bootlin/meta-sbom-cve-check
meta-sbom-cve-check

This layer integrates the sbom-cve-check utility into Yocto builds. It allows you to run the CVE analysis on the SPDX Software Bill of Materials (SBOM) generated by Yocto.

Features

  • Provides sbom-cve-check as a native build-time utility
  • Optionally adds a do_sbom_cve_check BitBake task that:
    • Runs the CVE analysis on the generated SBOM,
    • Deploys the export files into the image deploy directory.

Using sbom-cve-check native tool

Requirements

  • Yocto / OpenEmbedded build environment
  • This layer is included in bblayers.conf

Running sbom-cve-check from Yocto

To run sbom-cve-check from the Yocto native sysroot:

  1. Clone this layer and add it to your bblayers.conf:
     $ git clone https://github.com/bootlin/meta-sbom-cve-check.git layers/meta-sbom-cve-check
  2. Build the native tool and populate its recipe sysroot:
     bitbake python3-sbom-cve-check-native -c addto_recipe_sysroot
  3. Run the tool through oe-run-native, for example to see the help:
     oe-run-native python3-sbom-cve-check-native sbom-cve-check --help

Using sbom-cve-check task

Requirements

  • Yocto / OpenEmbedded build environment
  • This layer is included in bblayers.conf
  • The vex class needs to be enabled globally
  • Only SPDX 3 SBOMs are currently supported by the sbom-cve-check class
  • On Scarthgap, SPDX 2.2 generation needs to be disabled and SPDX 3 generation enabled

Enabling the task

To run a CVE analysis on the built image:

  1. Clone this layer and add it to your bblayers.conf.

  2. Enable the vex class globally, typically in your local.conf:

     INHERIT += "vex"

  3. Enable the sbom-cve-check class from your image recipe:

     inherit sbom-cve-check

  4. Optionally configure the CVE analysis with the following variables:

     • SBOM_CVE_CHECK_EXTRA_ARGS: extra arguments passed to sbom-cve-check, for example filtering options.

     • SBOM_CVE_CHECK_EXPORT_VARS: list of variables, each declaring one export file to generate. Defaults to SBOM_CVE_CHECK_EXPORT_FILE.

       Each listed variable must have the following flags set:

       • [type]: the export type, passed as the value of the --export-type option (e.g., csv or spdx3).
       • [ext]: the file extension of the export file that will be generated.

     • SBOM_CVE_CHECK_EXPORT_FILE: the default export file configuration. Its [type] flag defaults to spdx3 and its [ext] flag to .cve-check.spdx.json.

  5. Build your target image.

     The resulting export file, an SPDX 3 document, is placed in the deploy directory under the default name ${IMAGE_NAME}.cve-check.spdx.json.
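As an added example (this fragment is not part of the layer's own documentation), the following configuration ties the steps above together: the global vex inherit in local.conf, and an image recipe that keeps the layer's default SPDX 3 export while adding a second CSV export for quick review. The variable name SBOM_CVE_CHECK_EXPORT_CSV, the image recipe name my-image.bb and the .cve-check.csv extension are choices made for this example; SBOM_CVE_CHECK_EXTRA_ARGS is left commented out because the layer documents no specific filtering flags.

```bitbake
# local.conf: the vex class must be inherited globally so that the
# generated SPDX SBOM carries the VEX data sbom-cve-check consumes.
INHERIT += "vex"

# my-image.bb (or a .bbappend to your image recipe): enable the task.
inherit sbom-cve-check

# Produce two export files: the layer's default SPDX 3 export plus a CSV
# one. SBOM_CVE_CHECK_EXPORT_CSV is a name chosen for this example; any
# variable listed here needs only its [type] and [ext] flags set.
SBOM_CVE_CHECK_EXPORT_VARS = "SBOM_CVE_CHECK_EXPORT_FILE SBOM_CVE_CHECK_EXPORT_CSV"

# [type] is passed to sbom-cve-check as the --export-type value; [ext] is
# the suffix appended to ${IMAGE_NAME} for the file in the deploy directory.
SBOM_CVE_CHECK_EXPORT_CSV[type] = "csv"
SBOM_CVE_CHECK_EXPORT_CSV[ext] = ".cve-check.csv"

# SBOM_CVE_CHECK_EXPORT_FILE keeps its documented defaults ([type] "spdx3",
# [ext] ".cve-check.spdx.json"). Override a flag only if you need another name:
# SBOM_CVE_CHECK_EXPORT_FILE[ext] = ".vulnerabilities.spdx.json"

# Extra command-line options (e.g. filtering) would go here. Run
#   oe-run-native python3-sbom-cve-check-native sbom-cve-check --help
# to see which options your sbom-cve-check version accepts before setting it.
# SBOM_CVE_CHECK_EXTRA_ARGS = ""
```

With this in place, building the image (bitbake my-image) runs do_sbom_cve_check and leaves both ${IMAGE_NAME}.cve-check.spdx.json and ${IMAGE_NAME}.cve-check.csv next to the image in the deploy directory; if the task fails to find an SPDX 3 SBOM, check first that the vex class is inherited globally and that SPDX 3 generation (not only SPDX 2.2) is enabled for your release.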

Support

For issues or contributions, please open an issue or pull request on GitHub.

About

Yocto layer for sbom-cve-check