Quickstart guide for Yocto projects

Prerequisites

Build your image. Make sure that you have the following inherits in your layer which is necessary to create spdx and yocto cve sources for vulnscout:

    inherit create-spdx
    inherit cve-check

Copy bin/vulnscout.sh into root of the project.
Create .vulnscout folder at the root of your project. Copy the yocto.rc conf file from bin/.vulnscout-example in the vulnscout repository into your .vulnscout folder.
Modify the necessary paths in yocto.rc to use your spdx and cve files as sources. If you have a meta-cyclonedx layer, you can also use CDX_SOURCES, otherwise, comment out the variable.

Note	Cyclonedx generates SBOM of all the packages in your project, not only those used to create a particular image.

Run ./vulnscout.sh --verbose scan to run a scan and open http://localhost:7275 to view the results.

Note	The `--verbose` option is to see all the logs. You can omit that if you prefer quiet mode.

Make use of filters in each tab. For example, under the Vulnerabilities title in the interface, you can Hide (already) fixed vulnerabilities.
Check the .vulnscout/output to see the default reports and sboms created by vulnscout. Other reports/sboms are available under the Exports title in the interface.
The default summary report lists only CVEs with more than 50% EPSS. To change that you need to add a custom template in .vulnscout/templates and add its name in the GENERATE_DOCUMENTS variable in yocto.rc. An example template is provided in this repository at bin/.vulnscout-example/templates/report_template_summary.adoc. Its generated report will display up to 15 vulnerabilities with more than 0% EPSS and also list the package information.

Note	For more information on customizing template, see `WRITING_TEMPLATES.adoc`.