How to run CVE checks using the Yocto Project
From KoanSoftware Wiki
Enable CVE check
The Yocto Project provides a cve-check class which, when enabled, checks every recipe in the build against the NVD database of publicly known CVEs. The match is made on product name and version (the recipe's CVE_PRODUCT and CVE_VERSION, which default to BPN and PV), so a hit means the version is listed as affected in NVD, not that the package is necessarily exploitable in your image. A CVE is reported as patched when a patch in the recipe's SRC_URI carries the CVE ID in its file name or in a "CVE:" tag inside the patch; CVEs that genuinely do not apply can be marked per recipe with CVE_STATUS (CVE_CHECK_IGNORE on older releases), which records them as Ignored rather than Unpatched.
The check runs per recipe, and building an image additionally produces a summary covering every recipe pulled into that image.
To enable the CVE check, add the following to e.g. local.conf (or your distro configuration):
INHERIT += "cve-check"
Then run a normal build, which now executes do_cve_check for every recipe:
bitbake core-image-minimal
Or run only the cve_check tasks, which needs the sources fetched (for patch detection) but does not compile anything:
bitbake --runall cve_check core-image-minimal
The first run downloads the NVD database through a helper native recipe (cve-update-nvd2-native in current releases), so expect it to take a while and to need network access.
Any unpatched CVEs found are reported as warnings in the bitbake output, and the results are also written to per-recipe reports under tmp/deploy/cve/ plus the following summary files:
- Complete CVE report summary created at: .../build/tmp/log/cve/cve-summary
- Complete CVE JSON report summary created at: .../build/tmp/log/cve/cve-summary.json
It is also possible to check the CVE status of individual recipes without building an image:
bitbake -c cve_check flex libarchive
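The cve-summary.json report is the file to feed into tooling once the build has run. The script below is an added example, not code from this page or from the cve-check class: it triages that report, listing only Unpatched CVEs at or above a CVSS threshold, treating unscored entries as unknown rather than harmless, and exiting non-zero when anything is left so a CI job can fail on it. It assumes the "version": "1" JSON layout written by cve-check.bbclass in recent Yocto releases (a top-level "package" list whose entries carry "name", "version" and an "issue" list with "id", "status", "scorev2", "scorev3" and "link"); check those field names against your own report before relying on them. The embedded SAMPLE_REPORT is constructed for the example, with placeholder CVE IDs, versions and scores.

```python
"""Triage a Yocto cve-check JSON summary (build/tmp/log/cve/cve-summary.json).

Added example, not the cve-check class's own code. Assumes the "version": "1"
layout: top-level "package" list, each with "name", "version" and an "issue"
list carrying "id", "status" ("Patched", "Unpatched" or "Ignored"),
"scorev2", "scorev3" and "link". Verify against your own report.
"""
import json
import sys
from collections import Counter, defaultdict

# Constructed sample in the assumed layout; CVE ids, versions and scores are
# placeholders for demonstration, not real NVD records or a real build.
SAMPLE_REPORT = json.dumps({
    "version": "1",
    "package": [
        {"name": "flex", "layer": "meta", "version": "2.6.4", "issue": [
            {"id": "CVE-2099-00001", "summary": "constructed", "scorev2": "4.3",
             "scorev3": "0.0", "vector": "NETWORK", "status": "Unpatched",
             "link": "https://nvd.nist.gov/vuln/detail/CVE-2099-00001"},
            {"id": "CVE-2099-00002", "summary": "constructed", "scorev2": "7.5",
             "scorev3": "9.8", "vector": "NETWORK", "status": "Patched",
             "link": "https://nvd.nist.gov/vuln/detail/CVE-2099-00002"}]},
        {"name": "libarchive", "layer": "meta", "version": "3.6.2", "issue": [
            {"id": "CVE-2099-00003", "summary": "constructed", "scorev2": "7.5",
             "scorev3": "9.8", "vector": "NETWORK", "status": "Unpatched",
             "link": "https://nvd.nist.gov/vuln/detail/CVE-2099-00003"},
            {"id": "CVE-2099-00004", "summary": "constructed", "scorev2": "0.0",
             "scorev3": "0.0", "vector": "", "status": "Unpatched",
             "link": "https://nvd.nist.gov/vuln/detail/CVE-2099-00004"},
            {"id": "CVE-2099-00005", "summary": "constructed", "scorev2": "5.0",
             "scorev3": "7.5", "vector": "NETWORK", "status": "Ignored",
             "link": "https://nvd.nist.gov/vuln/detail/CVE-2099-00005"}]},
    ],
})


def parse_report(text):
    """Return the package list, refusing layouts this script was not written for."""
    data = json.loads(text)
    if str(data.get("version")) != "1" or not isinstance(data.get("package"), list):
        raise ValueError("unexpected cve-summary.json layout")
    return data["package"]


def cvss_score(issue):
    """Best available CVSS score: v3 preferred, v2 fallback, None if neither.

    Scores are strings in the report and "0.0" stands for "NVD has no score",
    so 0.0 is treated as unknown rather than as harmless.
    """
    for key in ("scorev3", "scorev2"):
        try:
            value = float(issue.get(key, ""))
        except (TypeError, ValueError):
            continue
        if value > 0.0:
            return value
    return None


def unpatched(text, min_score=0.0):
    """Map "name-version" to [(cve id, score)] for Unpatched issues.

    Issues scoring at or above min_score are kept; unscored issues are always
    kept, because an unscored CVE is unknown, not low.
    """
    result = defaultdict(list)
    for pkg in parse_report(text):
        for issue in pkg.get("issue", []):
            if issue.get("status") != "Unpatched":
                continue
            score = cvss_score(issue)
            if score is None or score >= min_score:
                result[f"{pkg['name']}-{pkg.get('version', '?')}"].append((issue["id"], score))
    return dict(result)


def status_counts(text):
    """Count issues per status across all packages, a quick sanity check of a run."""
    counts = Counter()
    for pkg in parse_report(text):
        for issue in pkg.get("issue", []):
            counts[issue.get("status", "Unknown")] += 1
    return dict(counts)


def main(argv):
    # Usage: triage.py [cve-summary.json] [min-cvss]; runs on the sample without args.
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_REPORT
    min_score = float(argv[2]) if len(argv) > 2 else 0.0
    findings = unpatched(text, min_score)
    print("status counts:", status_counts(text))
    for pkg, issues in sorted(findings.items()):
        for cve, score in issues:
            print(f"{pkg:32} {cve:18} {'n/a' if score is None else score}")
    return 1 if findings else 0  # non-zero exit lets a CI job fail on findings


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 triage.py build/tmp/log/cve/cve-summary.json 7.0` to see only high and critical unpatched entries; Patched and Ignored entries are counted but never listed, so a CVE you mark with CVE_STATUS disappears from the findings while still being visible in the status counts.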