meta-sbom-cve-check

This layer integrates the sbom-cve-check utility into Yocto builds. It lets you run a CVE analysis on the SPDX Software Bill of Materials (SBOM) that Yocto generates for an image.

Features

  • Provides sbom-cve-check as a native build-time utility
  • Optionally adds a do_sbom_cve_check BitBake task that:
    • runs the CVE analysis on the generated SBOM,
    • deploys the export files into the image deploy directory.

Using sbom-cve-check native tool

Requirements

  • Yocto / OpenEmbedded build environment
  • Supported Yocto versions are Scarthgap, Walnascar and Whinlatter
  • This layer is included in bblayers.conf

Running sbom-cve-check from Yocto

To run sbom-cve-check from the Yocto native sysroot:

  1. Clone this layer and include it in your bblayers.conf:

    $ git clone https://github.com/bootlin/meta-sbom-cve-check.git layers/meta-sbom-cve-check

  2. Build the native tool and add it to the recipe sysroot:

    bitbake python3-sbom-cve-check-native -caddto_recipe_sysroot

  3. Run the tool through oe-run-native, for example to show its help:

    oe-run-native python3-sbom-cve-check-native sbom-cve-check --help

Using sbom-cve-check task

Requirements

  • Yocto / OpenEmbedded build environment
  • This layer is included in bblayers.conf
  • The vex class needs to be enabled globally
  • Currently only SPDX3 is supported by the sbom-cve-check class
  • On Scarthgap: SPDX2.2 needs to be disabled and SPDX3 enabled

Enabling the task

To run a CVE analysis on the built image:

  1. Clone this layer and include it in your bblayers.conf.

  2. Enable the sbom-cve-check class in your image recipe:

    inherit sbom-cve-check

  Alternatively, the class can be inherited automatically in all image recipes through IMAGE_CLASSES, typically in your local.conf:

    IMAGE_CLASSES:append = " sbom-cve-check"

  3. Configure the mandatory settings, typically in your local.conf:

  • Enable the vex class globally:

    INHERIT += "vex"

  • Enable SPDX3 SBOM generation (on Scarthgap this also disables the default SPDX2.2 generation):

    INHERIT:remove = "create-spdx"
    INHERIT += "create-spdx-3.0"

  • Use the latest revision of the CVE databases:

    SRCREV:pn-sbom-cve-check-update-nvd-native = "${AUTOREV}"
    SRCREV:pn-sbom-cve-check-update-cvelist-native = "${AUTOREV}"

  4. Optionally, extract the compiled sources of the kernel recipe:

    SPDX_INCLUDE_COMPILED_SOURCES:pn-linux-yocto = "1"

  5. Optionally, configure the CVE analysis with the following variables:

  • SBOM_CVE_CHECK_EXTRA_ARGS: Extra arguments passed to sbom-cve-check, for example filtering options.

  • SBOM_CVE_CHECK_EXPORT_VARS: List of variables that declare the export files to generate. Defaults to SBOM_CVE_CHECK_EXPORT_SPDX3 SBOM_CVE_CHECK_EXPORT_CVECHECK.

    Each listed variable must have the following flags set:

    • [type]: The type of export, which is passed as the value of the --export-type option (e.g., csv or spdx3).
    • [ext]: The file extension of the exported file that is going to be generated.

  • SBOM_CVE_CHECK_EXPORT_SPDX3: Export configuration that generates an SPDX3 SBOM file. The [type] flag is set to spdx3 and the [ext] flag to .sbom-cve-check.spdx.json.

  • SBOM_CVE_CHECK_EXPORT_CVECHECK: Export configuration that generates a JSON manifest. The [type] flag is set to yocto-cve-check-manifest and the [ext] flag to .sbom-cve-check.yocto.json.

  6. Build your target image.

    The resulting export files are placed in the deploy directory; with the default configuration the SPDX3 export is named ${IMAGE_NAME}.sbom-cve-check.spdx.json
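The following local.conf fragment ties the steps above together in one place and shows how an additional export file is declared through the [type] and [ext] flags. It is an added example, not a configuration file shipped with this layer: the variable name SBOM_CVE_CHECK_EXPORT_CSV and the extension .sbom-cve-check.csv are assumptions chosen for the example, while csv is one of the export types the description of the [type] flag above names as accepted by --export-type.

```bitbake
# conf/local.conf fragment (added example, not part of the layer itself)

# Inherit the sbom-cve-check class in every image recipe rather than
# adding "inherit sbom-cve-check" to each one.
IMAGE_CLASSES:append = " sbom-cve-check"

# Mandatory settings listed in the Requirements section.
INHERIT += "vex"
# SPDX3 is the only format the class supports; on Scarthgap the
# SPDX2.2 generator must be removed explicitly.
INHERIT:remove = "create-spdx"
INHERIT += "create-spdx-3.0"
# Track the latest revision of the NVD and CVE list databases.
SRCREV:pn-sbom-cve-check-update-nvd-native = "${AUTOREV}"
SRCREV:pn-sbom-cve-check-update-cvelist-native = "${AUTOREV}"

# Optional: include the kernel's compiled sources in the generated SBOM.
SPDX_INCLUDE_COMPILED_SOURCES:pn-linux-yocto = "1"

# Optional: extra command-line options forwarded to sbom-cve-check.
# Replace the placeholder with the filtering options you need.
#SBOM_CVE_CHECK_EXTRA_ARGS = "<filtering options>"

# Declare a third export file in addition to the two defaults.
# The variable name and the extension are assumptions for this example;
# every variable listed in SBOM_CVE_CHECK_EXPORT_VARS needs both flags.
SBOM_CVE_CHECK_EXPORT_CSV[type] = "csv"
SBOM_CVE_CHECK_EXPORT_CSV[ext] = ".sbom-cve-check.csv"

# Keep the default SPDX3 and yocto-cve-check-manifest exports and append
# the new one; ":append" is applied on top of the class's default value.
SBOM_CVE_CHECK_EXPORT_VARS:append = " SBOM_CVE_CHECK_EXPORT_CSV"
```

With this fragment, building the image produces the two default export files plus a third one whose name follows the ${IMAGE_NAME} plus [ext] pattern shown above, i.e. ${IMAGE_NAME}.sbom-cve-check.csv in the deploy directory. Pinning SRCREV to ${AUTOREV} means every build fetches the current database revision, so results are reproducible only if you record which revision a given analysis used.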

Support

For issues or contributions, please open an issue or pull request on GitHub.
