Run a CVE checker against the code base
A CVE checker lets you see which known vulnerabilities may affect the packages in a code base. Yocto ships cve-check.bbclass [1], which generates a database of matching CVEs for the recipes being built.
We might do the following:
- Enable the checker
- Generate the scan for all images at a regular frequency (e.g. daily) or as part of a world build
- Store the results after each run
- Define the presentation method (website, documentation...) for releases and head
In short, to run the analysis do the following:
add cve-check to the INHERIT line in conf/local.conf, e.g.
INHERIT += "own-mirrors cve-check"
You can check a specific package, for example
MACHINE=qemux86-64 bitbake -c cve_check flex
Then you can just build the image as usual, for example:
MACHINE=qemux86-64 bitbake allscenarios-image-base
and the scan results will be printed on screen in a shortened form and written to a file such as:
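The steps above (enable the checker, scan regularly, store the results) wrapped into a script that can run from cron, as an added example that is not part of the original page. The report path passed to store_report and the cve-results directory are assumptions; the location cve-check writes to depends on your Yocto release, so check your own build output.

```shell
#!/bin/sh
# Added example, not from the original page. Paths are assumptions.
set -eu

# Add cve-check to INHERIT in conf/local.conf exactly once (safe to re-run,
# so a daily job does not keep appending lines).
enable_cve_check() {
    conf="$1"
    if grep -Eq '^INHERIT[[:space:]]*\+?=.*cve-check' "$conf" 2>/dev/null; then
        return 0
    fi
    printf '%s\n' 'INHERIT += "cve-check"' >> "$conf"
}

# Keep one scan report per day under a store directory and refresh a
# "latest" copy, so results survive the next build and can be published.
store_report() {
    report="$1"; store="$2"; machine="$3"; image="$4"
    [ -f "$report" ] || return 1
    day=$(date +%Y-%m-%d)
    mkdir -p "$store/$day"
    cp "$report" "$store/$day/${machine}_${image}.cve"
    cp "$report" "$store/${machine}_${image}-latest.cve"
    printf '%s\n' "$store/$day/${machine}_${image}.cve"
}

# One full run: enable the class, build the image as usual (the class runs
# the scan during the build), then archive the report it produced.
# The report path below is an assumption; adjust it to your release.
run_cve_scan() {
    machine="$1"; image="$2"
    enable_cve_check conf/local.conf
    MACHINE="$machine" bitbake "$image"
    store_report "tmp/deploy/images/$machine/$image-$machine.cve" \
        cve-results "$machine" "$image"
}

# Usage: ./cve-scan.sh qemux86-64 allscenarios-image-base
if [ "$#" -eq 2 ]; then
    run_cve_scan "$1" "$2"
fi
```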