How to run CVE checks using the Yocto Project

From KoanSoftware Wiki

Enable CVE check

The Yocto Project provides a cve-check class which, when enabled, scans the packages of a build for publicly known CVEs.

The check can be run for individual packages as well as for whole images.

To enable the CVE check, add the following to e.g. local.conf:

 INHERIT += "cve-check"

Then run

 bitbake core-image-minimal

or

 bitbake --runall cve_check core-image-minimal

The build output lists any unpatched CVEs that were found, and two report files are written:

  • Complete CVE report summary created at: .../build/tmp/log/cve/cve-summary
  • Complete CVE JSON report summary created at: .../build/tmp/log/cve/cve-summary.json
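To act on the JSON report, for instance as a gate in a CI job, here is an added Python example (it is not from this wiki page or from the Yocto Project). It parses a summary in the layout that the cve-check class writes to cve-summary.json (the field names `package`, `name`, `version`, `issue`, `id`, `status`, `scorev2`, `scorev3` and `link` are assumed from that class) and lists the CVEs still marked Unpatched whose CVSS score meets a threshold, so a build can be failed on high-severity findings only. The embedded sample report is constructed; its package entries and CVE ids are placeholders, not real findings.

```python
import json
import sys
from typing import Any, Dict, List

# Constructed sample in the layout assumed for tmp/log/cve/cve-summary.json.
# The packages, versions and CVE ids below are placeholders for illustration.
SAMPLE_SUMMARY = json.dumps({
    "version": "1",
    "package": [
        {
            "name": "flex", "layer": "meta", "version": "2.6.4",
            "products": [{"product": "flex", "cvesInRecord": "Yes"}],
            "issue": [
                {"id": "CVE-0000-0001", "summary": "constructed entry",
                 "scorev2": "7.5", "scorev3": "9.8", "vector": "NETWORK",
                 "status": "Unpatched", "link": "https://example.invalid/CVE-0000-0001"},
                {"id": "CVE-0000-0002", "summary": "constructed entry",
                 "scorev2": "4.3", "scorev3": "5.3", "vector": "NETWORK",
                 "status": "Patched", "link": "https://example.invalid/CVE-0000-0002"},
            ],
        },
        {
            "name": "libarchive", "layer": "meta", "version": "3.6.2",
            "products": [{"product": "libarchive", "cvesInRecord": "Yes"}],
            "issue": [
                # Older records may carry only a CVSS v2 score; v3 is then "0.0".
                {"id": "CVE-0000-0003", "summary": "constructed entry",
                 "scorev2": "5.0", "scorev3": "0.0", "vector": "NETWORK",
                 "status": "Unpatched", "link": "https://example.invalid/CVE-0000-0003"},
                {"id": "CVE-0000-0004", "summary": "constructed entry",
                 "scorev2": "9.3", "scorev3": "9.8", "vector": "NETWORK",
                 "status": "Ignored", "link": "https://example.invalid/CVE-0000-0004"},
            ],
        },
    ],
})


def load_summary(text: str) -> Dict[str, Any]:
    """Parse the JSON summary text into a dict."""
    return json.loads(text)


def _score(issue: Dict[str, Any]) -> float:
    """Best available CVSS base score: prefer v3, fall back to v2, tolerate junk."""
    best = 0.0
    for key in ("scorev3", "scorev2"):
        try:
            best = max(best, float(issue.get(key, "0.0")))
        except (TypeError, ValueError):
            pass
    return best


def unpatched_issues(summary: Dict[str, Any], min_cvss: float = 0.0) -> List[Dict[str, Any]]:
    """Return Unpatched CVEs with score >= min_cvss, one flat record per finding.

    Entries with status Patched or Ignored are deliberately skipped: Ignored means a
    maintainer has recorded a reason the CVE does not apply (CVE_CHECK_IGNORE)."""
    findings = []
    for pkg in summary.get("package", []):
        for issue in pkg.get("issue", []):
            if issue.get("status") != "Unpatched":
                continue
            score = _score(issue)
            if score >= min_cvss:
                findings.append({
                    "package": pkg.get("name", "?"),
                    "version": pkg.get("version", "?"),
                    "id": issue.get("id", "?"),
                    "score": score,
                    "link": issue.get("link", ""),
                })
    # Highest severity first so the report leads with what matters.
    return sorted(findings, key=lambda f: f["score"], reverse=True)


def format_report(findings: List[Dict[str, Any]]) -> str:
    """Render findings as one line each, suitable for a CI log."""
    return "\n".join(
        f"{f['package']} {f['version']}: {f['id']} (CVSS {f['score']:.1f}) {f['link']}"
        for f in findings
    )


def gate(summary: Dict[str, Any], min_cvss: float) -> int:
    """Exit status for a CI step: 1 if any unpatched CVE reaches the threshold."""
    return 1 if unpatched_issues(summary, min_cvss) else 0


if __name__ == "__main__":
    # Usage: python cve_gate.py [path/to/cve-summary.json] [min_cvss]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SUMMARY
    threshold = float(sys.argv[2]) if len(sys.argv) > 2 else 7.0
    report = load_summary(text)
    print(format_report(unpatched_issues(report, threshold)) or "no unpatched CVEs at threshold")
    sys.exit(gate(report, threshold))
```

Run it with no arguments to see the behaviour on the constructed sample, or point it at the real cve-summary.json after a build; the threshold makes the gate strict on high-scoring findings without blocking the build on every low-severity record.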


It is also possible to check the CVE status of individual packages by running the cve_check task for them directly:

 bitbake -c cve_check flex libarchive