The Linux Foundation Member Summit 2021

Scanning and alerting on known vulnerabilities has become an important part of proactive open source management process. This should be a key responsibility of every product security and open source program office. Most vendor tools are focused on the web/application/mobile development ecosystems and typically find vulnerabilities for unaltered dependencies or minimally altered vendored open source. However in embedded software, dependencies may be vendored in source form and modified extensively for the platform. Also embedded build tools such as bitbake allow dependencies to be patched as part of the build. In these cases security scanning can’t just be a static process based on the repository uploaded to your choice of git platform. There is a need to scan during the build process, comparing code against the individual vulnerability patches and their fixes. This can generate a lot of data! In this presentation, we will discuss how we have integrated this vulnerability level scanning into our various environments, the tools we built and will release as open source along with we how we normalize the output and are integrating into our bug tracking and disclosure systems.