{"id":2197822,"url":"http://patchwork.ozlabs.org/api/1.0/covers/2197822/?format=json","project":{"id":27,"url":"http://patchwork.ozlabs.org/api/1.0/projects/27/?format=json","name":"Buildroot development","link_name":"buildroot","list_id":"buildroot.buildroot.org","list_email":"buildroot@buildroot.org","web_url":"","scm_url":"","webscm_url":""},"msgid":"<20260218163205.1639035-1-fabien.lehoussel@smile.fr>","date":"2026-02-18T16:32:02","name":"[0/2] Linux kernel CVE filtering improvements","submitter":{"id":91059,"url":"http://patchwork.ozlabs.org/api/1.0/people/91059/?format=json","name":"Fabien LEHOUSSEL","email":"fabien.lehoussel@smile.fr"},"series":[{"id":492573,"url":"http://patchwork.ozlabs.org/api/1.0/series/492573/?format=json","date":"2026-02-18T16:32:03","name":"Linux kernel CVE filtering improvements","version":1,"mbox":"http://patchwork.ozlabs.org/series/492573/mbox/"}],"headers":{"Return-Path":"<buildroot-bounces@buildroot.org>","X-Original-To":["incoming-buildroot@patchwork.ozlabs.org","buildroot@buildroot.org"],"Delivered-To":["patchwork-incoming-buildroot@legolas.ozlabs.org","buildroot@buildroot.org"],"Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=buildroot.org header.i=@buildroot.org\n header.a=rsa-sha256 header.s=default header.b=HaepCEF6;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=buildroot.org\n (client-ip=2605:bc80:3010::138; helo=smtp1.osuosl.org;\n envelope-from=buildroot-bounces@buildroot.org; receiver=patchwork.ozlabs.org)"],"Received":["from smtp1.osuosl.org (smtp1.osuosl.org [IPv6:2605:bc80:3010::138])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fGMVW6vKWz1xvq\n\tfor <incoming-buildroot@patchwork.ozlabs.org>;\n Thu, 19 Feb 2026 03:32:19 +1100 (AEDT)","from localhost (localhost [127.0.0.1])\n\tby smtp1.osuosl.org (Postfix) with ESMTP id BD87F81247;\n\tWed, 18 Feb 2026 16:32:15 +0000 (UTC)","from smtp1.osuosl.org ([127.0.0.1])\n by localhost (smtp1.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id 3s0KE9g4SliA; Wed, 18 Feb 2026 16:32:13 +0000 (UTC)","from lists1.osuosl.org (lists1.osuosl.org [140.211.166.142])\n\tby smtp1.osuosl.org (Postfix) with ESMTP id 8BB298123F;\n\tWed, 18 Feb 2026 16:32:13 +0000 (UTC)","from smtp3.osuosl.org (smtp3.osuosl.org [140.211.166.136])\n by lists1.osuosl.org (Postfix) with ESMTP id 3BCC435B\n for <buildroot@buildroot.org>; Wed, 18 Feb 2026 16:32:12 +0000 (UTC)","from localhost (localhost [127.0.0.1])\n by smtp3.osuosl.org (Postfix) with ESMTP id 2138860903\n for <buildroot@buildroot.org>; Wed, 18 Feb 2026 16:32:12 +0000 (UTC)","from smtp3.osuosl.org ([127.0.0.1])\n by localhost (smtp3.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id 0zvYSoOJMuhl for <buildroot@buildroot.org>;\n Wed, 18 Feb 2026 16:32:11 +0000 (UTC)","from mail-wm1-x333.google.com (mail-wm1-x333.google.com\n [IPv6:2a00:1450:4864:20::333])\n by smtp3.osuosl.org (Postfix) with ESMTPS id BF4CE60904\n for <buildroot@buildroot.org>; Wed, 18 Feb 2026 16:32:10 +0000 (UTC)","by mail-wm1-x333.google.com with SMTP id\n 5b1f17b1804b1-4836f4cbe0bso117565e9.3\n for <buildroot@buildroot.org>; Wed, 18 Feb 2026 08:32:10 -0800 (PST)","from FRSMI25-GRAVITY.. ([2a01:e0a:943:83d0:6dc6:c524:f7df:4d64])\n by smtp.gmail.com with ESMTPSA id\n 5b1f17b1804b1-483983e8e3dsm20677605e9.20.2026.02.18.08.32.07\n (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n Wed, 18 Feb 2026 08:32:07 -0800 (PST)"],"X-Virus-Scanned":["amavis at osuosl.org","amavis at osuosl.org"],"X-Comment":"SPF check N/A for local connections - client-ip=140.211.166.142;\n helo=lists1.osuosl.org; envelope-from=buildroot-bounces@buildroot.org;\n receiver=<UNKNOWN> ","DKIM-Filter":["OpenDKIM Filter v2.11.0 smtp1.osuosl.org 8BB298123F","OpenDKIM Filter v2.11.0 smtp3.osuosl.org BF4CE60904"],"DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=buildroot.org;\n\ts=default; t=1771432333;\n\tbh=6Y9bkyRDS6M16b24DOnxYfOB1Mtj1fVSIQE+QcktZtk=;\n\th=To:Cc:Date:Subject:List-Id:List-Unsubscribe:List-Archive:\n\t List-Post:List-Help:List-Subscribe:From:Reply-To:From;\n\tb=HaepCEF6tjuhr+6XDsmRjaLuy2YZudsJxiqQ8vVLDrI0CFzUxm0gzmVKJ53cj9QaE\n\t 8P7znK6PteqXx19SI+Hga+DhLmRoiagxhgW06fbEeuHyMHOUMutAG5UNJoJylHdJsT\n\t ZUBdxQpor5IQckB3vFeHqSrhhmlboKy9xezBijgjesfG+vtAN35RAhMQEPILof/ju8\n\t qAQ4SGhG1/LcejIkoBzfzKrGNgflMJylu2o5VFnS310rDscBckcm4GNM5U48TrM4L/\n\t wc9+Ddx9tgd+SJveZTqqAlDQhWNmhwmrP3q/F06hjxERrlg8c2HoyCRoXDAl7beUYj\n\t fNZgitzmY58Zw==","Received-SPF":"Pass (mailfrom) identity=mailfrom;\n client-ip=2a00:1450:4864:20::333; helo=mail-wm1-x333.google.com;\n envelope-from=fabien.lehoussel@smile.fr; receiver=<UNKNOWN>","DMARC-Filter":"OpenDMARC Filter v1.4.2 smtp3.osuosl.org BF4CE60904","X-Google-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=1e100.net; s=20230601; t=1771432328; x=1772037128;\n h=content-transfer-encoding:mime-version:message-id:date:subject:cc\n :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date\n :message-id:reply-to;\n bh=x3DEq4/FuA6nMw9VAplQrh1f7Qa9qLwYhLmIDDzTRsM=;\n b=WPrXa9haZv7lOOI4JLfFmLncg56ooC19FkeXhSwufJwG6UPjx1h3rGFb2B0dhGLgki\n Zc84lORjc7HSfsFTnsjyps1e9cYAERggxfZR5YUoAoOq7l1T0CjtdfDF/Fs4T/8EX7vr\n lZRpfQ0i1TiRUdm1nezPbnMa3FS0MwWLBeVYhbI5uebzLyVyyVKXiGIdt2z01eNxO3VY\n LjDK2D1us5es6A57ESL2hiAnJDt1lKQMz6j+O1rdw9khqNd7aGEDvR36DCRRvqpgb3Om\n Ft4xHTbITTKK0rETOqtq/mzt4dWWMY7Jf+FhaC5CT61M1RV3gGp/vFo175bBwsZ0A75A\n JgOA==","X-Gm-Message-State":"AOJu0YyQS9IkiKutgrWBIKxdCm/JSEjw2kAq6me4ZmbylLhay0Mba/hi\n hBa1A2Uk2xjFx4POHNNTtRu0KNjjxDRBH/wJcJj5KQQUBkUkF0Wu08/ApI4Y01wXIICrDNIM97N\n o0KoK","X-Gm-Gg":"AZuq6aIhV5GUGhaYF3IBaBzwJFtnTjO6t/YpKgTiy6j2ppapQp6j4d1u1nnLG9z5KbE\n e9U+1KQFYYRPQhHlIH84o7CbtTydKxkG9pW6x4G7Ncwv8Bch78uTSAKKD2+ZjFUHQE5bQhATFyy\n My3BKy5c43JVdI+rU7R2sZQOuH0XSHJnJDHItlwVpzAN1VcyWizH43UiXVvPDDlWAKxoI4md3Nw\n lR29kvR54erC4jI8YSBfleY/brJSM0uFa35ZSzNoPeQnlSmwJdu6Iqq5oY1YUiL3BDxseKFsg6N\n SIvtC1Z48M4uL7Dp54AHGdDjMC36aCeBbRiMMnxaHhoSScQMkfk8bFcoQLZ9p8jrSMdMojpkI3c\n yiL9p34MuRCixX5euary88zeGtxVNYczxnQ42FONhrb2TfJpb0pAy9fOrfY7a+LoPJV9h/4+V/c\n EilPvyVCX7UWoERN3Iz3djXWTNcgyluv5sQtm07z5B","X-Received":"by 2002:a05:600c:3b86:b0:480:69b6:dfed with SMTP id\n 5b1f17b1804b1-48398ad3023mr45249185e9.24.1771432328206;\n Wed, 18 Feb 2026 08:32:08 -0800 (PST)","To":"buildroot@buildroot.org","Cc":"Fabien Lehoussel <fabien.lehoussel@smile.fr>","Date":"Wed, 18 Feb 2026 17:32:02 +0100","Message-ID":"<20260218163205.1639035-1-fabien.lehoussel@smile.fr>","X-Mailer":"git-send-email 2.43.0","MIME-Version":"1.0","X-Mailman-Original-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=smile.fr; s=google; t=1771432328; x=1772037128; darn=buildroot.org;\n h=content-transfer-encoding:mime-version:message-id:date:subject:cc\n :to:from:from:to:cc:subject:date:message-id:reply-to;\n bh=x3DEq4/FuA6nMw9VAplQrh1f7Qa9qLwYhLmIDDzTRsM=;\n b=S2f1nMchf9oUUez20cO07xnNztMDZy1iAL4SkF9O2ettrFFX4cOnBqfwWPaE4JgHM2\n mNUBUIKJYo4e7IWv/RcdcbcsSVMlqA0IU/S5qXr94Rc6x0w0QFZOaWD1snddnCvlDYyI\n WrLC+bbgWAGqfn2npOOQwl6HuE76Np4U/eRuo=","X-Mailman-Original-Authentication-Results":["smtp3.osuosl.org;\n dmarc=pass (p=reject dis=none)\n header.from=smile.fr","smtp3.osuosl.org;\n dkim=pass (1024-bit key,\n unprotected) header.d=smile.fr header.i=@smile.fr header.a=rsa-sha256\n header.s=google header.b=S2f1nMch"],"Subject":"[Buildroot] [PATCH 0/2] Linux kernel CVE filtering improvements","X-BeenThere":"buildroot@buildroot.org","X-Mailman-Version":"2.1.30","Precedence":"list","List-Id":"Discussion and development of buildroot <buildroot.buildroot.org>","List-Unsubscribe":"<https://lists.buildroot.org/mailman/options/buildroot>,\n <mailto:buildroot-request@buildroot.org?subject=unsubscribe>","List-Archive":"<http://lists.buildroot.org/pipermail/buildroot/>","List-Post":"<mailto:buildroot@buildroot.org>","List-Help":"<mailto:buildroot-request@buildroot.org?subject=help>","List-Subscribe":"<https://lists.buildroot.org/mailman/listinfo/buildroot>,\n <mailto:buildroot-request@buildroot.org?subject=subscribe>","From":"Fabien Lehoussel via buildroot <buildroot@buildroot.org>","Reply-To":"Fabien Lehoussel <fabien.lehoussel@smile.fr>","Content-Type":"text/plain; charset=\"us-ascii\"","Content-Transfer-Encoding":"7bit","Errors-To":"buildroot-bounces@buildroot.org","Sender":"\"buildroot\" <buildroot-bounces@buildroot.org>"},"content":"This patch series adds support for generating compile_commands.json during\nthe Linux kernel build and provides a tool to filter out CVEs that are\ndefinitively NOT applicable to the current build.\n\nThe goal is to remove false positives from CVE reports while keeping\npotentially applicable CVEs that require\nfurther investigation.\n\nThe series consists of:\n\n1. linux: generate compile_commands.json for kernel CVE analysis\n   - Adds Makefile hook to generate compile_commands.json\n   - Adds Kconfig option to enable this feature (disabled by default)\n   - File is copied to binaries directory for use by analysis tools\n\n2. support/scripts: add filter-kernel-cve script for Linux kernel CVE analysis\n   - New script to analyze CVEs from Buildroot's CycloneDX SBOM\n   - Cross-references with official CVE database (CNA/cvelistV5)\n   - Removes CVEs where NO affected files are compiled\n   - Keeps CVEs where affected files ARE compiled\n   - Keeps CVEs with insufficient data for manual review\n   - Supports stdin/stdout for pipeline integration\n   - Optionally auto-updates CVE database\n\n\nFabien Lehoussel (2):\n  linux/linux.mk: add generation of compile_commands.json\n  support/scripts: add filter-kernel-cve script for Linux kernel CVE\n    analysis\n\n linux/Config.in                   |  20 +\n linux/linux.mk                    |  12 +\n support/scripts/filter-kernel-cve | 592 ++++++++++++++++++++++++++++++\n 3 files changed, 624 insertions(+)\n create mode 100755 support/scripts/filter-kernel-cve"}