
Vulnerability Management at a Scale for the Yocto Project

H.1302 (Depage) | Day 1 | 12:00 - 12:25 | Speakers: Marta Rybczynska, Samantha Jalabert


Abstract

The Yocto Project offers the cve-check class to allow users to check for known vulnerabilities in the packages they include in their distribution. However, the CRA (Cyber Resilience Act) and changes around vulnerability databases require a different approach. The move to multiple databases and more dynamic vulnerability checking is in progress.

In this talk, we will explain the ongoing move to external checking for vulnerabilities in the Yocto Project. This will allow users to verify their distribution years after the release without the original build directory.

As the future of the NVD (National Vulnerability Database) is unknown, we are also considering using other databases, starting with raw data from the CVE (Common Vulnerabilities and Exposures) program.

The audience will also discover VEX (Vulnerability Exploitability eXchange), which allows per-product annotations of vulnerabilities: you can finally say, "Not affected, we disabled the vulnerable configuration option!"
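To make the two ideas above concrete (checking a released distribution against CVE data without the build directory, then annotating the findings with VEX), here is an added example. It is not code from the Yocto Project, the cve-check class or the speakers; the manifest, the CVE records (shaped like the CVE program's JSON 5.x "affected" version ranges) and the OpenVEX-style statements are all constructed for illustration, and the CVE IDs and package URLs are placeholders.

```python
"""Added example, not Yocto Project code: match a build-time package
manifest against CVE records with version ranges, then apply VEX
statements so per-product decisions override the raw matches.
All data here is constructed for illustration."""
import json

# Constructed: the per-package manifest a build could export so that the
# check can be rerun later without the build directory.
MANIFEST = [
    {"name": "zlib", "version": "1.2.11"},
    {"name": "openssl", "version": "3.0.7"},
    {"name": "busybox", "version": "1.36.0"},
]

# Constructed records in the shape of CVE JSON 5.x "affected" entries.
# IDs are placeholders, not real CVEs.
CVE_RECORDS = [
    {"cveId": "CVE-0000-0001", "affected": [{"product": "zlib", "versions": [
        {"version": "0", "lessThan": "1.2.12", "status": "affected", "versionType": "custom"}]}]},
    {"cveId": "CVE-0000-0002", "affected": [{"product": "openssl", "versions": [
        {"version": "3.0.0", "lessThanOrEqual": "3.0.7", "status": "affected", "versionType": "custom"}]}]},
    {"cveId": "CVE-0000-0003", "affected": [{"product": "busybox", "versions": [
        {"version": "1.36.0", "status": "affected", "versionType": "custom"}]}]},
    {"cveId": "CVE-0000-0004", "affected": [{"product": "busybox", "versions": [
        {"version": "1.36.1", "status": "affected", "versionType": "custom"}]}]},
]

# Constructed OpenVEX-style statements: the per-product annotations.
# Product identifiers are assumed to be package URLs (purls).
VEX = {"statements": [
    {"vulnerability": {"name": "CVE-0000-0001"},
     "products": [{"@id": "pkg:generic/zlib@1.2.11"}],
     "status": "not_affected",
     "justification": "vulnerable_code_not_in_execute_path",
     "impact_statement": "Built with the vulnerable configuration option disabled."},
    {"vulnerability": {"name": "CVE-0000-0002"},
     "products": [{"@id": "pkg:generic/openssl@3.0.7"}],
     "status": "fixed",
     "impact_statement": "Upstream fix backported as a recipe patch."},
]}


def vkey(version):
    """Dotted version -> comparable tuple. Numeric parts compare as ints,
    anything else as strings after them. Good enough for this example;
    a real checker must honour the record's versionType rules."""
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in version.split("."))


def in_range(version, rng):
    """Evaluate one CVE 5.x version-range object against a version."""
    if rng.get("status") != "affected":
        return False
    v, start = vkey(version), vkey(rng["version"])
    if "lessThan" in rng:
        return start <= v < vkey(rng["lessThan"])
    if "lessThanOrEqual" in rng:
        return start <= v <= vkey(rng["lessThanOrEqual"])
    return v == start  # a single affected version


def match_cves(manifest, records):
    """Raw findings: every (package, CVE) pair whose version is in range."""
    findings = []
    for pkg in manifest:
        for rec in records:
            for aff in rec["affected"]:
                if aff["product"] != pkg["name"]:
                    continue
                if any(in_range(pkg["version"], r) for r in aff["versions"]):
                    findings.append({"cve": rec["cveId"], "package": pkg["name"],
                                     "version": pkg["version"], "status": "affected"})
    return findings


def purl(pkg, version):
    return f"pkg:generic/{pkg}@{version}"


def apply_vex(findings, vex):
    """Overlay VEX statements on the raw findings, keyed by (CVE, product)."""
    index = {}
    for st in vex["statements"]:
        for prod in st["products"]:
            index[(st["vulnerability"]["name"], prod["@id"])] = st
    annotated = []
    for f in findings:
        st = index.get((f["cve"], purl(f["package"], f["version"])))
        if st:
            f = dict(f, status=st["status"], justification=st.get("justification"),
                     note=st.get("impact_statement"))
        annotated.append(f)
    return annotated


def open_findings(annotated):
    """What still needs action after VEX: affected or not yet triaged."""
    return [f for f in annotated if f["status"] in ("affected", "under_investigation")]


if __name__ == "__main__":
    result = apply_vex(match_cves(MANIFEST, CVE_RECORDS), VEX)
    print(json.dumps(result, indent=2))
    print("open:", [f["cve"] for f in open_findings(result)])
```

Run as-is, the raw match reports three findings; after the VEX overlay only the untriaged busybox entry remains open, while the zlib finding carries the "not_affected" status and its justification for auditors. The version comparison is deliberately minimal: the CVE record's versionType decides how versions are ordered, and a production checker must implement those rules rather than this tuple heuristic.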

This talk is 25 minutes; if we have 50, we can add more content and examples.

Speakers

Marta Rybczynska
Samantha Jalabert
