Re: [OE-core] [scarthgap] [PATCH v1 0/4] cve-check: fix incorrect CVE assessments and runtime warnings - cover letter

["Yoann Congal" <yoann.congal@smile.fr>]

On Wed Mar 18, 2026 at 2:10 PM CET, Yoann Congal wrote:
> On Wed Mar 18, 2026 at 1:57 PM CET, Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco) wrote:
>> Hi Yoann,
>>
>> I will share the new series of patches, which includes a few additional ones. I will attach the corresponding output files to that.
>
> Hmmm, I wrote that I felt that the series was too intrusive and now you
> want to add more patches? Are you sure this is the right direction?

Oh, I see now that you are talking about patches from Peter
suggestion. The series might still be too intrusive but it will be more
coherent. Got it.

> (I'm trying to prevent you from losing time to something that could
> ultimately be unmergable...)
>
> Regards,
>
>>
>> Best regards,
>> Het
>> ________________________________
>> From: Yoann Congal <yoann.congal@smile.fr>
>> Sent: Wednesday, March 18, 2026 4:37 PM
>> To: Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco) <hetpat@cisco.com>; openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org>
>> Cc: xe-linux-external(mailer list) <xe-linux-external@cisco.com>; Viral Chavda (vchavda) <vchavda@cisco.com>
>> Subject: Re: [OE-core] [scarthgap] [PATCH v1 0/4] cve-check: fix incorrect CVE assessments and runtime warnings - cover letter
>>
>> Hello,
>>
>> On Wed Mar 18, 2026 at 6:39 AM CET, Het Patel via lists.openembedded.org wrote:
>>> From: Het Patel <hetpat@cisco.com>
>>>
>>> The patches address the following bugs:
>>>
>>> 1. Incomplete CVE Assessment Details: Currently, the `detail` field is missing for approximately 81% of entries, rendering reports unreliable for auditing. These changes ensure that the rationale for a "Patched" or "Unpatched" assessment is properly recorded, allowing for a clear distinction between version-based assessments and missing data.
>>>
>>> 2. Runtime Warnings: Corrects four instances where debug calls were missing the required log level parameter. This change eliminates the runtime warnings that currently trigger during every CVE scan.
>>
>> I appreciate that you trimed down your previous try to cleanup CVE
>> checking code[0]. But I still feel like it is too intrusive for stable
>> inclusion.
>>
>> Can you please provide examples of some CVEs having "Incomplete CVE
>> Assessment Details:" so I can understand the problem?
>>
>>> Testing:
>>> - Applied cleanly to the current `scarthgap` HEAD.
>>> - Verified via a full CVE scan.
>>> - Confirmed that all existing CVE statuses are preserved with no regressions observed.
>>
>> Can you provide output (log+json) both before/after to verify this
>> claim?
>>
>> Thanks!
>>
>> [0]: https://lore.kernel.org/openembedded-core/20260220053443.3006180-1-hetpat@cisco.com/#r
>>
>>> Het Patel (4):
>>>   cve-check: encode affected product/vendor in CVE_STATUS
>>>   cve-check: annotate CVEs during analysis
>>>   cve-check-map: add new statuses
>>>   cve-check: fix debug message
>>>
>>>  meta/classes/cve-check.bbclass | 246 +++++++++++++++++++++--------------------
>>>  meta/conf/cve-check-map.conf   |   9 +
>>>  meta/lib/oe/cve_check.py       |  74 +++++++++---
>>>  3 files changed, 197 insertions(+), 132 deletions(-)
>>
>>
>> --
>> Yoann Congal
>> Smile ECS


-- 
Yoann Congal
Smile ECS