Thanks for the changes Valentin,

I have tested series 5 as offline build. When it is not enabled, it doesn't 
interfere with the rest of the build.

For offline build, I had to set up a fixed GENERATE_CVE_EXCLUSIONS_SRCREV, since 
the fetcher doesn't work with AUTOREV (kind of expected). This seems to work.

ENABLE_KERNEL_CVE_EXCLUSIONS = "1"
GENERATE_CVE_EXCLUSIONS_SRCREV = "bcd089af283df7902b33e9cf0cedef5aa2c4a298"
GENERATE_CVE_EXCLUSIONS_NETWORK = "0"

When setting GENERATE_CVE_EXCLUSIONS_SRC_URI to an internal mirror it also 
works with AUTOREV

ENABLE_KERNEL_CVE_EXCLUSIONS = "1"
GENERATE_CVE_EXCLUSIONS_SRC_URI = "git://internal-mirror/github.com.CVEProject.cvelistV5;protocol=https;branch=main"
GENERATE_CVE_EXCLUSIONS_SRCREV = "AUTOREV"

I have also looked at the generated SPDX for the linux-yocto; it includes an 
additional source, which technically is not that correct, I think:

jq . tmp/deploy/spdx/3.0.1/qemuarm64/recipes/recipe-linux-yocto.spdx.json | grep cvelistV5 -A 3 -B 10
    {
      "type": "software_Package",
      "spdxId": "http://spdx.org/spdxdocs/linux-yocto-f9f75dbe-e63f-5a48-86d8-e19d0ec693db/a35fa1d8530e46c84d59b6776858eafc75bdd98b8439c2ee06db6fdab151a8c3/source/3",
      "creationInfo": "_:CreationInfo0",
      "extension": [
        {
          "type": "https://rdf.openembedded.org/spdx/3.0/id-alias",
          "https://rdf.openembedded.org/spdx/3.0/alias": "http://spdxdocs.org/openembedded-alias/by-doc-hash/8fe80285f43eb235d61996ced46668293eb3feaba85810b14aed822b4680e56f/linux-yocto/UNIHASH/source/3"
        }
      ],
      "name": "github.com.CVEProject.cvelistV5.git",
      "software_primaryPurpose": "source",
      "software_downloadLocation": "git+https://github.com/CVEProject/cvelistV5.git@bcd089af283df7902b33e9cf0cedef5aa2c4a298"
    },

Also, bitbake linux-yocto -c do_generate_cve_exclusions works as expected. If it 
will be updating the inc file that is used in the linux-yocto with the 
exclusions, these will also show up in the SPDX file.

Thanks again for trying to push the changes that you have in vulnscout into 
oe-core.

Best regards
Daniel

> -----Original Message-----
> From: ValentinBoudevin <[email protected]>
> Sent: Friday, 16 January 2026 20:05
> To: [email protected]
> Cc: Daniel Turull <[email protected]>;
> [email protected]; [email protected];
> ValentinBoudevin <[email protected]>
> Subject: [PATCH v5 0/4] generate-cve-exclusions: Add a .bbclass
> 
> Changes since v4:
> - Patch 2/4:
>   * Renamed the bbclass to kernel-generate-cve-exclusions.bbclass to better
>     reflect its purpose.
>   * Add new variable ENABLE_KERNEL_CVE_EXCLUSIONS to enable/disable the
>     feature.
>     By default, the feature is disabled to avoid unexpected behavior on
>     existing builds with linux-yocto.
>   * Add new "__anonymous" python function to setup the variables SRC_URI
>     and SRCREV only if this feature is enabled with
>     ENABLE_KERNEL_CVE_EXCLUSIONS.
>     Also prevent from modifying SRC_URI and SRCREV variables in the default
>     linux-yocto usecase.
>     Now, the recipe does not have any impact on the basic "linux-yocto" recipe
>     if the feature is disabled.
>   * Add new variables GENERATE_CVE_EXCLUSIONS_DESTSUFFIX and
>     GENERATE_CVE_EXCLUSIONS_UNPACK_DIR to customize the working directory
>     path of the class.
> - Patch 4/4:
>   * Update the inherit statement in linux-yocto.inc to reflect the new name of
>     the bbclass with "kernel-generate-cve-exclusions".
> 
> Changes since v3:
> - Patch 2/4:
>   * Add variables to control offline mode, source URI and
>     SRCREV for deterministic testing (GENERATE_CVE_EXCLUSIONS_SRC_URI,
>     GENERATE_CVE_EXCLUSIONS_SRCREV, GENERATE_CVE_EXCLUSIONS_NETWORK).
>   * Updated generate_cve_exclusions task scheduling to be executed before
>     do_cve_check.
> 
> Changes since v2:
> - Patch 4/4: Inherit the new bbclass in linux-yocto.inc instead of
>   individual recipes.
> 
> Changes since v1:
> - Patch 2/4: Removed the mandatory execution of the
>   generate-cve-exclusions class on every build. It now needs to be
>   manually run using:
>     bitbake -c generate-cve-exclusions <kernel-recipe>
> 
> ValentinBoudevin (4):
>   generate-cve-exclusions: Add --output-json option
>   generate-cve-exclusions: Add a .bbclass
>   generate-cve-exclusions: Move python script
>   linux: Add inherit on generate-cve-exclusions
> 
>  .../kernel-generate-cve-exclusions.bbclass    | 135 ++++++++++++++++++
>  meta/recipes-kernel/linux/linux-yocto.inc     |   3 +
>  .../contrib}/generate-cve-exclusions.py       |  64 +++++++--
>  3 files changed, 188 insertions(+), 14 deletions(-)
>  create mode 100644 meta/classes/kernel-generate-cve-exclusions.bbclass
>  rename {meta/recipes-kernel/linux => scripts/contrib}/generate-cve-exclusions.py (71%)
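
A check for the SPDX observation in the reply above, as an added example that is not part of the original thread or of oe-core: it walks an SPDX 3.0 JSON document and reports source packages that come from a tooling data feed (here anything matching cvelistV5) and source packages not pinned to a full commit hash. The sample document is constructed, and `source_packages`, `audit_sources` and `tooling_markers` are hypothetical names.

```python
import json
import re

# Constructed sample: a trimmed SPDX 3.0 JSON document. The cvelistV5 entry
# reuses the name and download location quoted in the reply above; the
# spdxId values and the second entry are made up for illustration.
SAMPLE_SPDX = json.dumps({"@graph": [
    {"type": "software_Package",
     "spdxId": "http://example.invalid/linux-yocto/source/3",
     "name": "github.com.CVEProject.cvelistV5.git",
     "software_primaryPurpose": "source",
     "software_downloadLocation":
         "git+https://github.com/CVEProject/cvelistV5.git"
         "@bcd089af283df7902b33e9cf0cedef5aa2c4a298"},
    {"type": "software_Package",
     "spdxId": "http://example.invalid/linux-yocto/source/1",
     "name": "example-kernel.git",
     "software_primaryPurpose": "source",
     "software_downloadLocation":
         "git+https://git.example.invalid/example-kernel.git@main"},
]})

FULL_SHA = re.compile(r"[0-9a-f]{40}")

def source_packages(spdx_text):
    """Return (name, url, revision) for every source package in the document."""
    found = []
    for element in json.loads(spdx_text).get("@graph", []):
        if (element.get("type") != "software_Package"
                or element.get("software_primaryPurpose") != "source"):
            continue
        location = element.get("software_downloadLocation", "")
        url, _, revision = location.rpartition("@")
        if not url:  # no "@revision" suffix on the download location
            url, revision = location, ""
        found.append((element.get("name", ""), url, revision))
    return found

def audit_sources(spdx_text, tooling_markers=("cvelistV5",)):
    """Return (tooling feed sources, sources without a full commit hash)."""
    tooling, unpinned = [], []
    for name, url, revision in source_packages(spdx_text):
        if any(marker in url for marker in tooling_markers):
            tooling.append(name)
        if not FULL_SHA.fullmatch(revision):
            unpinned.append(name)
    return tooling, unpinned

if __name__ == "__main__":
    print(audit_sources(SAMPLE_SPDX))
```
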
