git.ipfire.org Git - thirdparty/openembedded/openembedded-core.git/commit
improve_kernel_cve_report: Add a bbclass support
author Valentin Boudevin <valentin.boudevin@gmail.com>
Mon, 19 Jan 2026 18:40:50 +0000 (13:40 -0500)
committer Richard Purdie <richard.purdie@linuxfoundation.org>
Thu, 22 Jan 2026 14:21:52 +0000 (14:21 +0000)
commit 76cd0ed973f0359765ec90520c3933f3bfeecf9f
tree 3536928c7bb2fb702382b3b0aa9fc70e5b47d6f9
parent 767321b3d2db2446eb0b6044fcf13aa50c3b29f5
improve_kernel_cve_report: Add a bbclass support

The script improve_kernel_cve_report.py doesn't have a bbclass.
It can be useful to have one to generate improved cve-check files at
every run.

This commit contains three classes:

- improve_kernel_cve_report-base.bbclass: Base class which contains the
  tasks to perform improve_kernel_cve_report.py initialization and
  execution.
- improve_kernel_cve_report-spdx-2.2.bbclass: Sets the
  IMPROVE_KERNEL_SPDX_FILE variable for SPDX-2.2 builds and sets
  IMPROVE_KERNEL_PREFERRED_PROVIDER to require "create-spdx-2.2" in
  INHERIT
- improve_kernel_cve_report-spdx.bbclass: Sets the IMPROVE_KERNEL_SPDX_FILE
  variable for SPDX-3.0 projects and IMPROVE_KERNEL_PREFERRED_PROVIDER to
  "create-spdx" to require it in INHERIT

These three new .bbclass files can be used to generate a new output in
tmp/deploy/images with a .scouted.json file in addition to the existing
.json cve-check file.

The new .scouted.json is based on the cve-check file and the SBOM to
generate this improved cve-check file with extra entries found by the
script improve_kernel_cve_report.py.

It only requires using "inherit" on an image recipe (e.g. on
core-image-minimal).

The bbclass "improve_kernel_cve_report-spdx-2.2.bbclass" can be used if
"create-spdx-2.2" is configured in INHERIT, and "create-spdx" is
removed.

INHERIT:remove = "create-spdx"
INHERIT:append = " create-spdx-2.2"

By default, projects use SPDX-3.0 and don't require any additional
configuration.

It also works offline and/or with custom repos thanks to the variables:

- IMPROVE_KERNEL_CVE_SRC_URI: Used to set SRC_URI for the "vulns" repository
- IMPROVE_KERNEL_CVE_SRCREV: Used to fix a SRCREV for the "vulns" repository.
  By default the class uses AUTOREV to get the latest commit available but
  will require a fixed commit if used offline.
- IMPROVE_KERNEL_CVE_NETWORK: Use the DL_DIR folder to find the source
  "vulns" repository and set offline mode
- IMPROVE_KERNEL_CVE_WORKDIR: Working directory for the class
- IMPROVE_KERNEL_CVE_DESTSUFFIX: Suffix used to clone the "vulns" repository
- IMPROVE_KERNEL_CVE_UNPACK_DIR: Folder to unpack the "vulns" directory

Signed-off-by: Valentin Boudevin <valentin.boudevin@gmail.com>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
meta/classes/improve_kernel_cve_report-base.bbclass [new file with mode: 0644]
meta/classes/improve_kernel_cve_report-spdx-2.2.bbclass [new file with mode: 0644]
meta/classes/improve_kernel_cve_report-spdx.bbclass [new file with mode: 0644]
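The configuration the commit message describes, gathered into one place as an added example that is not part of the commit or of the openembedded-core tree: a local.conf fragment for an offline SPDX-2.2 build plus the image recipe inherit. The class and variable names are the ones the commit introduces; the vulns repository URL and fetcher options, the SRCREV placeholder, the IMPROVE_KERNEL_CVE_NETWORK value and the .bbappend path are assumptions.

```bitbake
# conf/local.conf (added example; only the class and variable names come from the commit)

# Build SPDX-2.2 SBOMs instead of the default SPDX-3.0.
# Omit these two lines to stay on SPDX-3.0, which needs no extra configuration.
INHERIT:remove = "create-spdx"
INHERIT:append = " create-spdx-2.2"

# Offline build: the class defaults to AUTOREV, which needs network access,
# so pin the "vulns" repository to a commit already present in DL_DIR.
# URL and fetcher options are an assumption about the expected SRC_URI format.
IMPROVE_KERNEL_CVE_SRC_URI = "git://git.kernel.org/pub/scm/linux/security/vulns.git;protocol=https;branch=master"
# Placeholder: replace with the commit hash of the mirrored checkout.
IMPROVE_KERNEL_CVE_SRCREV = "<commit-hash-of-mirrored-vulns-checkout>"
# Assumed value meaning "offline, resolve the repository from DL_DIR".
IMPROVE_KERNEL_CVE_NETWORK = "0"
# Standard BitBake switch so any unintended fetch fails loudly instead of leaking out.
BB_NO_NETWORK = "1"

# Optional: keep the class's scratch space and clone location explicit.
IMPROVE_KERNEL_CVE_WORKDIR = "${TMPDIR}/work-shared/improve_kernel_cve_report"
IMPROVE_KERNEL_CVE_UNPACK_DIR = "${IMPROVE_KERNEL_CVE_WORKDIR}/unpack"
IMPROVE_KERNEL_CVE_DESTSUFFIX = "vulns"

# recipes-core/images/core-image-minimal.bbappend (assumed path in a custom layer)
# Inherit the SPDX-2.2 variant to match the INHERIT change above; use
# improve_kernel_cve_report-spdx for the default SPDX-3.0 setup.
inherit improve_kernel_cve_report-spdx-2.2
```

After the image build, compare the generated .scouted.json in tmp/deploy/images against the existing cve-check .json for the same image; any entry present only in the .scouted.json is one the script recovered from the SBOM and kernel CVE data that plain cve-check missed.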