Hello,

On Thursday, April 2, 2026 at 4:42 PM, Ross Burton wrote:
> On 1 Apr 2026, at 13:29, Daniel Turull <[email protected]> wrote:
> > The kernel scripts to check CVEs use the vex output as input.
> > https://git.openembedded.org/openembedded-core/tree/scripts/contrib/improve_kernel_cve_report.py
>
> I believe this functionality is also superseded by sbom-cve-check, as the
> recommended configuration fragment sets
> SPDX_INCLUDE_COMPILED_SOURCES:pn-linux-yocto = "1".
>
> Would you be able to verify this? We might be able to deprecate/remove this
> script too in master.
>
> Ross
Currently, sbom-cve-check does not fully handle Linux kernel CVEs correctly. Special processing is required when the information originates from the kernel CNA, as many kernel CVEs are incorrectly marked as vulnerable. Additionally, sbom-cve-check does not yet provide an assessment as detailed as improve_kernel_cve_report.py.

The first limitation is planned to be addressed in the very near future (within this month). And for the second point, I hope I can address it at the same time.

-- 
Benjamin Robin, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
