[yocto] cve-checker tool

Sona Sarmadi sona.sarmadi at enea.com
Thu Oct 27 04:03:14 PDT 2016



> -----Original Message-----
> From: Sona Sarmadi
> Sent: den 27 oktober 2016 10:57
> To: Scott Rifenbark <srifenbark at gmail.com>; 'mariano.lopez at intel.com'
> <mariano.lopez at intel.com>; yocto at yoctoproject.org
> Subject: cve-checker tool
> 
> Hi guys,
> 
> I have some questions regarding the cve-check tool. I don't find anything
> about this tool in the Yocto
> 2.2 release; does the documentation mention this tool and how to use it?
> 
> Is this tool planned to be integrated with the daily build so the Yocto project
> can detect not addressed CVEs automatically?
> 
> Mariano:
> Does this tool look at the CVE tag inside the recipe as well, or only check the
> package version?
> 
> Can this tool be used together with "meta-security-isafw" to get a fancy
> report?

There is some useful info in the cve-check.bbclass:

# In order to use this class just inherit the class in the
# local.conf file and it will add the cve_check task for
# every recipe. The task can be used per recipe, per image,
# or using the special cases "world" and "universe". The
# cve_check task will print a warning for every unpatched
# CVE found and generate a file in the recipe WORKDIR/cve
# directory. If an image is built it will generate a report
# in DEPLOY_DIR_IMAGE for all the packages used.

I see the following logs are generated:
./unzip/1_6.0-r5/cve/cve.log
./gnutls/3.5.3-r0/cve/cve.log
./glibc/2.24-r0/cve/cve.log
./glibc-initial/2.24-r0/cve/cve.log
./foomatic-filters/4.0.17-r1/cve/cve.log
./bzip2/1.0.6-r5/cve/cve.log
./libxml2/2.9.4-r0/cve/cve.log
./perl/5.22.1-r0/cve/cve.log
./expat/2.2.0-r0/cve/cve.log
./flex/2.6.0-r0/cve/cve.log

//Sona
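The per-recipe cve.log files listed above are easiest to act on once they are collected into one view of which recipes still carry unpatched CVEs. The script below is an added example and is not code from this post, from cve-check.bbclass or from the Yocto project. It assumes cve.log holds one blank-line separated block of "KEY: value" lines per CVE (PACKAGE NAME, PACKAGE VERSION, CVE, CVE STATUS, CVSS v2 BASE SCORE, ...); the sample log is constructed and its CVE ids are placeholders, not real advisories. It also recovers the recipe name and version directory from WORKDIR paths of the form shown above (./PN/PE_PV-PR/cve/cve.log).

```python
"""Summarise cve-check cve.log files (added example; record layout is assumed)."""
import re
import sys
from collections import defaultdict
from pathlib import Path, PurePosixPath

# Constructed sample log with placeholder CVE ids (CVE-0000-xxxx are not real).
SAMPLE_LOG = """\
PACKAGE NAME: unzip
PACKAGE VERSION: 6.0
CVE: CVE-0000-1111
CVE STATUS: Patched
CVE SUMMARY: placeholder summary for an issue the recipe already patches
CVSS v2 BASE SCORE: 7.5
VECTOR: NETWORK
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-0000-1111

PACKAGE NAME: unzip
PACKAGE VERSION: 6.0
CVE: CVE-0000-2222
CVE STATUS: Unpatched
CVE SUMMARY: placeholder summary for an issue with no patch in the recipe
CVSS v2 BASE SCORE: 5.0
VECTOR: NETWORK
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-0000-2222

PACKAGE NAME: unzip
PACKAGE VERSION: 6.0
CVE: CVE-0000-3333
CVE STATUS: Unpatched
CVE SUMMARY: placeholder summary for a locally triggerable issue
CVSS v2 BASE SCORE: 2.1
VECTOR: LOCAL
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-0000-3333
"""

CVE_ID = re.compile(r"^CVE-\d{4}-\d{4,}$")


def parse_cve_log(text):
    """Return one dict per CVE record; blocks are blank-line separated
    'KEY: value' lines (assumed layout). Blocks without a CVE id are skipped."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                rec[key.strip()] = value.strip()
        if CVE_ID.match(rec.get("CVE", "")):
            records.append(rec)
    return records


def unpatched_by_package(records):
    """Map (package name, version) -> list of CVE ids still marked Unpatched."""
    out = defaultdict(list)
    for rec in records:
        if rec.get("CVE STATUS", "").lower() == "unpatched":
            out[(rec["PACKAGE NAME"], rec["PACKAGE VERSION"])].append(rec["CVE"])
    return dict(out)


def worst_unpatched_score(records):
    """Highest CVSS v2 base score among unpatched records (0.0 if none)."""
    scores = [float(r["CVSS v2 BASE SCORE"]) for r in records
              if r.get("CVE STATUS", "").lower() == "unpatched"
              and "CVSS v2 BASE SCORE" in r]
    return max(scores, default=0.0)


def recipe_from_log_path(path):
    """Recover (PN, version dir) from WORKDIR-style paths such as
    ./unzip/1_6.0-r5/cve/cve.log, where the version dir is PE_PV-PR."""
    parts = PurePosixPath(path).parts
    if len(parts) < 4 or parts[-2] != "cve" or parts[-1] != "cve.log":
        raise ValueError("not a WORKDIR/cve/cve.log path: %s" % path)
    return parts[-4], parts[-3]


if __name__ == "__main__":
    # Usage: python summarise_cve.py <tmp/work dir>; falls back to the sample.
    if len(sys.argv) > 1:
        logs = {str(p): p.read_text() for p in Path(sys.argv[1]).rglob("cve/cve.log")}
    else:
        logs = {"./unzip/1_6.0-r5/cve/cve.log": SAMPLE_LOG}
    for log_path, text in sorted(logs.items()):
        pn, ver = recipe_from_log_path(log_path)
        recs = parse_cve_log(text)
        for (pkg, pv), cves in unpatched_by_package(recs).items():
            print("%s %s (%s %s): unpatched %s" % (pn, ver, pkg, pv, ", ".join(cves)))
```

Run against tmp/work of a build that inherits cve-check to get one line per recipe that still has an unpatched entry; the CVSS score helper is there so a build job can fail only above a chosen threshold rather than on every warning.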