How to run CVE checks using the Yocto Project

From KoanSoftware Wiki
Revision as of 17:25, 11 December 2024 by Koan (talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

How to run CVE checks using the Yocto Project

Enable CVE check

The Yocto Project provides a cve-check class which can be enabled to perform scans on packages for public CVE’s.

It is possible to enable this feature to run a scan of packages but also on images.

To enable the CVE check you can add the following to e.g local.conf:

 INHERIT += "cve-check"

Then run

bitbake core-image-minimal

Or

bitbake --runall cve_check core-image-minimal


You will get to the output a list of unpatched CVE’s where found and several log files

  • Complete CVE report summary created at: .../build/tmp/log/cve/cve-summary
  • Complete CVE JSON report summary created at: .../build/tmp/log/cve/cve-summary.json


It is also possible to check the CVE status of individual packages as follows:

bitbake -c cve_check flex libarchive