[yocto-security] Import cve-check to srtool

Reyna, David david.reyna at windriver.com
Tue Mar 12 14:33:16 PDT 2019


Hi Dan,

> "I just heard about Yocto srtool. It looks fantastic!"

Thank you! 

It is under rapid development right now, with a huge commit pending based on my deployment within Wind River. Once I get that shared (plus new support for multiple SQL databases), we will declare version 2.0 and more formally announce it to the world.

> "I'm wondering is there a way to automatically import cve-check from Yocto build process to srtool somehow? I have not been able to find a way to do so."

That is part of the plan, to connect and/or correlate the SRTool data to actual builds, their package manifests, and scanner output like "cve-check".

I myself do not have any experience with "cve-check" yet. As per Ross's comments, do you have an idea on how you would like to fit the data together?

I am happy to host a meeting to discuss it if you want to explore the idea together.

David Reyna
Lead Developer, SRTool

-----Original Message-----
From: yocto-security-bounces at yoctoproject.org [mailto:yocto-security-bounces at yoctoproject.org] On Behalf Of Burton, Ross
Sent: Tuesday, March 12, 2019 2:25 PM
To: Daniel Wang
Cc: yocto-security at yoctoproject.org
Subject: Re: [yocto-security] Import cve-check to srtool

On Tue, 12 Mar 2019 at 21:12, Daniel Wang <xiaolong.wang at anki.com> wrote:
> I just heard about Yocto srtool. It looks fantastic! I'm wondering is there a way to automatically import cve-check from Yocto build process to srtool somehow? I have not been able to find a way to do so.

What do you expect the import to be?  Remember that the cve-check-tool
output *needs* to be reviewed by a human, so srtool is effectively
that review using its own copy of the CVE database.

Ross