* [PATCH][nanbield 1/7] linux-yocto: update CVE exclusions
@ 2023-11-03 13:28 ross.burton
  2023-11-03 13:28 ` [PATCH][nanbield 2/7] libxml2: ignore disputed CVE-2023-45322 ross.burton
                   ` (5 more replies)
  0 siblings, 6 replies; 7+ messages in thread
From: ross.burton @ 2023-11-03 13:28 UTC (permalink / raw)
  To: openembedded-core; +Cc: nd

From: Ross Burton <ross.burton@arm.com>

Signed-off-by: Ross Burton <ross.burton@arm.com>
---
 .../linux/cve-exclusion_6.1.inc               | 64 ++++++++++++++++---
 .../linux/cve-exclusion_6.5.inc               | 58 +++++++++++++++--
 2 files changed, 107 insertions(+), 15 deletions(-)

diff --git a/meta/recipes-kernel/linux/cve-exclusion_6.1.inc b/meta/recipes-kernel/linux/cve-exclusion_6.1.inc
index 6af53b0d750..a8df51f321a 100644
--- a/meta/recipes-kernel/linux/cve-exclusion_6.1.inc
+++ b/meta/recipes-kernel/linux/cve-exclusion_6.1.inc
@@ -1,6 +1,6 @@
 
 # Auto-generated CVE metadata, DO NOT EDIT BY HAND.
-# Generated at 2023-10-14 12:24:32.747058+00:00 for version 6.1.57
+# Generated at 2023-11-03 13:24:16.070181+00:00 for version 6.1.57
 
 python check_kernel_cve_status_version() {
     this_version = "6.1.57"
@@ -3354,7 +3354,7 @@ CVE_STATUS[CVE-2020-27194] = "fixed-version: Fixed from version 5.9"
 
 CVE_STATUS[CVE-2020-2732] = "fixed-version: Fixed from version 5.6rc4"
 
-# CVE-2020-27418 has no known resolution
+CVE_STATUS[CVE-2020-27418] = "fixed-version: Fixed from version 5.6rc5"
 
 CVE_STATUS[CVE-2020-27673] = "fixed-version: Fixed from version 5.10rc1"
 
@@ -4644,7 +4644,7 @@ CVE_STATUS[CVE-2023-1118] = "cpe-stable-backport: Backported in 6.1.16"
 
 CVE_STATUS[CVE-2023-1192] = "cpe-stable-backport: Backported in 6.1.33"
 
-# CVE-2023-1193 has no known resolution
+# CVE-2023-1193 needs backporting (fixed from 6.3rc6)
 
 CVE_STATUS[CVE-2023-1194] = "cpe-stable-backport: Backported in 6.1.34"
 
@@ -4856,7 +4856,7 @@ CVE_STATUS[CVE-2023-3106] = "fixed-version: Fixed from version 4.8rc7"
 
 # CVE-2023-31084 needs backporting (fixed from 6.4rc3)
 
-# CVE-2023-31085 has no known resolution
+CVE_STATUS[CVE-2023-31085] = "cpe-stable-backport: Backported in 6.1.57"
 
 CVE_STATUS[CVE-2023-3111] = "fixed-version: Fixed from version 6.0rc2"
 
@@ -4936,6 +4936,8 @@ CVE_STATUS[CVE-2023-34256] = "cpe-stable-backport: Backported in 6.1.29"
 
 CVE_STATUS[CVE-2023-34319] = "cpe-stable-backport: Backported in 6.1.44"
 
+CVE_STATUS[CVE-2023-34324] = "cpe-stable-backport: Backported in 6.1.57"
+
 CVE_STATUS[CVE-2023-3439] = "fixed-version: Fixed from version 5.18rc5"
 
 CVE_STATUS[CVE-2023-35001] = "cpe-stable-backport: Backported in 6.1.39"
@@ -4952,7 +4954,7 @@ CVE_STATUS[CVE-2023-35824] = "cpe-stable-backport: Backported in 6.1.28"
 
 CVE_STATUS[CVE-2023-35826] = "cpe-stable-backport: Backported in 6.1.28"
 
-# CVE-2023-35827 has no known resolution
+# CVE-2023-35827 needs backporting (fixed from 6.1.59)
 
 CVE_STATUS[CVE-2023-35828] = "cpe-stable-backport: Backported in 6.1.28"
 
@@ -5004,6 +5006,16 @@ CVE_STATUS[CVE-2023-3866] = "cpe-stable-backport: Backported in 6.1.36"
 
 CVE_STATUS[CVE-2023-3867] = "cpe-stable-backport: Backported in 6.1.40"
 
+CVE_STATUS[CVE-2023-39189] = "cpe-stable-backport: Backported in 6.1.54"
+
+# CVE-2023-39191 needs backporting (fixed from 6.3rc1)
+
+CVE_STATUS[CVE-2023-39192] = "cpe-stable-backport: Backported in 6.1.53"
+
+CVE_STATUS[CVE-2023-39193] = "cpe-stable-backport: Backported in 6.1.53"
+
+CVE_STATUS[CVE-2023-39194] = "cpe-stable-backport: Backported in 6.1.47"
+
 CVE_STATUS[CVE-2023-4004] = "cpe-stable-backport: Backported in 6.1.42"
 
 # CVE-2023-4010 has no known resolution
@@ -5012,6 +5024,8 @@ CVE_STATUS[CVE-2023-4015] = "cpe-stable-backport: Backported in 6.1.43"
 
 CVE_STATUS[CVE-2023-40283] = "cpe-stable-backport: Backported in 6.1.45"
 
+# CVE-2023-40791 needs backporting (fixed from 6.5rc6)
+
 CVE_STATUS[CVE-2023-4128] = "cpe-stable-backport: Backported in 6.1.45"
 
 CVE_STATUS[CVE-2023-4132] = "cpe-stable-backport: Backported in 6.1.39"
@@ -5032,7 +5046,7 @@ CVE_STATUS[CVE-2023-4207] = "cpe-stable-backport: Backported in 6.1.45"
 
 CVE_STATUS[CVE-2023-4208] = "cpe-stable-backport: Backported in 6.1.45"
 
-# CVE-2023-4244 needs backporting (fixed from 6.5rc7)
+CVE_STATUS[CVE-2023-4244] = "cpe-stable-backport: Backported in 6.1.56"
 
 CVE_STATUS[CVE-2023-4273] = "cpe-stable-backport: Backported in 6.1.45"
 
@@ -5040,8 +5054,12 @@ CVE_STATUS[CVE-2023-42752] = "cpe-stable-backport: Backported in 6.1.53"
 
 CVE_STATUS[CVE-2023-42753] = "cpe-stable-backport: Backported in 6.1.53"
 
+CVE_STATUS[CVE-2023-42754] = "cpe-stable-backport: Backported in 6.1.56"
+
 CVE_STATUS[CVE-2023-42755] = "cpe-stable-backport: Backported in 6.1.55"
 
+CVE_STATUS[CVE-2023-42756] = "fixed-version: only affects 6.4rc6 onwards"
+
 CVE_STATUS[CVE-2023-4385] = "fixed-version: Fixed from version 5.19rc1"
 
 CVE_STATUS[CVE-2023-4387] = "fixed-version: Fixed from version 5.18"
@@ -5050,23 +5068,51 @@ CVE_STATUS[CVE-2023-4389] = "fixed-version: Fixed from version 5.18rc3"
 
 CVE_STATUS[CVE-2023-4394] = "fixed-version: Fixed from version 6.0rc3"
 
+CVE_STATUS[CVE-2023-44466] = "cpe-stable-backport: Backported in 6.1.40"
+
 CVE_STATUS[CVE-2023-4459] = "fixed-version: Fixed from version 5.18"
 
-# CVE-2023-4563 needs backporting (fixed from 6.5rc6)
+CVE_STATUS[CVE-2023-4563] = "cpe-stable-backport: Backported in 6.1.56"
 
 CVE_STATUS[CVE-2023-4569] = "cpe-stable-backport: Backported in 6.1.47"
 
+CVE_STATUS[CVE-2023-45862] = "cpe-stable-backport: Backported in 6.1.18"
+
+CVE_STATUS[CVE-2023-45863] = "cpe-stable-backport: Backported in 6.1.16"
+
+CVE_STATUS[CVE-2023-45871] = "cpe-stable-backport: Backported in 6.1.53"
+
+CVE_STATUS[CVE-2023-45898] = "fixed-version: only affects 6.5rc1 onwards"
+
+# CVE-2023-4610 needs backporting (fixed from 6.4)
+
 CVE_STATUS[CVE-2023-4611] = "fixed-version: only affects 6.4rc1 onwards"
 
 # CVE-2023-4622 needs backporting (fixed from 6.5rc1)
 
 CVE_STATUS[CVE-2023-4623] = "cpe-stable-backport: Backported in 6.1.53"
 
+# CVE-2023-46813 needs backporting (fixed from 6.1.60)
+
+# CVE-2023-46862 needs backporting (fixed from 6.6)
+
+CVE_STATUS[CVE-2023-4732] = "fixed-version: Fixed from version 5.14rc1"
+
 CVE_STATUS[CVE-2023-4881] = "cpe-stable-backport: Backported in 6.1.54"
 
 CVE_STATUS[CVE-2023-4921] = "cpe-stable-backport: Backported in 6.1.54"
 
-# CVE-2023-5158 has no known resolution
+# CVE-2023-5090 needs backporting (fixed from 6.6rc7)
+
+CVE_STATUS[CVE-2023-5158] = "cpe-stable-backport: Backported in 6.1.57"
+
+# CVE-2023-5178 needs backporting (fixed from 6.1.60)
+
+CVE_STATUS[CVE-2023-5197] = "cpe-stable-backport: Backported in 6.1.56"
+
+CVE_STATUS[CVE-2023-5345] = "cpe-stable-backport: Backported in 6.1.56"
+
+# CVE-2023-5633 needs backporting (fixed from 6.6rc6)
 
-# CVE-2023-5197 needs backporting (fixed from 6.6rc3)
+# CVE-2023-5717 needs backporting (fixed from 6.1.60)
 
diff --git a/meta/recipes-kernel/linux/cve-exclusion_6.5.inc b/meta/recipes-kernel/linux/cve-exclusion_6.5.inc
index dbcfdcd31c7..d48b0e14935 100644
--- a/meta/recipes-kernel/linux/cve-exclusion_6.5.inc
+++ b/meta/recipes-kernel/linux/cve-exclusion_6.5.inc
@@ -1,6 +1,6 @@
 
 # Auto-generated CVE metadata, DO NOT EDIT BY HAND.
-# Generated at 2023-10-14 12:24:32.683888+00:00 for version 6.5.7
+# Generated at 2023-11-03 13:24:25.010946+00:00 for version 6.5.7
 
 python check_kernel_cve_status_version() {
     this_version = "6.5.7"
@@ -3354,7 +3354,7 @@ CVE_STATUS[CVE-2020-27194] = "fixed-version: Fixed from version 5.9"
 
 CVE_STATUS[CVE-2020-2732] = "fixed-version: Fixed from version 5.6rc4"
 
-# CVE-2020-27418 has no known resolution
+CVE_STATUS[CVE-2020-27418] = "fixed-version: Fixed from version 5.6rc5"
 
 CVE_STATUS[CVE-2020-27673] = "fixed-version: Fixed from version 5.10rc1"
 
@@ -4644,7 +4644,7 @@ CVE_STATUS[CVE-2023-1118] = "fixed-version: Fixed from version 6.3rc1"
 
 CVE_STATUS[CVE-2023-1192] = "fixed-version: Fixed from version 6.4rc1"
 
-# CVE-2023-1193 has no known resolution
+CVE_STATUS[CVE-2023-1193] = "fixed-version: Fixed from version 6.3rc6"
 
 CVE_STATUS[CVE-2023-1194] = "fixed-version: Fixed from version 6.4rc6"
 
@@ -4856,7 +4856,7 @@ CVE_STATUS[CVE-2023-3106] = "fixed-version: Fixed from version 4.8rc7"
 
 CVE_STATUS[CVE-2023-31084] = "fixed-version: Fixed from version 6.4rc3"
 
-# CVE-2023-31085 has no known resolution
+# CVE-2023-31085 needs backporting (fixed from 6.6rc5)
 
 CVE_STATUS[CVE-2023-3111] = "fixed-version: Fixed from version 6.0rc2"
 
@@ -4936,6 +4936,8 @@ CVE_STATUS[CVE-2023-34256] = "fixed-version: Fixed from version 6.4rc2"
 
 CVE_STATUS[CVE-2023-34319] = "fixed-version: Fixed from version 6.5rc6"
 
+# CVE-2023-34324 needs backporting (fixed from 6.6rc6)
+
 CVE_STATUS[CVE-2023-3439] = "fixed-version: Fixed from version 5.18rc5"
 
 CVE_STATUS[CVE-2023-35001] = "fixed-version: Fixed from version 6.5rc2"
@@ -4952,7 +4954,7 @@ CVE_STATUS[CVE-2023-35824] = "fixed-version: Fixed from version 6.4rc1"
 
 CVE_STATUS[CVE-2023-35826] = "fixed-version: Fixed from version 6.4rc1"
 
-# CVE-2023-35827 has no known resolution
+# CVE-2023-35827 needs backporting (fixed from 6.6rc6)
 
 CVE_STATUS[CVE-2023-35828] = "fixed-version: Fixed from version 6.4rc1"
 
@@ -5004,6 +5006,16 @@ CVE_STATUS[CVE-2023-3866] = "fixed-version: Fixed from version 6.4"
 
 CVE_STATUS[CVE-2023-3867] = "fixed-version: Fixed from version 6.5rc1"
 
+# CVE-2023-39189 needs backporting (fixed from 6.6rc1)
+
+CVE_STATUS[CVE-2023-39191] = "fixed-version: Fixed from version 6.3rc1"
+
+# CVE-2023-39192 needs backporting (fixed from 6.6rc1)
+
+# CVE-2023-39193 needs backporting (fixed from 6.6rc1)
+
+CVE_STATUS[CVE-2023-39194] = "fixed-version: Fixed from version 6.5rc7"
+
 CVE_STATUS[CVE-2023-4004] = "fixed-version: Fixed from version 6.5rc3"
 
 # CVE-2023-4010 has no known resolution
@@ -5012,6 +5024,8 @@ CVE_STATUS[CVE-2023-4015] = "fixed-version: Fixed from version 6.5rc4"
 
 CVE_STATUS[CVE-2023-40283] = "fixed-version: Fixed from version 6.5rc1"
 
+CVE_STATUS[CVE-2023-40791] = "fixed-version: Fixed from version 6.5rc6"
+
 CVE_STATUS[CVE-2023-4128] = "fixed-version: Fixed from version 6.5rc5"
 
 CVE_STATUS[CVE-2023-4132] = "fixed-version: Fixed from version 6.5rc1"
@@ -5040,8 +5054,12 @@ CVE_STATUS[CVE-2023-4273] = "fixed-version: Fixed from version 6.5rc5"
 
 # CVE-2023-42753 needs backporting (fixed from 6.6rc1)
 
+# CVE-2023-42754 needs backporting (fixed from 6.6rc3)
+
 CVE_STATUS[CVE-2023-42755] = "fixed-version: Fixed from version 6.3rc1"
 
+# CVE-2023-42756 needs backporting (fixed from 6.6rc3)
+
 CVE_STATUS[CVE-2023-4385] = "fixed-version: Fixed from version 5.19rc1"
 
 CVE_STATUS[CVE-2023-4387] = "fixed-version: Fixed from version 5.18"
@@ -5050,23 +5068,51 @@ CVE_STATUS[CVE-2023-4389] = "fixed-version: Fixed from version 5.18rc3"
 
 CVE_STATUS[CVE-2023-4394] = "fixed-version: Fixed from version 6.0rc3"
 
+CVE_STATUS[CVE-2023-44466] = "fixed-version: Fixed from version 6.5rc2"
+
 CVE_STATUS[CVE-2023-4459] = "fixed-version: Fixed from version 5.18"
 
 CVE_STATUS[CVE-2023-4563] = "fixed-version: Fixed from version 6.5rc6"
 
 CVE_STATUS[CVE-2023-4569] = "fixed-version: Fixed from version 6.5rc7"
 
+CVE_STATUS[CVE-2023-45862] = "fixed-version: Fixed from version 6.3rc1"
+
+CVE_STATUS[CVE-2023-45863] = "fixed-version: Fixed from version 6.3rc1"
+
+# CVE-2023-45871 needs backporting (fixed from 6.6rc1)
+
+# CVE-2023-45898 needs backporting (fixed from 6.6rc1)
+
+CVE_STATUS[CVE-2023-4610] = "fixed-version: Fixed from version 6.4"
+
 CVE_STATUS[CVE-2023-4611] = "fixed-version: Fixed from version 6.5rc4"
 
 CVE_STATUS[CVE-2023-4622] = "fixed-version: Fixed from version 6.5rc1"
 
 # CVE-2023-4623 needs backporting (fixed from 6.6rc1)
 
+# CVE-2023-46813 needs backporting (fixed from 6.6rc7)
+
+# CVE-2023-46862 needs backporting (fixed from 6.6)
+
+CVE_STATUS[CVE-2023-4732] = "fixed-version: Fixed from version 5.14rc1"
+
 # CVE-2023-4881 needs backporting (fixed from 6.6rc1)
 
 # CVE-2023-4921 needs backporting (fixed from 6.6rc1)
 
-# CVE-2023-5158 has no known resolution
+# CVE-2023-5090 needs backporting (fixed from 6.6rc7)
+
+# CVE-2023-5158 needs backporting (fixed from 6.6rc5)
+
+# CVE-2023-5178 needs backporting (fixed from 6.6rc7)
 
 # CVE-2023-5197 needs backporting (fixed from 6.6rc3)
 
+# CVE-2023-5345 needs backporting (fixed from 6.6rc4)
+
+# CVE-2023-5633 needs backporting (fixed from 6.6rc6)
+
+# CVE-2023-5717 needs backporting (fixed from 6.6rc7)
+
-- 
2.34.1




* [PATCH][nanbield 2/7] libxml2: ignore disputed CVE-2023-45322
  2023-11-03 13:28 [PATCH][nanbield 1/7] linux-yocto: update CVE exclusions ross.burton
@ 2023-11-03 13:28 ` ross.burton
  2023-11-03 13:28 ` [PATCH][nanbield 3/7] zlib: ignore CVE-2023-45853 ross.burton
                   ` (4 subsequent siblings)
  5 siblings, 0 replies; 7+ messages in thread
From: ross.burton @ 2023-11-03 13:28 UTC (permalink / raw)
  To: openembedded-core; +Cc: nd

From: Ross Burton <ross.burton@arm.com>

This CVE is a use-after-free which theoretically can be an exploit
vector, but this UAF only occurs when malloc() fails.  As it's
unlikely that the user can orchestrate malloc() failures at just the
place to break on _this_ malloc and not others, it is disputed that this
is actually a security issue.

The underlying bug has been fixed, and will be incorporated into the
next release.

Signed-off-by: Ross Burton <ross.burton@arm.com>
---
 meta/recipes-core/libxml/libxml2_2.11.5.bb | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/meta/recipes-core/libxml/libxml2_2.11.5.bb b/meta/recipes-core/libxml/libxml2_2.11.5.bb
index 4cf6dd09a9a..fc82912df25 100644
--- a/meta/recipes-core/libxml/libxml2_2.11.5.bb
+++ b/meta/recipes-core/libxml/libxml2_2.11.5.bb
@@ -21,6 +21,9 @@ SRC_URI += "http://www.w3.org/XML/Test/xmlts20130923.tar;subdir=${BP};name=testt
 SRC_URI[archive.sha256sum] = "3727b078c360ec69fa869de14bd6f75d7ee8d36987b071e6928d4720a28df3a6"
 SRC_URI[testtar.sha256sum] = "c6b2d42ee50b8b236e711a97d68e6c4b5c8d83e69a2be4722379f08702ea7273"
 
+# Disputed as a security issue, but fixed in d39f780
+CVE_STATUS[CVE-2023-45322] = "disputed: issue requires memory allocation to fail"
+
 BINCONFIG = "${bindir}/xml2-config"
 
 PACKAGECONFIG ??= "python \
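Review bot: The comment above the new CVE_STATUS line cites the fix only as `d39f780`, which a reader of the recipe cannot place without this commit message, and it gives no hint of when the exclusion can be dropped even though the description says the fix lands in the next libxml2 release. Expanding it to `# Disputed as a security issue (UAF only reachable when malloc() fails); fixed upstream in d39f780, drop this entry once the recipe moves to a release containing it` keeps the `disputed:` entry from outliving the version bump that makes it moot. The status string itself reads fine as the rationale shown in reports.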
-- 
2.34.1




* [PATCH][nanbield 3/7] zlib: ignore CVE-2023-45853
  2023-11-03 13:28 [PATCH][nanbield 1/7] linux-yocto: update CVE exclusions ross.burton
  2023-11-03 13:28 ` [PATCH][nanbield 2/7] libxml2: ignore disputed CVE-2023-45322 ross.burton
@ 2023-11-03 13:28 ` ross.burton
  2023-11-03 13:28 ` [PATCH][nanbield 4/7] pixman: ignore CVE-2023-37769 ross.burton
                   ` (3 subsequent siblings)
  5 siblings, 0 replies; 7+ messages in thread
From: ross.burton @ 2023-11-03 13:28 UTC (permalink / raw)
  To: openembedded-core; +Cc: nd

From: Ross Burton <ross.burton@arm.com>

This CVE relates to a bug in the minizip tool, but we don't build that.

Signed-off-by: Ross Burton <ross.burton@arm.com>
---
 meta/recipes-core/zlib/zlib_1.3.bb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta/recipes-core/zlib/zlib_1.3.bb b/meta/recipes-core/zlib/zlib_1.3.bb
index c8fd855ee67..1ed18172faa 100644
--- a/meta/recipes-core/zlib/zlib_1.3.bb
+++ b/meta/recipes-core/zlib/zlib_1.3.bb
@@ -45,3 +45,5 @@ do_install_ptest() {
 }
 
 BBCLASSEXTEND = "native nativesdk"
+
+CVE_STATUS[CVE-2023-45853] = "not-applicable-config: we don't build minizip"
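Review bot: The new CVE_STATUS line rests on a configuration fact, that contrib/minizip is neither built nor packaged here, but nothing in the recipe ties the exclusion to that precondition, so a later change enabling minizip would leave the status silently wrong. A short comment above it, `# contrib/minizip is not built or packaged by this recipe; revisit this status if that changes`, makes the exclusion auditable without relying on the commit message. The `not-applicable-config:` category itself is the right one for a build-configuration argument.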
-- 
2.34.1




* [PATCH][nanbield 4/7] pixman: ignore CVE-2023-37769
  2023-11-03 13:28 [PATCH][nanbield 1/7] linux-yocto: update CVE exclusions ross.burton
  2023-11-03 13:28 ` [PATCH][nanbield 2/7] libxml2: ignore disputed CVE-2023-45322 ross.burton
  2023-11-03 13:28 ` [PATCH][nanbield 3/7] zlib: ignore CVE-2023-45853 ross.burton
@ 2023-11-03 13:28 ` ross.burton
  2023-11-03 13:28 ` [PATCH][nanbield 5/7] cve-check: sort the package list in the JSON report ross.burton
                   ` (2 subsequent siblings)
  5 siblings, 0 replies; 7+ messages in thread
From: ross.burton @ 2023-11-03 13:28 UTC (permalink / raw)
  To: openembedded-core; +Cc: nd

From: Ross Burton <ross.burton@arm.com>

This issue relates to a floating point exception in stress-test, which
is an unlikely security exploit at the best of times, but the test is
not installed so isn't relevant.

Signed-off-by: Ross Burton <ross.burton@arm.com>
---
 meta/recipes-graphics/xorg-lib/pixman_0.42.2.bb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta/recipes-graphics/xorg-lib/pixman_0.42.2.bb b/meta/recipes-graphics/xorg-lib/pixman_0.42.2.bb
index 98df6dab217..8a93f8c0fe3 100644
--- a/meta/recipes-graphics/xorg-lib/pixman_0.42.2.bb
+++ b/meta/recipes-graphics/xorg-lib/pixman_0.42.2.bb
@@ -41,3 +41,5 @@ EXTRA_OEMESON:append:armv7a = "${@bb.utils.contains("TUNE_FEATURES","neon","","
 EXTRA_OEMESON:append:armv7ve = "${@bb.utils.contains("TUNE_FEATURES","neon",""," -Dneon=disabled",d)}"
 
 BBCLASSEXTEND = "native nativesdk"
+
+CVE_STATUS[CVE-2023-37769] = "not-applicable-config: stress-test is an uninstalled test"
-- 
2.34.1




* [PATCH][nanbield 5/7] cve-check: sort the package list in the JSON report
  2023-11-03 13:28 [PATCH][nanbield 1/7] linux-yocto: update CVE exclusions ross.burton
                   ` (2 preceding siblings ...)
  2023-11-03 13:28 ` [PATCH][nanbield 4/7] pixman: ignore CVE-2023-37769 ross.burton
@ 2023-11-03 13:28 ` ross.burton
  2023-11-03 13:28 ` [PATCH][nanbield 6/7] cve-check: slightly more verbose warning when adding the same package twice ross.burton
  2023-11-03 13:28 ` [PATCH][nanbield 7/7] cve-check: don't warn if a patch is remote ross.burton
  5 siblings, 0 replies; 7+ messages in thread
From: ross.burton @ 2023-11-03 13:28 UTC (permalink / raw)
  To: openembedded-core; +Cc: nd

From: Ross Burton <ross.burton@arm.com>

The JSON report generated by the cve-check class is basically a huge
list of packages.  This list of packages is, however, unsorted.

To make things easier for people comparing the JSON, or more
specifically for git when archiving the JSON over time in a git
repository, we can sort the list by package name.

Signed-off-by: Ross Burton <ross.burton@arm.com>
---
 meta/classes/cve-check.bbclass | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index b55f4299da3..5191d043030 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -138,6 +138,8 @@ def generate_json_report(d, out_path, link_path):
                     cve_check_merge_jsons(summary, data)
                 filename = f.readline()
 
+        summary["package"].sort(key=lambda d: d['name'])
+
         with open(out_path, "w") as f:
             json.dump(summary, f, indent=2)
 
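Review bot: The lambda parameter `d` on the new sort line shadows the datastore argument `d` of generate_json_report (visible in the hunk header), which is confusing in a class where `d` conventionally is the BitBake datastore; `summary["package"].sort(key=lambda pkg: pkg["name"])` avoids that and also matches the double-quoted keys used on the surrounding lines. The sort additionally assumes `summary["package"]` exists and every entry carries a `name` key; that presumably holds for reports written by this class, but if an empty summary is possible when no per-recipe JSON was merged, a `KeyError` here would abort report generation, so that assumption deserves a one-line comment or a guard. The function body continues outside the hunk.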
-- 
2.34.1




* [PATCH][nanbield 6/7] cve-check: slightly more verbose warning when adding the same package twice
  2023-11-03 13:28 [PATCH][nanbield 1/7] linux-yocto: update CVE exclusions ross.burton
                   ` (3 preceding siblings ...)
  2023-11-03 13:28 ` [PATCH][nanbield 5/7] cve-check: sort the package list in the JSON report ross.burton
@ 2023-11-03 13:28 ` ross.burton
  2023-11-03 13:28 ` [PATCH][nanbield 7/7] cve-check: don't warn if a patch is remote ross.burton
  5 siblings, 0 replies; 7+ messages in thread
From: ross.burton @ 2023-11-03 13:28 UTC (permalink / raw)
  To: openembedded-core; +Cc: nd

From: Ross Burton <ross.burton@arm.com>

Occasionally the cve-check tool will warn that it is adding the same
package twice.  Knowing what this package is might be the first step
towards understanding where this message comes from.

Signed-off-by: Ross Burton <ross.burton@arm.com>
---
 meta/lib/oe/cve_check.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/lib/oe/cve_check.py b/meta/lib/oe/cve_check.py
index 3979d521d10..c0ab22d25ea 100644
--- a/meta/lib/oe/cve_check.py
+++ b/meta/lib/oe/cve_check.py
@@ -172,7 +172,7 @@ def cve_check_merge_jsons(output, data):
 
     for product in output["package"]:
         if product["name"] == data["package"][0]["name"]:
-            bb.error("Error adding the same package twice")
+            bb.error("Error adding the same package %s twice" % product["name"])
             return
 
     output["package"].append(data["package"][0])
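Review bot: The enriched message on the changed line still does not tell the reader what happens to the duplicate: the function returns before the `append` below, so the second report for that package is discarded and the merged JSON is incomplete. Saying so in the text, `bb.error("Error adding the same package %s twice, dropping the second instance" % product["name"])`, lets someone reading the log judge whether the report can be trusted. cve_check_merge_jsons starts before this hunk.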
-- 
2.34.1




* [PATCH][nanbield 7/7] cve-check: don't warn if a patch is remote
  2023-11-03 13:28 [PATCH][nanbield 1/7] linux-yocto: update CVE exclusions ross.burton
                   ` (4 preceding siblings ...)
  2023-11-03 13:28 ` [PATCH][nanbield 6/7] cve-check: slightly more verbose warning when adding the same package twice ross.burton
@ 2023-11-03 13:28 ` ross.burton
  5 siblings, 0 replies; 7+ messages in thread
From: ross.burton @ 2023-11-03 13:28 UTC (permalink / raw)
  To: openembedded-core; +Cc: nd

From: Ross Burton <ross.burton@arm.com>

We don't make do_cve_check depend on do_unpack because that would be a
waste of time 99% of the time.  The compromise here is that we can't
scan remote patches for issues, but this isn't a problem so downgrade
the warning to a note.

Also move the check for CVEs in the filename before the local file check
so that even with remote patches, we still check for CVE references in
the name.

Signed-off-by: Ross Burton <ross.burton@arm.com>
---
 meta/lib/oe/cve_check.py | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/meta/lib/oe/cve_check.py b/meta/lib/oe/cve_check.py
index c0ab22d25ea..3fa77bf9a71 100644
--- a/meta/lib/oe/cve_check.py
+++ b/meta/lib/oe/cve_check.py
@@ -95,11 +95,6 @@ def get_patched_cves(d):
     for url in oe.patch.src_patches(d):
         patch_file = bb.fetch.decodeurl(url)[2]
 
-        # Remote compressed patches may not be unpacked, so silently ignore them
-        if not os.path.isfile(patch_file):
-            bb.warn("%s does not exist, cannot extract CVE list" % patch_file)
-            continue
-
         # Check patch file name for CVE ID
         fname_match = cve_file_name_match.search(patch_file)
         if fname_match:
@@ -107,6 +102,12 @@ def get_patched_cves(d):
             patched_cves.add(cve)
             bb.debug(2, "Found CVE %s from patch file name %s" % (cve, patch_file))
 
+        # Remote patches won't be present and compressed patches won't be
+        # unpacked, so say we're not scanning them
+        if not os.path.isfile(patch_file):
+            bb.note("%s is remote or compressed, not scanning content" % patch_file)
+            continue
+
         with open(patch_file, "r", encoding="utf-8") as f:
             try:
                 patch_text = f.read()
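Review bot: The moved check downgrades every non-existent patch path to a note, including a local `file://` patch that is simply missing or mis-spelled in SRC_URI, which the removed lines in the first hunk used to flag with a warning; after this change such a patch is still counted as fixing whatever CVE its filename names while its content is never scanned, and the only trace is a note. Distinguishing on the URL scheme, which `bb.fetch.decodeurl(url)` already returns as element 0 on the line above, keeps the warning for local files and the note for remote ones. If local compressed patches also resolve to a not-yet-unpacked path at this point, the warning condition needs narrowing further; that cannot be confirmed from the hunk. The enclosing for loop and get_patched_cves start before the hunk.
```python
        # Remote patches won't be present and compressed patches won't be
        # unpacked, so say we're not scanning them; a missing local patch
        # is a recipe error and keeps the warning
        if not os.path.isfile(patch_file):
            if bb.fetch.decodeurl(url)[0] == "file":
                bb.warn("%s does not exist, cannot extract CVE list" % patch_file)
            else:
                bb.note("%s is remote or compressed, not scanning content" % patch_file)
            continue
        # … unchanged: open(patch_file) and content scan …
```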
-- 
2.34.1



