From dac57535d979d59a9d965af0552e8879750425aa Mon Sep 17 00:00:00 2001 From: Daniel Turull Date: Fri, 4 Jul 2025 15:02:54 +0200 Subject: improve_kernel_cve_report: do not override backported-patch If the user has a CVE_STATUS for their own backported patch, the backport takes priority over upstream vulnerable versions. (From OE-Core rev: 0beef05be119ea465ba06553a42edea03dfc9fd3) Signed-off-by: Daniel Turull Signed-off-by: Antonin Godard Signed-off-by: Richard Purdie --- scripts/contrib/improve_kernel_cve_report.py | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/scripts/contrib/improve_kernel_cve_report.py b/scripts/contrib/improve_kernel_cve_report.py index 829cc4cd30..a81aa0ff94 100755 --- a/scripts/contrib/improve_kernel_cve_report.py +++ b/scripts/contrib/improve_kernel_cve_report.py @@ -340,6 +340,10 @@ def cve_update(cve_data, cve, entry): if cve_data[cve]['status'] == entry['status']: return if entry['status'] == "Unpatched" and cve_data[cve]['status'] == "Patched": + # Backported-patch (e.g. vendor kernel repo with cherry-picked CVE patch) + # has priority over unpatch from CNA + if cve_data[cve]['detail'] == "backported-patch": + return logging.warning("CVE entry %s update from Patched to Unpatched from the scan result", cve) cve_data[cve] = copy_data(cve_data[cve], entry) return -- cgit v1.2.3-54-g00ecf