon Feb 9, 2026 at 11:58 AM CET, Paul Barker wrote:
>> On Mon, 2026-02-09 at 10:29 +0100, Yoann Congal via
>> lists.openembedded.org wrote:
>>> From: Daniel Turull <daniel.turull@ericsson.com>
>>>
>>> Adding postprocessing script to process data from linux CNA that includes more accurate metadata and it is updated directly by the source.
>>>
>>> Example of enhanced CVE from a report from cve-check:
>>>
>>> {
>>> "id": "CVE-2024-26710",
>>> "status": "Ignored",
>>> "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26710",
>>> "summary": "In the Linux kernel, the following vulnerability [...]",
>>> "scorev2": "0.0",
>>> "scorev3": "5.5",
>>> "scorev4": "0.0",
>>> "modified": "2025-03-17T15:36:11.620",
>>> "vector": "LOCAL",
>>> "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
>>> "detail": "not-applicable-config",
>>> "description": "Source code not compiled by config. ['arch/powerpc/include/asm/thread_info.h']"
>>> },
>>>
>>> And same from a report generated with vex:
>>> {
>>> "id": "CVE-2024-26710",
>>> "status": "Ignored",
>>> "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26710",
>>> "detail": "not-applicable-config",
>>> "description": "Source code not compiled by config. ['arch/powerpc/include/asm/thread_info.h']"
>>> },
>>>
>>> For unpatched CVEs, provide more context in the description:
>>> Tested with 6.12.22 kernel
>>> {
>>> "id": "CVE-2025-39728",
>>> "status": "Unpatched",
>>> "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39728",
>>> "summary": "In the Linux kernel, the following vulnerability has been [...]",
>>> "scorev2": "0.0",
>>> "scorev3": "0.0",
>>> "scorev4": "0.0",
>>> "modified": "2025-04-21T14:23:45.950",
>>> "vector": "UNKNOWN",
>>> "vectorString": "UNKNOWN",
>>> "detail": "version-in-range",
>>> "description": "Needs backporting (fixed from 6.12.23)"
>>> },
>>>
>>> CC: Peter Marko <peter.marko@siemens.com>
>>> CC: Marta Rybczynska <rybczynska@gmail.com>
>>> Signed-off-by: Daniel Turull <daniel.turull@ericsson.com>
>>> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
>>> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
>>> (cherry picked from commit e60b1759c1aea5b8f5317e46608f0a3e782ecf57)
>>> Signed-off-by: Suresh H A <suresh.ha@bmwtechworks.in>
>>> Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
>>
>> This looks like a backport of a new feature, if we're making an
>> exception to allow this to be backported then we should document the
>> reason why (apologies if this is somewhere on the list and I've missed
>> it).
>
> I've talked about it briefly there:
> https://lore.kernel.org/openembedded-core/CAMSfU+6DXfuaG0uyPtEg5hE7oHqP=8pRhSttciF+NHcwr0Hpjg@mail.gmail.com/t/#u
> Mainly, since this is "contrib/", I don't mind relaxing rules a bit.
> @Paul, do you think this is reasonable?
>
> I agree that this exception should be documented (I will add a note in the
> commit message)
@Paul, see the updated commit message in
https://git.openembedded.org/openembedded-core-contrib/commit/?h=stable/scarthgap-nut&id=26138b9f4c1cfe4718f719ea7710c80290d9a8da :
> [Yoann: Stable policy exception: This change is clearly a new feature
> and thus should be rejected from stables by policy. But, since this is
> contrib/ an exception can be made]
> Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
>> If we do take this, we should also consider the other changes made to
>> this script since it was added to master.
>
> Yes, if I accept this one, I would also accept further updates on this
> script.
>
> Cheers,
--
Yoann Congal
Smile ECS