How to run CVE checks using the Yocto Project

How to run CVE checks using the Yocto Project

Enable CVE check

The Yocto Project provides a cve-check class which can be enabled to perform scans on packages for public CVE’s.

It is possible to enable this feature to run a scan of packages but also on images.

To enable the CVE check you can add the following to e.g local.conf:

 INHERIT += "cve-check"

Then run

bitbake --runall cve_check core-image-minimal

You will get to the output a list of unpatched CVE’s where found and several log files

• Complete CVE report summary created at: .../build/tmp/log/cve/cve-summary

• Complete CVE JSON report summary created at: .../build/tmp/log/cve/cve-summary.json