{"id":2198162,"url":"http://patchwork.ozlabs.org/api/1.0/covers/2198162/?format=json","project":{"id":27,"url":"http://patchwork.ozlabs.org/api/1.0/projects/27/?format=json","name":"Buildroot development","link_name":"buildroot","list_id":"buildroot.buildroot.org","list_email":"buildroot@buildroot.org","web_url":"","scm_url":"","webscm_url":""},"msgid":"<20260219134834.151782-1-fabien.lehoussel@smile.fr>","date":"2026-02-19T13:48:28","name":"[v2,0/2] Linux kernel CVE filtering improvements","submitter":{"id":91059,"url":"http://patchwork.ozlabs.org/api/1.0/people/91059/?format=json","name":"Fabien LEHOUSSEL","email":"fabien.lehoussel@smile.fr"},"series":[{"id":492679,"url":"http://patchwork.ozlabs.org/api/1.0/series/492679/?format=json","date":"2026-02-19T13:48:28","name":"Linux kernel CVE filtering improvements","version":2,"mbox":"http://patchwork.ozlabs.org/series/492679/mbox/"}],"headers":{"Return-Path":"<buildroot-bounces@buildroot.org>","X-Original-To":["incoming-buildroot@patchwork.ozlabs.org","buildroot@buildroot.org"],"Delivered-To":["patchwork-incoming-buildroot@legolas.ozlabs.org","buildroot@buildroot.org"],"Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=buildroot.org header.i=@buildroot.org\n header.a=rsa-sha256 header.s=default header.b=lOo+m2KK;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=buildroot.org\n (client-ip=140.211.166.137; helo=smtp4.osuosl.org;\n envelope-from=buildroot-bounces@buildroot.org; receiver=patchwork.ozlabs.org)"],"Received":["from smtp4.osuosl.org (smtp4.osuosl.org [140.211.166.137])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fGvqK4Nbkz1xvg\n\tfor <incoming-buildroot@patchwork.ozlabs.org>;\n Fri, 20 Feb 2026 00:48:45 +1100 (AEDT)","from localhost (localhost [127.0.0.1])\n\tby smtp4.osuosl.org (Postfix) with ESMTP id 545154097A;\n\tThu, 19 Feb 2026 13:48:43 +0000 (UTC)","from smtp4.osuosl.org ([127.0.0.1])\n by localhost (smtp4.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id oVfT8bTSXUVQ; Thu, 19 Feb 2026 13:48:42 +0000 (UTC)","from lists1.osuosl.org (lists1.osuosl.org [140.211.166.142])\n\tby smtp4.osuosl.org (Postfix) with ESMTP id 7415B4098E;\n\tThu, 19 Feb 2026 13:48:42 +0000 (UTC)","from smtp2.osuosl.org (smtp2.osuosl.org [140.211.166.133])\n by lists1.osuosl.org (Postfix) with ESMTP id F34DF1CE\n for <buildroot@buildroot.org>; Thu, 19 Feb 2026 13:48:40 +0000 (UTC)","from localhost (localhost [127.0.0.1])\n by smtp2.osuosl.org (Postfix) with ESMTP id D85AF403E3\n for <buildroot@buildroot.org>; Thu, 19 Feb 2026 13:48:40 +0000 (UTC)","from smtp2.osuosl.org ([127.0.0.1])\n by localhost (smtp2.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id ZrBaYiqrpTSM for <buildroot@buildroot.org>;\n Thu, 19 Feb 2026 13:48:40 +0000 (UTC)","from mail-wm1-x32f.google.com (mail-wm1-x32f.google.com\n [IPv6:2a00:1450:4864:20::32f])\n by smtp2.osuosl.org (Postfix) with ESMTPS id 763D1403CC\n for <buildroot@buildroot.org>; Thu, 19 Feb 2026 13:48:39 +0000 (UTC)","by mail-wm1-x32f.google.com with SMTP id\n 5b1f17b1804b1-4806bf39419so14735405e9.1\n for <buildroot@buildroot.org>; Thu, 19 Feb 2026 05:48:39 -0800 (PST)","from FRSMI25-GRAVITY.idf.intranet\n (static-css-ccs-204145.business.bouyguestelecom.com. [176.157.204.145])\n by smtp.gmail.com with ESMTPSA id\n 5b1f17b1804b1-4839f97831bsm16604295e9.12.2026.02.19.05.48.36\n (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n Thu, 19 Feb 2026 05:48:36 -0800 (PST)"],"X-Virus-Scanned":["amavis at osuosl.org","amavis at osuosl.org"],"X-Comment":"SPF check N/A for local connections - client-ip=140.211.166.142;\n helo=lists1.osuosl.org; envelope-from=buildroot-bounces@buildroot.org;\n receiver=<UNKNOWN> ","DKIM-Filter":["OpenDKIM Filter v2.11.0 smtp4.osuosl.org 7415B4098E","OpenDKIM Filter v2.11.0 smtp2.osuosl.org 763D1403CC"],"DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=buildroot.org;\n\ts=default; t=1771508922;\n\tbh=xJQd+VjcyKZZdXbCxxNcLBV9P9LOk5bp/5u/NJ+pjMM=;\n\th=To:Cc:Date:Subject:List-Id:List-Unsubscribe:List-Archive:\n\t List-Post:List-Help:List-Subscribe:From:Reply-To:From;\n\tb=lOo+m2KKO4dJiOS3apmu9YOVQeGkgPBa+KhLZETcCPzuUoUW87hybDS4Jc83uxpeB\n\t Rzheo87+SFRgla5ARkEcBBQpxLgO7FAEwGa3/gUNyVjy2bceffXTolI2tuGfTkpuXj\n\t 8PvWUZqzE7BouS1Eal+G+NQRgqylBtJ6A1sZ/hl+Vyv2vmA3mlZzBtmDjm9+FNuVAs\n\t lRB06e2QU2UDWgfJSXFckFt5YjhL1xsslDFRjKa875mcgCeuBnFZjkzp+jcXYNISfg\n\t W52LRYiSS5XwrWoxsh8SAZpdcVqh0eRU15/PaThkN12XzrY7M2gHcmClvT5Glzf70F\n\t ulvPvSUxzSTAQ==","Received-SPF":"Pass (mailfrom) identity=mailfrom;\n client-ip=2a00:1450:4864:20::32f; helo=mail-wm1-x32f.google.com;\n envelope-from=fabien.lehoussel@smile.fr; receiver=<UNKNOWN>","DMARC-Filter":"OpenDMARC Filter v1.4.2 smtp2.osuosl.org 763D1403CC","X-Google-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=1e100.net; s=20230601; t=1771508917; x=1772113717;\n h=content-transfer-encoding:mime-version:message-id:date:subject:cc\n :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date\n :message-id:reply-to;\n bh=gKBVgOJcnX3ZyIWjB5wOyQVLnemoPaHDZmmT0CNkgKQ=;\n b=nP8/TihM1QN6GU/tsysK9JYiJdFDqYeKfgqONusH65HUb/ZEzn07Y48n+vGWKXZDB2\n mWxy9SVkTQSyEZQz4jIVYcRjHAXFuaPu6rp/WCCrYwC++/9Rp86Z6oi3R8yCauGHsMH7\n iE/915uwAlRhCXWVsJzc8hscf9A84bNiO6tj6S5dCdvbarY7ZsXdcztaP9ZDM5CKbZCo\n If3G0racegWdSRjusu6CQFqnSWEk0Sw4zY0NvB6kNkIMAV4V798A6sjiFc4PJU0ZWllz\n 5rbrLekkBjFQVlUD/wkHUDB9Kx7VtFPmH6/BGOZCMpgdhYEA380Pp3E3LiwtCUvzp/19\n VRdQ==","X-Gm-Message-State":"AOJu0Yz07YNsmNVMmT3U1x2/FWG4ta9skVDQTY1sZPZpIUCWNELez1w3\n /MfjSeJLm2YXJMK4BWNiSBjq+s8vJe5hD/C8uymQzz7D6lYFZds0YmwhOmZQZD8TlN5tqiRwd+D\n Phkic","X-Gm-Gg":"AZuq6aLT1Qolnee+nqQYZpg5sp4kEvD7KE3TgjdWZKPlqZbP+3hzk1y1cTZYlPpRreP\n S+iROt6Llxh12tmVT0Dg+Y4fzfExOtNEYxAOEb0CKpiG8QjkaCYUkWn/URAAVCw4Xsu5q27RcAh\n zWBMdJW1js3Mtjd/zs6DoIyg7rpNzwDMhFQ/VIMnQLYibs9K8r/ZVl3qwzrdd9p4hJPPgMt1sV/\n CzJPqJdGqvFbpGZzjRwLJ6g2a2HcNCNPKSnyV5GU/tSu1kSA7Jr5KUwpppsha1mjhs77qpvCaPL\n AlUOhvZbig2pvXBRrXmO9ZAbkyZR3oZukUzS2bsgzx4MtTi1X8PM6bLCAAZY0kQYFJxu/1O5CJJ\n PWYZiWuAy0RPrN3giz3Q2gyzt3YIGMHphdcxbg9QsHV1h4db/RuEz10qCR0Z7sER0+jU8wnwPuV\n I6TrX0HGYnguq6NwdEzksYej9xRGhiyTEePt58HlqzAbFGvohce+59TuuSmBTLOW7+Xi1zaSM3x\n Y+rzyNZCtcVkDGSoNMbplKoXnYs8qz5MXOjUphzHMy/nYxJWJ30","X-Received":"by 2002:a05:600c:214b:b0:47e:e051:79ee with SMTP id\n 5b1f17b1804b1-4839fe90522mr26482735e9.3.1771508916754;\n Thu, 19 Feb 2026 05:48:36 -0800 (PST)","To":"buildroot@buildroot.org","Cc":"Thomas Perale <thomas.perale@mind.be>,\n Fabien Lehoussel <fabien.lehoussel@smile.fr>","Date":"Thu, 19 Feb 2026 14:48:28 +0100","Message-ID":"<20260219134834.151782-1-fabien.lehoussel@smile.fr>","X-Mailer":"git-send-email 2.43.0","MIME-Version":"1.0","X-Mailman-Original-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=smile.fr; s=google; t=1771508917; x=1772113717; darn=buildroot.org;\n h=content-transfer-encoding:mime-version:message-id:date:subject:cc\n :to:from:from:to:cc:subject:date:message-id:reply-to;\n bh=gKBVgOJcnX3ZyIWjB5wOyQVLnemoPaHDZmmT0CNkgKQ=;\n b=y/znyee7SfPCxg1younUtoN5f+aR4Zsn0WtBcE1MwVhn8FxWFl4SmT3OQC4EP5+uRE\n 0+gwdHMZ/bbP22FJpwfMS3bY7jpoc3EmWb2BF9Es5WZvP3lC1rdsyyF4f2njv+Bh4RjD\n lHBgGIUX5Z8UpSplfNGuItVzaWm0ipsqgPHkA=","X-Mailman-Original-Authentication-Results":["smtp2.osuosl.org;\n dmarc=pass (p=reject dis=none)\n header.from=smile.fr","smtp2.osuosl.org;\n dkim=pass (1024-bit key,\n unprotected) header.d=smile.fr header.i=@smile.fr header.a=rsa-sha256\n header.s=google header.b=y/znyee7"],"Subject":"[Buildroot] [PATCH v2 0/2] Linux kernel CVE filtering improvements","X-BeenThere":"buildroot@buildroot.org","X-Mailman-Version":"2.1.30","Precedence":"list","List-Id":"Discussion and development of buildroot <buildroot.buildroot.org>","List-Unsubscribe":"<https://lists.buildroot.org/mailman/options/buildroot>,\n <mailto:buildroot-request@buildroot.org?subject=unsubscribe>","List-Archive":"<http://lists.buildroot.org/pipermail/buildroot/>","List-Post":"<mailto:buildroot@buildroot.org>","List-Help":"<mailto:buildroot-request@buildroot.org?subject=help>","List-Subscribe":"<https://lists.buildroot.org/mailman/listinfo/buildroot>,\n <mailto:buildroot-request@buildroot.org?subject=subscribe>","From":"Fabien Lehoussel via buildroot <buildroot@buildroot.org>","Reply-To":"Fabien Lehoussel <fabien.lehoussel@smile.fr>","Content-Type":"text/plain; charset=\"us-ascii\"","Content-Transfer-Encoding":"7bit","Errors-To":"buildroot-bounces@buildroot.org","Sender":"\"buildroot\" <buildroot-bounces@buildroot.org>"},"content":"This patch series adds support for generating compile_commands.json during\nthe Linux kernel build and provides kernel CVE filtering based on which files\nare actually compiled, significantly reducing false positives in CVE reports.\n\nChanges from v1:\nFollowing Thomas' suggestion (https://lists.buildroot.org/pipermail/buildroot/2026-February/797289.html) \nthis v2 implements kernel CVE filtering directly into cve-check rather than as a separate script\n\n1. Kernel build generates compile_commands.json (optional, via Kconfig)\n2. cve-check script enhanced with optional kernel CVE filtering\n   - Automatically activates when --cc-path and --cna-path are provided\n   - Uses CNA database to determine which files are affected by each CVE\n   - Matches against compile_commands.json to filter false positives\n   - Keeps CVEs where affected files ARE compiled\n   - Removes CVEs where NO affected files are compiled\n   - Keeps uncertain CVEs (CNA database lacks information) for review\n\nFabien Lehoussel (2):\n  linux/linux.mk: add generation of compile_commands.json\n  support/scripts/cve-check: add kernel CVE filtering based on compiled\n    files\n\n linux/Config.in           |  20 +++\n linux/linux.mk            |  12 ++\n support/scripts/cve-check | 118 ++++++++++++++-\n support/scripts/cve.py    | 292 +++++++++++++++++++++++++++++++++++---\n 4 files changed, 415 insertions(+), 27 deletions(-)"}