.. |br| raw:: html
.. _cve-management-index:

CVE Management
==============

CVE (Common Vulnerabilities and Exposures) management is the ongoing process of identifying, assessing, remediating and monitoring known security vulnerabilities in IT systems. It forms the backbone of modern vulnerability management and helps to protect systems from cyber attacks.

The CVE management lifecycle can be divided into four key stages:

**1. Identification**

Inventory of all software components in use and comparison with the publicly accessible CVE database. Code analysis tools and vulnerability scanners support this continuous monitoring.

**2. Assessment**

Determining the relevance of a security vulnerability to your own system. This is usually done using the standardised CVSS (Common Vulnerability Scoring System), which rates severity on a scale of 0.0 to 10.0.

**3. Prioritisation & Resolution (Patch Management)**

Risk-based prioritisation of vulnerabilities so that the most critical threats are addressed first. They are usually resolved by installing patches or software updates, or by adjusting the system configuration.

**4. Reporting & Documentation**

Documentation of all actions and ongoing monitoring of the system software to minimise security vulnerabilities in the long term and ensure compliance with regulatory requirements.

Yocto support
-------------

The cve-check class
^^^^^^^^^^^^^^^^^^^

To run a check for CVE security vulnerabilities, use the cve-check class on the specific image or target you are building. To do so, add the following to ``conf/local.conf``:

.. code-block:: text

   INHERIT += "cve-check"

cve-check is Yocto's traditional class, integrated into the build flow.

* How it works: It compares the names and versions of the built recipe packages with the CVE databases stored in Yocto.
* Output: It generates reports (in JSON format) listing which CVEs may apply to a package.
* Limitation: It is heavily dependent on the original build directory and relies on the (often incomplete) CPE information in the databases.

Please see also the chapter `Vulnerability check at build time`_ of the Yocto documentation.

The vex class
^^^^^^^^^^^^^

The vex class is the modern, standardised successor of the cve-check class and was developed to meet the requirements of current security standards (such as the EU Cyber Resilience Act).

* How it works: It generates structured VEX documents in OpenVEX format. These not only indicate whether a package is vulnerable, but also whether the vulnerability can actually be exploited in the specific context of the system (e.g. if vulnerable configurations have been disabled).
* Advantage of independence: Unlike cve-check, vex works closely with the SPDX Software Bill of Materials (SBOM). This means that vulnerability scans can be carried out completely independently of the original BitBake build process, at a later stage and based on the data sets created during the last build.

To use the vex class, add the following to ``conf/local.conf``:

.. code-block:: text

   INHERIT += "vex"

.. admonition:: Please note
   :class: note

   The vex class was introduced as a new Yocto feature with version 6.0 (Wrynose). Meanwhile, it has been backported to the Scarthgap LTS version and is available since release point Yocto-5.0.15.

   Please be aware that the vex class is incompatible with the cve-check class. If you use the vex class, remove the cve-check class from your local.conf.

CVE management with open source tools
-------------------------------------

There are a number of very expensive tools available for CVE management. However, there are also some free open-source solutions. One of these is `VulnScout`_. VulnScout is designed to analyse and identify vulnerabilities in software components and dependencies using an SBOM and the cve-check or vex data generated during the build.
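As an added illustration of stages 2 and 3 of the lifecycle, applied to the two data formats just described (example code, not from the Yocto project or VulnScout): a Python script that reads a cve-check JSON report together with an OpenVEX document, honours only VEX statements that actually close a finding (``fixed``, or ``not_affected`` backed by a justification), and returns the remaining unpatched CVEs at or above a CVSS v3 threshold, highest score first. The report field names follow the cve-check JSON layout as assumed here, so verify them against your own build's report; the package, CVE ids and VEX document are constructed placeholders.

```python
import json

# Constructed cve-check style report (field names assumed; CVE ids are placeholders).
CVE_CHECK_REPORT = json.dumps({"version": "1", "package": [{
    "name": "busybox", "layer": "meta", "version": "1.36.1", "issue": [
        {"id": "CVE-0000-0001", "scorev3": "9.8", "status": "Unpatched"},
        {"id": "CVE-0000-0002", "scorev3": "8.1", "status": "Unpatched"},
        {"id": "CVE-0000-0003", "scorev3": "5.3", "status": "Unpatched"},
        {"id": "CVE-0000-0004", "scorev3": "7.5", "status": "Patched"}]}]})

# Constructed OpenVEX document: the first statement closes a finding with a
# justification, the second lacks one and must not be honoured.
PRODUCT = [{"@id": "pkg:generic/busybox@1.36.1"}]
OPENVEX_DOC = json.dumps({
    "@context": "https://openvex.dev/ns/v0.2.0", "@id": "https://example.invalid/vex/1",
    "author": "placeholder", "timestamp": "2024-01-01T00:00:00Z", "version": 1,
    "statements": [
        {"vulnerability": {"name": "CVE-0000-0001"}, "products": PRODUCT,
         "status": "not_affected", "justification": "vulnerable_code_not_present"},
        {"vulnerability": {"name": "CVE-0000-0002"}, "products": PRODUCT,
         "status": "not_affected"}]})

def vex_closed(vex_text):
    """CVE id -> status for statements that legitimately close a finding:
    'fixed', or 'not_affected' backed by a justification or impact statement."""
    closed = {}
    for st in json.loads(vex_text)["statements"]:
        cve = st["vulnerability"]["name"]
        if st["status"] == "fixed":
            closed[cve] = "fixed"
        elif st["status"] == "not_affected" and (
                st.get("justification") or st.get("impact_statement")):
            closed[cve] = "not_affected"
    return closed

def open_findings(report_text, vex_text, min_score=7.0):
    """Unpatched CVEs with CVSS v3 >= min_score that VEX does not close,
    highest score first: the prioritisation stage of the lifecycle."""
    closed = vex_closed(vex_text)
    rows = []
    for pkg in json.loads(report_text)["package"]:
        for issue in pkg["issue"]:
            score = float(issue.get("scorev3") or 0.0)
            if issue["status"] != "Unpatched" or score < min_score:
                continue
            if issue["id"] not in closed:
                rows.append((pkg["name"], issue["id"], score))
    return sorted(rows, key=lambda r: r[2], reverse=True)
```

On the constructed data, ``open_findings(CVE_CHECK_REPORT, OPENVEX_DOC)`` returns only CVE-0000-0002: the 9.8 finding is closed by a justified VEX statement, the unjustified statement for CVE-0000-0002 is ignored, and the 5.3 finding falls below the threshold.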
Installation of VulnScout
^^^^^^^^^^^^^^^^^^^^^^^^^

VulnScout provides a Yocto layer to scan data during the build process. **meta-vulnscout** is a Yocto meta-layer that uses VulnScout to scan a project, export its Software Bill of Materials (SBOM), and list the vulnerabilities affecting it. Currently the supported formats are CycloneDX, SPDX, Yocto JSON files, and OpenVEX.

For installation, clone the git repository into your layers directory:

.. code-block:: text

   cd /layers
   git clone -b scarthgap https://github.com/savoirfairelinux/meta-vulnscout.git

Add the new layer to your bblayers.conf file:

.. code-block:: text

   BBLAYERS += "${BSPDIR}/layers/meta-vulnscout"

To enable and configure VulnScout for all images, add the following lines to your local.conf:

.. code-block:: text

   # Required settings for VulnScout
   require conf/distro/include/vulnscout-core.inc

The scan and analysis of vulnerabilities can be started with:

.. code-block:: text

   bitbake karo-image-weston -c vulnscout

Then open your browser to view the results:

.. code-block:: text

   http://localhost:7275

.. _`Vulnerability check at build time`: https://docs.yoctoproject.org/scarthgap/dev-manual/vulnerabilities.html#checking-for-vulnerabilities
.. _`VulnScout`: https://vulnscout.readthedocs.io/en/v0.14/introduction.html