Hello all,

There have been questions and discussions recently about the external tooling for CVE-checking in the context of the NVD issues.

Last year, we posted an RFC of the yocto-vex-check and the vex.bbclass. vex.bbclass has been integrated into the Yocto Project. There has not been much discussion about yocto-vex-check on the mailing list, but there are some people who are already using it...

Short version: you can download it from https://gitlab.com/syslinbit/public/yocto-vex-check

Longer version:
============

There are a few missing features we're working on before the integration in the YP and the next patchset (limiting the number of false positives is one). They are in private branches but will be merged soon.

You can still use it (we have a daily bot), and a typical command for an external run (when you have done a YP build) looks like:

    ./wrap-yocto-vex-check.py \
        -i ../openembedded-core/build/tmp/log/cve/cve-summary.json \
        -o out-check-test \
        -t temp-out-check \
        -db ../cvelistV5-overrides/ -db-type CVE

For the complete instructions, see the blog post, which I plan to update with the progress of changes coming: https://ygreky.com/2025/02/yocto-vex-check/

We have also presented the tool at FOSDEM 2025 and you can access it from the talk page: https://fosdem.org/2025/schedule/event/fosdem-2025-5519-vulnerability-management-at-a-scale-for-the-yocto-project/

If you have any questions, ask them here. We'll be happy to see your remarks/test results!

Kind regards,
Marta
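As an added illustration (not part of the original post and not code from yocto-vex-check), the script below reads a cve-summary.json of the kind cve-check writes and the command above consumes with -i, then applies a constructed list of VEX-style not_affected statements to show which Unpatched CVEs still need attention. The JSON layout (a top-level "package" list whose entries carry an "issue" list with "id" and "status") is assumed from cve-check's output; the sample data, CVE ids and override list are constructed.

```python
import json

# Constructed sample in the layout cve-check writes to cve-summary.json
# (assumed: top-level "package" list, each entry with "issue" items carrying
# "id" and "status"). The CVE ids below are placeholders, not real entries.
SAMPLE_SUMMARY = json.dumps({
    "version": "1",
    "package": [
        {"name": "openssl", "version": "3.0.9", "layer": "meta",
         "issue": [
             {"id": "CVE-2000-0001", "status": "Patched"},
             {"id": "CVE-2000-0002", "status": "Unpatched"},
             {"id": "CVE-2000-0003", "status": "Unpatched"},
         ]},
        {"name": "busybox", "version": "1.36.1", "layer": "meta",
         "issue": [
             {"id": "CVE-2000-0004", "status": "Unpatched"},
             {"id": "CVE-2000-0005", "status": "Ignored"},
         ]},
    ],
})

# Constructed VEX-style statements: (package, cve) pairs a reviewer has judged
# not_affected, keyed to the justification that should stay on record.
NOT_AFFECTED = {
    ("openssl", "CVE-2000-0002"): "vulnerable_code_not_present",
}


def unpatched_cves(summary_text):
    """Return {package: [cve, ...]} for every issue cve-check left Unpatched."""
    data = json.loads(summary_text)
    result = {}
    for pkg in data.get("package", []):
        ids = [i["id"] for i in pkg.get("issue", []) if i.get("status") == "Unpatched"]
        if ids:
            result[pkg["name"]] = sorted(ids)
    return result


def remaining_after_vex(summary_text, not_affected):
    """Drop Unpatched CVEs covered by a not_affected statement; keep the rest."""
    remaining = {}
    for pkg, ids in unpatched_cves(summary_text).items():
        left = [c for c in ids if (pkg, c) not in not_affected]
        if left:
            remaining[pkg] = left
    return remaining


if __name__ == "__main__":
    print(remaining_after_vex(SAMPLE_SUMMARY, NOT_AFFECTED))
```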
View/Reply Online (#211864): https://lists.openembedded.org/g/openembedded-core/message/211864