* [PATCH] vulnerabilities: add support for new bbclass
From: ValentinBoudevin @ 2026-01-13 19:24 UTC (permalink / raw)
To: docs; +Cc: ValentinBoudevin
Update the documentation to add the description for:
* generate-cve-exclusions.bbclass
* improve_kernel_cve_report.bbclass
These .bbclass files haven't been merged yet in openembedded-core. This doesn't
need to be merged until the following two PRs are validated:
* PR for generate-cve-exclusions.bbclass: https://lists.openembedded.org/g/openembedded-core/message/228924
* PR for improve_kernel_cve_report.bbclass: https://lists.openembedded.org/g/openembedded-core/message/228932
Request to set the documentation up-to-date:
https://lists.openembedded.org/g/openembedded-core/message/229041
Signed-off-by: ValentinBoudevin <valentin.boudevin@gmail.com>
---
documentation/dev-manual/vulnerabilities.rst | 62 +++++++++++++++++---
1 file changed, 54 insertions(+), 8 deletions(-)
diff --git a/documentation/dev-manual/vulnerabilities.rst b/documentation/dev-manual/vulnerabilities.rst
index 6eaf75758..a1eb8105a 100644
--- a/documentation/dev-manual/vulnerabilities.rst
+++ b/documentation/dev-manual/vulnerabilities.rst
@@ -346,15 +346,47 @@ issues helps to reduce their workload.
:term:`OpenEmbedded-Core (OE-Core)` has two scripts that help to characterize
and filter CVEs affecting the Linux kernel:
-- ``openembedded-core/meta/recipes-kernel/linux/generate-cve-exclusions.py``
+- ``openembedded-core/scripts/contrib/generate-cve-exclusions.py``
- ``openembedded-core/scripts/contrib/improve_kernel_cve_report.py``
-``generate-cve-exclusions.py``
+The usage of these scripts can be automated with ``.bbclass`` files:
+
+- ``openembedded-core/meta/classes/generate-cve-exclusions.bbclass``
+- ``openembedded-core/meta/classes/improve_kernel_cve_report.bbclass``
+
+``generate-cve-exclusions``
------------------------------
-When updating a kernel recipe, a helper script needs to be run manually to
-update the :term:`CVE_STATUS` for the kernel recipe. The script can be used
-for custom kernels.
+The kernel recipe requires :term:`CVE_STATUS` variable.
+
+Two methods are available to generate the CVE exclusions for the kernel:
+
+- The class ``generate-cve-exclusions.bbclass`` can be inherited in the
+ kernel recipe to automatically set the variable :term:`CVE_STATUS`
+ during the build, based on ``https://github.com/CVEProject/cvelistV5``.
+
+First, modify your kernel recipe to inherit the class::
+
+ inherit generate-cve-exclusions
+
+Then, you can invoke the ``generate-cve-exclusions`` task to generate
+the CVE exclusions for the kernel version being built.
+
+.. code-block:: shell
+
+ $ bitbake -c generate-cve-exclusions <linux-recipe>
+
+The task will create a new folder named ``cvelistV5`` under the kernel
+working directory.
+
+This folder will contain an updated version of ``https://github.com/CVEProject/cvelistV5``.
+
+It will also store a ``.json`` file which contains the update for
+:term:`CVE_STATUS` variable for the kernel version being built.
+
+- A script named ``generate-cve-exclusions.py`` that can be run manually
+ to generate the CVE exclusions file that can be included in the kernel
+ recipe:
First we need to get an updated version of the CVE information from the
`CVE Project`. Run it as follows:
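Review bot: the two-method bullet list in this hunk is broken, because the paragraphs from "First, modify your kernel recipe to inherit the class::" through "It will also store a ``.json`` file ..." start at column 0 instead of being indented under the first bullet, so they end the list and "- A script named ``generate-cve-exclusions.py`` that can be run manually" renders as a separate one-item list. Either indent those paragraphs (together with the ``inherit generate-cve-exclusions`` and ``$ bitbake -c generate-cve-exclusions <linux-recipe>`` blocks) by two spaces under the bullet, or drop the bullets and give each method its own short subsection. Two smaller points: "The kernel recipe requires :term:`CVE_STATUS` variable." needs "the" before the term and should say what the variable is for, and since the task fetches ``https://github.com/CVEProject/cvelistV5`` into the kernel work directory during the build, the text should say how it behaves when the build has no network access (offline builds, :term:`BB_NO_NETWORK`); the URL itself should be a plain link rather than a double-backtick literal so Sphinx renders it clickable.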
@@ -391,7 +423,7 @@ Don't forget to update your kernel recipe with::
Then the CVE information will automatically be added in the
:ref:`ref-classes-cve-check` or :ref:`ref-classes-vex` report.
-``improve_kernel_cve_report.py``
+``improve_kernel_cve_report``
--------------------------------
The ``openembedded-core/scripts/contrib/improve_kernel_cve_report.py`` script
@@ -442,8 +474,22 @@ Finally, store either the ``recipe-linux-yocto.spdx.json`` or the
The :term:`SPDX` file is under
``tmp/deploy/spdx/<spdx_version>/<MACHINE>/recipes/recipe-linux-yocto.spdx.json``
-Once you have the input data, first you need to clone or fetch the latest CVE
-information from https://git.kernel.org:
+Once you have the input data, you will have two options to run the script:
+
+- Use the ``.bbclass`` file ``improve_kernel_cve_report.bbclass`` to
+ automatically run the script during the build. This class can be
+ inherited in the image recipe as follows::
+
+ inherit improve_kernel_cve_report
+
+ The class will run the script after the ``cve-check`` task and
+ generate a new version of it with a new entry in
+ ``tmp/deploy/images/machine/`` finishing with
+ ``.rootfs.scouted.json``.
+
+- Run manually the script ``improve_kernel_cve_report.py`` as follows:
+
+First, you need to clone or fetch the latest CVE information from https://git.kernel.org:
.. code-block:: shell
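Review bot: the "- Run manually the script ``improve_kernel_cve_report.py`` as follows:" bullet has the same structure problem as the class bullet above it: "First, you need to clone or fetch the latest CVE information from https://git.kernel.org:" and the ``.. code-block:: shell`` that follows start at column 0, so the manual steps are not nested under the bullet and the list ends there. Indent them under the bullet or turn the two options into subsections. Within the class bullet, "generate a new version of it with a new entry in ``tmp/deploy/images/machine/`` finishing with ``.rootfs.scouted.json``" is unclear: "it" has no antecedent (presumably the cve-check report), ``machine`` should be the ``<MACHINE>`` placeholder already used for the SPDX path a few lines above, and "the ``cve-check`` task" names the class rather than a task; say which task (the one added by :ref:`ref-classes-cve-check`, as referenced earlier in this file) the class hooks after. Wording: "you will have two options" should read "you have two options" and "Run manually the script" should read "Run the script manually".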
* Re: [docs] [PATCH] vulnerabilities: add support for new bbclass
From: Antonin Godard @ 2026-01-27 7:23 UTC (permalink / raw)
To: valentin.boudevin, docs
Hi,
On Tue Jan 13, 2026 at 8:24 PM CET, vboudevin via lists.yoctoproject.org wrote:
> Update the documentation to add the description for:
>
> * generate-cve-exclusions.bbclass
> * improve_kernel_cve_report.bbclass
>
> These .bbclass files haven't been merged yet in openembedded-core. This doesn't
> need to be merged until the following two PRs are validated:
>
> * PR for generate-cve-exclusions.bbclass: https://lists.openembedded.org/g/openembedded-core/message/228924
> * PR for improve_kernel_cve_report.bbclass: https://lists.openembedded.org/g/openembedded-core/message/228932
>
> Request to set the documentation up-to-date:
>
> https://lists.openembedded.org/g/openembedded-core/message/229041
Thanks a lot for sending documentation patches for these two classes. I will
review them if your classes are merged.
Antonin
--
Antonin Godard, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com