Standalone CVE management tools for Yocto/OpenEmbedded — find fix commits, automate backporting, and resolve conflicts with AI

Project description

yocto-security-tools

Standalone CVE management tools for Yocto/OpenEmbedded Linux distributions.

Tools

Tool                    Purpose
cve-metadata-extractor  Find fix commits for CVEs from multiple public sources (Debian, OSV, CVEList V5, Ubuntu, NVD)
cve-corrector           Automate backporting CVE fixes to Yocto recipes using devtool
cve-agent               Orchestrate CVE backporting with AI-assisted conflict resolution

Requirements

  • Python 3.9+
  • Git
  • For cve-corrector / cve-agent: a sourced Yocto build environment (BBPATH set)
  • For cve-agent: kiro-cli (or a custom AI backend plugin)

Installation

From PyPI

pip install yocto-security-tools

From source (development)

git clone https://github.com/Ericsson/yocto-security-tools.git
cd yocto-security-tools
pip install -e .

Quick Start

Find CVE fix metadata

# From Yocto cve-summary.json (output of sbom-cve-check)
cve-metadata-extractor --yocto-summary cve-summary.json --output cve-metadata.json

# For a specific CVE
cve-metadata-extractor --cve-id CVE-2024-1234 --cve-component-name openssl

Apply CVE patches

# Source your Yocto build environment first
source oe-init-build-env

# Apply a CVE fix
cve-corrector --cve-id CVE-2024-1234 --cve-info cve-metadata.json

# Resume after manual conflict resolution
cve-corrector --continue

AI-assisted backporting

# Requires kiro-cli (or another AI backend)
cve-agent --cve-id CVE-2024-1234 --cve-info cve-metadata.json --trust

# Batch mode
cve-agent --cve-list cves.txt --cve-info cve-metadata.json --trust

# Use a different AI backend
cve-agent --cve-id CVE-2024-1234 --cve-info cve-metadata.json --backend my_backend

How It Works

graph LR
    E["cve-metadata-extractor<br/>Find fix commits"] -->|cve-metadata.json| C["cve-corrector<br/>Apply patches via devtool"]
    C -->|exit code + state| A["cve-agent<br/>AI-assisted resolution"]
    A -->|subprocess| C

Each tool works independently. Chain them via --cve-info cve-metadata.json.

Supported Input Formats

Format            Flag             Description
cve-summary.json  --yocto-summary  Output from Yocto's sbom-cve-check class
Direct CVE ID     --cve-id         One or more CVE identifiers
CVE list file     --cve-list       Text file with one CVE ID per line (agent only)

Configuration

The extractor reads configuration from cve_metadata_extractor/config.json by default. Override with the CVE_EXTRACTOR_CONFIG environment variable.

Storage (XDG Compliant)

Directory           Default                               Override
Persistent data     ~/.local/share/yocto-security-tools/  CVE_TOOLS_DATA_DIR
Cache (expendable)  ~/.cache/yocto-security-tools/        CVE_TOOLS_CACHE_DIR

Config Keys

Key                 Default           Description
cvelistv5_url       GitHub            Git URL to clone CVEList V5 from
debian_tracker_url  salsa.debian.org  Git URL for Debian tracker
nvd_url             GitHub            Git URL for NVD data
oe_branches         ["scarthgap"]     OE branches to check for fix status

Environment Variables

Variable                 Purpose
CVE_EXTRACTOR_CONFIG     Override config.json path
CVE_TOOLS_DATA_DIR       Override XDG data directory
CVE_TOOLS_CACHE_DIR      Override XDG cache directory
GITHUB_TOKEN             GitHub API access (required for PR metadata)
OPENEMBEDDED_TOKEN       OE mailing list API
BBPATH                   Required for cve-corrector/cve-agent (Yocto build env)
CVE_EXTRA_SOURCES_DIR    Override plugin directory for extractor
CVE_EXTRA_BACKENDS_DIR   Override plugin directory for agent backends

Plugin System

Add custom CVE data sources or AI backends by dropping .py files in the extra/ directory. See extra/README.md for the plugin development guide.

Quick Example: Custom Source

# extra/my_source.py
from cve_metadata_extractor.sources import CveSource, SOURCE_REGISTRY


class MySource(CveSource):
    # Identifier for this source
    name = 'my_source'

    def is_enabled(self, args):
        # Receives the parsed CLI args; return True to activate this source
        return True

    def extract(self, cve_id, stats):
        # Return the four result lists the extractor expects for cve_id;
        # see extra/README.md for what each list holds
        return [], [], [], []


# Register an instance so the extractor queries it alongside the built-in sources
SOURCE_REGISTRY.append(MySource())

Development

python3 -m venv venv
source venv/bin/activate
pip install -e ".[dev]"
pytest

See CONTRIBUTING.md for full development guidelines.

License

MIT — see LICENSE

Project details


Download files

Source Distribution

yocto_security_tools-1.0.1.tar.gz (105.4 kB)

Built Distribution

yocto_security_tools-1.0.1-py3-none-any.whl (130.3 kB)

File details

Details for the file yocto_security_tools-1.0.1.tar.gz.

File metadata

  • Download URL: yocto_security_tools-1.0.1.tar.gz
  • Size: 105.4 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.13

File hashes

Hashes for yocto_security_tools-1.0.1.tar.gz
Algorithm Hash digest
SHA256 c09ed2ffbfab7bd600acb9869a4724da4ae6e8e549a2d3b281bca1b5af3a7bfa
MD5 27958658ee14394f03bd6029dedb9ae6
BLAKE2b-256 8be2e9a3d0c976fea67a391a3e1fd9334142ac29858ba4c7a4cad81802f177cd

Provenance

The following attestation bundles were made for yocto_security_tools-1.0.1.tar.gz:

Publisher: publish.yml on Ericsson/yocto-security-tools

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file yocto_security_tools-1.0.1-py3-none-any.whl.

File hashes

Hashes for yocto_security_tools-1.0.1-py3-none-any.whl
Algorithm Hash digest
SHA256 501d936d89dae3f84876731ed34e689b91bef2e6bceb330cef10f6b186017cce
MD5 91133f5174ae8d39a7704226a8c4e7dc
BLAKE2b-256 95370be00289bf561787ac49459b80ced0b73f53a4b1c70c5b46179f075794cc
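As an added example (not part of the project or of this page), a check of a downloaded release file against the SHA256 and BLAKE2b-256 digests from the two tables above, using Python's hashlib; the filenames and digest values are the ones listed on this page, and everything else is constructed for illustration.

```python
import hashlib
from pathlib import Path

# Digests published on this page for release 1.0.1 (copied from the tables above).
# MD5 is also listed there but is not used here: it offers no collision resistance.
PUBLISHED_HASHES = {
    "yocto_security_tools-1.0.1.tar.gz": {
        "sha256": "c09ed2ffbfab7bd600acb9869a4724da4ae6e8e549a2d3b281bca1b5af3a7bfa",
        "blake2b-256": "8be2e9a3d0c976fea67a391a3e1fd9334142ac29858ba4c7a4cad81802f177cd",
    },
    "yocto_security_tools-1.0.1-py3-none-any.whl": {
        "sha256": "501d936d89dae3f84876731ed34e689b91bef2e6bceb330cef10f6b186017cce",
        "blake2b-256": "95370be00289bf561787ac49459b80ced0b73f53a4b1c70c5b46179f075794cc",
    },
}


def digests_of_bytes(data: bytes) -> dict:
    """Compute the two digests this check compares, as lowercase hex."""
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        # PyPI's BLAKE2b-256 column is BLAKE2b truncated to a 32-byte digest
        "blake2b-256": hashlib.blake2b(data, digest_size=32).hexdigest(),
    }


def verify_bytes(data: bytes, expected: dict) -> dict:
    """Return {algorithm: (expected, actual)} for every digest that does not match.

    An empty dict means the data matches every expected digest."""
    actual = digests_of_bytes(data)
    return {alg: (exp, actual[alg]) for alg, exp in expected.items()
            if actual[alg] != exp.lower()}


def verify_file(path: str, published: dict = PUBLISHED_HASHES) -> dict:
    """Verify a downloaded release file against the published digests for its filename.

    Raises KeyError if the filename is not one of the two release files."""
    p = Path(path)
    return verify_bytes(p.read_bytes(), published[p.name])


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        mismatches = verify_file(path)
        print(f"{path}: {'OK' if not mismatches else 'MISMATCH ' + str(mismatches)}")
```

pip can enforce the same pin at install time when a requirements file lists the package with `--hash=sha256:<digest>` and pip is run with `--require-hashes`.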

Provenance

The following attestation bundles were made for yocto_security_tools-1.0.1-py3-none-any.whl:

Publisher: publish.yml on Ericsson/yocto-security-tools
