How to run CVE checks using the Yocto Project

Introduction

This is a high-level tutorial and the intention is not to cover the Yocto Project in depth. If you are interested in detailed information, we recommend that you read the Yocto Project Mega-Manual.

It is estimated that more than 90% of all IoT device compromises are due to exploits of known vulnerabilities. As a producer of connected devices, it is critical that all software is frequently scanned against known vulnerabilities as defined in the Common Vulnerabilities and Exposures (CVE) database. All connected devices use third-party libraries and software (including Linux and popular protocol implementations) in which attackers try to find holes. Doing a scan once before shipping a device does not suffice; scanning must be an ongoing exercise. Preferably the scan happens on the device, but it is also possible to scan against an inventory database if the vendor has full control of all the software running on the device.

This tutorial will cover how to utilize the Yocto Project to perform CVE scans on built images, producing the data needed for a detailed security analysis of your product.

Prerequisites

To follow this tutorial, you will need:

Step 1 - Enabling CVE check

The Yocto Project provides a cve-check class which can be enabled to scan packages for public CVEs. You can use this feature to scan individual packages and also images (which will scan all packages included in that specific image).

It performs the lookup against the National Vulnerability Database (NVD).

To enable the CVE check you can add the following to e.g. local.conf:

INHERIT += "cve-check"

Once this is enabled you can run CVE checks on individual packages, e.g. openssl:

bitbake -c cve_check openssl

The above command will produce output similar to the following if unpatched CVEs were found:

WARNING: openssl-1.1.1b-r0 do_cve_check: Found unpatched CVE (CVE-2016-7798 CVE-2018-16395 CVE-2019-0190 CVE-2019-1547 CVE-2019-1549 CVE-2019-1552 CVE-2019-1563), for more information check …

These CVEs might not all be relevant to your use case, and you will need to review each CVE in more detail to determine its impact.

If we take a closer look at one of the reported CVEs above, CVE-2016-7798, we can see that this specific CVE relates to the Ruby gem for openssl. For the sake of the example, let's say that this CVE does not apply since I am not using Ruby. In this case we can whitelist this specific CVE to reduce the noise in the report.

Whitelist CVE-2016-7798 by adding the following to e.g. local.conf:

CVE_CHECK_WHITELIST = "CVE-2016-7798"

There is one additional variable (CVE_CHECK_PN_WHITELIST) which can be used to skip CVE checks for entire packages, e.g.:

CVE_CHECK_PN_WHITELIST = "openssl"

NOTE! This should be used with care as it can hide CVEs which might have a high severity.

Furthermore, we can perform CVE checks on an image by simply running (with cve-check enabled):

bitbake core-image-base

NOTE! This should work with any image; core-image-base is used here only as an example.

This will produce a detailed report in the deploy directory, which you can access using the following:

cat tmp/deploy/images/*/core-image-base-*.cve

Review the above report and assess the severity of each CVE for your specific use case. You can then use the whitelist variables to reduce the noise.
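The image report above is plain text, and reviewing it by hand quickly becomes tedious once it spans dozens of packages. The following script is an added example (it is not part of the tutorial or of the Yocto Project) that parses such a report, applies the same suppression rules as CVE_CHECK_WHITELIST and CVE_CHECK_PN_WHITELIST from the whitelisting section, and, in line with the NOTE about CVE_CHECK_PN_WHITELIST, flags any suppressed finding that still carries a high CVSS score. The report layout it assumes (one "KEY: value" block per CVE, blocks separated by a blank line) follows the cve-check class text output; the embedded sample report is constructed, and its scores and summaries are placeholder values rather than NVD data.

```python
"""Triage a Yocto cve-check text report (tmp/deploy/images/<machine>/<image>-*.cve).

Added example for this tutorial, not code from the Yocto Project. The assumed
report layout (one "KEY: value" block per CVE, blocks separated by a blank line)
follows the cve-check class text output; the sample below is constructed and its
scores and summaries are placeholder values, not NVD data.
"""
import re
import sys

# Constructed sample report: four entries for one package, one of them patched.
SAMPLE_REPORT = """\
PACKAGE NAME: openssl
PACKAGE VERSION: 1.1.1b
CVE: CVE-2016-7798
CVE STATUS: Unpatched
CVE SUMMARY: (constructed summary) affects the Ruby openssl gem, not the C library
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5

PACKAGE NAME: openssl
PACKAGE VERSION: 1.1.1b
CVE: CVE-2018-16395
CVE STATUS: Unpatched
CVE SUMMARY: (constructed summary) high-severity placeholder
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 9.8

PACKAGE NAME: openssl
PACKAGE VERSION: 1.1.1b
CVE: CVE-2019-1547
CVE STATUS: Unpatched
CVE SUMMARY: (constructed summary) low-severity placeholder
CVSS v2 BASE SCORE: 1.9
CVSS v3 BASE SCORE: 4.7

PACKAGE NAME: openssl
PACKAGE VERSION: 1.1.1b
CVE: CVE-2019-1563
CVE STATUS: Patched
CVE SUMMARY: (constructed summary) fixed by a patch carried in the recipe
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 3.7
"""


def parse_cve_report(text):
    """Split the report into one dict per CVE block, keyed by the report's own labels."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")  # summaries may contain ':'; split once
            if sep:
                entry[key.strip()] = value.strip()
        if "CVE" in entry and "PACKAGE NAME" in entry:
            entries.append(entry)
    return entries


def best_score(entry):
    """Highest CVSS base score present (v3 preferred, v2 fallback, 0.0 if neither parses)."""
    scores = []
    for key in ("CVSS v3 BASE SCORE", "CVSS v2 BASE SCORE"):
        try:
            scores.append(float(entry.get(key, "")))
        except ValueError:
            pass
    return max(scores, default=0.0)


def triage(entries, cve_whitelist=(), pn_whitelist=(), min_score=0.0):
    """Apply the CVE_CHECK_WHITELIST / CVE_CHECK_PN_WHITELIST rules, but keep what was
    hidden so a reviewer can see it. Open findings are sorted by descending score."""
    result = {"open": [], "suppressed": [], "patched": 0}
    for e in entries:
        cve, pn, score = e["CVE"], e["PACKAGE NAME"], best_score(e)
        if e.get("CVE STATUS") == "Patched":
            result["patched"] += 1
        elif pn in pn_whitelist:
            result["suppressed"].append((cve, pn, score, "CVE_CHECK_PN_WHITELIST"))
        elif cve in cve_whitelist:
            result["suppressed"].append((cve, pn, score, "CVE_CHECK_WHITELIST"))
        elif score >= min_score:
            result["open"].append((cve, pn, score))
    result["open"].sort(key=lambda t: (-t[2], t[0]))
    return result


def high_severity_suppressed(result, threshold=7.0):
    """The check the tutorial's NOTE calls for: whitelisted findings that still score high."""
    return sorted((t for t in result["suppressed"] if t[2] >= threshold),
                  key=lambda t: (-t[2], t[0]))


def render_whitelist(cves):
    """Render reviewed CVE ids as the local.conf line used in the tutorial."""
    return 'CVE_CHECK_WHITELIST = "%s"' % " ".join(sorted(cves))


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    res = triage(parse_cve_report(text), cve_whitelist={"CVE-2016-7798"})
    for cve, pn, score in res["open"]:
        print("OPEN       %-16s %-12s %.1f" % (cve, pn, score))
    for cve, pn, score, why in res["suppressed"]:
        print("SUPPRESSED %-16s %-12s %.1f (%s)" % (cve, pn, score, why))
    for cve, pn, score, why in high_severity_suppressed(res):
        print("WARNING: %s scores %.1f but is hidden by %s" % (cve, score, why))
    print("patched: %d" % res["patched"])
```

Run it as `python3 cve_triage.py tmp/deploy/images/<machine>/core-image-base-<machine>.cve` (the file name is an assumption; any path to a cve-check report works), or with no argument to see the constructed sample. Keeping the suppressed findings in the output, rather than dropping them as the whitelist variables do at build time, is the design choice that makes the script useful for review: a package-level whitelist entry is visible as a list of the individual CVEs it silences, with their scores.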

Conclusion

In this tutorial, we have covered how to perform basic CVE checks using the Yocto Project, in the hope that it will get you to start thinking about CVEs and perhaps integrate this into your release flow, ensuring a high-quality product with security in mind.

Please take note of the disclaimer in the Yocto Project cve-check class:

# DISCLAIMER
#
# This class/tool is meant to be used as support and not
# the only method to check against CVEs. Running this tool
# doesn't guarantee your packages are free of CVEs.

Even though the coverage might not be 100% using only this method, it is definitely a good starting point in creating more secure products.


Yocto Project and all related marks and logos are trademarks of The Linux Foundation. This website is not, in any way, endorsed by the Yocto Project or The Linux Foundation.



It seems that the cve-check class is broken in Sumo as it depended on Intel's cve-check-tool https://github.com/clearlinux/cve-check-tool which seems to be no longer maintained and fails to extract the CVE archives.

Thud and upwards is required as the bitbake class has been rewritten to not use this dependency.