{"id":45666666,"url":"https://github.com/timesysgit/meta-timesys","last_synced_at":"2026-04-02T00:46:29.974Z","repository":{"id":26801976,"uuid":"101098878","full_name":"TimesysGit/meta-timesys","owner":"TimesysGit","description":"Vulnerability management tool that provides Yocto SBOM generation and CVE Analysis of target images.","archived":false,"fork":false,"pushed_at":"2026-02-02T08:44:18.000Z","size":1340,"stargazers_count":38,"open_issues_count":1,"forks_count":23,"subscribers_count":12,"default_branch":"master","last_synced_at":"2026-02-02T21:23:34.186Z","etag":null,"topics":["cve","cve-scanning","linux-security","security-vulnerability","spdx-sbom","vigiles-cve-scanner","yocto-cve-analysis","yocto-linux-security","yocto-sbom","yocto-security"],"latest_commit_sha":null,"homepage":"https://www.timesys.com/vigiles/","language":"BitBake","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/TimesysGit.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2017-08-22T19:16:56.000Z","updated_at":"2026-02-02T08:32:09.000Z","dependencies_parsed_at":"2025-07-08T12:28:10.028Z","dependency_job_id":"369fcf5d-2597-4012-b009-d5e1fc6be96c","html_url":"https://github.com/TimesysGit/meta-timesys","commit_stats":null,"previous_names":[],"tags_count":982,"template":false,"template_full_name":null,"purl":"pkg:github/TimesysGit/meta-timesys","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/TimesysGit%2Fmeta-timesys","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/TimesysGit%2Fmeta-timesys/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/TimesysGit%2Fmeta-timesys/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/TimesysGit%2Fmeta-timesys/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/TimesysGit","download_url":"https://codeload.github.com/TimesysGit/meta-timesys/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/TimesysGit%2Fmeta-timesys/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29779262,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-24T04:54:30.205Z","status":"ssl_error","status_checked_at":"2026-02-24T04:53:58.628Z","response_time":75,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cve","cve-scanning","linux-security","security-vulnerability","spdx-sbom","vigiles-cve-scanner","yocto-cve-analysis","yocto-linux-security","yocto-sbom","yocto-security"],"created_at":"2026-02-24T10:00:33.267Z","updated_at":"2026-02-24T10:01:11.128Z","avatar_url":"https://github.com/TimesysGit.png","language":"BitBake","funding_links":[],"categories":[],"sub_categories":[],"readme":"What is meta-timesys?\n=====================\n\nThis Yocto layer provides scripts for SBOM generation used for vulnerability monitoring and notification as part of the **[Vigiles](https://www.lynx.com/solutions/vulnerability-mitigation-management)** product offering.\n\n\nWhat is Vigiles?\n================\n\nVigiles is a vulnerability management tool that provides build-time Yocto CVE Analysis of target images. It does this by collecting metadata about packages to be installed and uploading it to be compared against the Vigiles CVE database.A high-level overview of the detected vulnerabilities is returned and a full detailed analysis can be viewed online.\n\n\nTo request a trial account, please get in touch with us at sales@timesys.com\n\n\nPre-Requisites\n==============\n\nA BitBake build environment is required for the Vigiles CVE Scanner to evaluate the potential risk of a target system. \n\nThe fastest way to use the Vigiles CVE Scanner is to integrate it into your existing BSP (clone alongside other layers, add to bblayers.conf). \n\nIf you do not already have an environment configured, you can bootstrap a minimal setup. This can be done either using a manual setup or the `bitbake-setup` method.\n\n### Review the Yocto system requirements here:\n\nhttps://docs.yoctoproject.org/dev/ref-manual/system-requirements.html#system-requirements\n\n### *Using manual setup*\n\nClone bitbake and openembedded-core\n\n```sh\ngit clone https://git.openembedded.org/bitbake\ngit clone https://git.openembedded.org/openembedded-core\n```\nIf you also want to include the poky reference distro, clone meta-yocto\n\n```sh\ngit clone https://git.yoctoproject.org/meta-yocto\n```\n\nActivate the build environment\n\n```sh\nsource openembedded-core/oe-init-build-env\n```\n\n\n### *Using bitbake-setup*\n\nClone bitbake\n\n```sh\ngit clone https://git.openembedded.org/bitbake\n```\n\nRun the bitbake-setup tool included in the bitbake source tree\n\n```sh\n./bitbake/bin/bitbake-setup init\n```\n\nThis will start an interactive prompt where you can choose the target distro, machine, and other configuration options. Once complete, it will automatically fetch the layers and prepare the build environment.\n\nActivate the build environment\n\n```sh\nsource bitbake-builds/\u003csetup_dir\u003e/build/init-build-env\n```\n\n\nUsing Vigiles\n=============\n\n### Add meta-timesys to _conf/bblayers.conf_\n\nClone meta-timesys\n\n```sh\ngit clone https://github.com/TimesysGit/meta-timesys.git\n```\n\nFollow the format of the file and add the path to meta-timesys after the layers you have included.\n\n```\nBBLAYERS += \"${TOPDIR}/../layers/meta-timesys\"\n```\n\n\n### Append _vigiles_ to **INHERIT** in _conf/local.conf_\n\n```\nINHERIT += \"vigiles\"\n```\n\n### Check an Image for CVEs\n\nWhen you build any image, the Vigiles CVE Scanner will execute automatically:\n\n```sh\nbitbake core-image-minimal\n```\n\n\n### Review the Output\n\nAn overview will be printed to the console after the check is complete and a persistent local summary will be created in the \n_vigiles/\\\u003cimage name\\\u003e/_ directory for that build. A symlink is created to the latest report at _vigiles/\\\u003cimage name\\\u003e-report.txt_:\n\n```sh\n$ readlink vigiles/core-image-minimal-report.txt\ncore-image-minimal/core-image-minimal-2019-06-07_19.22.40-report.txt\n```\n\n\n##### Console Output\n```\nVigiles: Requesting image analysis ...\n\n\n-- Vigiles CVE Report --\n\n\tView detailed online report at:\n\t  https://vigiles.lynx.com/cves/reports/ODUzOA.D9xLIQ.KKiK2E76n---q6_-KmJrsZ9ap9Y\n\n\tUnfixed: 62 (0 RFS, 60 Kernel, 2 Toolchain)\n\tUnfixed, Patch Available: 7 (2 RFS, 0 Kernel, 5 Toolchain)\n\tFixed: 0 (0 RFS, 0 Kernel, 0 Toolchain)\n\tHigh CVSS: 30 (2 RFS, 24 Kernel, 4 Toolchain)\n\n\tLocal summary written to:\n\t  vigiles/core-image-minimal/core-image-minimal-2019-06-07_19.22.40-report.txt\n```\n\n\nInterpreting the Results\n========================\n\n### Console Output\n\nA CVE summary is printed and contains the following:\n\n* \"Unfixed\" CVEs are existing CVEs that have been reported against packages to be installed.\n\n* \"Patch Available\" CVEs have a fix available in the meta-timesys-security layer.\n  If the layer is already included, then you may need to update your copy.\n\n* \"Fixed\" CVEs are those that originally existed in packages to be installed, but have been fixed/mitigated by subsequent patches.\n\n* \"CPU\" CVEs are filed against the hardware. They may be fixed or mitigated in other components such as the kernel or compiler.\n\n* \"High CVSS\" CVEs are those that are of utmost priority and require immediate attention, based on their Common Vulnerability Scoring System (v3) ranking.\n\nAdditionally, the distribution of the vulnerabilities across system components will be displayed.\n\n\n### Online Report\n\nThe Vigiles CVE online report specified in the output provides a dashboard interface for examining all known details about each CVE detected, including the affected version ranges, priority and existing mitigations.\n\n\n### Local Summary\n\nThe local summary includes console output and descriptive information about the report instance. It also includes detailed information about each CVE detected during the scan and any fixes that have been applied. Below is an example from a generated report.\n\n```\n-- Recipe CVEs --\n        Recipe:  glibc\n        Version: 2.28\n        CVE ID:  CVE-2019-9192\n        URL:     https://nvd.nist.gov/vuln/detail/CVE-2019-9192\n        CVSSv3:  7.5\n        Vector:  NETWORK\n        Status:  Unfixed\n\n        Recipe:  glibc\n        Version: 2.28\n        CVE ID:  CVE-2016-10739\n        URL:     https://nvd.nist.gov/vuln/detail/CVE-2016-10739\n        CVSSv3:  5.3\n        Vector:  LOCAL\n        Status:  Unfixed, Patch Available\n        Patched in meta-timesys-security commit(s):\n        * bfb9cf83582e4cffd6c9cdbadddc68302fa350cc\n\n        Recipe:  linux-yocto\n        Version: 4.18.27\n        CVE ID:  CVE-2019-9162\n        URL:     https://nvd.nist.gov/vuln/detail/CVE-2019-9162\n        CVSSv3:  7.8\n        Vector:  LOCAL\n        Status:  Unfixed\n```\n\n\n### CVE Manifest\n\nThe Vigiles CVE Scanner creates and sends a manifest describing your build to the Vigiles Server. This manifest is located at\n\n```sh\n$ readlink vigiles/core-image-minimal-cve.json \ncore-image-minimal/core-image-minimal-2019-09-09_23.08.28-cve.json\n```\n\nIn the event that something goes wrong, or if the results seem incorrect, this file may offer insight as to why.\nIt's important to include this file with any support request.\n\n\nAdvanced Usage\n==============\n\n### Custom Manifest and Report Names\n\nBy default, the Vigiles Manifest and CVE Report files are named after the base\nimage that is built (from the Yocto variable \"IMAGE_BASENAME\"). This can be\noverridden with by setting the configuration variable \"VIGILES_MANIFEST_NAME\" in _conf/local.conf_:\n\n```\nVIGILES_MANIFEST_NAME = \"Custom-Build-Name\"\n```\n\nInstead of e.g.\n\n```\n./vigiles\n├── core-image-minimal/\n├── core-image-minimal-cve.json\n└── core-image-minimal-report.txt\n```\n\n.. this will be the result:\n\n```\n./vigiles\n├── Custom-Build-Name/\n├── Custom-Build-Name-cve.json -\u003e Custom-Build-Name/Custom-Build-Name-2020-11-25_20.28.09-cve.json\n└── Custom-Build-Name-report.txt -\u003e Custom-Build-Name/Custom-Build-Name-2020-11-25_20.28.09-report.txt\n```\n\n\n### Whitelisting CVEs\nSome packages may have CVEs associated with them that are known to not affect\na particular machine or configuration. \nA user may set the VIGILES_WHITELIST variable in local.conf to\nthe path of a CSV file containing a list of CVEs to omit from the Vigiles\nReport.\n\nThe CSV expects CVE ID (required field) and package, version, and description (optional fields) per line. \nAny additional fields will be ignored.\n\nFor example both are valid\n\n\u003cpre\u003e\n$ cat $HOME/projects/yocto/vigiles-not-affected.csv\n\ncve-id,package,version,description\nCVE-2019-1010023,glibc,2.39,External whitelist\nCVE-2019-1010024,glibc,2.39,External whitelist\n\n\u003c/pre\u003e\n\n\u003cpre\u003e\n$ cat $HOME/projects/yocto/vigiles-not-affected.csv\n\nCVE-2019-1010023\nCVE-2019-1010024\n\u003c/pre\u003e\n\n\n\n### Kernel Config Filter\n\nThe Vigiles CVE Scanner can be configured to upload a Linux Kernel _.config_ file along with the SBOM. This filter will reduce the number of kernel CVEs reported by removing those related to features which are not being built for your kernel. There are 2 ways to enable this feature -- Automatic Detection or Manual Specification\n\n* Automatic Detection\n\nThis will use the _.config_ for the kernel specified in ```PREFERRED_PROVIDER_virtual/kernel``` once the yocto task ```do_configure``` is executed. \n\n\n```\nVIGILES_KERNEL_CONFIG = \"auto\"\n```\n\n\n* Manual Specification\n\n**NOTE: This must be a _full_ kernel config, not a defconfig!**\n\n```\nVIGILES_KERNEL_CONFIG = \"/projects/kernel/linux-4.14-ts+imx-1.0/.config\"\n```\n\n\n### U-Boot Config Filter\n\nThe Vigiles CVE Scanner can be configured to upload a U-Boot _.config_ file along with the SBOM. This filter will reduce the number of U-Boot CVEs reported by removing those related to features which are not being built for your U-Boot. There are 2 ways to enable this feature -- Automatic Detection or Manual Specification\n\n* Automatic Detection\n\nThis will use the _.config_ for the U-Boot specified in ```PREFERRED_PROVIDER_virtual/bootloader``` once the Yocto task ```do_configure``` is executed. \n\n\n```\nVIGILES_UBOOT_CONFIG = \"auto\"\n```\n\n\n* Manual Specification\n\n**NOTE: This must be a _full_ U-Boot config, not a defconfig!**\n\n```\nVIGILES_UBOOT_CONFIG = \"\u003c/projects/uboot/uboot-2020.04/.config\u003e\"\n```\n\n\n### Specifying a Vigiles API Key File\n\nA Vigiles API Key is required to run the Vigiles CVE Scanner and generate CVE reports.\n\nTo use an alternate key, or a key in a non-default location, you can specify the location in _conf/local.conf_ with a statement like the following:\n\n```\nVIGILES_KEY_FILE = \"/tools/timesys/linuxlink_key\"\n```\n\nIf set, this option can be overridden on the command line by setting the\nenvironment variable VIGILES_KEY_FILE to the location of an alternate Key\nFile. This feature can be used by developers to use a personal/local key\nwithout having to change a shared local.conf for a board.\n\n\n### Specifying a Product or Manifest\n\nBy default your manifest will be uploaded to the top-level folder of your \"Private Workspace\" Product on the Vigiles Dashboard. This can be changed by downloading the \"Dashboard Config\" for an alternative Product and/or Folder and specifying it in your local.conf file.\n\nIf set, this option can be overridden on the command line by setting the\nenvironment variable VIGILES_DASHBOARD_CONFIG to the location of an alternate\nDashboard Config file. This feature can be used by developers to use a\npersonal/local key without having to change a shared local.conf for a board.\n\n\u003eNew Products can be defined by clicking on the \"New Product\" product link and specifying a name. To download the Dashboard Config for the top-level folder of that Product, click on the \"Product Settings\" link and you will see a preview of the dashboard config file. You can copy the contents and create the file for yourself or choose to download it with the buttons on the right.\n\n\n\u003eOnce a new product is created, sub-folders may be created by clicking on the \"Create Folder\" and specifying a name. The Dashboard Config for that Folder (in that Product) may be downloaded by first clicking on/opening the Folder, then clicking the \"Folder Settings\" link and choosing to copy or download the config for that folder.\n\nDashboard Config files will be downloaded by default to e.g. ```\"${HOME}/Downloads/\u003cproduct name\u003e_\u003cfolder name\u003e_dashboard_config\"```. Once moving and/or renaming it as necessary, you can control the behavior of Vigiles with meta-timesys by modifying ```conf/local.conf``` to set the appropriate variable:\n\n\n```sh\nVIGILES_DASHBOARD_CONFIG = \"${HOME}/timesys/dashboard_config\"\n```\n\n\n### Dynamic subfolder creation\nIf a Dashboard Config is used, a subfolder name can be specified for dynamic folder creation. Manifests will be uploaded to a subfolder with this name within the location specified in the Dashbord Config. If one does not exist, it will be created. This option will be overridden by the environment variable ```VIGILES_SUBFOLDER_NAME```. You can control the behavior of Vigiles with meta-timesys by modifying ```conf/local.conf``` to set the appropriate variable:\n\n```sh\nVIGILES_SUBFOLDER_NAME = \"Release X.x\"\n```\n\n\n### Specifying Additional Packages to Check\n\nIn some cases, a BSP may want to include packages that are built outside of\nthe Bitbake/Yocto process. If this is required, ```VIGILES_EXTRA_PACKAGES```\nmay be used to specify one or more CSV (comma-separated-value) files that\ndescribe the extra packages to include in the CVE check.\n\nFor example, one may set this in their local.conf:\n\n```\nVIGILES_EXTRA_PACKAGES = \"${HOME}/projects/this-bsp/non-yocto/yocto-extra.csv\"\n```\n\nor perhaps:\n\n```\nVIGILES_EXTRA_PACKAGES = \" \\\n\t${HOME}/projects/this-bsp/non-yocto/yocto-extra-boot.csv \\\n\t${HOME}/projects/this-bsp/non-yocto/yocto-extra-ui.csv   \\\n\"\n```\n\nIn order to explicitly include packages which are built by the Bitbake/Yocto\nprocess but for some reason not present in rootfs manifest (e.g.\nsome bootloader or custom firmware may be not picked up through the recursive\nRDEPENDS for the image), ```VIGILES_EXTRA_BACKFILL``` may be used.\n\nFor example, one may set this in their local.conf:\n\n```\nVIGILES_EXTRA_BACKFILL = \"some-firmware-package\"\n```\n\n\n##### CSV Format\n\nThe CSV files consist of an optional header and the following fields:\n\n* Product - the CPE Name that packages use in CVEs\n* (optional) Version - the version of the package used.\n* (optional) License - the license of the package used\n\nThe following example shows the accepted syntax for expressing extra packages:\n\n```sh\n$ cat yocto-extra.csv\nproduct,version,license\navahi,0.6\nbash,4.0\nbash,4.1,GPL 3.0\nbusybox,\nudev,,\"GPLv2.0+, LGPL-2.1+\"\n```\n\n\n### Excluding Packages From the CVE Check\n\nIn some cases, a BSP may want to _exclude_ packages from the Vigiles Report;\nfor instance to condense the output by removing packages that are 'installed'\nbut have no files (e.g. packagegroups or those that only install data files).\n\nThis can be done by setting ```VIGILES_EXCLUDE``` to a space-separated list\nof one or more CSV files that contain a list of packages to drop from the\ngenerated manifest before it is submitted for the CVE check.\n\nFor example, in ```conf/local.conf```:\n\n```\nVIGILES_EXCLUDE = \"${TOPDIR}/vigiles-exclude.csv\"\n```\n\nAnd in ```${TOPDIR}/vigiles-exclude.csv```:\n\n\n```\nlinux-libc-headers\nopkg-utils\npackagegroup-core-boot\n```\n\n\u003eNote: filtering of packages is performed as the final step in constructing\n\u003ethe manifest, after any additional packages are included.\n\n\n### Uploading the Manifest (Only)\n\nIn some cases, it may be desired to upload the Vigiles Manifest for a build\nwithout generating a CVE Report. This can speed up build times and ease\nreporting of automated bulk builds.\n\nThis behavior can be enabled by setting the boolean variable\n```VIGILES_UPLOAD_ONLY``` to '1' or 'True' in ```conf/local.conf```\n\n\n```\nVIGILES_UPLOAD_ONLY = \"1\"\n```\n\nInstead of a text report and a link to the online report, a link to the\nVigiles Dashboard (as specified with VIGILES_DASHBOARD_CONFIG) or Private Workspace\n(if no dashboard config is specified)\nwill be displayed, from where it can be then be\nscanned by the Vigiles Service.\n\n\n### Exclude packages with \"CLOSED\" License in SBOM\n\nPackages that have a closed license are included in the SBOM by default.\n\nTo exclude these packages, set ```VIGILES_INCLUDE_CLOSED_LICENSES```\nto \"0\" or \"False\" in ```conf/local.conf```.\n\n```\nVIGILES_INCLUDE_CLOSED_LICENSES = \"0\"\n```\n\n\n### Exclude native and build-only packages in SBOM\n\nTo exclude all packages except backfill packages (packages built during the BitBake process\nbut not listed in the SBOM, because they may not be a part of the final rootfs manifest or \ndependencies of its packages e.g., glibc) and packages present in rootfs\nmanifest, set VIGILES_SBOM_ROOTFS_MANIFEST_ONLY = \"1\"\n\n**Note:** This might result in the SBOM which is not NTIA compliant.\n\n\n### Disable SBOM and Report generation for initramfs image\n\nSBOM and report generation for the initramfs image can be disabled in local conf.\nBoth Initramfs SBOM and report are generated by default if INITRAMFS_IMAGE is set.\n\nTo disable initramfs SBOM generation set VIGILES_DISABLE_INITRAMFS_SBOM = \"1\"\n\nNote: If Generating initramfs SBOM is disabled it will disable initramfs report generation by default.\n\n```\nVIGILES_DISABLE_INITRAMFS_SBOM = \"1\"\n```\n\nTo disable initramfs report generation only, set VIGILES_DISABLE_INITRAMFS_REPORT = \"1\"\n```\nVIGILES_DISABLE_INITRAMFS_REPORT = \"1\"\n```\n\n### Setting Error Level for Vigiles Errors\n\nUsers can configure the VIGILES_ERROR_LEVEL in conf/local.conf to control how errors related to vigiles check are logged. Depending on the specific use case, the error level can be set to `FATAL`, `ERROR`, `WARNING` or `INFO` to log error messages as bitbake's fatal, error, warn or plain logs. The default is set to `INFO`.\n\n```\nVIGILES_ERROR_LEVEL = \"FATAL\"\n```\n\n### Specifying ecosystems that should be used for generating report (Enterprise Vigiles Only)\n\nEcosystems could be specified to include ecosystem specific vulnerabilities into the vulnerability report.\nThis feature is currently available for Enterprise vigiles only.\n\nTo specify ecosystems to be used set VIGILES_ECOSYSTEMS to a comma seperated string of ecosystems\n\n```\nVIGILES_ECOSYSTEMS = \"Linux, Maven, PyPI, Ubuntu:20.04:LTS\"\n```\n\nTo include all the ecosystems set VIGILES_ECOSYSTEMS to \"all\"\n\n```\nVIGILES_ECOSYSTEMS = \"all\"\n```\n\nBelow is the list of valid ecosystems that can be used\n```\nAlmaLinux:\n['AlmaLinux', 'AlmaLinux:8', 'AlmaLinux:9']\n\nAlpine:\n['Alpine', 'Alpine:v3.10', 'Alpine:v3.11', 'Alpine:v3.12', 'Alpine:v3.13', 'Alpine:v3.14', 'Alpine:v3.15', 'Alpine:v3.16',\n 'Alpine:v3.17', 'Alpine:v3.18', 'Alpine:v3.19', 'Alpine:v3.2', 'Alpine:v3.20', 'Alpine:v3.3', 'Alpine:v3.4', 'Alpine:v3.5',\n 'Alpine:v3.6', 'Alpine:v3.7', 'Alpine:v3.8', 'Alpine:v3.9']\n\nDebian:\n['Debian', 'Debian:10', 'Debian:11', 'Debian:12', 'Debian:13', 'Debian:3.0', 'Debian:3.1', 'Debian:4.0', 'Debian:5.0',\n 'Debian:6.0', 'Debian:7', 'Debian:8', 'Debian:9']\n\nRocky:\n['Rocky Linux', 'Rocky Linux:8', 'Rocky Linux:9']\n\nUbuntu:\n['Ubuntu', 'Ubuntu:14.04:LTS', 'Ubuntu:16.04:LTS', 'Ubuntu:18.04:LTS', 'Ubuntu:20.04:LTS', 'Ubuntu:22.04:LTS', 'Ubuntu:23.10',\n 'Ubuntu:24.04:LTS', 'Ubuntu:Pro:14.04:LTS', 'Ubuntu:Pro:16.04:LTS', 'Ubuntu:Pro:18.04:LTS', 'Ubuntu:Pro:20.04:LTS',\n 'Ubuntu:Pro:22.04:LTS', 'Ubuntu:Pro:24.04:LTS']\n\nOthers:\n['Android', 'Bitnami', 'CRAN', 'GIT', 'GSD', 'GitHub Actions', 'Go', 'Hackage', 'Hex', 'Linux', 'Maven', 'NuGet', 'OSS-Fuzz',\n 'Packagist', 'Pub', 'PyPI', 'RubyGems', 'SwiftURL', 'UVI', 'crates.io', 'npm']\n\n```\n\n\n### Subscribe SBOM Report Notification (Enterprise Vigiles Only)\n\nSBOM report notifications can be configured in `local.conf` using `VIGILES_NOTIFICATION_FREQUENCY`. This setting allows users to set notification frequency for their report\nThis feature is currently available for Enterprise vigiles only.\n\nBy default, it is empty (`\"\"`), meaning no subscription setting will be applied\n\nTo enable notifications, set one of the following values:\n\n```\n\"none\", \"daily\", \"weekly\", \"monthly\"\n```\n\nFor example, To enable weekly notifications, set:\n\n```\nVIGILES_NOTIFICATION_FREQUENCY = \"weekly\"\n```\n\n\n### Package Lifecycle Information\n\nSome users may want to set package lifecycle information in the package recipes and have it included in the SBOM. This can be done using the following custom variables in the package recipes:\n\n```\nLIFECYCLE_RELEASE_DATE = \"2025-01-15\"\nLIFECYCLE_END_OF_LIFE   = \"2027-01-15\"\nLIFECYCLE_SUPPORT_LEVEL = \"Actively maintained\"\n```\nThese values will be collected and included in the SBOM for the corresponding packages.\n\nYou can also provide lifecycle information for additional packages using a CSV file referenced in ```VIGILES_EXTRA_PACKAGES```. Example CSV format:\n```\nproduct,version,license,release_date,end_of_life,level_of_support\navahi,0.6,MIT,2025-09-01,2026-01-01,Actively maintained\n```\n\nThe valid values for both ```LIFECYCLE_SUPPORT_LEVEL``` and the CSV column level_of_support are: ```Actively maintained```, ```No longer maintained```, ```Not available```, ```Abandoned```.\n\n\n### Specifying vulnerability report format\n\nUser can export the vulnerability report in various formats. \nTo export the report set `VIGILES_EXPORT_FORMAT` to any of the below choices in local.conf\n- pdf\n- pdfsummary\n- xlsx\n- csv\n- cyclonedx-vex\n- cyclonedx-sbom-vex\n\n```\nVIGILES_EXPORT_FORMAT = \"pdf\"\n```\n\nIf you choose to export the report in cyclonedx format, you need to specify additional details like\n`VIGILES_CYCLONEDX_FORMAT`\n- json [default]\n- xml\n\n`VIGILES_CYCLONEDX_VERSION`\n- 1.6 [default]\n- 1.5\n- 1.4\n\n```\nVIGILES_EXPORT_FORMAT = \"cyclonedx-vex\"\nVIGILES_CYCLONEDX_FORMAT = \"xml\"\nVIGILES_CYCLONEDX_VERSION = \"1.5\"\n```\n\n### Downloading converted SBOMs\n\nThis option allows SBOMs generated in vigiles format to be converted into standard SPDX or CycloneDX formats. When enabled, the converted SBOM is downloaded to `build/tmp/deploy/images/\u003cmachine\u003e/`.\n\n#### Enabling SBOM Download\nTo enable SBOM conversion and download, add the following to local.conf\n```\nVIGILES_ENABLE_DOWNLOAD_SBOM = \"1\"\n```\n\nIf enabled, it will download a CycloneDX 1.6 json format SBOM. To specify the spec, format and version of the SBOM, refer below:\n\n#### Specifying path to vigiles binary\nIf `VIGILES_BIN_PATH` variable is set, meta-timesys uses the specified binary to communicate with the Vigiles server and download the SBOM.\nIf it is not set, meta-timesys automatically installs [vigiles-cli](https://github.com/TimesysGit/vigiles-cli) into the native sysroot using the vigiles-cli-native recipe and uses it for SBOM downloads by default.\n\n**Note:** Using the latest version of vigiles-cli is recommended. However, if you need to use an older version, ensure it is v1.0.3 or higher.\n\nPath can be specified as below in local.conf\n\n```\nVIGILES_BIN_PATH = \"/usr/local/bin/vigiles\"\n```\n\n#### Selecting SBOM Specification\nYou can select the target SBOM specification using `VIGILES_DOWNLOAD_SBOM_SPEC`. Select any of the below choices:\n- spdx\n- spdx-lite\n- cyclonedx [default]\n\n```\nVIGILES_DOWNLOAD_SBOM_SPEC = \"spdx\"\n```\n\n#### Selecting the Output Format\nUse `VIGILES_DOWNLOAD_SBOM_FORMAT` to specify the output format of the converted SBOM:\n\n**Supported SPDX formats:**\n- tag\n- json\n- xlsx\n- xls\n- rdfxml\n- yaml\n- xml\n\n**Supported CycloneDX formats:**\n- json [default]\n- xml\n\n```\nVIGILES_DOWNLOAD_SBOM_FORMAT = \"tag\"\n```\n\n#### Selecting the Output Version\nUse `VIGILES_DOWNLOAD_SBOM_VERSION` to specify the output version of the converted SBOM:\n\n**SPDX versions:**\n- 2.2\n- 2.3\n\n**CycloneDX versions:**\n- 1.1\n- 1.2\n- 1.3\n- 1.4\n- 1.5\n- 1.6 [default]\n\n```\nVIGILES_DOWNLOAD_SBOM_VERSION = \"2.3\"\n```\n\nMaintenance\n===========\n\nThe Vigiles CVE Scanner and meta-timesys are maintained by [The Lynx Security team](mailto:vigiles@timesys.com).\n\nFor Updates, Support and More Information, please see:\n\n[Vigiles Website](https://www.lynx.com/solutions/vulnerability-mitigation-management)\n\nand\n\n[meta-timesys @ GitHub](https://github.com/TimesysGit/meta-timesys)\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftimesysgit%2Fmeta-timesys","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftimesysgit%2Fmeta-timesys","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftimesysgit%2Fmeta-timesys/lists"}