linux: cve-exclusions: Fix false negatives

Amend the generate-cve-exclusions.py checking logic in part of the code
responsible for iterating the "affected" defaultStatus part of the JSON
structure in order to mitigate occurrences of false negatives in the
generated output, as well as occurrences of wrong reason for negative
result in case where the reason is actually that the checked kernel
version is in backport fix scope.

In tandem we regenerate the content of cve-exclusion_6.12.inc using
https://github.com/CVEProject/cvelistV5.git repository main branch at
git hash b20d0043711588b6409ae3118bc0510ab888c316 to keep the content
in sync with the script.

Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit b1a5939535d67b9c0e6d8c2729cff9749a0ebaae)
Signed-off-by: Steve Sakoman <steve@sakoman.com>

diff --git a/meta/recipes-kernel/linux/cve-exclusion_6.12.inc b/meta/recipes-kernel/linux/cve-exclusion_6.12.inc
index 49d8bfcf0c0d75ae5826cbf124fcf0a0d3e85730..c03ad19a3d9b5ef958c442ec2a67e3f8af7bc78f 100644 (file)
--- a/meta/recipes-kernel/linux/cve-exclusion_6.12.inc
+++ b/meta/recipes-kernel/linux/cve-exclusion_6.12.inc
@@ -1,6 +1,6 @@
 
 # Auto-generated CVE metadata, DO NOT EDIT BY HAND.
-# Generated at 2025-05-24 07:35:37.850677+00:00 for version 6.12.27
+# Generated at 2025-05-24 12:02:58.590640+00:00 for version 6.12.27
 
 python check_kernel_cve_status_version() {
     this_version = "6.12.27"
@@ -11234,7 +11234,7 @@ CVE_STATUS[CVE-2024-57975] = "cpe-stable-backport: Backported in 6.12.13"
 
 CVE_STATUS[CVE-2024-57977] = "cpe-stable-backport: Backported in 6.12.13"
 
-CVE_STATUS[CVE-2024-57978] = "fixed-version: only affects 6.13 onwards"
+CVE_STATUS[CVE-2024-57978] = "cpe-stable-backport: Backported in 6.12.13"
 
 CVE_STATUS[CVE-2024-57979] = "cpe-stable-backport: Backported in 6.12.13"
 
@@ -11296,7 +11296,7 @@ CVE_STATUS[CVE-2024-58007] = "cpe-stable-backport: Backported in 6.12.14"
 
 CVE_STATUS[CVE-2024-58008] = "cpe-stable-backport: Backported in 6.12.14"
 
-CVE_STATUS[CVE-2024-58009] = "fixed-version: only affects 6.13 onwards"
+CVE_STATUS[CVE-2024-58009] = "cpe-stable-backport: Backported in 6.12.14"
 
 CVE_STATUS[CVE-2024-58010] = "cpe-stable-backport: Backported in 6.12.14"
 
@@ -11542,7 +11542,7 @@ CVE_STATUS[CVE-2025-21685] = "cpe-stable-backport: Backported in 6.12.11"
 
 CVE_STATUS[CVE-2025-21687] = "cpe-stable-backport: Backported in 6.12.12"
 
-CVE_STATUS[CVE-2025-21688] = "fixed-version: only affects 6.13 onwards"
+CVE_STATUS[CVE-2025-21688] = "cpe-stable-backport: Backported in 6.12.12"
 
 CVE_STATUS[CVE-2025-21689] = "cpe-stable-backport: Backported in 6.12.12"
 
@@ -11570,7 +11570,7 @@ CVE_STATUS[CVE-2025-21701] = "cpe-stable-backport: Backported in 6.12.13"
 
 CVE_STATUS[CVE-2025-21702] = "cpe-stable-backport: Backported in 6.12.14"
 
-CVE_STATUS[CVE-2025-21703] = "fixed-version: only affects 6.13 onwards"
+CVE_STATUS[CVE-2025-21703] = "cpe-stable-backport: Backported in 6.12.14"
 
 CVE_STATUS[CVE-2025-21704] = "cpe-stable-backport: Backported in 6.12.16"
 
@@ -11784,7 +11784,7 @@ CVE_STATUS[CVE-2025-21811] = "cpe-stable-backport: Backported in 6.12.13"
 
 CVE_STATUS[CVE-2025-21812] = "cpe-stable-backport: Backported in 6.12.13"
 
-CVE_STATUS[CVE-2025-21813] = "fixed-version: only affects 6.13 onwards"
+CVE_STATUS[CVE-2025-21813] = "cpe-stable-backport: Backported in 6.12.14"
 
 CVE_STATUS[CVE-2025-21814] = "cpe-stable-backport: Backported in 6.12.14"
 
@@ -11794,7 +11794,7 @@ CVE_STATUS[CVE-2025-21816] = "cpe-stable-backport: Backported in 6.12.14"
 
 # CVE-2025-21817 needs backporting (fixed from 6.14)
 
-CVE_STATUS[CVE-2025-21819] = "fixed-version: only affects 6.13 onwards"
+CVE_STATUS[CVE-2025-21819] = "cpe-stable-backport: Backported in 6.12.14"
 
 CVE_STATUS[CVE-2025-21820] = "cpe-stable-backport: Backported in 6.12.14"
 
@@ -11884,7 +11884,7 @@ CVE_STATUS[CVE-2025-21863] = "cpe-stable-backport: Backported in 6.12.17"
 
 CVE_STATUS[CVE-2025-21864] = "cpe-stable-backport: Backported in 6.12.17"
 
-CVE_STATUS[CVE-2025-21865] = "fixed-version: only affects 6.13 onwards"
+CVE_STATUS[CVE-2025-21865] = "cpe-stable-backport: Backported in 6.12.17"
 
 CVE_STATUS[CVE-2025-21866] = "cpe-stable-backport: Backported in 6.12.17"
 
@@ -11958,7 +11958,7 @@ CVE_STATUS[CVE-2025-21900] = "cpe-stable-backport: Backported in 6.12.18"
 
 CVE_STATUS[CVE-2025-21901] = "cpe-stable-backport: Backported in 6.12.18"
 
-CVE_STATUS[CVE-2025-21902] = "fixed-version: only affects 6.13 onwards"
+CVE_STATUS[CVE-2025-21902] = "cpe-stable-backport: Backported in 6.12.19"
 
 CVE_STATUS[CVE-2025-21903] = "cpe-stable-backport: Backported in 6.12.19"
 
@@ -12212,11 +12212,11 @@ CVE_STATUS[CVE-2025-22027] = "cpe-stable-backport: Backported in 6.12.23"
 
 CVE_STATUS[CVE-2025-22028] = "cpe-stable-backport: Backported in 6.12.23"
 
-CVE_STATUS[CVE-2025-22030] = "fixed-version: only affects 6.13 onwards"
+CVE_STATUS[CVE-2025-22030] = "cpe-stable-backport: Backported in 6.12.23"
 
 CVE_STATUS[CVE-2025-22031] = "fixed-version: only affects 6.13 onwards"
 
-CVE_STATUS[CVE-2025-22032] = "fixed-version: only affects 6.14 onwards"
+CVE_STATUS[CVE-2025-22032] = "cpe-stable-backport: Backported in 6.12.23"
 
 CVE_STATUS[CVE-2025-22033] = "cpe-stable-backport: Backported in 6.12.23"
 
@@ -12246,9 +12246,9 @@ CVE_STATUS[CVE-2025-22045] = "cpe-stable-backport: Backported in 6.12.23"
 
 CVE_STATUS[CVE-2025-22046] = "cpe-stable-backport: Backported in 6.12.23"
 
-CVE_STATUS[CVE-2025-22047] = "fixed-version: only affects 6.14 onwards"
+CVE_STATUS[CVE-2025-22047] = "cpe-stable-backport: Backported in 6.12.23"
 
-CVE_STATUS[CVE-2025-22048] = "fixed-version: only affects 6.13 onwards"
+CVE_STATUS[CVE-2025-22048] = "cpe-stable-backport: Backported in 6.12.23"
 
 CVE_STATUS[CVE-2025-22049] = "cpe-stable-backport: Backported in 6.12.23"
 
@@ -12300,13 +12300,13 @@ CVE_STATUS[CVE-2025-22072] = "cpe-stable-backport: Backported in 6.12.23"
 
 CVE_STATUS[CVE-2025-22073] = "cpe-stable-backport: Backported in 6.12.23"
 
-CVE_STATUS[CVE-2025-22074] = "fixed-version: only affects 6.14 onwards"
+CVE_STATUS[CVE-2025-22074] = "cpe-stable-backport: Backported in 6.12.23"
 
 CVE_STATUS[CVE-2025-22075] = "cpe-stable-backport: Backported in 6.12.23"
 
 CVE_STATUS[CVE-2025-22076] = "cpe-stable-backport: Backported in 6.12.23"
 
-CVE_STATUS[CVE-2025-22077] = "fixed-version: only affects 6.13 onwards"
+CVE_STATUS[CVE-2025-22077] = "cpe-stable-backport: Backported in 6.12.25"
 
 CVE_STATUS[CVE-2025-22078] = "cpe-stable-backport: Backported in 6.12.23"
 
@@ -12338,7 +12338,7 @@ CVE_STATUS[CVE-2025-22091] = "cpe-stable-backport: Backported in 6.12.23"
 
 CVE_STATUS[CVE-2025-22092] = "fixed-version: only affects 6.13 onwards"
 
-CVE_STATUS[CVE-2025-22093] = "fixed-version: only affects 6.13 onwards"
+CVE_STATUS[CVE-2025-22093] = "cpe-stable-backport: Backported in 6.12.23"
 
 CVE_STATUS[CVE-2025-22094] = "fixed-version: only affects 6.13 onwards"
 
@@ -12392,7 +12392,7 @@ CVE_STATUS[CVE-2025-22118] = "fixed-version: only affects 6.13 onwards"
 
 CVE_STATUS[CVE-2025-22119] = "fixed-version: only affects 6.14 onwards"
 
-CVE_STATUS[CVE-2025-22120] = "fixed-version: only affects 6.13 onwards"
+CVE_STATUS[CVE-2025-22120] = "cpe-stable-backport: Backported in 6.12.26"
 
 # CVE-2025-22121 needs backporting (fixed from 6.15rc1)
 
@@ -12506,7 +12506,7 @@ CVE_STATUS[CVE-2025-37750] = "cpe-stable-backport: Backported in 6.12.24"
 
 CVE_STATUS[CVE-2025-37751] = "fixed-version: only affects 6.14 onwards"
 
-CVE_STATUS[CVE-2025-37752] = "fixed-version: only affects 6.14 onwards"
+CVE_STATUS[CVE-2025-37752] = "cpe-stable-backport: Backported in 6.12.24"
 
 CVE_STATUS[CVE-2025-37753] = "fixed-version: only affects 6.15rc1 onwards"
 
@@ -12522,7 +12522,7 @@ CVE_STATUS[CVE-2025-37758] = "cpe-stable-backport: Backported in 6.12.24"
 
 CVE_STATUS[CVE-2025-37759] = "cpe-stable-backport: Backported in 6.12.24"
 
-CVE_STATUS[CVE-2025-37760] = "fixed-version: only affects 6.14 onwards"
+CVE_STATUS[CVE-2025-37760] = "cpe-stable-backport: Backported in 6.12.25"
 
 CVE_STATUS[CVE-2025-37761] = "cpe-stable-backport: Backported in 6.12.25"
 
@@ -12570,7 +12570,7 @@ CVE_STATUS[CVE-2025-37782] = "cpe-stable-backport: Backported in 6.12.25"
 
 CVE_STATUS[CVE-2025-37783] = "fixed-version: only affects 6.14 onwards"
 
-CVE_STATUS[CVE-2025-37784] = "fixed-version: only affects 6.13 onwards"
+CVE_STATUS[CVE-2025-37784] = "cpe-stable-backport: Backported in 6.12.25"
 
 CVE_STATUS[CVE-2025-37785] = "cpe-stable-backport: Backported in 6.12.23"
 
@@ -12620,15 +12620,15 @@ CVE_STATUS[CVE-2025-37809] = "cpe-stable-backport: Backported in 6.12.26"
 
 CVE_STATUS[CVE-2025-37810] = "cpe-stable-backport: Backported in 6.12.26"
 
-CVE_STATUS[CVE-2025-37811] = "fixed-version: only affects 6.13 onwards"
+CVE_STATUS[CVE-2025-37811] = "cpe-stable-backport: Backported in 6.12.26"
 
 CVE_STATUS[CVE-2025-37812] = "cpe-stable-backport: Backported in 6.12.26"
 
-CVE_STATUS[CVE-2025-37813] = "fixed-version: only affects 6.13 onwards"
+CVE_STATUS[CVE-2025-37813] = "cpe-stable-backport: Backported in 6.12.26"
 
-CVE_STATUS[CVE-2025-37814] = "fixed-version: only affects 6.14 onwards"
+CVE_STATUS[CVE-2025-37814] = "cpe-stable-backport: Backported in 6.12.26"
 
-CVE_STATUS[CVE-2025-37815] = "fixed-version: only affects 6.13 onwards"
+CVE_STATUS[CVE-2025-37815] = "cpe-stable-backport: Backported in 6.12.26"
 
 CVE_STATUS[CVE-2025-37816] = "cpe-stable-backport: Backported in 6.12.26"
 
@@ -12686,7 +12686,7 @@ CVE_STATUS[CVE-2025-37843] = "cpe-stable-backport: Backported in 6.12.24"
 
 CVE_STATUS[CVE-2025-37844] = "cpe-stable-backport: Backported in 6.12.24"
 
-CVE_STATUS[CVE-2025-37845] = "fixed-version: only affects 6.14 onwards"
+CVE_STATUS[CVE-2025-37845] = "cpe-stable-backport: Backported in 6.12.24"
 
 CVE_STATUS[CVE-2025-37846] = "cpe-stable-backport: Backported in 6.12.24"
 
@@ -12732,13 +12732,13 @@ CVE_STATUS[CVE-2025-37866] = "fixed-version: only affects 6.14 onwards"
 
 CVE_STATUS[CVE-2025-37867] = "cpe-stable-backport: Backported in 6.12.25"
 
-CVE_STATUS[CVE-2025-37868] = "fixed-version: only affects 6.14 onwards"
+CVE_STATUS[CVE-2025-37868] = "cpe-stable-backport: Backported in 6.12.25"
 
 CVE_STATUS[CVE-2025-37869] = "cpe-stable-backport: Backported in 6.12.25"
 
 CVE_STATUS[CVE-2025-37870] = "cpe-stable-backport: Backported in 6.12.25"
 
-CVE_STATUS[CVE-2025-37871] = "fixed-version: only affects 6.15rc1 onwards"
+CVE_STATUS[CVE-2025-37871] = "cpe-stable-backport: Backported in 6.12.25"
 
 CVE_STATUS[CVE-2025-37872] = "cpe-stable-backport: Backported in 6.12.25"
 
@@ -12786,7 +12786,7 @@ CVE_STATUS[CVE-2025-37893] = "cpe-stable-backport: Backported in 6.12.23"
 
 # CVE-2025-37894 needs backporting (fixed from 6.12.28)
 
-CVE_STATUS[CVE-2025-37895] = "fixed-version: only affects 6.13 onwards"
+# CVE-2025-37895 needs backporting (fixed from 6.12.28)
 
 CVE_STATUS[CVE-2025-37896] = "fixed-version: only affects 6.14 onwards"
 
@@ -12854,7 +12854,7 @@ CVE_STATUS[CVE-2025-37904] = "fixed-version: only affects 6.13 onwards"
 
 # CVE-2025-37928 needs backporting (fixed from 6.12.28)
 
-CVE_STATUS[CVE-2025-37929] = "fixed-version: only affects 6.15rc1 onwards"
+# CVE-2025-37929 needs backporting (fixed from 6.12.28)
 
 # CVE-2025-37930 needs backporting (fixed from 6.12.28)
 
@@ -12902,7 +12902,7 @@ CVE_STATUS[CVE-2025-37950] = "fixed-version: only affects 6.14 onwards"
 
 # CVE-2025-37952 needs backporting (fixed from 6.12.29)
 
-CVE_STATUS[CVE-2025-37953] = "fixed-version: only affects 6.15rc2 onwards"
+# CVE-2025-37953 needs backporting (fixed from 6.12.29)
 
 # CVE-2025-37954 needs backporting (fixed from 6.12.29)
 
@@ -12920,13 +12920,13 @@ CVE_STATUS[CVE-2025-37953] = "fixed-version: only affects 6.15rc2 onwards"
 
 # CVE-2025-37961 needs backporting (fixed from 6.12.29)
 
-CVE_STATUS[CVE-2025-37962] = "fixed-version: only affects 6.15rc1 onwards"
+# CVE-2025-37962 needs backporting (fixed from 6.12.29)
 
 # CVE-2025-37963 needs backporting (fixed from 6.12.29)
 
-CVE_STATUS[CVE-2025-37964] = "fixed-version: only affects 6.14 onwards"
+# CVE-2025-37964 needs backporting (fixed from 6.12.29)
 
-CVE_STATUS[CVE-2025-37965] = "fixed-version: only affects 6.15rc2 onwards"
+# CVE-2025-37965 needs backporting (fixed from 6.12.29)
 
 CVE_STATUS[CVE-2025-37966] = "fixed-version: only affects 6.13 onwards"
 
@@ -12944,7 +12944,7 @@ CVE_STATUS[CVE-2025-37966] = "fixed-version: only affects 6.13 onwards"
 
 # CVE-2025-37973 needs backporting (fixed from 6.12.29)
 
-CVE_STATUS[CVE-2025-37974] = "fixed-version: only affects 6.13 onwards"
+# CVE-2025-37974 needs backporting (fixed from 6.12.29)
 
 CVE_STATUS[CVE-2025-37975] = "cpe-stable-backport: Backported in 6.12.25"
 
@@ -12998,7 +12998,7 @@ CVE_STATUS[CVE-2025-39688] = "cpe-stable-backport: Backported in 6.12.23"
 
 CVE_STATUS[CVE-2025-39728] = "cpe-stable-backport: Backported in 6.12.23"
 
-CVE_STATUS[CVE-2025-39735] = "fixed-version: only affects 6.13 onwards"
+CVE_STATUS[CVE-2025-39735] = "cpe-stable-backport: Backported in 6.12.23"
 
 CVE_STATUS[CVE-2025-39755] = "fixed-version: only affects 6.13 onwards"
 

diff --git a/meta/recipes-kernel/linux/generate-cve-exclusions.py b/meta/recipes-kernel/linux/generate-cve-exclusions.py
index 302ec8ebc9fae8cbd47a3d165b5d759c38a99ee8..ea59c15a01155bb2f60b62c123d6ab0a68909943 100755 (executable)
--- a/meta/recipes-kernel/linux/generate-cve-exclusions.py
+++ b/meta/recipes-kernel/linux/generate-cve-exclusions.py
@@ -42,9 +42,11 @@ def get_fixed_versions(cve_info, base_version):
         if affected["defaultStatus"] == "affected":
             for version in affected["versions"]:
                 v = Version(version["version"])
-                if v == 0:
+                if v == Version('0'):
                     #Skiping non-affected
                     continue
+                if version["status"] == "unaffected" and first_affected and v < first_affected:
+                    first_affected = Version(f"{v.major}.{v.minor}")
                 if version["status"] == "affected" and not first_affected:
                     first_affected = v
                 elif (version["status"] == "unaffected" and