Yocto layer for sbom-cve-check
https://github.com/bootlin/meta-sbom-cve-check

# meta-sbom-cve-check

This layer integrates the [sbom-cve-check](https://github.com/bootlin/sbom-cve-check)
utility into Yocto builds. It allows you to run the CVE analysis on the SPDX
Software Bill of Materials (SBOM) generated by Yocto.

## Features

- Provides `sbom-cve-check` as a native build-time utility
- Optionally adds a `do_sbom_cve_check` BitBake task that:
  * runs the CVE analysis on the generated SBOM, and
  * deploys the export files into the image deploy directory.

## Using sbom-cve-check native tool

### Requirements

- Yocto / OpenEmbedded build environment
- This layer is included in bblayers.conf

### Running sbom-cve-check from Yocto

To run `sbom-cve-check` from the Yocto native sysroot:

1. Clone and include this layer in your `bblayers.conf`:

```
$ git clone https://github.com/bootlin/meta-sbom-cve-check.git layers/meta-sbom-cve-check
```

2. Build the native tool and add it to its recipe sysroot:

```
bitbake python3-sbom-cve-check-native -c addto_recipe_sysroot
```

3. Run the tool through `oe-run-native`, for example to show its help:

```
oe-run-native python3-sbom-cve-check-native sbom-cve-check --help
```

## Using sbom-cve-check task

### Requirements

- Yocto / OpenEmbedded build environment
- This layer is included in bblayers.conf
- The `vex` class needs to be enabled globally
- Currently only SPDX3 is supported by the `sbom-cve-check` class
- On Scarthgap: SPDX2.2 needs to be disabled and SPDX3 enabled

### Enabling the task

To run a CVE analysis on the built image:

1. Clone and include this layer in your `bblayers.conf`.

2. Enable the `vex` class globally, typically in your `local.conf`:

```
INHERIT += "vex"
```

3. Enable the `sbom-cve-check` class in your image recipe:

```
inherit sbom-cve-check
```

Alternatively, the class can be inherited by all image recipes automatically through `IMAGE_CLASSES`, typically in your `local.conf`:

```
IMAGE_CLASSES += "sbom-cve-check"
```

4. Optionally configure the CVE analysis using the following variables:

- `SBOM_CVE_CHECK_EXTRA_ARGS`: Extra arguments passed to `sbom-cve-check`,
  for example filtering options.

- `SBOM_CVE_CHECK_EXPORT_VARS`: List of variables that each declare an export
  file to generate. Defaults to `SBOM_CVE_CHECK_EXPORT_FILE`.

  Each listed variable must have the following flags set:
  - `[type]`: The type of export, which is passed as the value of the
    `--export-type` option (e.g. `csv` or `spdx3`).
  - `[ext]`: The file extension of the exported file that is going to be
    generated.

- `SBOM_CVE_CHECK_EXPORT_FILE`: Default export file configuration.
  Its `[type]` flag defaults to `spdx3` and its `[ext]` flag defaults
  to `.cve-check.spdx.json`.
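
As an added example, not taken from the layer's README, the following image recipe fragment keeps the default SPDX3 export and declares a second CSV export using the flag syntax described above; the variable name `SBOM_CVE_CHECK_EXPORT_CSV` and the `.cve-check.csv` extension are names assumed for this illustration.

```bitbake
# Added example (not from the meta-sbom-cve-check README): image recipe fragment.
# SBOM_CVE_CHECK_EXPORT_CSV and the ".cve-check.csv" extension are assumed
# names chosen for this illustration.
inherit sbom-cve-check

# List every export variable explicitly so the default SPDX3 export
# (SBOM_CVE_CHECK_EXPORT_FILE) is kept alongside the extra CSV export.
SBOM_CVE_CHECK_EXPORT_VARS = "SBOM_CVE_CHECK_EXPORT_FILE SBOM_CVE_CHECK_EXPORT_CSV"

# Both flags are required for each variable listed above:
# [type] becomes the value of --export-type, [ext] is appended to ${IMAGE_NAME}.
SBOM_CVE_CHECK_EXPORT_CSV[type] = "csv"
SBOM_CVE_CHECK_EXPORT_CSV[ext] = ".cve-check.csv"
```

With this configuration the deploy directory receives both `${IMAGE_NAME}.cve-check.spdx.json` and `${IMAGE_NAME}.cve-check.csv` after the image build.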

5. Build your target image.

The resulting export file, an SPDX3 document, is placed in the deploy
directory under the default name `${IMAGE_NAME}.cve-check.spdx.json`.

## Support

For issues or contributions, please open an issue or pull request on GitHub.