CVE Scan

CVE Scan is a tool provided by The Embedded Kit that extracts CVEs from a Software Bill of Materials (SBOM).

CVE Scan comes in two parts:

  • meta-cvescan, a Yocto layer in charge of generating a SBOM of your project. See https://gitlab.com/theembeddedkit/cvescan/meta-cvescan.
  • The cvescan tool, in charge of analyzing the project configuration and inventory and reporting the vulnerabilities that apply to it, by checking the inventory against public CVE databases:
    • NIST National Vulnerability Database (NVD)
    • Ubuntu UCT
    • The mainline Linux kernel repository

System requirements

Required packages for the cvescan tool:

  • git
  • libgit2-dev
  • python3 3.10 or greater
  • python3-pip

Generate CVE Scan inventory (aka: SBOM)

To have the CVE Scan inventory generated, you need to:

  • Download the meta-cvescan layer
  • Add it to your conf/bblayers.conf
  • Activate the cvescan inventory in conf/local.conf:
    INHERIT += "cvescan-inventory"
    
  • Build your image

The inventory is then generated alongside the image, e.g.:

tmp/deploy/images/${MACHINE}/welma-image-minimal-${MACHINE}.inventory.json
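The four steps above, collected into one script. This is an added example and not part of meta-cvescan or the cvescan tool; it assumes the Yocto build environment is already sourced (so bitbake-layers and bitbake are on PATH, and conf/ is the current build directory) and that the layer is checked out at ../meta-cvescan, which is only a convention chosen here. The image name welma-image-minimal is the one the page uses.

```shell
#!/bin/sh
# Added example (not project code): register meta-cvescan in an existing Yocto
# build directory and enable inventory generation. Assumes `oe-init-build-env`
# has been sourced; LAYER_DIR, LOCAL_CONF and IMAGE defaults are assumptions.

LAYER_URL="https://gitlab.com/theembeddedkit/cvescan/meta-cvescan"
LAYER_DIR="${LAYER_DIR:-../meta-cvescan}"   # assumed checkout location
LOCAL_CONF="${LOCAL_CONF:-conf/local.conf}"
IMAGE="${IMAGE:-welma-image-minimal}"        # image name used on the page

# Step 3: add the INHERIT line to local.conf exactly once, so re-running the
# script (or a CI job) does not pile up duplicate lines.
enable_inventory() {
  conf="$1"
  line='INHERIT += "cvescan-inventory"'
  grep -qF "$line" "$conf" 2>/dev/null || printf '%s\n' "$line" >> "$conf"
}

# Returns how many times the INHERIT line is present (used to verify idempotence).
inventory_line_count() {
  grep -cF 'INHERIT += "cvescan-inventory"' "$1" 2>/dev/null || echo 0
}

setup_and_build() {
  # Step 1: download the layer (skip if it is already there)
  [ -d "$LAYER_DIR" ] || git clone "$LAYER_URL" "$LAYER_DIR"
  # Step 2: register it in conf/bblayers.conf
  bitbake-layers add-layer "$LAYER_DIR"
  # Step 3: activate the inventory class
  enable_inventory "$LOCAL_CONF"
  # Step 4: build; the inventory lands next to the image under
  # tmp/deploy/images/${MACHINE}/${IMAGE}-${MACHINE}.inventory.json
  bitbake "$IMAGE"
}

# Only run the full flow when explicitly asked, so the file can be sourced.
case "${1:-}" in
  run) setup_and_build ;;
esac
```

Invoke it as `sh setup-cvescan.sh run` from the build directory; without the `run` argument it only defines the functions.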

Using the CVE Scan tool

Doing an analysis of your SBOM needs the following steps:

  • Update the datasources: cvescan datasources-update. This may take a few hours the first time; we recommend updating them weekly.

  • Run the analysis: cvescan run ...

  • Generate a report: cvescan export-report ...

See https://docs.cvescan.theembeddedkit.io/ for usage.

Integrating in your CI/CD

We recommend the following rules:

  • Share the local cache of datasources between your CI/CD runners.
  • Update this cache on a weekly basis.
  • Do not let two jobs work on the cache at the same time (e.g. use a lock). This applies to both cvescan datasources-update and cvescan run.
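A CI wrapper that applies the three rules above to the update/run/export-report sequence from the previous section. This is an added example, not code from CVE Scan or The Embedded Kit. Assumptions not taken from the page: the shared cache path, a stamp file written here to remember when the datasources were last refreshed, and a lock implemented as an atomically created directory (POSIX mkdir, which works on a plain shared filesystem where flock may not). The arguments to `cvescan run` and `cvescan export-report` are elided on the page and are passed through untouched.

```shell
#!/bin/sh
# Added example (not project code): serialise cvescan jobs on one shared cache,
# refresh it weekly, and never let two jobs touch it at once.
# CVESCAN_CACHE, the stamp file and the mkdir-based lock are assumptions.

CVESCAN_CACHE="${CVESCAN_CACHE:-/var/cache/cvescan}"  # assumed shared location
LOCK_DIR="$CVESCAN_CACHE/.lock"
STAMP="$CVESCAN_CACHE/.last-update"                   # epoch seconds of last update
MAX_AGE_DAYS="${MAX_AGE_DAYS:-7}"                     # "weekly", as the page recommends

# Run "$@" while holding the cache lock. mkdir either creates the directory or
# fails, atomically, so exactly one job wins; the others poll for up to
# $timeout seconds and then give up. The lock is released even if "$@" fails.
with_cache_lock() {
  timeout="$1"; shift
  waited=0
  until mkdir "$LOCK_DIR" 2>/dev/null; do
    if [ "$waited" -ge "$timeout" ]; then
      echo "cache lock busy after ${timeout}s: $LOCK_DIR" >&2
      return 1
    fi
    sleep 1; waited=$((waited + 1))
  done
  "$@"; rc=$?
  rmdir "$LOCK_DIR"
  return "$rc"
}

# Succeeds when the stamp is missing or at least MAX_AGE_DAYS old.
cache_is_stale() {
  [ -f "$STAMP" ] || return 0
  now=$(date +%s); last=$(cat "$STAMP")
  [ $(( (now - last) / 86400 )) -ge "$MAX_AGE_DAYS" ]
}

# Refresh the datasources only when stale; the stamp is written on success only,
# so a failed update is retried by the next job instead of being hidden for a week.
update_datasources_if_stale() {
  cache_is_stale || return 0
  with_cache_lock 3600 cvescan datasources-update && date +%s > "$STAMP"
}

# The analysis reads the cache too, so it takes the same lock (as the page says).
run_scan() { with_cache_lock 3600 cvescan run "$@"; }

# export-report is not listed by the page as touching the cache, so no lock.
export_report() { cvescan export-report "$@"; }
```

A CI job then sources the file and runs `update_datasources_if_stale && run_scan <run args> && export_report <report args>`; the 3600-second wait bounds how long a job blocks behind a first-time datasource download, and should be raised if that download routinely takes longer on your runners.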