1. Overview[edit | edit source]
This article explains how to configure an OpenSTLinux Yocto build to check the CVE (Common Vulnerabilities and Exposures) status.
2. OpenEmbedded/Yocto Project®[edit | edit source]
OpenEmbedded/Yocto provides a class that permits to check the CVE status.
To enable a CVE status check, add the following to your configuration (conf/local.conf):
INHERIT += "cve-check"
For more information about how to configure CVE check exclusions, see the section Vulnerability check at build time
The CVE check generates some CVE status by package in <build directory>/tmp-glibc/deploy/cve/ directory.
Example for tf-a-stm32mp:
tf-a-stm32mp tf-a-stm32mp_cve.json
The two files contain the same information: as a text in the first one, and as a json in the second one.