Re: [OE-core] [scarthgap] [PATCH v1 0/4] cve-check: fix incorrect CVE assessments and runtime warnings - cover letter

["Yoann Congal" <yoann.congal@smile.fr>]

Hello,

On Wed Mar 18, 2026 at 6:39 AM CET, Het Patel via lists.openembedded.org wrote:
> From: Het Patel <hetpat@cisco.com>
>
> The patches address the following bugs:
>
> 1. Incomplete CVE Assessment Details: Currently, the `detail` field is missing for approximately 81% of entries, rendering reports unreliable for auditing. These changes ensure that the rationale for a "Patched" or "Unpatched" assessment is properly recorded, allowing for a clear distinction between version-based assessments and missing data.
>
> 2. Runtime Warnings: Corrects four instances where debug calls were missing the required log level parameter. This change eliminates the runtime warnings that currently trigger during every CVE scan.

I appreciate that you trimed down your previous try to cleanup CVE
checking code[0]. But I still feel like it is too intrusive for stable
inclusion.

Can you please provide examples of some CVEs having "Incomplete CVE
Assessment Details:" so I can understand the problem?

> Testing:
> - Applied cleanly to the current `scarthgap` HEAD.
> - Verified via a full CVE scan.
> - Confirmed that all existing CVE statuses are preserved with no regressions observed.

Can you provide output (log+json) both before/after to verify this
claim?

Thanks!

[0]: https://lore.kernel.org/openembedded-core/20260220053443.3006180-1-hetpat@cisco.com/#r

> Het Patel (4):
>   cve-check: encode affected product/vendor in CVE_STATUS
>   cve-check: annotate CVEs during analysis
>   cve-check-map: add new statuses
>   cve-check: fix debug message
>
>  meta/classes/cve-check.bbclass | 246 +++++++++++++++++++++--------------------
>  meta/conf/cve-check-map.conf   |   9 +
>  meta/lib/oe/cve_check.py       |  74 +++++++++---
>  3 files changed, 197 insertions(+), 132 deletions(-)


-- 
Yoann Congal
Smile ECS