How to check the CVE status in OpenSTLinux

Applicable for STM32MP13x lines, STM32MP15x lines

1 Overview

This article explains how to configure an OpenSTLinux Yocto build to check the CVE (Common Vulnerabilities and Exposures) status.

2 OpenEmbedded/Yocto Project®

OpenEmbedded/Yocto provides a class, cve-check, that compares the version of each recipe in the build against the NVD (National Vulnerability Database) records and reports the CVEs that match. The class downloads the NVD data at build time, so the build host needs network access the first time it runs and whenever the local database is refreshed.
To enable the CVE status check, add the following to your build configuration (conf/local.conf):

INHERIT += "cve-check"

For more information about how to configure CVE check exclusions (CVEs that are already fixed by a backported patch or that do not apply to this product), see the section Vulnerability check at build time.

The CVE check writes one report per recipe into the <build directory>/tmp-glibc/deploy/cve/ directory.

Example for tf-a-stm32mp, which produces two files:

tf-a-stm32mp
tf-a-stm32mp_cve.json

Both files contain the same information: the first as plain text, the second as JSON. The JSON file is the one to read from a script or a CI job.
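The report files above are what a release engineer actually consumes, typically to fail a build when a recipe still carries an unpatched CVE above some severity. The script below is an added example, not part of OpenSTLinux or of the Yocto cve-check class: it loads every *_cve.json report from the deploy/cve directory, counts issues per status, lists the Unpatched ones sorted by CVSS score (falling back to the v2 score when the record has no v3 score) and returns the ones at or above a threshold so a CI job can gate on them. The JSON layout it assumes (a top-level "package" list whose entries carry "name", "version" and an "issue" list with "id", "status", "scorev2", "scorev3" and "link") is this author's reading of the cve-check output and should be checked against a real file in your build directory; the embedded sample report and its CVE identifiers are constructed placeholders, not real findings.

```python
"""Summarise Yocto cve-check JSON reports and gate on unpatched CVEs.

Added example; not part of OpenSTLinux or the cve-check class. Field names
are assumptions based on the cve-check JSON output: verify them against a
real <recipe>_cve.json in <build dir>/tmp-glibc/deploy/cve/.
"""
import json
import sys
from pathlib import Path

# Constructed sample in the assumed shape of tf-a-stm32mp_cve.json.
# CVE-0000-* identifiers and scores are placeholders, not real CVEs.
SAMPLE_REPORT = {
    "version": "1",
    "package": [
        {
            "name": "tf-a-stm32mp",
            "layer": "meta-st-stm32mp",
            "version": "2.6",
            "issue": [
                {"id": "CVE-0000-0001", "status": "Patched",
                 "scorev2": "7.5", "scorev3": "9.8",
                 "link": "https://nvd.nist.gov/vuln/detail/CVE-0000-0001"},
                # No v3 score recorded: the v2 score must be used instead.
                {"id": "CVE-0000-0002", "status": "Unpatched",
                 "scorev2": "4.3", "scorev3": "0.0",
                 "link": "https://nvd.nist.gov/vuln/detail/CVE-0000-0002"},
                {"id": "CVE-0000-0003", "status": "Unpatched",
                 "scorev2": "5.0", "scorev3": "7.1",
                 "link": "https://nvd.nist.gov/vuln/detail/CVE-0000-0003"},
                # Excluded through the class's ignore mechanism.
                {"id": "CVE-0000-0004", "status": "Ignored",
                 "scorev2": "5.0", "scorev3": "5.3",
                 "link": "https://nvd.nist.gov/vuln/detail/CVE-0000-0004"},
            ],
        }
    ],
}


def best_score(issue):
    """CVSS base score to rank on: v3 when present and non-zero, else v2, else 0.0."""
    for key in ("scorev3", "scorev2"):
        try:
            value = float(issue.get(key) or 0.0)
        except ValueError:
            value = 0.0
        if value > 0.0:
            return value
    return 0.0


def summarise(report):
    """Return (counts per status, unpatched issues sorted by score, highest first)."""
    counts = {}
    unpatched = []
    for pkg in report.get("package", []):
        for issue in pkg.get("issue", []):
            status = issue.get("status", "Unknown")
            counts[status] = counts.get(status, 0) + 1
            if status == "Unpatched":
                unpatched.append({
                    "package": pkg.get("name", "?"),
                    "version": pkg.get("version", "?"),
                    "id": issue.get("id", "?"),
                    "score": best_score(issue),
                    "link": issue.get("link", ""),
                })
    unpatched.sort(key=lambda u: (-u["score"], u["id"]))
    return counts, unpatched


def gate(report, threshold):
    """Unpatched issues scoring at or above threshold; an empty list means the gate passes."""
    _, unpatched = summarise(report)
    return [u for u in unpatched if u["score"] >= threshold]


def load_reports(cve_dir):
    """Load every <recipe>_cve.json found in the cve-check deploy directory."""
    reports = []
    for path in sorted(Path(cve_dir).glob("*_cve.json")):
        with path.open(encoding="utf-8") as fh:
            reports.append(json.load(fh))
    return reports


def main(argv):
    """Usage: cve_gate.py [<build dir>/tmp-glibc/deploy/cve] [threshold]"""
    reports = load_reports(argv[1]) if len(argv) > 1 else [SAMPLE_REPORT]
    threshold = float(argv[2]) if len(argv) > 2 else 7.0
    failed = False
    for report in reports:
        counts, unpatched = summarise(report)
        print("status counts:", counts)
        for u in unpatched:
            print(f"  {u['package']} {u['version']} {u['id']} score={u['score']} {u['link']}")
        if gate(report, threshold):
            failed = True
    return 1 if failed else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments to see the constructed sample, or point it at the deploy/cve directory of a real build followed by a threshold; a non-zero exit code signals an unpatched CVE at or above that score, which is the behaviour a CI pipeline would key on.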