ebail/meta-vulnscout

meta-vulnscout is a Yocto meta-layer that uses vulnscout to scan a project, export its Software Bill of Materials (SBOM), and list the vulnerabilities that affect it. It supports CycloneDX, SPDX, Yocto JSON files, and OpenVEX.

Prerequisites

The command docker-compose or docker compose should be available on the host device.

Requirements

This layer, named meta-vulnscout, requires your project to be built with SBOM generation and CVE reporting enabled.

If this is not the case yet, you can simply add the following to build/conf/local.conf:

INHERIT += "cve-check"
include conf/distro/include/cve-extra-exclusions.inc

You may also need to add INHERIT += "create-spdx" if you are not using the default poky distro and the distro you use does not already inherit it.

If you use the CycloneDX SBOM layer from https://github.com/savoirfairelinux/meta-cyclonedx.git, you can also add the following:

INHERIT += "cyclonedx-export"

For a faster NVD database download during vulnscout setup, you can set an NVD API key with the NVDCVE_API_KEY variable.

Yocto documentation reference: https://docs.yoctoproject.org/ref-manual/variables.html#term-NVDCVE_API_KEY

You can request a new NVD API key at: https://nvd.nist.gov/developers/request-an-api-key

Installation

To install this meta-layer, simply clone the repository into the sources directory and add it to your build/conf/bblayers.conf file:

$ cd sources
$ git clone https://github.com/savoirfairelinux/meta-vulnscout.git

And in your bblayers.conf file:

BBLAYERS += "/path/to/meta-vulnscout"

Configuration

To enable and configure Vulnscout, you simply add inherit vulnscout in your image recipe.

This project contains an example in recipes-core/images/core-image-minimal.bbappend.
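The prerequisite, installation and configuration steps above, put together as an added example (these are not files shipped by meta-vulnscout). The sources path /home/user/yocto/sources, the API key value and the meta-cyclonedx layer are assumptions; drop the lines you do not need.

```bitbake
# build/conf/local.conf  (added example; path and key values are placeholders)

# Required: CVE report generation for every recipe in the image.
INHERIT += "cve-check"
include conf/distro/include/cve-extra-exclusions.inc

# Only needed when your distro does not already inherit create-spdx (poky does).
INHERIT += "create-spdx"

# Only if meta-cyclonedx is part of your layer set (see bblayers.conf below).
INHERIT += "cyclonedx-export"

# Optional: an NVD API key speeds up the NVD database download during vulnscout setup.
# Never commit a real key to version control; this is a placeholder value.
NVDCVE_API_KEY = "<your-nvd-api-key>"

# Optional: move the generated .vulnscout folder away from its default ${TOPDIR}/..
# VULNSCOUT_ROOT_DIR = "/home/user/yocto/vulnscout-output"


# build/conf/bblayers.conf  (assumed sources directory)
BBLAYERS += "/home/user/yocto/sources/meta-vulnscout"
BBLAYERS += "/home/user/yocto/sources/meta-cyclonedx"


# recipes-core/images/core-image-minimal.bbappend
# Enables the vulnscout task for this image; bitbake <image> -c vulnscout then works.
inherit vulnscout
```

The three fragments belong to three different files, separated here by comment headers. Note the two spellings: INHERIT (upper case, in local.conf) applies a class globally, while inherit (lower case, in the image recipe or its .bbappend) applies vulnscout to that image only.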

Building

You can build your image as you normally would.

As a result, you should see a new .vulnscout folder in ${TOPDIR}/.. (the location can be changed with the VULNSCOUT_ROOT_DIR variable).

The scan and analysis of vulnerabilities can be started with the following BitBake command:

bitbake core-image-minimal-yoctolabs -c vulnscout

Or you can do it manually with the command:

docker compose -f "<project_root>/.vulnscout/core-image-minimal-yoctolabs/docker-compose.yml" up

Without a custom configuration, a web interface is started at http://localhost:7275.
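An added example (not a script from meta-vulnscout) that wraps the two ways of starting a scan described above: it checks the docker compose prerequisite, verifies that the build actually produced the compose file under .vulnscout before trying to bring it up, and falls back to the manual command when bitbake is not on the PATH. It assumes the default output location (VULNSCOUT_ROOT_DIR unchanged, so the project root is the parent of the build directory) and the image name core-image-minimal-yoctolabs from the README; the script name vulnscout-run.sh is an assumption too.

```shell
#!/bin/sh
# Added example, not part of meta-vulnscout. Save as vulnscout-run.sh and run
# from the project root (the directory containing build/ and .vulnscout/).
set -eu

# Pick whichever compose command the host provides (the README prerequisite).
# Prints "docker compose" or "docker-compose"; returns 1 when neither exists.
detect_compose() {
    if docker compose version >/dev/null 2>&1; then
        echo "docker compose"
    elif command -v docker-compose >/dev/null 2>&1; then
        echo "docker-compose"
    else
        return 1
    fi
}

# Path of the compose file the vulnscout class generates for an image.
compose_file() {
    project_root=$1
    image=$2
    echo "$project_root/.vulnscout/$image/docker-compose.yml"
}

# Manual start: refuse to run if the build never produced the compose file,
# which is the usual symptom of an image that does not 'inherit vulnscout'.
run_vulnscout_manually() {
    project_root=$1
    image=$2
    file=$(compose_file "$project_root" "$image")
    if [ ! -f "$file" ]; then
        echo "missing $file; build the image with 'inherit vulnscout' first" >&2
        return 1
    fi
    compose=$(detect_compose) || {
        echo "neither 'docker compose' nor 'docker-compose' is available" >&2
        return 1
    }
    # $compose is intentionally unquoted: the plugin form is two words.
    $compose -f "$file" up
}

main() {
    project_root=${1:-$(pwd)}
    image=${2:-core-image-minimal-yoctolabs}
    if command -v bitbake >/dev/null 2>&1; then
        # Preferred path: the task provided by the vulnscout class.
        bitbake "$image" -c vulnscout
    else
        run_vulnscout_manually "$project_root" "$image"
    fi
    echo "web interface (default configuration): http://localhost:7275"
}

# Only run main when executed as vulnscout-run.sh, so the functions above can
# be sourced and exercised separately.
if [ "${0##*/}" = "vulnscout-run.sh" ]; then
    main "$@"
fi
```

Usage: `sh vulnscout-run.sh` from the project root, or `sh vulnscout-run.sh /path/to/project my-image` to point it at another project root or image name. The file check in run_vulnscout_manually is the part worth keeping even if you drop the rest: a missing docker-compose.yml under .vulnscout means no scan happened, and starting the compose project anyway would only fail later with a less obvious error.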

Result

Screenshot

License

Copyright (C) 2017-2025 Savoir-faire Linux, Inc.

meta-vulnscout is released under the Apache 2 license.
