Minor typo

> -----Original Message-----
> From: ValentinBoudevin <[email protected]>
> Sent: Monday, 2 February 2026 21:52
> To: [email protected]
> Cc: Daniel Turull <[email protected]>;
> [email protected]; ValentinBoudevin
> <[email protected]>
> Subject: [PATCH v7 3/4] kernel-generate-cve-exclusions: Add a .bbclass
> 
> Add a new class named kernel-generate-cve-exclusions.bbclass to generate-cve-
> exclusions to use this script at every run.
> 
> Two steps for testing:
> 
> 1) inherit this class in the kernel recipe with "inherit
>    kernel-generate-cve-exclusions.bbclass"
> 2) Use the following command to generate cve exclusions .json, and .inc
>    file : "bitbake linux-yocto -c "do_generate_cve_exclusions"
> 
> This class contains several methods:
> 
> *do_generate_cve_exclusions: Use the script generate-cve-exclusions.py.
> It uses the new "--output-json-file" argument to generate a JSON file as an
> output stored in ${GENERATE_CVE_EXCLUSIONS_OUTPUT_JSON}, and a .inc file
> in ${GENERATE_CVE_EXCLUSIONS_OUTPUT_INC}
> 
> *do_cve_check:prepend: Parse the previously generated JSON file to set the
> variable CVE_STATUS correctly
> 
> The class also provides some variables:
> 
> *GENERATE_CVE_EXCLUSIONS_OUTPUT_JSON: path of the output JSON file
> used to set CVE_STATUS
> *GENERATE_CVE_EXCLUSIONS_OUTPUT_INC: cve exclusions .inc file output
> path. Not used directly by this class (needs to be inherited manually).
> 
> Signed-off-by: Valentin Boudevin <[email protected]>
> ---
>  .../kernel-generate-cve-exclusions.bbclass    | 46 +++++++++++++++++++
>  1 file changed, 46 insertions(+)
>  create mode 100644 meta/classes/kernel-generate-cve-exclusions.bbclass
> 
> diff --git a/meta/classes/kernel-generate-cve-exclusions.bbclass
> b/meta/classes/kernel-generate-cve-exclusions.bbclass
> new file mode 100644
> index 0000000000..8efa32f6a1
> --- /dev/null
> +++ b/meta/classes/kernel-generate-cve-exclusions.bbclass
> @@ -0,0 +1,46 @@
> +# Generate CVE exclusions for the kernel build (set to "1" to enable)
> +GENERATE_CVE_EXCLUSIONS_OUTPUT_JSON = "${WORKDIR}/temp/cve-
> exclusion_${LINUX_VERSION}.json"
> +GENERATE_CVE_EXCLUSIONS_OUTPUT_INC  = "${WORKDIR}/temp//cve-
> exclusion_${LINUX_VERSION}.inc"
Remove one / after temp

> +
> +do_generate_cve_exclusions() {
> +    # Check for required files and directories
> +    generate_cve_exclusions_script=${COREBASE}/scripts/contrib/generate-cve-
> exclusions.py
> +    if [ ! -f "${generate_cve_exclusions_script}" ]; then
> +        bbwarn "generate-cve-exclusions.py not found in
> ${generate_cve_exclusions_script}."
> +        return 0
> +    fi
> +    if [ ! -d "${STAGING_DATADIR_NATIVE}/cvelistv5-native" ]; then
> +        bbwarn "CVE exclusions source directory not found in
> ${STAGING_DATADIR_NATIVE}/cvelistv5-native."
> +        return 0
> +    fi
> +    # Generate the CVE exclusions JSON & INC file
> +    python3 "${generate_cve_exclusions_script}" \
> +        "${STAGING_DATADIR_NATIVE}/cvelistv5-native" \
> +        ${LINUX_VERSION} \
> +        --output-json-file "${GENERATE_CVE_EXCLUSIONS_OUTPUT_JSON}" \
> +        --output-inc-file "${GENERATE_CVE_EXCLUSIONS_OUTPUT_INC}"
> +    bbplain "CVE exclusions generated for kernel version ${LINUX_VERSION} at
> ${GENERATE_CVE_EXCLUSIONS_OUTPUT_INC} and
> ${GENERATE_CVE_EXCLUSIONS_OUTPUT_JSON}."
> +}
> +do_generate_cve_exclusions[depends] += "cvelistv5-
> native:do_populate_sysroot"
> +do_generate_cve_exclusions[nostamp] = "1"
> +do_generate_cve_exclusions[doc] = "Generate CVE exclusions for the kernel
> build. (e.g., cve-exclusion_6.12.json)"
> +addtask generate_cve_exclusions after do_prepare_recipe_sysroot before
> +do_cve_check
> +
> +python do_cve_check:prepend() {
> +    import os
> +    import json
> +    workdir = d.getVar("${STAGING_DATADIR_NATIVE}/cvelistv5-native")
> +    kernel_version = d.getVar("LINUX_VERSION")
> +    json_input_file = d.getVar("GENERATE_CVE_EXCLUSIONS_OUTPUT_JSON")
> +    if os.path.exists(json_input_file):
> +        with open(json_input_file, 'r', encoding='utf-8') as f:
> +            cve_data = json.load(f)
> +        cve_status_dict = cve_data.get("cve_status", {})
> +        count = 0
> +        for cve_id, info in cve_status_dict.items():
> +            if info.get("active", True):
> +                continue
> +            d.setVarFlag("CVE_STATUS", cve_id, info.get("message", ""))
> +            count += 1
> +        bb.note("Loaded %d CVE_STATUS entries from JSON output for
> +kernel %s" % (count, kernel_version)) }
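
Review bot: in do_cve_check:prepend, `workdir = d.getVar("${STAGING_DATADIR_NATIVE}/cvelistv5-native")` passes a path expression where d.getVar expects a variable name, and workdir is never used afterwards, so the line can be dropped (or use d.expand() if the path is actually needed). Two related points from the same hunk: the prepend does nothing and logs nothing when the JSON file is missing, and do_generate_cve_exclusions returns 0 after only a bbwarn when the script or the cvelistv5-native directory is absent, so do_cve_check can run with no kernel exclusions applied and the only trace is a warning from the earlier task; a bb.warn in the missing-file path of the prepend would make that visible in the cve_check log. The opening comment also says 'set to "1" to enable', but no enable variable is defined in the class.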

Daniel