2022-05-19 –, Kirkstone
The cve-check class in OpenEmbedded/Yocto allows to perform a check for known vulnerabilities in a given configuration. Recently the class has gained a new JSON-based output format and a possibility to report recipes without any known security issues. The Eclipse Oniro project team has also worked on fixing issues when running a 'world' build when using multiple layers. In this talk, Marta is going to explain reasons behind those features and how you can benefit from them. She will also describe issues the team encountered and their solutions.
Yocto/OpenEmbedded offers a possibility to check for known security vulnerabilities (CVEs, https://www.cve.org/) in a given image or configuration. The core of the functionality is the cve-check class, which functions verifies a package version against the data in the National Vulnerability Database (NVD, https://nvd.nist.gov/). Until recently, the only output format has been a text file. While easy to understand for a human, it is not designed for machine processing. The recent work has been to add another, JSON-based output, while keeping the old one for compatibility reasons. The new format allows easy machine processing, generation of statistics and the like. The talk will include: the introduction of the cve-check, descriptions of the text and JSON output formats, example tools for post-processing and various lessons learned while enabling a CVE-check for a complete Eclipse Oniro distribution.
Marta Rybczynska has network security background, 20 years of experience in Open Source including 15 years in embedded development.
She has been working with embedded operating systems like Linux and various real-time ones, system libraries and frameworks up to user interfaces. Her specialties are architecture-specific parts of the Linux kernel. In the past, Marta served as Vice-President and treasurer for KDE e.V. She has been involved in various Open Source projects, and also contributing kernel-related guest articles for LWN.net.
In 2021, she founded Syslinbit, an Open Source consulting company. She has been contributing to the Eclipse Oniro project from April 2021 as a consultant.
She has experience with presentations on both scientific and free software conferences, including LinuxCon, Open Source Summit, Embedded Linux Conference, Akademy, FOSDEM and FOSS-north.