Hi, I was thinking that the code could be optimize and do not depend on the spdx file but the debugsources.
These has some benefits: 1. you don't need to enable SPDX_INCLUDE_COMPILED_SOURCES to have kernel specific config 2. don't need to have spdx 3 and spdx 2 dependent code. It is using the same file as SPDX_INCLUDE_COMPILED_SOURCES is using without the need to enable it. Also it seems that the task dependency chain is not correct. I'm getting I have create a core-image-minimal.bbappend with the bbclass. And then set the SRC to the mirror IMPROVE_KERNEL_CVE_SRC_URI = "git://mirror/git.kernel.org.pub.scm.linux.security.vulns;protocol=https;branch=master" WARNING: core-image-minimal-1.0-r0 do_scout_extra_kernel_vulns: improve_kernel_cve: CVE_CHECK file not found: /---/build/tmp/work/qemuarm64-poky-linux/core-image-minimal/1.0/deploy-core-image-minimal-image-complete/core-image-minimal-qemuarm64.rootfs-20260120145604.json. Skipping extra kernel vulnerabilities scouting. NOTE: Tasks Summary: Attempted 2509 tasks of which 2507 didn't need to be rerun and all succeeded. Complete CVE JSON report summary created at: ---/build/tmp/log/cve/cve-summary.json Also the autorev doesn't seem to work ERROR: ---/meta/recipes-core/images/core-image-minimal.bb: AUTOREV/SRCPV set too late for the fetcher to work properly, please set the variables earlier in parsing. Erroring instead of later obtuse build failures. Best regards, Daniel > -----Original Message----- > From: ValentinBoudevin <[email protected]> > Sent: Monday, 19 January 2026 19:41 > To: [email protected] > Cc: Daniel Turull <[email protected]>; > [email protected]; ValentinBoudevin > <[email protected]> > Subject: [PATCH v4 1/1] improve_kernel_cve_report: Add a bbclass support > > The script improve_kernel_cve_report.py doesn't have a bbclass. > It can be useful to have one to generate improved cve-check files at every > run. > > This commit contains three classes: > > -improve_kernel_cve_report-base.bbclass: Base class which contains the tasks > to > perform improve_kernel_cve_report.py initialization and execution. > -improve_kernel_cve_report-spdx-2.2.bbclass: Set > IMPROVE_KERNEL_SPDX_FILE variable for SPDX-2.2 builds and set > IMPROVE_KERNEL_PREFERRED_PROVIDER to require "create-spdx-2.2" in > INHERIT > -improve_kernel_cve_report-spdx.bbclass: Set IMPROVE_KERNEL_SPDX_FILE > variable for SPDX-3.0 projectsi and IMPROVE_KERNEL_PREFERRED_PROVIDER to > "create-spdx" to requires it in INHERIT > > These three new .bbclass files can be used to generate a new output in > tmp/deploy/images with a .scouted.json file in addition to the existing .json > cve- > check file. > > The new .scouted.json is based on the cve-check file and the SBOM to generate > this improved cve-check file with extra entries found by the script > improve_kernel_cve_report.py. > > It only requires to use "inherit" on an image recipe (e.g. on > core-image-minimal). > > The bbclass "improve_kernel_cve_report-spdx-2.2.bbclass" can be used if > "create-spdx-2.2" is configured in INHERIT, and "create-spdx" is removed. > > INHERIT:remove = "create-spdx" > INHERIT:append = " create-spdx-2.2" > > By default, projects use SPDX-3.0 and don't require any additional > configuration. > > It also works offline and/or with custom repos thanks to the variables: > > -IMPROVE_KERNEL_CVE_SRC_URI: Use to set SRC_URI for "vulns" repository > -IMPROVE_KERNEL_CVE_SRCREV: Use to fix a SRCREV for "vulns" repository. > By default the class use AUTOREV to get the latest commit available but will > require a fix commit if used offline. > -IMPROVE_KERNEL_CVE_NETWORK: > Use DL_DIR folder as to find the source "vulns" repository and set offline > mode > -IMPROVE_KERNEL_CVE_WORKDIR: Working directory for the class > -IMPROVE_KERNEL_CVE_DESTSUFFIX: Suffix used to clone the "vulns" > repository IMPROVE_KERNEL_CVE_UNPACK_DIR: Folder to unpack the "vulns" > directory > > Signed-off-by: Valentin Boudevin <[email protected]> > --- > .../improve_kernel_cve_report-base.bbclass | 149 ++++++++++++++++++ > ...improve_kernel_cve_report-spdx-2.2.bbclass | 4 + > .../improve_kernel_cve_report-spdx.bbclass | 4 + > 3 files changed, 157 insertions(+) > create mode 100644 meta/classes/improve_kernel_cve_report-base.bbclass > create mode 100644 meta/classes/improve_kernel_cve_report-spdx-2.2.bbclass > create mode 100644 meta/classes/improve_kernel_cve_report-spdx.bbclass > > diff --git a/meta/classes/improve_kernel_cve_report-base.bbclass > b/meta/classes/improve_kernel_cve_report-base.bbclass > new file mode 100644 > index 0000000000..9d3be08203 > --- /dev/null > +++ b/meta/classes/improve_kernel_cve_report-base.bbclass > @@ -0,0 +1,149 @@ > +# Settings for the vulns git repository configuration > +IMPROVE_KERNEL_CVE_SRC_URI ?= > "git://git.kernel.org/pub/scm/linux/security/vulns.git;branch=master;protocol=h > ttps" > +IMPROVE_KERNEL_CVE_SRCREV ?= "${@bb.fetch2.get_autorev(d)}" > +IMPROVE_KERNEL_CVE_NETWORK ?= "1" > +IMPROVE_KERNEL_CVE_WORKDIR ?= "${WORKDIR}/vulns" > +IMPROVE_KERNEL_CVE_DESTSUFFIX ?= "git" > +IMPROVE_KERNEL_CVE_UNPACK_DIR ?= > "${IMPROVE_KERNEL_CVE_WORKDIR}/${IMPROVE_KERNEL_CVE_DESTSUFFIX} > " > + > +# Settings for SPDX support > +IMPROVE_KERNEL_PREFERRED_PROVIDER ?= "" > +IMPROVE_KERNEL_SPDX_FILE ?= "" > + > +python __anonymous() { > + srcrev = d.getVar("IMPROVE_KERNEL_CVE_SRCREV", True) or "" > + network = d.getVar("IMPROVE_KERNEL_CVE_NETWORK", True) or "0" > + # Check the IMPROVE_KERNEL_SPDX_FILE variable was set > + if not d.getVar("IMPROVE_KERNEL_SPDX_FILE"): > + bb.fatal("improve_kernel_cve: IMPROVE_KERNEL_SPDX_FILE is not set. > Need to inherit improve_kernel_cve_report-spdx-2.2 or > improve_kernel_cve_report-spdx") > + return > + # Check if networking is enabled to set SRC_URI > + if network == "0": > + d.appendVar("SRC_URI", " > ${IMPROVE_KERNEL_CVE_SRC_URI};name=improve-kernel- > cve;destsuffix=${IMPROVE_KERNEL_CVE_DESTSUFFIX}") > + # Check offline mode with AUTOREV-like SRCREV > + if network == "0" and srcrev.strip() in ("${AUTOREV}", "AUTOINC", > "INVALID"): > + bb.fatal("improve_kernel_cve: Offline mode but SRCREV is set to > AUTOREV/AUTOINC/INVALID. Cannot proceed without network access or use a > fixed SRCREV.") > + d.setVar("SRCREV_improve-kernel-cve", > d.getVar("IMPROVE_KERNEL_CVE_SRCREV")) > + # Check which SPDX class is inherited > + inherits = (d.getVar("INHERIT") or "") > + if "create-spdx-2.2" in inherits: > + bb.build.addtask("do_scout_extra_kernel_vulns", "do_build", > "do_rootfs", > d) > + elif "create-spdx" in inherits: > + bb.build.addtask('do_scout_extra_kernel_vulns', 'do_build', > +'do_create_image_sbom_spdx', d) } > + > +python do_clean:append() { > + import os, glob > + deploy_dir = d.expand('${DEPLOY_DIR_IMAGE}') > + for f in glob.glob(os.path.join(deploy_dir, '*scouted.json')): > + bb.note("Removing " + f) > + os.remove(f) > +} > + > +python do_clone_kernel_cve() { > + import subprocess > + import shutil, os > + # Check if the system is using SPDX 3.0 > + inherit_var = d.getVar("INHERIT") > + preferred_provider = d.getVar("IMPROVE_KERNEL_PREFERRED_PROVIDER") > + if preferred_provider not in inherit_var: > + bb.warn(f"improve_kernel_cve: Requires the class {preferred_provider} > enable in INHERIT variable.") > + return > + network_allowed = d.getVar("IMPROVE_KERNEL_CVE_NETWORK") == "1" > + workdir = d.getVar("IMPROVE_KERNEL_CVE_WORKDIR") > + unpack_dir = d.getVar("IMPROVE_KERNEL_CVE_UNPACK_DIR") > + # Remove existing unpacked directory if any > + if os.path.exists(workdir): > + shutil.rmtree(workdir) > + # Prepare fetcher > + src_uri_list = (d.getVar('SRC_URI') or "").split() > + cve_uris = [] > + for uri in src_uri_list: > + if "name=improve-kernel-cve" in uri: > + cve_uris.append(uri) > + if not cve_uris: > + bb.note("No CVE exclusions SRC_URI found, skipping fetch") > + return > + fetcher = bb.fetch2.Fetch(cve_uris, d) > + # Clone only if network is allowed > + if network_allowed: > + fetcher.download() > + else: > + # Offline mode without network access > + bb.note("IMPROVE_KERNEL_CVE_NETWORK=0: Skipping online fetch. > Checking local downloads in DL_DIR...") > + have_sources = False > + dl_dir = d.getVar("DL_DIR") > + srcrev = d.getVar("SRCREV_improve-kernel-cve") > + bb.note(f"Checking for sources for SRCREV: {srcrev}") > + # Check SRCREV is NOT set to AUTOREV > + if srcrev.strip() in ("${AUTOREV}", "AUTOINC", "INVALID"): > + bb.fatal("improve-kernel-cve: Offline mode but SRCREV is set to > AUTOREV/AUTOINC/INVALID. Cannot proceed without network access or use a > fixed SRCREV.") > + return > + # Loop through the fetcher's expanded URL data > + for ud in fetcher.expanded_urldata(): > + ud.setup_localpath(d) > + # Check mirror tarballs first > + for mirror_fname in ud.mirrortarballs: > + mirror_path = os.path.join(dl_dir, mirror_fname) > + if os.path.exists(mirror_path): > + bb.note(f"Found mirror tarball: {mirror_path}") > + have_sources = True > + break > + # If no mirror, check original download path > + if not have_sources and ud.localpath and > os.path.exists(ud.localpath): > + bb.note(f"Found local download: {ud.localpath}") > + have_sources = True > + if not have_sources: > + bb.fatal("improve-kernel-cve: Offline mode but required > source is > missing.\n"f"SRC_URI = {ud.url}") > + return > + # Unpack into the standard work directory > + fetcher.unpack(unpack_dir) > + # Remove the folder ${PN} set by unpack > + subdirs = [d for d in os.listdir(unpack_dir) if > os.path.isdir(os.path.join(unpack_dir, d))] > + if len(subdirs) == 1: > + srcdir = os.path.join(unpack_dir, subdirs[0]) > + for f in os.listdir(srcdir): > + shutil.move(os.path.join(srcdir, f), unpack_dir) > + shutil.rmtree(srcdir) > +} > +do_clone_kernel_cve[network] = "${IMPROVE_KERNEL_CVE_NETWORK}" > +do_clone_kernel_cve[nostamp] = "1" > +do_clone_kernel_cve[doc] = "Clone the latest kernel vulnerabilities from > https://git.kernel/. > org%2Fpub%2Fscm%2Flinux%2Fsecurity%2Fvulns.git&data=05%7C02%7Cdaniel.t > urull%40ericsson.com%7C7fb6e45acb9f4e4aa5d408de578a4fa7%7C92e84cebfbf > d47abbe52080c6b87953f%7C0%7C0%7C639044448728663376%7CUnknown%7 > CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXa > W4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=KKGJFw > ohvnHwtHU5kfbCGHrzBNIHwrvDtYWlyXxZJjU%3D&reserved=0" > +addtask clone_kernel_cve after do_fetch before > +do_scout_extra_kernel_vulns > + > +do_scout_extra_kernel_vulns() { > + > new_cve_report_file="${DEPLOY_DIR_IMAGE}/${IMAGE_NAME}.scouted.json" > + > improve_kernel_cve_script="${COREBASE}/scripts/contrib/improve_kernel_cve_ > report.py" > + > + # Check that IMPROVE_KERNEL_SPDX_FILE is set and the file exists > + if [ -z "${IMPROVE_KERNEL_SPDX_FILE}" ] || [ ! -f > "${IMPROVE_KERNEL_SPDX_FILE}" ]; then > + bbwarn "improve_kernel_cve: IMPROVE_KERNEL_SPDX_FILE is empty or > file not found: ${IMPROVE_KERNEL_SPDX_FILE}" > + return 0 > + fi > + if [ ! -f "${CVE_CHECK_MANIFEST_JSON}" ]; then > + bbwarn "improve_kernel_cve: CVE_CHECK file not found: > ${CVE_CHECK_MANIFEST_JSON}. Skipping extra kernel vulnerabilities scouting." > + return 0 > + fi > + if [ ! -f "${improve_kernel_cve_script}" ]; then > + bbwarn "improve_kernel_cve: improve_kernel_cve_report.py not found in > ${COREBASE}." > + return 0 > + fi > + if [ ! -d "${IMPROVE_KERNEL_CVE_WORKDIR}" ]; then > + bbwarn "improve_kernel_cve: Vulnerabilities data not found in > ${IMPROVE_KERNEL_CVE_WORKDIR}." > + return 0 > + fi > + > + #Run the improve_kernel_cve_report.py script > + bbplain "improve_kernel_cve: Using SPDX file for extra kernel > vulnerabilities > scouting: ${IMPROVE_KERNEL_SPDX_FILE}" > + python3 "${improve_kernel_cve_script}" \ > + --spdx "${IMPROVE_KERNEL_SPDX_FILE}" \ > + --old-cve-report "${CVE_CHECK_MANIFEST_JSON}" \ > + --new-cve-report "${new_cve_report_file}" \ > + --datadir "${IMPROVE_KERNEL_CVE_WORKDIR}" > + bbplain "Improve CVE report with extra kernel cves: > ${new_cve_report_file}" > + > + #Create a symlink as every other JSON file in tmp/deploy/images > + ln -sf ${DEPLOY_DIR_IMAGE}/${IMAGE_NAME}.scouted.json > +${DEPLOY_DIR_IMAGE}/${IMAGE_BASENAME}${IMAGE_MACHINE_SUFFIX}${I > MAGE_NAM > +E_SUFFIX}.scouted.json > +} > +do_scout_extra_kernel_vulns[nostamp] = "1" > +do_scout_extra_kernel_vulns[doc] = "Scout extra kernel vulnerabilities and > create a new enhanced version of the cve_check file in the deploy directory" > \ No newline at end of file > diff --git a/meta/classes/improve_kernel_cve_report-spdx-2.2.bbclass > b/meta/classes/improve_kernel_cve_report-spdx-2.2.bbclass > new file mode 100644 > index 0000000000..45b483134d > --- /dev/null > +++ b/meta/classes/improve_kernel_cve_report-spdx-2.2.bbclass > @@ -0,0 +1,4 @@ > +IMPROVE_KERNEL_PREFERRED_PROVIDER = "create-spdx-2.2" > +IMPROVE_KERNEL_SPDX_FILE = > "${DEPLOY_DIR}/spdx/2.2/${@d.getVar('MACHINE').replace('-', > '_')}/recipes/recipe-${PREFERRED_PROVIDER_virtual/kernel}.spdx.json" > + > +inherit improve_kernel_cve_report-base > \ No newline at end of file > diff --git a/meta/classes/improve_kernel_cve_report-spdx.bbclass > b/meta/classes/improve_kernel_cve_report-spdx.bbclass > new file mode 100644 > index 0000000000..3849f66aaf > --- /dev/null > +++ b/meta/classes/improve_kernel_cve_report-spdx.bbclass > @@ -0,0 +1,4 @@ > +IMPROVE_KERNEL_PREFERRED_PROVIDER = "create-spdx" > +IMPROVE_KERNEL_SPDX_FILE = > "${SPDXIMAGEDEPLOYDIR}/${IMAGE_LINK_NAME}.spdx.json" > + > +inherit improve_kernel_cve_report-base > \ No newline at end of file
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#229739): https://lists.openembedded.org/g/openembedded-core/message/229739 Mute This Topic: https://lists.openembedded.org/mt/117349999/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
