On Wed Mar 18, 2026 at 2:10 PM CET, Yoann Congal wrote:
> On Wed Mar 18, 2026 at 1:57 PM CET, Het Patel -X (hetpat - E INFOCHIPS
> PRIVATE LIMITED at Cisco) wrote:
>> Hi Yoann,
>>
>> I will share the new series of patches, which includes a few additional
>> ones. I will attach the corresponding output files to that.
>
> Hmmm, I wrote that I felt that the series was too intrusive and now you
> want to add more patches? Are you sure this is the right direction?
Oh, I see now that you are talking about patches from Peter's suggestion. The series might still be too intrusive but it will be more coherent. Got it.

> (I'm trying to prevent you from losing time to something that could
> ultimately be unmergeable...)
>
> Regards,
>
>>
>> Best regards,
>> Het
>> ________________________________
>> From: Yoann Congal <[email protected]>
>> Sent: Wednesday, March 18, 2026 4:37 PM
>> To: Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)
>> <[email protected]>; [email protected]
>> <[email protected]>
>> Cc: xe-linux-external(mailer list) <[email protected]>; Viral
>> Chavda (vchavda) <[email protected]>
>> Subject: Re: [OE-core] [scarthgap] [PATCH v1 0/4] cve-check: fix incorrect
>> CVE assessments and runtime warnings - cover letter
>>
>> Hello,
>>
>> On Wed Mar 18, 2026 at 6:39 AM CET, Het Patel via lists.openembedded.org
>> wrote:
>>> From: Het Patel <[email protected]>
>>>
>>> The patches address the following bugs:
>>>
>>> 1. Incomplete CVE Assessment Details: Currently, the `detail` field is
>>> missing for approximately 81% of entries, rendering reports unreliable for
>>> auditing. These changes ensure that the rationale for a "Patched" or
>>> "Unpatched" assessment is properly recorded, allowing for a clear
>>> distinction between version-based assessments and missing data.
>>>
>>> 2. Runtime Warnings: Corrects four instances where debug calls were missing
>>> the required log level parameter. This change eliminates the runtime
>>> warnings that currently trigger during every CVE scan.
>>
>> I appreciate that you trimmed down your previous try to clean up CVE
>> checking code[0]. But I still feel like it is too intrusive for stable
>> inclusion.
>>
>> Can you please provide examples of some CVEs having "Incomplete CVE
>> Assessment Details:" so I can understand the problem?
>>
>>> Testing:
>>> - Applied cleanly to the current `scarthgap` HEAD.
>>> - Verified via a full CVE scan.
>>> - Confirmed that all existing CVE statuses are preserved with no
>>> regressions observed.
>>
>> Can you provide output (log+json) both before/after to verify this
>> claim?
>>
>> Thanks!
>>
>> [0]:
>> https://lore.kernel.org/openembedded-core/[email protected]/#r
>>
>>> Het Patel (4):
>>>   cve-check: encode affected product/vendor in CVE_STATUS
>>>   cve-check: annotate CVEs during analysis
>>>   cve-check-map: add new statuses
>>>   cve-check: fix debug message
>>>
>>>  meta/classes/cve-check.bbclass | 246 +++++++++++++++++++++--------------------
>>>  meta/conf/cve-check-map.conf   |   9 +
>>>  meta/lib/oe/cve_check.py       |  74 +++++++++---
>>>  3 files changed, 197 insertions(+), 132 deletions(-)
>>
>>
>> --
>> Yoann Congal
>> Smile ECS

--
Yoann Congal
Smile ECS
