[yocto] cve-checker tool

Khem Raj raj.khem at gmail.com
Thu Oct 27 19:34:04 PDT 2016


> On Oct 27, 2016, at 4:03 AM, Sona Sarmadi <sona.sarmadi at enea.com> wrote:
> 
> 
> 
>> -----Original Message-----
>> From: Sona Sarmadi
>> Sent: den 27 oktober 2016 10:57
>> To: Scott Rifenbark <srifenbark at gmail.com>; 'mariano.lopez at intel.com'
>> <mariano.lopez at intel.com>; yocto at yoctoproject.org
>> Subject: cve-checker tool
>> 
>> Hi guys,
>> 
>> I have some questions regarding cve-check tool. I don't find anything
>> about this tool in Yocto
>> 2.2 release, does documentation mention this tool and how to use it?
>> 
>> Is this tool planned to be integrated with daily build so the Yocto project
>> can detect Not addressed CVEs automatically?
>> 
>> Mariano:
>> Does this tool look at CVE tag inside the recipe as well or only checks the
>> package version?
>> 
>> Can this tool be used together with "meta-security-isafw" and get a fancy
>> report?
> 
> There are some useful info in the cve-check.bbclass:
> 
> # In order to use this class just inherit the class in the
> # local.conf file and it will add the cve_check task for
> # every recipe. The task can be used per recipe, per image,
> # or using the special cases "world" and "universe". The
> # cve_check task will print a warning for every unpatched
> # CVE found and generate a file in the recipe WORKDIR/cve
> # directory. If an image is build it will generate a report
> # in DEPLOY_DIR_IMAGE for all the packages used.
> 
> I see following logs are generated:
> ./unzip/1_6.0-r5/cve/cve.log
> ./gnutls/3.5.3-r0/cve/cve.log
> ./glibc/2.24-r0/cve/cve.log
> ./glibc-initial/2.24-r0/cve/cve.log
> ./foomatic-filters/4.0.17-r1/cve/cve.log
> ./bzip2/1.0.6-r5/cve/cve.log
> ./libxml2/2.9.4-r0/cve/cve.log
> ./perl/5.22.1-r0/cve/cve.log
> ./expat/2.2.0-r0/cve/cve.log
> ./flex/2.6.0-r0/cve/cve.log

perhaps you can add this info to the "How Do I"
section in the wiki here https://wiki.yoctoproject.org/wiki/How_do_I

> 
> //Sona
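The thread above mentions that cve-check.bbclass drops one cve/cve.log per recipe into WORKDIR and prints a warning per unpatched CVE, and asks whether the check can feed a daily build. What follows is an added example, not code from the Yocto Project or from anyone in this thread: a small Python script that walks a build tree (for instance tmp/work), parses every cve/cve.log it finds into records, and lists the CVEs still marked Unpatched per package, exiting non-zero when any remain so a CI job can gate on it. The "KEY: value" record layout and field names (PACKAGE NAME, CVE, CVE STATUS, CVSS v2 BASE SCORE) are assumed from the class's output and should be compared against a real cve.log from your build; the embedded sample logs and CVE ids are constructed placeholders.

```python
"""Aggregate the per-recipe cve/cve.log files written by cve-check.bbclass
(added example; field layout assumed, verify against a real cve.log)."""
import os
import sys
from collections import defaultdict

# Constructed sample: contents of three per-recipe cve.log files, keyed by the
# same relative paths the thread lists. CVE ids and URLs are placeholders.
SAMPLE_LOGS = {
    "./unzip/1_6.0-r5/cve/cve.log": """\
PACKAGE NAME: unzip
PACKAGE VERSION: 6.0
CVE: CVE-0000-0001
CVE STATUS: Unpatched
CVE SUMMARY: placeholder summary for an issue with no fix in the recipe
CVSS v2 BASE SCORE: 5.0
VECTOR: NETWORK
MORE INFORMATION: https://example.invalid/CVE-0000-0001

PACKAGE NAME: unzip
PACKAGE VERSION: 6.0
CVE: CVE-0000-0002
CVE STATUS: Patched
CVE SUMMARY: placeholder summary for an issue fixed by a recipe patch
CVSS v2 BASE SCORE: 7.5
VECTOR: NETWORK
MORE INFORMATION: https://example.invalid/CVE-0000-0002
""",
    "./gnutls/3.5.3-r0/cve/cve.log": """\
PACKAGE NAME: gnutls
PACKAGE VERSION: 3.5.3
CVE: CVE-0000-0003
CVE STATUS: Unpatched
CVE SUMMARY: placeholder summary
CVSS v2 BASE SCORE: 4.3
VECTOR: NETWORK
MORE INFORMATION: https://example.invalid/CVE-0000-0003
""",
    "./glibc/2.24-r0/cve/cve.log": "",  # recipe with nothing to report
}


def parse_cve_log(text):
    """Split one cve.log into records (blank-line separated); each record is a
    dict of its 'KEY: value' lines. Lines without a colon are ignored."""
    records = []
    current = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                records.append(current)
                current = {}
            continue
        key, sep, value = line.partition(":")
        if sep:
            current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def unpatched_by_package(logs):
    """Map package name -> sorted list of (cve_id, cvss_v2_score) whose
    CVE STATUS is Unpatched. A missing or unparsable score counts as 0.0."""
    result = defaultdict(list)
    for path, text in logs.items():
        for rec in parse_cve_log(text):
            if rec.get("CVE STATUS", "").lower() != "unpatched":
                continue
            name = rec.get("PACKAGE NAME", os.path.basename(path))
            try:
                score = float(rec.get("CVSS v2 BASE SCORE", "0"))
            except ValueError:
                score = 0.0
            result[name].append((rec["CVE"], score))
    return {pkg: sorted(cves) for pkg, cves in result.items()}


def load_logs_from_tree(root):
    """Collect every cve/cve.log beneath a build tree such as tmp/work."""
    logs = {}
    for dirpath, _dirs, files in os.walk(root):
        if os.path.basename(dirpath) == "cve" and "cve.log" in files:
            path = os.path.join(dirpath, "cve.log")
            with open(path, encoding="utf-8", errors="replace") as fh:
                logs[path] = fh.read()
    return logs


def main(argv):
    # With a path argument, scan a real tree; otherwise use the constructed sample.
    logs = load_logs_from_tree(argv[1]) if len(argv) > 1 else SAMPLE_LOGS
    summary = unpatched_by_package(logs)
    total = 0
    for pkg, cves in sorted(summary.items()):
        for cve, score in cves:
            print(f"{pkg:20s} {cve:16s} CVSS v2 {score:.1f}")
            total += 1
    print(f"{total} unpatched CVE(s) across {len(summary)} package(s)")
    return 1 if total else 0   # non-zero exit lets a daily build fail on findings


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 cve_summary.py tmp/work` from the build directory to get one line per unpatched CVE and a failing exit status whenever the list is non-empty; without an argument it runs over the embedded sample.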
