Last edited 11 months ago

How to check the CVE status in OpenSTLinux

Applicable for STM32MP13x lines, STM32MP15x lines

1. Overview[edit source]

This article explains how to configure an OpenSTLinux Yocto build to check the CVE (Common Vulnerabilities and Exposures) status.

2. OpenEmbedded/Yocto Project®[edit source]

OpenEmbedded/Yocto provides a class that permits to check the CVE status.
To enable a CVE status check, add the following to your configuration (conf/local.conf):

INHERIT += "cve-check"

For more information about how to configure CVE check exclusions, see the section Vulnerability check at build time

The CVE check generates some CVE status by package in <build directory>/tmp-glibc/deploy/cve/ directory.

Example for tf-a-stm32mp:

tf-a-stm32mp tf-a-stm32mp_cve.json

The two files contain the same information: as a text in the first one, and as a json in the second one.