On Wed Mar 18, 2026 at 1:57 PM CET, Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco) wrote:
> Hi Yoann,
>
> I will share the new series of patches, which includes a few additional ones.
> I will attach the corresponding output files to that.

Hmmm, I wrote that I felt that the series was too intrusive and now you want to add more patches? Are you sure this is the right direction? (I'm trying to prevent you from losing time to something that could ultimately be unmergeable...)

Regards,

> Best regards,
> Het
> ________________________________
> From: Yoann Congal <[email protected]>
> Sent: Wednesday, March 18, 2026 4:37 PM
> To: Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco) <[email protected]>; [email protected] <[email protected]>
> Cc: xe-linux-external(mailer list) <[email protected]>; Viral Chavda (vchavda) <[email protected]>
> Subject: Re: [OE-core] [scarthgap] [PATCH v1 0/4] cve-check: fix incorrect CVE assessments and runtime warnings - cover letter
>
> Hello,
>
> On Wed Mar 18, 2026 at 6:39 AM CET, Het Patel via lists.openembedded.org wrote:
>> From: Het Patel <[email protected]>
>>
>> The patches address the following bugs:
>>
>> 1. Incomplete CVE Assessment Details: Currently, the `detail` field is
>> missing for approximately 81% of entries, rendering reports unreliable for
>> auditing. These changes ensure that the rationale for a "Patched" or
>> "Unpatched" assessment is properly recorded, allowing for a clear
>> distinction between version-based assessments and missing data.
>>
>> 2. Runtime Warnings: Corrects four instances where debug calls were missing
>> the required log level parameter. This change eliminates the runtime
>> warnings that currently trigger during every CVE scan.
>
> I appreciate that you trimmed down your previous try to clean up CVE
> checking code[0]. But I still feel like it is too intrusive for stable
> inclusion.
>
> Can you please provide examples of some CVEs having "Incomplete CVE
> Assessment Details:" so I can understand the problem?
>
>> Testing:
>> - Applied cleanly to the current `scarthgap` HEAD.
>> - Verified via a full CVE scan.
>> - Confirmed that all existing CVE statuses are preserved with no regressions
>> observed.
>
> Can you provide output (log+json) both before/after to verify this
> claim?
>
> Thanks!
>
> [0]: https://lore.kernel.org/openembedded-core/[email protected]/#r
>
>> Het Patel (4):
>> cve-check: encode affected product/vendor in CVE_STATUS
>> cve-check: annotate CVEs during analysis
>> cve-check-map: add new statuses
>> cve-check: fix debug message
>>
>> meta/classes/cve-check.bbclass | 246 +++++++++++++++++++++--------------------
>> meta/conf/cve-check-map.conf | 9 +
>> meta/lib/oe/cve_check.py | 74 +++++++++---
>> 3 files changed, 197 insertions(+), 132 deletions(-)
>
>
> --
> Yoann Congal
> Smile ECS

--
Yoann Congal
Smile ECS
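The before/after comparison the reviewer asks for can be scripted: the following is an added example, not code from the thread or from cve-check itself. It assumes the cve-check JSON layout (a "package" list whose entries carry an "issue" list of {"id", "status", "detail"}) and uses two constructed reports with placeholder CVE ids; it reports the share of entries with an empty `detail` field (the "Incomplete CVE Assessment Details" bug) and any entry whose status changed between the two runs (the "no regressions" claim).

```python
import json

# Constructed cve-check JSON reports (assumed layout: "package" list, each with
# "name" and an "issue" list of {"id", "status", "detail"}); CVE ids are placeholders.
BEFORE = json.loads("""{"version": "1", "package": [
  {"name": "zlib", "issue": [
    {"id": "CVE-0000-0001", "status": "Patched", "detail": ""},
    {"id": "CVE-0000-0002", "status": "Unpatched", "detail": ""},
    {"id": "CVE-0000-0003", "status": "Ignored", "detail": "not-applicable-config"}]},
  {"name": "busybox", "issue": [
    {"id": "CVE-0000-0004", "status": "Patched", "detail": "version-not-in-range"}]}]}""")
AFTER = json.loads("""{"version": "1", "package": [
  {"name": "zlib", "issue": [
    {"id": "CVE-0000-0001", "status": "Patched", "detail": "version-not-in-range"},
    {"id": "CVE-0000-0002", "status": "Unpatched", "detail": "version-in-range"},
    {"id": "CVE-0000-0003", "status": "Ignored", "detail": "not-applicable-config"}]},
  {"name": "busybox", "issue": [
    {"id": "CVE-0000-0004", "status": "Unpatched", "detail": "version-in-range"}]}]}""")

def issues(report):
    """Flatten a report into {(package, cve_id): issue_dict}."""
    return {(pkg["name"], i["id"]): i
            for pkg in report.get("package", []) for i in pkg.get("issue", [])}

def missing_detail_ratio(report):
    """Fraction of CVE entries whose 'detail' field is absent or empty."""
    entries = issues(report)
    if not entries:
        return 0.0
    return sum(1 for i in entries.values() if not i.get("detail")) / len(entries)

def status_changes(before, after):
    """{(package, cve_id): (old, new)} for entries whose status changed or vanished."""
    b, a = issues(before), issues(after)
    changes = {}
    for key, old in b.items():
        new_status = a[key]["status"] if key in a else "MISSING"
        if new_status != old["status"]:
            changes[key] = (old["status"], new_status)
    return changes

if __name__ == "__main__":
    print(f"missing detail: before {missing_detail_ratio(BEFORE):.0%}, "
          f"after {missing_detail_ratio(AFTER):.0%}")
    for (pkg, cve), (old, new) in status_changes(BEFORE, AFTER).items():
        print(f"status changed: {pkg} {cve}: {old} -> {new}")
```

On real reports, load the two JSON files produced by the scans in place of the constructed BEFORE/AFTER; any line printed by the status loop is an entry whose assessment flipped and needs explaining in the cover letter.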
