Standalone CVE management tools for Yocto/OpenEmbedded — find fix commits, automate backporting, and resolve conflicts with AI
Project description
yocto-security-tools
Standalone CVE management tools for Yocto/OpenEmbedded Linux distributions.
Tools
| Tool | Purpose |
|---|---|
| cve-metadata-extractor | Find fix commits for CVEs from multiple public sources (Debian, OSV, CVEList V5, Ubuntu, NVD) |
| cve-corrector | Automate backporting CVE fixes to Yocto recipes using devtool |
| cve-agent | Orchestrate CVE backporting with AI-assisted conflict resolution |
Requirements
- Python 3.9+
- Git
- For cve-corrector/cve-agent: a sourced Yocto build environment (BBPATH set)
- For cve-agent: kiro-cli (or a custom AI backend plugin)
Installation
From PyPI
pip install yocto-security-tools
From source (development)
git clone https://github.com/Ericsson/yocto-security-tools.git
cd yocto-security-tools
pip install -e .
Quick Start
Find CVE fix metadata
# From Yocto cve-summary.json (output of sbom-cve-check)
cve-metadata-extractor --yocto-summary cve-summary.json --output cve-metadata.json
# For a specific CVE
cve-metadata-extractor --cve-id CVE-2024-1234 --cve-component-name openssl
Apply CVE patches
# Source your Yocto build environment first
source oe-init-build-env
# Apply a CVE fix
cve-corrector --cve-id CVE-2024-1234 --cve-info cve-metadata.json
# Resume after manual conflict resolution
cve-corrector --continue
AI-assisted backporting
# Requires kiro-cli (or another AI backend)
cve-agent --cve-id CVE-2024-1234 --cve-info cve-metadata.json --trust
# Batch mode
cve-agent --cve-list cves.txt --cve-info cve-metadata.json --trust
# Use a different AI backend
cve-agent --cve-id CVE-2024-1234 --cve-info cve-metadata.json --backend my_backend
How It Works
graph LR
E["cve-metadata-extractor<br/>Find fix commits"] -->|cve-metadata.json| C["cve-corrector<br/>Apply patches via devtool"]
C -->|exit code + state| A["cve-agent<br/>AI-assisted resolution"]
A -->|subprocess| C
Each tool works independently. Chain them via --cve-info cve-metadata.json.
Supported Input Formats
| Format | Flag | Description |
|---|---|---|
| cve-summary.json | --yocto-summary | Output from Yocto's sbom-cve-check class |
| Direct CVE ID | --cve-id | One or more CVE identifiers |
| CVE list file | --cve-list | Text file with one CVE ID per line (agent only) |
Configuration
The extractor reads configuration from cve_metadata_extractor/config.json by default.
Override with the CVE_EXTRACTOR_CONFIG environment variable.
Storage (XDG Compliant)
| Directory | Default | Override |
|---|---|---|
| Persistent data | ~/.local/share/yocto-security-tools/ | CVE_TOOLS_DATA_DIR |
| Cache (expendable) | ~/.cache/yocto-security-tools/ | CVE_TOOLS_CACHE_DIR |
Config Keys
| Key | Default | Description |
|---|---|---|
| cvelistv5_url | GitHub | Git URL to clone CVEList V5 from |
| debian_tracker_url | salsa.debian.org | Git URL for the Debian security tracker |
| nvd_url | GitHub | Git URL for NVD data |
| oe_branches | ["scarthgap"] | OE branches to check for fix status |
Environment Variables
| Variable | Purpose |
|---|---|
| CVE_EXTRACTOR_CONFIG | Override config.json path |
| CVE_TOOLS_DATA_DIR | Override XDG data directory |
| CVE_TOOLS_CACHE_DIR | Override XDG cache directory |
| GITHUB_TOKEN | GitHub API access (required for PR metadata) |
| OPENEMBEDDED_TOKEN | OE mailing list API |
| BBPATH | Required for cve-corrector/cve-agent (Yocto build env) |
| CVE_EXTRA_SOURCES_DIR | Override plugin directory for extractor sources |
| CVE_EXTRA_BACKENDS_DIR | Override plugin directory for agent backends |
Plugin System
Add custom CVE data sources or AI backends by dropping .py files in the extra/ directory. See extra/README.md for the plugin development guide.
Quick Example: Custom Source
# extra/my_source.py
from cve_metadata_extractor.sources import CveSource, SOURCE_REGISTRY
class MySource(CveSource):
name = 'my_source'
def is_enabled(self, args): return True
def extract(self, cve_id, stats): return [], [], [], []
SOURCE_REGISTRY.append(MySource())
Development
python3 -m venv venv
source venv/bin/activate
pip install -e ".[dev]"
pytest
See CONTRIBUTING.md for full development guidelines.
License
MIT — see LICENSE
Download files
File details
Details for the file yocto_security_tools-1.0.1.tar.gz.
File metadata
- Download URL: yocto_security_tools-1.0.1.tar.gz
- Upload date:
- Size: 105.4 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.13
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | c09ed2ffbfab7bd600acb9869a4724da4ae6e8e549a2d3b281bca1b5af3a7bfa |
| MD5 | 27958658ee14394f03bd6029dedb9ae6 |
| BLAKE2b-256 | 8be2e9a3d0c976fea67a391a3e1fd9334142ac29858ba4c7a4cad81802f177cd |
Provenance
The following attestation bundle was made for yocto_security_tools-1.0.1.tar.gz:
Publisher: publish.yml on Ericsson/yocto-security-tools
Statement:
- Statement type: https://in-toto.io/Statement/v1
- Predicate type: https://docs.pypi.org/attestations/publish/v1
- Subject name: yocto_security_tools-1.0.1.tar.gz
- Subject digest: c09ed2ffbfab7bd600acb9869a4724da4ae6e8e549a2d3b281bca1b5af3a7bfa
- Sigstore transparency entry: 2062027828
- Sigstore integration time:
- Permalink: Ericsson/yocto-security-tools@66e179a2397d06137ded237c3d05d26bc52e11cd
- Branch / Tag: refs/tags/v1.0.1
- Owner: https://github.com/Ericsson
- Access: public
- Token Issuer: https://token.actions.githubusercontent.com
- Runner Environment: github-hosted
- Publication workflow: publish.yml@66e179a2397d06137ded237c3d05d26bc52e11cd
- Trigger Event: release
File details
Details for the file yocto_security_tools-1.0.1-py3-none-any.whl.
File metadata
- Download URL: yocto_security_tools-1.0.1-py3-none-any.whl
- Upload date:
- Size: 130.3 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.13
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 501d936d89dae3f84876731ed34e689b91bef2e6bceb330cef10f6b186017cce |
| MD5 | 91133f5174ae8d39a7704226a8c4e7dc |
| BLAKE2b-256 | 95370be00289bf561787ac49459b80ced0b73f53a4b1c70c5b46179f075794cc |
Provenance
The following attestation bundle was made for yocto_security_tools-1.0.1-py3-none-any.whl:
Publisher: publish.yml on Ericsson/yocto-security-tools
Statement:
- Statement type: https://in-toto.io/Statement/v1
- Predicate type: https://docs.pypi.org/attestations/publish/v1
- Subject name: yocto_security_tools-1.0.1-py3-none-any.whl
- Subject digest: 501d936d89dae3f84876731ed34e689b91bef2e6bceb330cef10f6b186017cce
- Sigstore transparency entry: 2062028234
- Sigstore integration time:
- Permalink: Ericsson/yocto-security-tools@66e179a2397d06137ded237c3d05d26bc52e11cd
- Branch / Tag: refs/tags/v1.0.1
- Owner: https://github.com/Ericsson
- Access: public
- Token Issuer: https://token.actions.githubusercontent.com
- Runner Environment: github-hosted
- Publication workflow: publish.yml@66e179a2397d06137ded237c3d05d26bc52e11cd
- Trigger Event: release
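Verifying a downloaded release against the file hashes and attestation subjects listed above is the step a practitioner actually wants before running a tool that will rewrite recipes in a build tree. The script below is an added example, not part of the project or of the PyPI page: it recomputes the three digests PyPI shows (BLAKE2b-256 is blake2b with a 32-byte digest), compares them with the published values for both the sdist and the wheel, cross-checks that each attestation's subject digest agrees with the file-hash table, and emits a hash-pinned requirements line for `pip install --require-hashes`. The digest constants are copied from this page; the file paths on the command line and the sample bytes in the test are constructed for illustration.

```python
"""Check a downloaded yocto-security-tools 1.0.1 artifact against the digests and
attestation subjects published on its PyPI page (added example; not project code)."""
import hashlib
import os
import sys

# Digests as shown in the PyPI "File hashes" tables on this page.
PUBLISHED = {
    "yocto_security_tools-1.0.1.tar.gz": {
        "sha256": "c09ed2ffbfab7bd600acb9869a4724da4ae6e8e549a2d3b281bca1b5af3a7bfa",
        "md5": "27958658ee14394f03bd6029dedb9ae6",
        "blake2b_256": "8be2e9a3d0c976fea67a391a3e1fd9334142ac29858ba4c7a4cad81802f177cd",
    },
    "yocto_security_tools-1.0.1-py3-none-any.whl": {
        "sha256": "501d936d89dae3f84876731ed34e689b91bef2e6bceb330cef10f6b186017cce",
        "md5": "91133f5174ae8d39a7704226a8c4e7dc",
        "blake2b_256": "95370be00289bf561787ac49459b80ced0b73f53a4b1c70c5b46179f075794cc",
    },
}

# Subject digests from the two PyPI attestation statements on this page.
ATTESTATION_SUBJECT = {
    "yocto_security_tools-1.0.1.tar.gz":
        "c09ed2ffbfab7bd600acb9869a4724da4ae6e8e549a2d3b281bca1b5af3a7bfa",
    "yocto_security_tools-1.0.1-py3-none-any.whl":
        "501d936d89dae3f84876731ed34e689b91bef2e6bceb330cef10f6b186017cce",
}

# Only collision-resistant algorithms decide trust; MD5 is reported but never relied on.
TRUSTED_ALGORITHMS = ("sha256", "blake2b_256")


def new_hashers() -> dict:
    """Fresh hash objects matching PyPI's three columns (BLAKE2b-256 = blake2b, 32-byte digest)."""
    return {
        "sha256": hashlib.sha256(),
        "md5": hashlib.md5(),
        "blake2b_256": hashlib.blake2b(digest_size=32),
    }


def digest_bytes(data: bytes) -> dict:
    """Hex digests of an in-memory artifact."""
    hashers = new_hashers()
    for h in hashers.values():
        h.update(data)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digest_file(path: str) -> dict:
    """Stream the file in 1 MiB chunks so large artifacts need not fit in memory."""
    hashers = new_hashers()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify(actual: dict, filename: str) -> dict:
    """Per-algorithm match against the published table; an unknown filename matches nothing.
    Also records whether the attestation subject digest agrees with the file-hash table."""
    expected = PUBLISHED.get(filename, {})
    result = {alg: actual.get(alg) == expected.get(alg) for alg in actual}
    result["attestation_subject"] = actual.get("sha256") == ATTESTATION_SUBJECT.get(filename)
    return result


def is_trusted(actual: dict, filename: str) -> bool:
    """True only when every collision-resistant digest and the attestation subject all match."""
    r = verify(actual, filename)
    return all(r[alg] for alg in TRUSTED_ALGORITHMS) and r["attestation_subject"]


def requirements_line(name: str, version: str) -> str:
    """Hash-pinned line for `pip install --require-hashes`; one --hash per published file
    so pip may select either the sdist or the wheel."""
    hashes = " ".join(f"--hash=sha256:{d['sha256']}" for d in PUBLISHED.values())
    return f"{name}=={version} {hashes}"


if __name__ == "__main__":
    # Usage (assumed file names): python verify_release.py yocto_security_tools-1.0.1.tar.gz ...
    # Each argument is matched by its basename against the published table.
    all_ok = True
    for path in sys.argv[1:]:
        name = os.path.basename(path)
        actual = digest_file(path)
        trusted = is_trusted(actual, name)
        all_ok = all_ok and trusted
        print(f"{name}: {'OK' if trusted else 'MISMATCH'} {verify(actual, name)}")
    print(requirements_line("yocto-security-tools", "1.0.1"))
    sys.exit(0 if all_ok else 1)
```

Fetch the artifacts without installing them (`pip download yocto-security-tools==1.0.1 --no-deps -d dist/`), run the script over `dist/*`, and put the printed line in a requirements file installed with `pip install --require-hashes -r requirements.txt` so a later release or a substituted file fails closed. The digest comparison only proves you have the bytes PyPI served; the attestation's publisher identity (publish.yml on Ericsson/yocto-security-tools, trigger `release`, tag v1.0.1) is what ties those bytes to the repository, and the pypi-attestations package can check the Sigstore bundle against that identity.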