1. Overview
This article explains how to configure the OpenSTLinux Yocto build to check the CVE status of the packages it builds.
2. Openembedded/Yocto
Openembedded/Yocto provides a class which allows the CVE status of each recipe to be checked against the NVD database.
To enable the CVE status check, add the following line to your configuration (conf/local.conf):
INHERIT += "cve-check"
For more information about configuring the CVE check and excluding CVEs from it, see the section "Vulnerability check at build time" in the Yocto manual.
The CVE check generates a CVE status report per package in the <build directory>/tmp-glibc/deploy/cve/ directory.
Example for tf-a-stm32mp:
tf-a-stm32mp
tf-a-stm32mp_cve.json
The two files contain the same information, but the first one is stored as plain text and the second one as JSON.
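The JSON form is the one to consume from scripts. The following example (added here, not part of the original article or of the OpenSTLinux project) filters a per-package report down to the issues still marked "Unpatched" above a chosen CVSS score; the embedded sample is constructed, and the field names (package, issue, id, scorev2, scorev3, status) are assumed to follow the cve-check JSON layout.

```python
import json
from typing import Dict, List

# Constructed sample in the layout assumed for cve-check's JSON output,
# trimmed to the fields used below. CVE ids are placeholders.
SAMPLE_CVE_JSON = """
{
  "version": "1",
  "package": [
    {
      "name": "tf-a-stm32mp",
      "layer": "meta-st-stm32mp",
      "version": "x.y",
      "issue": [
        {"id": "CVE-0000-0001", "summary": "constructed issue A",
         "scorev2": "0.0", "scorev3": "9.8", "status": "Unpatched"},
        {"id": "CVE-0000-0002", "summary": "constructed issue B",
         "scorev2": "4.3", "scorev3": "5.3", "status": "Patched"},
        {"id": "CVE-0000-0003", "summary": "constructed issue C",
         "scorev2": "5.0", "scorev3": "",    "status": "Unpatched"}
      ]
    }
  ]
}
"""

def parse_report(text: str) -> dict:
    """Parse the contents of a <package>_cve.json file."""
    return json.loads(text)

def issue_score(issue: dict) -> float:
    """CVSS v3 score if present, otherwise fall back to v2 (0.0 if neither)."""
    for key in ("scorev3", "scorev2"):
        value = issue.get(key)
        if value not in (None, ""):
            return float(value)
    return 0.0

def unpatched_cves(report: dict, min_score: float = 0.0) -> Dict[str, List[str]]:
    """Map package name -> ids of issues still Unpatched with score >= min_score."""
    findings: Dict[str, List[str]] = {}
    for pkg in report.get("package", []):
        for issue in pkg.get("issue", []):
            if issue.get("status") != "Unpatched":
                continue
            if issue_score(issue) >= min_score:
                findings.setdefault(pkg["name"], []).append(issue["id"])
    return findings

if __name__ == "__main__":
    # Run on the constructed sample; replace with open("<build>/tmp-glibc/deploy/cve/tf-a-stm32mp_cve.json").read()
    print(unpatched_cves(parse_report(SAMPLE_CVE_JSON), min_score=7.0))
```

Looping the same function over every *_cve.json in the deploy/cve directory gives a build-wide list of open issues to triage.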
3. OpenSTLinux
When the CVE check is enabled, OpenSTLinux also provides an HTML file summarizing the CVE status of the main image, available in the image deploy directory:
<image-name>-<distro>-<machine>-cve_content.html
for example:
st-image-weston-openstlinux-weston-stm32mp25-cve_content.html