improve_kernel_cve_report: add option to read debugsources.zstd

Adding option to be able to import debugsources.zstd directly. The linux-yocto-debugsources.zstd is generated in every build and does not require any additional configuration. In contrast, SPDX_INCLUDE_COMPILED_SOURCES needs to be explicitly added and increases build time. (From OE-Core rev: c84a8958f30bbb982656ddcbe7476f6f81e1a6fb) Signed-off-by: Daniel Turull <daniel.turull@ericsson.com> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2026-01-01 13:58:04 +00:00 · 2025-10-23 09:13:39 +02:00 · 2025-10-23 09:13:39 +02:00 · 6a2a827e9c
commit 6a2a827e9c
parent c8bf51b2fe
1 changed files with 27 additions and 0 deletions
--- a/scripts/contrib/improve_kernel_cve_report.py
+++ b/scripts/contrib/improve_kernel_cve_report.py
@ -236,6 +236,26 @@ def read_spdx3(spdx):
            cfiles.add(filename)
    return cfiles

+def read_debugsources(file_path):
+    '''
+    Read zstd file from pkgdata to extract sources
+    '''
+    import zstandard as zstd
+    import itertools
+    # Decompress the .zst file
+    cfiles = set()
+    with open(file_path, 'rb') as fh:
+        dctx = zstd.ZstdDecompressor()
+        with dctx.stream_reader(fh) as reader:
+            decompressed_bytes = reader.read()
+            json_data = json.loads(decompressed_bytes)
+            # We need to remove one level from the debug sources
+            for source_list in json_data.values():
+                for source in source_list:
+                    src = source.split("/",1)[1]
+                    cfiles.add(src)
+    return cfiles
+
 def check_kernel_compiled_files(compiled_files, cve_info):
    """
    Return if a CVE affected us depending on compiled files
@ -372,6 +392,10 @@ def main():
        "--spdx",
        help="SPDX2/3 for the kernel. Needs to include compiled sources",
    )
+    parser.add_argument(
+        "--debug-sources-file",
+        help="Debug sources zstd file generated from Yocto",
+    )
    parser.add_argument(
        "--datadir",
        type=pathlib.Path,
@ -415,6 +439,9 @@ def main():
    if args.spdx:
        compiled_files = read_spdx(args.spdx)
        logging.info("Total compiled files %d", len(compiled_files))
+    if args.debug_sources_file:
+        compiled_files = read_debugsources(args.debug_sources_file)
+        logging.info("Total compiled files %d", len(compiled_files))

    if args.old_cve_report:
        with open(args.old_cve_report, encoding='ISO-8859-1') as f: