Hello,
Thanks for providing the intel-linux-rt kernel. I have built a Yocto system based on the current Scarthgap LTS version and am using meta-intel. I have set "linux-intel-rt" as the preferred kernel provider. I have also switched on CVE checking (inherit "cve-check"). When compiling the kernel, Yocto reports 626 unpatched CVEs. I have already contacted the maintainer of meta-intel, who forwarded me to better-fitted teams. We are preparing for the EU Cyber Resilience Act, and this high number of unpatched CVEs (please find the SPDX SBOM of that compile attached) is quite troublesome.
Please tell me if I am doing something basically wrong. What is the linux-cve branch about? Can one use that instead of the "normal" linux branches? Shall I merge those together? Is there an rt version of the linux-cve branch? I do not see this as a new vulnerability report; the SBOM shows vulnerabilities like CVE-1999-0524, CVE-1999-0656, etc. Therefore, I am not reporting that via secure@intel.com. Please tell me if you see this the same way.
cve.json