On Tue Feb 10, 2026 at 10:35 AM CET, Yoann Congal wrote:
> On Mon Feb 9, 2026 at 11:58 AM CET, Paul Barker wrote:
>> On Mon, 2026-02-09 at 10:29 +0100, Yoann Congal via
>> lists.openembedded.org wrote:
>>> From: Daniel Turull <[email protected]>
>>> 
>>> Adding postprocessing script to process data from linux CNA that includes 
>>> more accurate metadata and it is updated directly by the source.
>>> 
>>> Example of enhanced CVE from a report from cve-check:
>>> 
>>> {
>>>   "id": "CVE-2024-26710",
>>>   "status": "Ignored",
>>>   "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26710",
>>>   "summary": "In the Linux kernel, the following vulnerability [...]",
>>>   "scorev2": "0.0",
>>>   "scorev3": "5.5",
>>>   "scorev4": "0.0",
>>>   "modified": "2025-03-17T15:36:11.620",
>>>   "vector": "LOCAL",
>>>   "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
>>>   "detail": "not-applicable-config",
>>>   "description": "Source code not compiled by config. 
>>> ['arch/powerpc/include/asm/thread_info.h']"
>>> },
>>> 
>>> And same from a report generated with vex:
>>> {
>>>   "id": "CVE-2024-26710",
>>>   "status": "Ignored",
>>>   "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26710",
>>>   "detail": "not-applicable-config",
>>>   "description": "Source code not compiled by config. 
>>> ['arch/powerpc/include/asm/thread_info.h']"
>>> },
>>> 
>>> For unpatched CVEs, provide more context in the description:
>>> Tested with 6.12.22 kernel
>>> {
>>>   "id": "CVE-2025-39728",
>>>   "status": "Unpatched",
>>>   "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39728",
>>>   "summary": "In the Linux kernel, the following vulnerability has been 
>>> [...],
>>>   "scorev2": "0.0",
>>>   "scorev3": "0.0",
>>>   "scorev4": "0.0",
>>>   "modified": "2025-04-21T14:23:45.950",
>>>   "vector": "UNKNOWN",
>>>   "vectorString": "UNKNOWN",
>>>   "detail": "version-in-range",
>>>   "description": "Needs backporting (fixed from 6.12.23)"
>>> },
>>> 
>>> CC: Peter Marko <[email protected]>
>>> CC: Marta Rybczynska <[email protected]>
>>> Signed-off-by: Daniel Turull <[email protected]>
>>> Signed-off-by: Mathieu Dubois-Briand <[email protected]>
>>> Signed-off-by: Richard Purdie <[email protected]>
>>> (cherry picked from commit e60b1759c1aea5b8f5317e46608f0a3e782ecf57)
>>> Signed-off-by: Suresh H A <[email protected]>
>>> Signed-off-by: Yoann Congal <[email protected]>
>>
>> This looks like a backport of a new feature, if we're making an
>> exception to allow this to be backported then we should document the
>> reason why (apologies if this is somewhere on the list and I've missed
>> it).
>
> I've talked about it briefly there:
> https://lore.kernel.org/openembedded-core/CAMSfU+6DXfuaG0uyPtEg5hE7oHqP=8prhsttcif+nhcwr0h...@mail.gmail.com/t/#u
> Mainly, since this is "contrib/", I don't mind relaxing rules a bit.
> @Paul, do you think this is reasonable?
>
> I agree that this exception should be documented (I will add a note in the
> commit message)

@Paul, see the updated commit message in
https://git.openembedded.org/openembedded-core-contrib/commit/?h=stable/scarthgap-nut&id=26138b9f4c1cfe4718f719ea7710c80290d9a8da
:
> [Yoann: Stable policy exception: This change is clearly a new feature
> and thus should be rejected from stables by policy. But, since this is
> contrib/ an exception can be made]
> Signed-off-by: Yoann Congal <[email protected]>


>> If we do take this, we should also consider the other changes made to
>> this script since it was added to master.
>
> Yes, if I accept this one, I would also accept further updates on this
> script.
>
> Cheers,


-- 
Yoann Congal
Smile ECS
