savoirfairelinux/meta-vulnscout

meta-vulnscout is a Yocto meta-layer that uses vulnscout to scan a project, export its Software Bill of Materials (SBOM), and list the vulnerabilities that affect it. It supports CycloneDX, SPDX, Yocto JSON files, and OpenVEX.

Requirements

The command docker-compose or docker compose should be available on the host device.

The python3-packaging package should be installed on the build host. If you are running in CQFD, you should add it in .cqfd/docker/Dockerfile.

Installation

To install this meta-layer, simply clone the repository into the sources directory and add it to your build/conf/bblayers.conf file:

$ cd sources
$ git clone https://github.com/savoirfairelinux/meta-vulnscout.git

If you are using submodules to manage your sub-repos, you should include this meta-layer using the following commands:

$ cd sources
$ git submodule add https://github.com/savoirfairelinux/meta-vulnscout.git

And in your bblayers.conf file:

BBLAYERS += "/path/to/meta-vulnscout"

Configuration

To enable and configure Vulnscout, you simply add inherit vulnscout in your image recipe.

This project contains an example in recipes-core/images/core-image-minimal.bbappend.

Extra VulnScout configuration for cve-check improvements

meta-vulnscout provides other classes for more accurate cve-check file generation:

- kernel_generate_cve_exclusions.bbclass can be used to integrate a library lib/vulnscout/generate_cve_exclusions_py derived from the script genere-cve-exclusion.
It provides extra kernel CVE details and information through the variable CVE_STATUS.
To integrate this script, add inherit kernel_generate_cve_exclusions through a .bbappend on the kernel recipe, as shown in the example at meta-vulnscout/recipes-kernel/linux/linux-yocto_%.bbappend.

- improve_kernel_cve_report.bbclass can be used to integrate the script improve_kernel_cve_report.py (reference: improve_kernel_cve_report).
It reduces CVE false positives by 70%-80% and provides detailed responses for all kernel-related CVEs by analyzing the files used to build the kernel.
To integrate this script, add inherit improve_kernel_cve_report through a .bbappend on the image recipe, as shown in the example at meta-vulnscout/recipes-core/images/core-image-minimal.bbappend.

- kernel_filter_nonbuilt_cves.bbclass can be used to update the cve-check file by removing CVEs that concern elements not present in the built kernel: a CVE in a driver that isn't compiled doesn't make your kernel vulnerable to it.
It reduces the number of kernel CVEs to deal with by around 70%.
To integrate this class, a simple inherit kernel_filter_nonbuilt_cves in the kernel recipe is enough. After the kernel build, new files are placed in your deploy directory: a file with the .kernel_remaining_cves.json extension contains the remaining active CVEs, and a second file with the .kernel_removed_cves.json extension contains the details of the CVEs that don't apply to your system.
The virtual kernel cve-check file and the final cve-check manifest are also affected by this analysis: every non-built CVE is set to the Ignored status, with detail set to cve-not-compiled-in-kernel and description set to "kernel_filter_nonbuilt_cves detected that this CVE is not affecting the current kernel build.".

Using VulnScout Web Interface

After a normal build, you should see a new .vulnscout folder in ${TOPDIR}/.. (can be modified with variable VULNSCOUT_ROOT_DIR).

The scan and analysis of vulnerabilities can be started with the Yocto command:

bitbake core-image-minimal -c vulnscout

The VulnScout Docker container can also be started without rescanning for new CVEs with the following command:

bitbake core-image-minimal -c do_vulnscout_no_scan

Or you can start it manually with the command:

docker compose -f "<project_root>/.vulnscout/core-image-minimal/docker-compose.yml" up

Without a custom configuration, the web interface is started at the address http://localhost:7275.

Using VulnScout with a CI

It is possible to launch Vulnscout in CI mode, without the web interface, with this command:

bitbake core-image-minimal -c vulnscout_ci

All the files generated by vulnscout are placed by default in <project_root>/.vulnscout/core-image-minimal/output.

Options

vulnscout in CI mode can be launched with a specific fail condition set through an environment variable.

First, you need to pass the environment variable through to BitBake (BB_ENV_PASSTHROUGH_ADDITIONS+=" VULNSCOUT_FAIL_CONDITION"), either once with the export command:

export BB_ENV_PASSTHROUGH="VULNSCOUT_FAIL_CONDITION"

Or on every launch of vulnscout in CI mode:

BB_ENV_PASSTHROUGH="VULNSCOUT_FAIL_CONDITION" bitbake core-image-minimal -c vulnscout_ci

Now you can specify the fail condition with the VULNSCOUT_FAIL_CONDITION variable every time you use vulnscout in CI mode:

VULNSCOUT_FAIL_CONDITION="cvss >= 9.0" BB_ENV_PASSTHROUGH="VULNSCOUT_FAIL_CONDITION" bitbake core-image-minimal -c vulnscout_ci

With this command, vulnscout will list all the CVEs with a CVSS score equal to or higher than 9.0.

It's possible to set more than one condition:

VULNSCOUT_FAIL_CONDITION="cvss >= 9.0 or (cvss >= 7.0 and epss >= 50%)" bitbake core-image-minimal -c vulnscout_ci

With this command, vulnscout will list all critical vulnerabilities (CVSS >= 9.0) and those with both a high CVSS and a high EPSS score.
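As an added illustration (not vulnscout's own code), the following Python evaluator implements the fail-condition syntax shown above (cvss and epss metrics, comparison operators, and/or, parentheses, a percentage for EPSS) over constructed sample records, so you can see which CVEs a given condition would make the CI gate trip on. How vulnscout itself parses the expression is not documented here, so the exact semantics (for example EPSS 50% meaning 0.5) are an assumption.

```python
import ast
import operator
import re

SAMPLE = [  # constructed sample records (not real scan output); EPSS is a 0..1 probability
    {"id": "CVE-0000-0001", "cvss": 9.8, "epss": 0.10},
    {"id": "CVE-0000-0002", "cvss": 7.5, "epss": 0.62},
    {"id": "CVE-0000-0003", "cvss": 7.5, "epss": 0.03},
    {"id": "CVE-0000-0004", "cvss": 5.3, "epss": 0.90},
]
CMP = {ast.GtE: operator.ge, ast.LtE: operator.le, ast.Gt: operator.gt,
       ast.Lt: operator.lt, ast.Eq: operator.eq, ast.NotEq: operator.ne}

def parse_condition(expr):
    """Check a fail condition such as "cvss >= 7.0 and epss >= 50%" and return its AST."""
    # Rewrite percentages to fractions (50% -> 0.5) to match how EPSS is stored (assumption);
    # the rest of the syntax is a subset of Python, so the stdlib parser can read it. Every
    # node that is not a metric comparison or a boolean combination of them is rejected.
    pythonic = re.sub(r"(\d+(?:\.\d+)?)\s*%", lambda m: str(float(m.group(1)) / 100), expr)
    tree = ast.parse(pythonic, mode="eval").body
    for node in ast.walk(tree):
        ok = (isinstance(node, (ast.BoolOp, ast.And, ast.Or, ast.Compare, ast.Load))
              or isinstance(node, tuple(CMP))
              or (isinstance(node, ast.Name) and node.id in ("cvss", "epss"))
              or (isinstance(node, ast.Constant) and type(node.value) in (int, float)))
        if not ok:
            raise ValueError(f"unsupported element in fail condition: {ast.dump(node)}")
    return tree

def evaluate(node, vuln):
    """Evaluate a checked AST against one record; a missing metric counts as 0."""
    if isinstance(node, ast.BoolOp):
        combine = any if isinstance(node.op, ast.Or) else all
        return combine(evaluate(v, vuln) for v in node.values)
    if isinstance(node, ast.Compare):  # also supports chains such as 7.0 <= cvss < 9.0
        left = evaluate(node.left, vuln)
        for op, right in zip(node.ops, node.comparators):
            right = evaluate(right, vuln)
            if not CMP[type(op)](left, right):
                return False
            left = right
        return True
    if isinstance(node, ast.Name):
        return float(vuln.get(node.id, 0.0))
    return float(node.value)  # ast.Constant

def failing_cves(condition, vulns=SAMPLE):
    tree = parse_condition(condition)
    return [v["id"] for v in vulns if evaluate(tree, v)]
```

Because the expression is never handed to eval(), a condition containing anything other than metric comparisons (a function call, an attribute access, an unknown name) is refused with a ValueError instead of being executed.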

Note

Setting the fail condition this way overrides the "VULNSCOUT_ENV_FAIL_CONDITION" variable in vulnscout.bbclass.

Warning

If you set "VULNSCOUT_FAIL_CONDITION" with the export command in your shell, it will always be used until you unset it.

Accelerate NVD database download

For faster NVD database downloads during VulnScout setup, you can set an NVD API key with the variable NVDCVE_API_KEY.

Yocto documentation reference: https://docs.yoctoproject.org/ref-manual/variables.html#term-NVDCVE_API_KEY

You can generate a new NVD key at: https://nvd.nist.gov/developers/request-an-api-key

Using the web interface when building inside a Docker container

The Yocto task vulnscout creates and starts the Docker container with a Web interface available.

Using a Docker container to build the project requires additional configuration to access the web interface.

Indeed, the web interface won't be mapped to the host if the build Docker container is not properly configured.

CQFD requires adding docker-compose (for Ubuntu 22.04 and earlier) or docker-compose-v2 (for Ubuntu 24.04 and later) to your .cqfd/docker/Dockerfile and exporting the following variable:

export CQFD_EXTRA_RUN_ARGS="-v /run/docker.sock:/run/docker.sock"

For a permanent change, you can instead modify the .cqfdrc file with docker_run_args="-v /run/docker.sock:/run/docker.sock".

Now, you can build your image and use the vulnscout task with one of these commands:

If you use CQFD and KAS

cqfd kas shell -c "bitbake <your_Yocto_image> -c vulnscout"

If you use CQFD and the script build.sh made by Savoir-Faire Linux

cqfd run ./build.sh -- bitbake <your_Yocto_image> -c vulnscout

If the container can't be configured this way (e.g., with kas-container), the Vulnscout web interface can still be run directly on the host with the docker-compose command.

Using the improve kernel CVE script

In the recent Whinlatter update, a new script named "improve_kernel_cve_report.py" has been released. This script is better at finding CVEs than cve-check, so it is now used by default with meta-vulnscout.

If you do not want to use this script, you only need to set VULNSCOUT_KERNEL_IMPROVE_CVE to false in the vulnscout.bbclass file.

Warning

To use this script, the project https://git.kernel.org/pub/scm/linux/security/vulns.git/log/, which contains the vulnerabilities, needs to be cloned. meta-vulnscout will automatically clone and use the project when the variable VULNSCOUT_KERNEL_IMPROVE_CVE is set to true. The script only works with SPDX 3.0.

Result

[Screenshot of the result]

License

Copyright (C) 2017-2025 Savoir-faire Linux, Inc.

meta-vulnscout is released under the Apache 2 license.

About

Yocto layer to integrate VulnScout in projects (SBOM Vulnerability Scanning & Assessment tool)