On Mon, 2026-02-09 at 10:29 +0100, Yoann Congal via
lists.openembedded.org wrote:
> From: Daniel Turull <[email protected]>
> 
> Adding postprocessing script to process data from linux CNA that includes 
> more accurate metadata and it is updated directly by the source.
> 
> Example of enhanced CVE from a report from cve-check:
> 
> {
>   "id": "CVE-2024-26710",
>   "status": "Ignored",
>   "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26710",
>   "summary": "In the Linux kernel, the following vulnerability [...]",
>   "scorev2": "0.0",
>   "scorev3": "5.5",
>   "scorev4": "0.0",
>   "modified": "2025-03-17T15:36:11.620",
>   "vector": "LOCAL",
>   "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
>   "detail": "not-applicable-config",
>   "description": "Source code not compiled by config. ['arch/powerpc/include/asm/thread_info.h']"
> },
> 
> And same from a report generated with vex:
> {
>   "id": "CVE-2024-26710",
>   "status": "Ignored",
>   "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26710",
>   "detail": "not-applicable-config",
>   "description": "Source code not compiled by config. ['arch/powerpc/include/asm/thread_info.h']"
> },
> 
> For unpatched CVEs, provide more context in the description:
> Tested with 6.12.22 kernel
> {
>   "id": "CVE-2025-39728",
>   "status": "Unpatched",
>   "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39728",
>   "summary": "In the Linux kernel, the following vulnerability has been [...]",
>   "scorev2": "0.0",
>   "scorev3": "0.0",
>   "scorev4": "0.0",
>   "modified": "2025-04-21T14:23:45.950",
>   "vector": "UNKNOWN",
>   "vectorString": "UNKNOWN",
>   "detail": "version-in-range",
>   "description": "Needs backporting (fixed from 6.12.23)"
> },
> 
> CC: Peter Marko <[email protected]>
> CC: Marta Rybczynska <[email protected]>
> Signed-off-by: Daniel Turull <[email protected]>
> Signed-off-by: Mathieu Dubois-Briand <[email protected]>
> Signed-off-by: Richard Purdie <[email protected]>
> (cherry picked from commit e60b1759c1aea5b8f5317e46608f0a3e782ecf57)
> Signed-off-by: Suresh H A <[email protected]>
> Signed-off-by: Yoann Congal <[email protected]>

This looks like a backport of a new feature. If we're making an
exception to allow this to be backported then we should document the
reason why (apologies if this is somewhere on the list and I've missed
it).

If we do take this, we should also consider the other changes made to
this script since it was added to master.

Best regards,

-- 
Paul Barker
