
CVEScan

cvescan is a tool provided by Witekio which filters out most of the false positives that other tools raise.

cvescan has 2 parts:

  • meta-cvescan: a Yocto layer in charge of generating the CVE inventory of your project at build time.
  • The cvescan filtering tool: in charge of analyzing the project configuration and inventory against the public CVE databases (NIST, Ubuntu UCT, mainline Linux kernel repository) and reporting active vulnerabilities.

System requirements

Here are the required packages for building the CVEScan tools:

  • cmake
  • python >= 3.8.12
  • python3-venv
  • doctest-dev

Enable CVEScan

To enable the CVEScan inventory you need to:

  • Download the meta-cvescan layer
  • Add it in your conf/bblayers.conf
  • Activate the cvescan inventory in conf/local.conf:
INHERIT += "cvescan-inventory"

Then, building an image of the project will generate the inventory, e.g.:

tmp/deploy/images/${MACHINE}/welma-image-minimal-${MACHINE}.inventory.json

Finally, running the cvescan filtering tool will generate a report. Some scripts in welma-manifest/utils may help for this step:

  • cvescan-init-update-db: download and update the public databases
  • cvescan-annotations-yaml2json: convert the annotation YAML file to JSON format
  • cvescan-run: run the scanning, filtering, reporting

Annotate vulnerabilities

Annotating vulnerabilities is a way to indicate that some CVEs are fixed, irrelevant, accepted, etc.

There are 2 ways to annotate a CVE.

  • Define CVE_CHECK_IGNORE in your Yocto recipes to indicate vulnerabilities to ignore. This is typically used when a patch or configuration parameter fixes the vulnerability and cvescan cannot detect it automatically.
  • Use an annotation file, which you write manually and keep under version control, to record CVE reviews.

Annotation file

The annotation file must be written manually, in YAML format, and contains, for each CVE:

  • The CVE identifier
  • comment: A comment that explains how and why the CVE is considered
  • vulnerable: If the product is considered vulnerable or not (values: true or false)
  • annotation-date: The day of the review (format YYYY-mm-dd). CVEScan will raise a warning if the CVE has been updated after the review.

Example:

CVE-2022-45934:
  comment: "This CVE is considered irrelevant because of this and that..."
  vulnerable: false
  annotation-date: 2022-01-01

A script cvescan-annotations-yaml2json converts this YAML format to a JSON format suitable for the cvescan tool.

Same example after being converted to JSON:

{
  "version": "1.0.0",
  "annotations": [
    {
      "cve": "CVE-2022-45934",
      "comment": "This CVE is considered irrelevant because of this and that...",
      "vulnerable": false,
      "cve_last_modified_date": "2022-01-01"
    }
  ]
}
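The following is an added example, not the cvescan project's own cvescan-annotations-yaml2json script: it parses the flat YAML subset the annotation file uses, emits the JSON layout shown above (the "version": "1.0.0" header and the "cve_last_modified_date" field name are taken from the page), and then applies the check described for annotation-date, flagging reviews where the CVE entry was modified after the review date. The sample YAML, the second CVE id and the database last-modified dates are constructed stand-ins; a real run would read the dates from the databases fetched by cvescan-init-update-db.

```python
"""Added example: annotation YAML -> cvescan JSON, plus a stale-review check.

Not the cvescan project's code. The parser only handles the flat subset of YAML
the annotation format uses (a CVE key, then indented comment / vulnerable /
annotation-date fields). The database dates below are constructed, not NVD data.
"""
import json
from datetime import date

# Constructed sample annotation file in the documented YAML format.
# CVE-0000-00000 is a placeholder id, not a real CVE.
SAMPLE_YAML = """\
CVE-2022-45934:
  comment: "This CVE is considered irrelevant because of this and that..."
  vulnerable: false
  annotation-date: 2022-01-01
CVE-0000-00000:
  comment: "Placeholder entry: fixed by a backported patch in our recipe"
  vulnerable: false
  annotation-date: 2023-05-10
"""

# Constructed stand-in for the "last modified" dates of the CVE database entries.
SAMPLE_DB_LAST_MODIFIED = {
    "CVE-2022-45934": date(2022, 12, 15),  # modified after the review -> warn
    "CVE-0000-00000": date(2022, 3, 1),    # modified before the review -> fine
}

REQUIRED_FIELDS = ("comment", "vulnerable", "annotation-date")


def _parse_scalar(raw):
    """Turn a YAML scalar from the annotation file into a Python value."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "\"'":
        return raw[1:-1]  # quoted string
    if raw.lower() in ("true", "false"):
        return raw.lower() == "true"
    return raw  # dates stay as YYYY-mm-dd strings, as in the JSON output


def parse_annotations(text):
    """Parse the flat annotation YAML subset into {cve: {field: value}}.

    Raises ValueError on an unindented line that is not a 'CVE-...:' key, an
    indented field before any CVE key, or a CVE block missing a required field.
    """
    annotations = {}
    current = None
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line.startswith(" "):
            stripped = line.rstrip()
            if not stripped.startswith("CVE-") or not stripped.endswith(":"):
                raise ValueError(f"line {lineno}: expected a 'CVE-...:' key")
            current = annotations.setdefault(stripped[:-1], {})
            continue
        if current is None:
            raise ValueError(f"line {lineno}: field before any CVE key")
        name, sep, value = line.strip().partition(":")
        if not sep:
            raise ValueError(f"line {lineno}: expected 'field: value'")
        current[name.strip()] = _parse_scalar(value)
    for cve, fields in annotations.items():
        missing = [f for f in REQUIRED_FIELDS if f not in fields]
        if missing:
            raise ValueError(f"{cve}: missing {', '.join(missing)}")
        if not isinstance(fields["vulnerable"], bool):
            raise ValueError(f"{cve}: 'vulnerable' must be true or false")
        date.fromisoformat(fields["annotation-date"])  # must be YYYY-mm-dd
    return annotations


def to_cvescan_json(annotations):
    """Build the JSON document layout shown on the page from parsed annotations."""
    return {
        "version": "1.0.0",
        "annotations": [
            {
                "cve": cve,
                "comment": fields["comment"],
                "vulnerable": fields["vulnerable"],
                "cve_last_modified_date": fields["annotation-date"],
            }
            for cve, fields in annotations.items()
        ],
    }


def stale_reviews(doc, db_last_modified):
    """Return CVE ids whose database entry changed after the recorded review date.

    This is the condition under which the page says cvescan raises a warning:
    the review may no longer reflect the current CVE description or scope.
    """
    stale = []
    for entry in doc["annotations"]:
        reviewed = date.fromisoformat(entry["cve_last_modified_date"])
        modified = db_last_modified.get(entry["cve"])
        if modified is not None and modified > reviewed:
            stale.append(entry["cve"])
    return stale


if __name__ == "__main__":
    doc = to_cvescan_json(parse_annotations(SAMPLE_YAML))
    print(json.dumps(doc, indent=2))
    for cve in stale_reviews(doc, SAMPLE_DB_LAST_MODIFIED):
        print(f"WARNING: {cve} was modified after its review; re-check the annotation")
```

The parser rejects malformed files rather than silently skipping entries, which matters here because a dropped annotation would reappear in the report as an unreviewed finding, and a malformed "vulnerable" value could otherwise turn into a string that is truthy regardless of its content.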