authorDaniel Turull <daniel.turull@ericsson.com>2025-10-23 09:13:39 +0200
committerRichard Purdie <richard.purdie@linuxfoundation.org>2025-10-27 17:20:42 +0000
commit6a2a827e9ceedcf7d9e43284b26a03289af7ed2a (patch)
treee94fb9522fd55b2013841c0ee6b76ff39d28e866 /scripts/contrib/improve_kernel_cve_report.py
parentc8bf51b2fe730f06508bdecedca2b291b2c8e67c (diff)
improve_kernel_cve_report: add option to read debugsources.zstd
Add an option to import debugsources.zstd directly. The linux-yocto-debugsources.zstd is generated in every build and does not require any additional configuration. In contrast, SPDX_INCLUDE_COMPILED_SOURCES needs to be explicitly added and increases build time. (From OE-Core rev: c84a8958f30bbb982656ddcbe7476f6f81e1a6fb) Signed-off-by: Daniel Turull <daniel.turull@ericsson.com> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'scripts/contrib/improve_kernel_cve_report.py')
-rwxr-xr-xscripts/contrib/improve_kernel_cve_report.py27
1 files changed, 27 insertions, 0 deletions
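--- a/scripts/contrib/improve_kernel_cve_report.py
+++ b/scripts/contrib/improve_kernel_cve_report.py
@@ -236,6 +236,26 @@ def read_spdx3(spdx):
                 cfiles.add(filename)
     return cfiles
 
+def read_debugsources(file_path):
+    '''
+    Read zstd file from pkgdata to extract sources
+    '''
+    import zstandard as zstd
+    import itertools
+    # Decompress the .zst file
+    cfiles = set()
+    with open(file_path, 'rb') as fh:
+        dctx = zstd.ZstdDecompressor()
+        with dctx.stream_reader(fh) as reader:
+            decompressed_bytes = reader.read()
+            json_data = json.loads(decompressed_bytes)
+            # We need to remove one level from the debug sources
+            for source_list in json_data.values():
+                for source in source_list:
+                    src = source.split("/",1)[1]
+                    cfiles.add(src)
+    return cfiles
+
 def check_kernel_compiled_files(compiled_files, cve_info):
     """
     Return if a CVE affected us depending on compiled files
@@ -373,6 +393,10 @@ def main():
         help="SPDX2/3 for the kernel. Needs to include compiled sources",
     )
     parser.add_argument(
+        "--debug-sources-file",
+        help="Debug sources zstd file generated from Yocto",
+    )
+    parser.add_argument(
         "--datadir",
         type=pathlib.Path,
         help="Directory where CVE data is",
@@ -415,6 +439,9 @@ def main():
     if args.spdx:
         compiled_files = read_spdx(args.spdx)
         logging.info("Total compiled files %d", len(compiled_files))
+    if args.debug_sources_file:
+        compiled_files = read_debugsources(args.debug_sources_file)
+        logging.info("Total compiled files %d", len(compiled_files))
 
     if args.old_cve_report:
         with open(args.old_cve_report, encoding='ISO-8859-1') as f: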
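Review bot: `src = source.split("/",1)[1]` in read_debugsources raises IndexError for any entry that contains no "/", so a single unexpected path in the debugsources JSON aborts the whole report instead of being skipped; guard it with `src = source.split("/", 1)[1] if "/" in source else source`, or skip such entries with a logged warning. The `import itertools` on the line above it is unused and can be dropped. In the third hunk, when both `--spdx` and `--debug-sources-file` are passed the second assignment silently discards the SPDX result, so either change the new branch to `elif args.debug_sources_file:` or union the two sets, and mention the precedence in the `--help` text. The docstring would also benefit from stating the layout the loop relies on, e.g. `Values are lists of "<package>/<path>" strings; the leading package component is stripped.` — presumably that is the pkgdata format, worth confirming.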