From the YP mailing list ...
> ----Original Message----
> Subject: cve-checker tool
>
> Hi guys,
>
> I have some questions regarding the cve-check tool. I don't find anything
> about this tool in the Yocto 2.2 release. Does the documentation mention
> this tool and how to use it?
>
> Is this tool planned to be integrated with the daily build so the Yocto project
> can detect unaddressed CVEs automatically?
>
> Mariano:
> Does this tool look at CVE tag inside the recipe as well or only checks the
> package version?
>
> Can this tool be used together with "meta-security-isafw" and get a fancy
> report?
There is some useful information in cve-check.bbclass:
# In order to use this class just inherit the class in the
# local.conf file and it will add the cve_check task for
# every recipe. The task can be used per recipe, per image,
# or using the special cases "world" and "universe". The
# cve_check task will print a warning for every unpatched
# CVE found and generate a file in the recipe WORKDIR/cve
# directory. If an image is built it will generate a report
# in DEPLOY_DIR_IMAGE for all the packages used.
I see the following logs are generated:
./unzip/1_6.0-r5/cve/cve.log
./gnutls/3.5.3-r0/cve/cve.log
./glibc/2.24-r0/cve/cve.log
./glibc-initial/2.24-r0/cve/cve.log
./foomatic-filters/4.0.17-r1/cve/cve.log
./bzip2/1.0.6-r5/cve/cve.log
./libxml2/2.9.4-r0/cve/cve.log
./perl/5.22.1-r0/cve/cve.log
./expat/2.2.0-r0/cve/cve.log
./flex/2.6.0-r0/cve/cve.log
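As an added example (not code from this thread or from poky's cve-check.bbclass), the script below walks the per-recipe cve.log files listed above and reports which CVEs are still marked Unpatched for each recipe. It assumes the "KEY: value" block format that cve-check.bbclass writes to WORKDIR/cve/cve.log; the sample logs and CVE ids are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample logs in the "KEY: value" block format that
# cve-check.bbclass writes (assumed format; CVE ids are placeholders).
SAMPLE_LOGS = {
    "./unzip/1_6.0-r5/cve/cve.log": (
        "PACKAGE NAME: unzip\nPACKAGE VERSION: 6.0\nCVE: CVE-0000-0001\n"
        "CVE STATUS: Patched\nCVSS v2 BASE SCORE: 6.8\n\n"
        "PACKAGE NAME: unzip\nPACKAGE VERSION: 6.0\nCVE: CVE-0000-0002\n"
        "CVE STATUS: Unpatched\nCVSS v2 BASE SCORE: 7.5\n"
    ),
    "./expat/2.2.0-r0/cve/cve.log": (
        "PACKAGE NAME: expat\nPACKAGE VERSION: 2.2.0\nCVE: CVE-0000-0003\n"
        "CVE STATUS: Unpatched\nCVSS v2 BASE SCORE: 5.0\n"
    ),
    "./flex/2.6.0-r0/cve/cve.log": "",  # recipe with no CVEs reported
}

PATH_RE = re.compile(r"(?:^|/)([^/]+)/([^/]+)/cve/cve\.log$")

def recipe_from_path(path):
    """Derive (recipe, version) from a WORKDIR/cve/cve.log path, e.g.
    './unzip/1_6.0-r5/cve/cve.log' -> ('unzip', '1_6.0-r5')."""
    m = PATH_RE.search(path)
    if not m:
        raise ValueError("not a cve.log path: %s" % path)
    return m.group(1), m.group(2)

def parse_cve_log(text):
    """Split a cve.log into records: one dict per blank-line-separated block."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(": ")
            if sep:
                fields[key.strip()] = value.strip()
        if "CVE" in fields:  # skip empty logs and stray lines
            records.append(fields)
    return records

def unpatched_by_recipe(logs):
    """Map recipe name -> (cve_id, score) pairs still Unpatched, highest score first."""
    result = defaultdict(list)
    for path, text in logs.items():
        recipe, _version = recipe_from_path(path)
        for rec in parse_cve_log(text):
            if rec.get("CVE STATUS", "").lower() == "unpatched":
                score = float(rec.get("CVSS v2 BASE SCORE") or 0)
                result[recipe].append((rec["CVE"], score))
    return {r: sorted(v, key=lambda t: -t[1]) for r, v in result.items()}

if __name__ == "__main__":
    for recipe, cves in sorted(unpatched_by_recipe(SAMPLE_LOGS).items()):
        print(recipe, ", ".join("%s (%.1f)" % c for c in cves))
```

On a real build tree, replace SAMPLE_LOGS with the contents of each `*/cve/cve.log` found under `tmp/work`.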