Checking for Security Vulnerabilities in a Yocto Build

Yocto has a fantastic feature that automatically checks every software package built into a system image against the known security vulnerabilities tracked in the public Common Vulnerabilities and Exposures (CVE) database, using the NIST National Vulnerability Database (NVD) data it downloads during the build. The match is made on each recipe's product name and version, so a recipe whose upstream name differs from its CPE product name needs CVE_PRODUCT set in the recipe, otherwise its CVEs will be missed.

To enable the check, add the following line to your configuration (local.conf is a reasonable place):

INHERIT += "cve-check"

From then on a do_cve_check task runs for every recipe you build. Each recipe gets its own report under build/tmp/deploy/cve, and when you build a full image these are combined into a single file, build/tmp/deploy/images/<machine>/<image name>-<machine name>.cve. Exact paths and file names vary a little between Yocto releases; the documentation linked below has the details for yours.

The report for each recipe will contain:

  • Metadata about the software component, such as its name and version.
  • For each software component, a list of the CVEs that may affect that version.
  • Metadata about each CVE, such as its description and NVD link.
  • The status of each CVE: Patched, Unpatched or Ignored. Patched means the recipe carries a patch that references the CVE (in the patch file name or in a CVE: tag in the patch header); Ignored means the recipe explicitly lists the CVE in CVE_CHECK_IGNORE (CVE_CHECK_WHITELIST in older releases); Unpatched means the recipe's version falls in the affected range and neither of those applies.

For more information, see https://docs.yoctoproject.org/dev/dev-manual/vulnerabilities.html

While this is incredibly useful information, it becomes a pain to go through all of the entries to find out what is unpatched. As a result, I created a little utility to parse the build CVE file and separate out the patched/ignored entries from the unpatched ones.

The GitHub repository is at https://github.com/ming4real/yocto_cve_checker

The script parses the build CVE file and creates three files:

  • patched.json – A list of patched/ignored recipes.
  • unpatched.json – A list of unpatched recipes. This is the file you really need to examine!
  • changed.json – A history showing all of the changes (unpatched –> patched, or newly unpatched), to make it easier to see where and when CVEs were added or the recipe was patched.
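To show what the report format described above looks like and what a triage script of this kind has to do, here is an added example written for this article. It is not the yocto_cve_checker tool from the repository above and not part of Yocto itself: it parses the blank-line separated "KEY: value" records that the cve-check text report uses, splits them into patched/ignored and unpatched, and diffs the unpatched set against the previous run to build the change history. The two sample reports are constructed: the CVE identifiers are real, but the package versions and statuses are illustrative placeholders, and the exact set of fields in a real report depends on the Yocto release (the parser keeps every key it finds rather than assuming a fixed list).

```python
"""Triage a Yocto cve-check text report (added example, not the post's own tool)."""
import json
import re
import sys
from pathlib import Path

# Constructed sample in the cve-check text format. Real CVE ids, but the
# versions and statuses are illustrative placeholders, not a real build.
SAMPLE_REPORT = """\
PACKAGE NAME: zlib
PACKAGE VERSION: 1.2.11
CVE: CVE-2018-25032
CVE STATUS: Patched
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-25032

PACKAGE NAME: zlib
PACKAGE VERSION: 1.2.11
CVE: CVE-2022-37434
CVE STATUS: Unpatched
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-37434

PACKAGE NAME: busybox
PACKAGE VERSION: 1.33.1
CVE: CVE-2021-42373
CVE STATUS: Ignored
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-42373
"""

# A constructed later build: zlib was upgraded and patched, openssl gained a finding.
SAMPLE_REPORT_NEXT = """\
PACKAGE NAME: zlib
PACKAGE VERSION: 1.2.13
CVE: CVE-2022-37434
CVE STATUS: Patched

PACKAGE NAME: openssl
PACKAGE VERSION: 3.0.5
CVE: CVE-2022-3602
CVE STATUS: Unpatched
"""

# "KEY: value"; keys may contain lowercase letters ("CVSS v3 BASE SCORE").
FIELD_RE = re.compile(r"^([A-Za-z0-9 ]+?):\s*(.*?)\s*$")


def parse_cve_report(text):
    """Return one dict per (package, CVE) record; records are blank-line separated."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = dict(m.groups() for m in map(FIELD_RE.match, block.splitlines()) if m)
        if "PACKAGE NAME" in rec and "CVE" in rec:
            records.append(rec)
    return records


def finding_id(rec):
    """Identity of a finding across builds: the CVE within a package, not the version."""
    return f"{rec['PACKAGE NAME']} {rec['CVE']}"


def triage(records):
    """Split into (patched_or_ignored, unpatched); unknown statuses count as unpatched."""
    patched, unpatched = [], []
    for rec in records:
        status = rec.get("CVE STATUS", "").lower()
        (patched if status in ("patched", "ignored") else unpatched).append(rec)
    return patched, unpatched


def _change(label, kind, rec):
    return {"build": label, "change": kind, "package": rec["PACKAGE NAME"],
            "version": rec.get("PACKAGE VERSION", ""), "cve": rec["CVE"]}


def diff_unpatched(previous, current, label):
    """"new unpatched": unpatched now but not before; "resolved": unpatched before,
    now patched, ignored or absent (e.g. the package was upgraded)."""
    before = {finding_id(r): r for r in previous}
    after = {finding_id(r): r for r in current}
    changes = [_change(label, "new unpatched", after[k]) for k in sorted(after.keys() - before.keys())]
    changes += [_change(label, "resolved", before[k]) for k in sorted(before.keys() - after.keys())]
    return changes


def update_triage_files(report_text, outdir, label):
    """Write patched.json and unpatched.json; append this build's diff to changed.json."""
    outdir = Path(outdir)
    outdir.mkdir(parents=True, exist_ok=True)
    unpatched_path, changed_path = outdir / "unpatched.json", outdir / "changed.json"
    previous = json.loads(unpatched_path.read_text()) if unpatched_path.exists() else []
    history = json.loads(changed_path.read_text()) if changed_path.exists() else []
    patched, unpatched = triage(parse_cve_report(report_text))
    changes = diff_unpatched(previous, unpatched, label)
    (outdir / "patched.json").write_text(json.dumps(patched, indent=2))
    unpatched_path.write_text(json.dumps(unpatched, indent=2))
    changed_path.write_text(json.dumps(history + changes, indent=2))
    return changes


if __name__ == "__main__":
    # Usage: python cve_triage.py <image>-<machine>.cve <outdir> [build-label]
    report, outdir = Path(sys.argv[1]), sys.argv[2]
    label = sys.argv[3] if len(sys.argv) > 3 else report.name
    for c in update_triage_files(report.read_text(), outdir, label):
        print(f"{c['change']:14} {c['package']} {c['version']} {c['cve']}")
```

Run it after each image build against the combined .cve file, pointing at the same output directory every time; the previous unpatched.json is the baseline for the diff, so changed.json accumulates a history with one entry per build label. Findings are keyed on package plus CVE rather than package version, which is why an upgrade that removes a CVE from the unpatched list shows up as "resolved" instead of as an unrelated disappearance. Unknown status values are deliberately put in the unpatched list so a report from a newer release cannot silently hide a finding.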