From: Ross Burton <ross.burton@arm.com>
Date: Fri, 25 Aug 2023 16:08:29 +0000 (+0100)
Subject: linux/generate-cve-exclusions: add version check warning
X-Git-Tag: uninative-4.3~14
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=645066ecec0f52eac0225a144285f44882003856;p=thirdparty%2Fopenembedded%2Fopenembedded-core.git

linux/generate-cve-exclusions: add version check warning

Embed the version that this file was generated for in the include, and
compare it to the version that is being checked.

This should act as a reminder to update the file when the kernel is
upgraded.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
---

diff --git a/meta/recipes-kernel/linux/generate-cve-exclusions.py b/meta/recipes-kernel/linux/generate-cve-exclusions.py
index 34f9ee731dc..3bc1c7096ff 100755
--- a/meta/recipes-kernel/linux/generate-cve-exclusions.py
+++ b/meta/recipes-kernel/linux/generate-cve-exclusions.py
@@ -42,9 +42,18 @@ def main(argp=None):
     with open(datadir / "data" / "stream_fixes.json", "r") as f:
         stream_data = json.load(f)
 
-    print("# Auto-generated CVE metadata, DO NOT EDIT BY HAND.")
-    print(f"# Generated at {datetime.datetime.now()} for version {version}")
-    print()
+    print(f"""
+# Auto-generated CVE metadata, DO NOT EDIT BY HAND.
+# Generated at {datetime.datetime.now()} for version {version}
+
+python check_kernel_cve_status_version() {{
+    this_version = "{version}"
+    kernel_version = d.getVar("LINUX_VERSION")
+    if kernel_version != this_version:
+        bb.warn("Kernel CVE status needs updating: generated for %s but kernel is %s" % (this_version, kernel_version))
+}}
+do_cve_check[prefuncs] += "check_kernel_cve_status_version"
+""")
 
     for cve, data in cve_data.items():
         if "affected_versions" not in data: