YoVDO

Detecting and Fixing CVE Security Issues in Yocto-Based Embedded Linux Distributions - Mikko Rapeli

Offered By: Yocto Project via YouTube

Tags

Yocto Project Courses Embedded Linux Courses Security Vulnerabilities Courses Bitbake Courses

Course Description

Overview

Explore the process of detecting and fixing CVE security issues in Yocto-based embedded Linux distributions in this 36-minute conference talk by Mikko Rapeli. Learn how to utilize the Yocto CVE checker to identify security vulnerabilities in your product, apply fixes for detected issues, and navigate common challenges in this critical aspect of software development. Gain insights into best practices for maintaining high-quality software projects, including CVE scanning tooling, inputs and outputs, and the application of security fixes. Delve into topics such as poky reference distribution, layered architecture, differences between Debian/Ubuntu and Yocto, Bitbake recipes, CVE data fields, and CPE. Understand the limitations of CVE scanning and patching, addressing issues like name and version matching, embedded source code, and incomplete CVE data. Benefit from years of experience as you explore this essential aspect of embedded Linux security.

Syllabus

Intro
Motivation
poky reference distribution
Layered architecture
Differences between Debian/Ubuntu and yocto?
Bitbake recipe is the source package
What is a CVE security issue?
CVE data fields
Example CVE
CPE: Common Platform Enumeration
CVE data is buggy
Linux distro users?
What yocto CVE check does?
CVE check output for busybox
Yocto community maintenance
Update or patch?
Update minor version
Full distro version updates
Problems and limitations in yocto CVE scanning and patching, and CVE scanning in general
Fix name matching with CVE_PRODUCT
Fix version matching with CVE_VERSION
Embedded source code in open source
Embedded open source SW inside binaries
Bad CVE data
Incomplete CVE data
Too complex patches


Taught by

Yocto Project
