On Mon Feb 9, 2026 at 11:58 AM CET, Paul Barker wrote:
> On Mon, 2026-02-09 at 10:29 +0100, Yoann Congal via
> lists.openembedded.org wrote:
>> From: Daniel Turull <[email protected]>
>> 
>> Adding postprocessing script to process data from linux CNA that includes 
>> more accurate metadata and it is updated directly by the source.
>> 
>> Example of enhanced CVE from a report from cve-check:
>> 
>> {
>>   "id": "CVE-2024-26710",
>>   "status": "Ignored",
>>   "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26710",
>>   "summary": "In the Linux kernel, the following vulnerability [...]",
>>   "scorev2": "0.0",
>>   "scorev3": "5.5",
>>   "scorev4": "0.0",
>>   "modified": "2025-03-17T15:36:11.620",
>>   "vector": "LOCAL",
>>   "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
>>   "detail": "not-applicable-config",
>>   "description": "Source code not compiled by config. 
>> ['arch/powerpc/include/asm/thread_info.h']"
>> },
>> 
>> And same from a report generated with vex:
>> {
>>   "id": "CVE-2024-26710",
>>   "status": "Ignored",
>>   "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26710",
>>   "detail": "not-applicable-config",
>>   "description": "Source code not compiled by config. 
>> ['arch/powerpc/include/asm/thread_info.h']"
>> },
>> 
>> For unpatched CVEs, provide more context in the description:
>> Tested with 6.12.22 kernel
>> {
>>   "id": "CVE-2025-39728",
>>   "status": "Unpatched",
>>   "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39728",
>>   "summary": "In the Linux kernel, the following vulnerability has been 
>> [...],
>>   "scorev2": "0.0",
>>   "scorev3": "0.0",
>>   "scorev4": "0.0",
>>   "modified": "2025-04-21T14:23:45.950",
>>   "vector": "UNKNOWN",
>>   "vectorString": "UNKNOWN",
>>   "detail": "version-in-range",
>>   "description": "Needs backporting (fixed from 6.12.23)"
>> },
>> 
>> CC: Peter Marko <[email protected]>
>> CC: Marta Rybczynska <[email protected]>
>> Signed-off-by: Daniel Turull <[email protected]>
>> Signed-off-by: Mathieu Dubois-Briand <[email protected]>
>> Signed-off-by: Richard Purdie <[email protected]>
>> (cherry picked from commit e60b1759c1aea5b8f5317e46608f0a3e782ecf57)
>> Signed-off-by: Suresh H A <[email protected]>
>> Signed-off-by: Yoann Congal <[email protected]>
>
> This looks like a backport of a new feature. If we're making an
> exception to allow this to be backported then we should document the
> reason why (apologies if this is somewhere on the list and I've missed
> it).

I've talked about it briefly there:
https://lore.kernel.org/openembedded-core/CAMSfU+6DXfuaG0uyPtEg5hE7oHqP=8prhsttcif+nhcwr0h...@mail.gmail.com/t/#u
Mainly, since this is "contrib/", I don't mind relaxing rules a bit.
@Paul, do you think this is reasonable?

I agree that this exception should be documented (I will add a note in the
commit message).

> If we do take this, we should also consider the other changes made to
> this script since it was added to master.

Yes, if I accept this one, I would also accept further updates on this
script.

Cheers,
-- 
Yoann Congal
Smile ECS
