michaelopdenacker/meta-vulnscout

meta-vulnscout is a Yocto meta-layer that uses vulnscout to scan a project, export its Software Bill of Materials (SBOM), and list the vulnerabilities that affect it. It supports CycloneDX, SPDX, Yocto JSON files, and OpenVEX.

Prerequisites

The command docker-compose or docker compose must be available on the host, since vulnscout itself runs as a container started with Compose.

Requirements

This layer, meta-vulnscout, requires your project to be built with SBOM generation and a CVE report enabled.

If that is not the case yet, add the following to build/conf/local.conf:

INHERIT += "create-spdx"
INHERIT += "cve-check"
include conf/distro/include/cve-extra-exclusions.inc

If you also produce CycloneDX SBOMs through the meta-cyclonedx layer (https://github.com/savoirfairelinux/meta-cyclonedx.git), add this extra line as well:

INHERIT += "cyclonedx-export"

For faster NVD database downloads during vulnscout setup, set an NVD API key in the NVDCVE_API_KEY variable. Treat the key as a secret and keep the file that holds it out of version control.

Yocto documentation reference: https://docs.yoctoproject.org/ref-manual/variables.html#term-NVDCVE_API_KEY

You can request a new NVD key at: https://nvd.nist.gov/developers/request-an-api-key

Installation

To install this meta-layer, clone the repository into your sources directory and add it to build/conf/bblayers.conf:

$ cd sources
$ git clone https://github.com/savoirfairelinux/meta-vulnscout.git

Then, in bblayers.conf, add the absolute path of the cloned layer:

BBLAYERS += "/path/to/meta-vulnscout"

Configuration

To enable and configure Vulnscout, add inherit vulnscout to your image recipe.

This repository contains an example in recipes-core/images/core-image-minimal.bbappend.

Building

You can build your image as you normally would.

As a result, a new .vulnscout folder appears in ${TOPDIR}/.. (the location can be changed with the VULNSCOUT_ROOT_DIR variable).

The vulnerability scan and analysis can then be started with the BitBake command below (replace core-image-minimal-yoctolabs with the name of your image):

bitbake core-image-minimal-yoctolabs -c vulnscout

Or manually, with the command:

docker compose -f "<project_root>/.vulnscout/core-image-minimal-yoctolabs/docker-compose.yml" up

Without a custom configuration, a web interface is started at http://localhost:7275.
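The setup steps above (Compose prerequisite check, local.conf changes, layer registration) gathered into one idempotent shell script, so running it twice never duplicates INHERIT or BBLAYERS lines. This is an added example and not part of meta-vulnscout; the sources/ next to build/ layout, the WITH_CYCLONEDX switch and the function names are assumptions of the example.

```shell
#!/bin/sh
# Added example (not part of meta-vulnscout): apply the README's setup steps
# to a Yocto build directory idempotently. The layout (sources/ next to
# build/) and the WITH_CYCLONEDX switch are assumptions of this example.

# Print the Compose command to use, preferring the "docker compose" plugin;
# fail if neither form is installed (the README's prerequisite).
compose_cmd() {
    if docker compose version >/dev/null 2>&1; then
        echo "docker compose"
    elif command -v docker-compose >/dev/null 2>&1; then
        echo "docker-compose"
    else
        echo "error: neither 'docker compose' nor docker-compose found" >&2
        return 1
    fi
}

# Append a line to a conf file unless that exact line is already present.
add_conf_line() {
    file=$1; line=$2
    touch "$file"
    grep -qxF -- "$line" "$file" || printf '%s\n' "$line" >> "$file"
}

# Enable SPDX SBOM generation and the CVE report in local.conf; optionally
# the CycloneDX export when meta-cyclonedx is also part of the build.
configure_local_conf() {
    conf=$1
    add_conf_line "$conf" 'INHERIT += "create-spdx"'
    add_conf_line "$conf" 'INHERIT += "cve-check"'
    add_conf_line "$conf" 'include conf/distro/include/cve-extra-exclusions.inc'
    if [ "${WITH_CYCLONEDX:-0}" = 1 ]; then
        add_conf_line "$conf" 'INHERIT += "cyclonedx-export"'
    fi
}

# Register a layer in bblayers.conf; BitBake needs an absolute path here.
add_layer() {
    bblayers=$1; layer_dir=$2
    case $layer_dir in
        /*) ;;
        *) echo "error: layer path must be absolute: $layer_dir" >&2; return 1 ;;
    esac
    add_conf_line "$bblayers" "BBLAYERS += \"$layer_dir\""
}

# Full flow: clone the layer once, wire up both conf files, then tell the
# reader which task to run from a sourced build environment.
# Usage: setup_vulnscout /abs/path/to/yocto core-image-minimal-yoctolabs
setup_vulnscout() {
    top=$1; image=$2
    compose_cmd >/dev/null || return 1
    [ -d "$top/sources/meta-vulnscout" ] || \
        git clone https://github.com/savoirfairelinux/meta-vulnscout.git \
            "$top/sources/meta-vulnscout"
    configure_local_conf "$top/build/conf/local.conf"
    add_layer "$top/build/conf/bblayers.conf" "$top/sources/meta-vulnscout"
    echo "next: source your build environment, then run: bitbake $image -c vulnscout"
}
```

Source the script and call setup_vulnscout with the top-level directory that contains sources/ and build/. The NVDCVE_API_KEY line is deliberately not written by the script: add it by hand to a configuration file you do not commit.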

Result

[Screenshot]

License

Copyright (C) 2017-2025 Savoir-faire Linux, Inc.

meta-vulnscout is released under the Apache 2 license.
