public inbox for docs@lists.yoctoproject.org
From: ValentinBoudevin <valentin.boudevin@gmail.com>
To: docs@lists.yoctoproject.org
Cc: ValentinBoudevin <valentin.boudevin@gmail.com>
Subject: [PATCH] vulnerabilities: add support for new bbclass
Date: Tue, 13 Jan 2026 14:24:57 -0500
Message-ID: <20260113192458.3478804-1-valentin.boudevin@gmail.com>

Update the documentation to add the description for:

*generate-cve-exclusions.bbclass
*improve_kernel_cve_report.bbclass

These .bbclass files haven't been merged yet in openembedded-core. This doesn't
need to be merged until the two following PRs are validated:

*PR for generate-cve-exclusions.bbclass: https://lists.openembedded.org/g/openembedded-core/message/228924
*PR for improve_kernel_cve_report.bbclass: https://lists.openembedded.org/g/openembedded-core/message/228932

Request to set the documentation up-to-date:

https://lists.openembedded.org/g/openembedded-core/message/229041

Signed-off-by: ValentinBoudevin <valentin.boudevin@gmail.com>
---
 documentation/dev-manual/vulnerabilities.rst | 62 +++++++++++++++++---
 1 file changed, 54 insertions(+), 8 deletions(-)

diff --git a/documentation/dev-manual/vulnerabilities.rst b/documentation/dev-manual/vulnerabilities.rst
index 6eaf75758..a1eb8105a 100644
--- a/documentation/dev-manual/vulnerabilities.rst
+++ b/documentation/dev-manual/vulnerabilities.rst
@@ -346,15 +346,47 @@ issues helps to reduce their workload.
 :term:`OpenEmbedded-Core (OE-Core)` has two scripts that help to characterize
 and filter CVEs affecting the Linux kernel:
 
--  ``openembedded-core/meta/recipes-kernel/linux/generate-cve-exclusions.py``
+-  ``openembedded-core/scripts/contrib/generate-cve-exclusions.py``
 -  ``openembedded-core/scripts/contrib/improve_kernel_cve_report.py``
 
-``generate-cve-exclusions.py``
+The usage of these scripts can be automated with ``.bbclass`` files:
+
+-  ``openembedded-core/meta/classes/generate-cve-exclusions.bbclass``
+-  ``openembedded-core/meta/classes/improve_kernel_cve_report.bbclass``
+
+``generate-cve-exclusions``
 ------------------------------
 
-When updating a kernel recipe, a helper script needs to be run manually to
-update the :term:`CVE_STATUS` for the kernel recipe. The script can be used
-for custom kernels.
+The kernel recipe requires :term:`CVE_STATUS` variable.
+
+Two methods are available to generate the CVE exclusions for the kernel:
+
+- The class ``generate-cve-exclusions.bbclass`` can be inherited in the
+  kernel recipe to automatically set the variable :term:`CVE_STATUS`
+  during the build, based on ``https://github.com/CVEProject/cvelistV5``.
+
+First, modify your kernel recipe to inherit the class::
+
+   inherit generate-cve-exclusions
+
+Then, you can invoke the ``generate-cve-exclusions`` task to generate
+the CVE exclusions for the kernel version being built.
+
+.. code-block:: shell
+
+   $ bitbake -c generate-cve-exclusions <linux-recipe>
+
+The task will create a new folder named ``cvelistV5`` under the kernel
+working directory.
+
+This folder will contain an updated version of ``https://github.com/CVEProject/cvelistV5``.
+
+It will also store a ``.json`` file which contains the update for
+:term:`CVE_STATUS` variable for the kernel version being built.
+
+- A script named ``generate-cve-exclusions.py`` that can be run manually
+  to generate the CVE exclusions file that can be included in the kernel
+  recipe:
 
 First we need to get an updated version of the CVE information from the
 `CVE Project`. Run it as follows:
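Review bot: the bullet list introduced by "Two methods are available to generate the CVE exclusions for the kernel:" is broken by the unindented paragraphs that follow the first bullet ("First, modify your kernel recipe to inherit the class::" through the paragraph about the ``.json`` file), so RST renders two separate one-item lists with the class walkthrough floating between them instead of one list of two methods. Either indent each method's steps under its bullet, or make the two methods sub-sections and keep the intro as a plain sentence; the second bullet has the same problem, since "First we need to get an updated version of the CVE information" is also at column 0. Two further points in this hunk: "The kernel recipe requires :term:`CVE_STATUS` variable." needs an article and a reason (it should say that :term:`CVE_STATUS` is what marks the kernel CVEs already fixed in the built version, which is what the end of this section says feeds the :ref:`ref-classes-cve-check` or :ref:`ref-classes-vex` report), and the text says the task keeps "an updated version of ``https://github.com/CVEProject/cvelistV5``" under the work directory, i.e. it clones or pulls from GitHub during the build, so the doc should state that the task needs network access and which revision of that repository it uses, since the exclusion list is only as reproducible as that checkout. Also confirm that the new path ``openembedded-core/scripts/contrib/generate-cve-exclusions.py`` is where the referenced oe-core series actually moves the script, as the old location was ``meta/recipes-kernel/linux/``.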
@@ -391,7 +423,7 @@ Don't forget to update your kernel recipe with::
 Then the CVE information will automatically be added in the
 :ref:`ref-classes-cve-check` or :ref:`ref-classes-vex` report.
 
-``improve_kernel_cve_report.py``
+``improve_kernel_cve_report``
 --------------------------------
 
 The ``openembedded-core/scripts/contrib/improve_kernel_cve_report.py`` script
@@ -442,8 +474,22 @@ Finally, store either the ``recipe-linux-yocto.spdx.json`` or the
 The :term:`SPDX` file is under
 ``tmp/deploy/spdx/<spdx_version>/<MACHINE>/recipes/recipe-linux-yocto.spdx.json``
 
-Once you have the input data, first you need to clone or fetch the latest CVE
-information from https://git.kernel.org:
+Once you have the input data, you will have two options to run the script:
+
+- Use the ``.bbclass`` file ``improve_kernel_cve_report.bbclass`` to
+  automatically run the script during the build. This class can be
+  inherited in the image recipe as follows::
+
+     inherit improve_kernel_cve_report
+
+  The class will run the script after the ``cve-check`` task and
+  generate a new version of it with a new entry in
+  ``tmp/deploy/images/machine/`` finishing with
+  ``.rootfs.scouted.json``.
+
+- Run manually the script ``improve_kernel_cve_report.py`` as follows:
+
+First, you need to clone or fetch the latest CVE information from https://git.kernel.org:
 
 .. code-block:: shell
 
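Review bot: "Once you have the input data, you will have two options to run the script:" no longer matches the first option: with ``improve_kernel_cve_report.bbclass`` inherited, the user does not gather the ``cve-check`` JSON or the SPDX file by hand, so say which of those inputs the class passes to the script and that the input-gathering steps above apply only to the manual option. The list has the same structure problem as the first hunk: "First, you need to clone or fetch the latest CVE information from https://git.kernel.org:" is unindented, so it is not rendered as part of the "Run manually the script" bullet. Wording: "Run manually the script" should be "Run the script manually"; "``tmp/deploy/images/machine/``" should be ``tmp/deploy/images/<MACHINE>/`` to match the placeholder used a few lines above; "finishing with ``.rootfs.scouted.json``" should be "with the ``.rootfs.scouted.json`` suffix"; and "after the ``cve-check`` task" should name the actual task the class runs after, since ``cve-check`` is a class rather than a task and readers will look for the task with ``bitbake -c``.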



Thread overview: 2+ messages
2026-01-13 19:24 ValentinBoudevin [this message]
2026-01-27  7:23 ` [docs] [PATCH] vulnerabilities: add support for new bbclass Antonin Godard
