
Comparison and Proposal of Vulnerability Management Approaches in Yocto-Based Linux for the EU CRA

Akihiko Takahashi, Fujitsu
Presentation material from the OSS Security Meetup held on January 15, 2026

Linux Foundation Japan

January 21, 2026

Transcript

  1. Comparison and Proposal of Vulnerability Management Approaches in Yocto-Based Linux for the EU CRA
     January 15, 2026, Akihiko Takahashi, Fujitsu Limited ©2026 Fujitsu Limited 1
  2. $ whoami
     Akihiko Takahashi, Fujitsu Ltd
     ⚫ Account
       ⚫ Qiita: @flying-pan
       ⚫ LinkedIn: https://www.linkedin.com/in/akihiko-takahashi-26b1a52ab/
     ⚫ Job Responsibilities
       ⚫ Developer of Linux Distributions for Edge Computing
       ⚫ Infrastructure Engineer for Cloud
     ⚫ Community
       ⚫ OpenSSF SBOM Everywhere SIG
       ⚫ Japan Technical Jamboree
       ⚫ yocto project
       ⚫ OpenChain Japan WG
     ⚫ Technical Background
     ⚫ Hobby
       ⚫ Mini 4WD
       ⚫ Skiing
       ⚫ Jazz
  3. Target Audience of This Presentation
     ⚫ Main Target Audience
       ⚫ Manufacturers subject to EU CRA (Cyber Resilience Act) who are currently using Yocto Project.
         (Rationale: This presentation aims to provide information that can assist them in considering their compliance requirements.)
     ⚫ Secondary Target Audiences
       ⚫ Manufacturers not subject to the CRA but using Yocto Project.
         (Rationale: Vulnerability management principles often overlap, and this presentation may offer insightful information for them.)
       ⚫ Anyone interested in the topic of embedded Linux security.
         (Rationale: We aim to provide valuable information for a broad audience interested in this topic.)
  4. Note
     ⚫ This presentation does not give any legal advice about EU CRA (Cyber Resilience Act).
     ⚫ The presenter is not a legal expert and cannot take responsibility for any detailed interpretation of the law.
     ⚫ The main purpose of this presentation is to focus on studying and comparing how to report security issues in Yocto Linux. Thank you for your understanding.
  5. Agenda
     1. Overview
     2. Core Keywords
     3. Designing Vulnerability-Aware Releases
     4. Tools and Methods Overview
     5. Evaluation of Tools and Methods
     6. Conclusions
  6. yocto
     ⚫ The standard tool for generating embedded Linux
     ⚫ Generates Linux images, packages, SBOM, and VEX based on recipes, which serve as blueprints
     ⚫ Recipes can also include CVE patches and Not Affected information
     yocto is a tool for generating Linux distributions, and it is also an OSS project
  7. Article 14 Reporting obligations of manufacturers in CRA 1/3
     ⚫ Since 9/11/2026 (Article 14 of the EU Cyber Resilience Act)
  8. Article 14 Reporting obligations of manufacturers in CRA 2/3
     ⚫ Scope
       ⚫ Manufacturers of products with digital elements.
     ⚫ Reporting recipients
       ⚫ Via the single reporting platform, simultaneously to:
         ⚫ the CSIRT designated as coordinator
         ⚫ ENISA.
     ⚫ Covered events
       ⚫ Actively exploited vulnerabilities in the product with digital elements.
       ⚫ Severe incidents having an impact on the security of the product with digital elements
  9. Article 14 Reporting obligations of manufacturers in CRA 3/3
     ⚫ Reporting timeline (general)
       ⚫ Early warning ≦ 24 h
       ⚫ Initial notification ≦ 72 h
       ⚫ Final report:
         ⚫ Final report ≦ 14 days after a fix for Actively Exploited vulnerabilities
         ⚫ Final report ≦ 1 month after we are notified of a severe incident.
     ⚫ User notification obligation
       ⚫ Inform affected (or all) users of risks and user-side mitigations (preferably machine-readable)
       ⚫ CSIRT may notify if manufacturer fails.
     Article 64 Penalties: Fines up to EUR 15,000,000 or 2.5% of the total worldwide annual turnover, whichever is higher.
  10. Focus on Determining Actively exploited vulnerabilities
      ⚫ Determine whether a vulnerability is actively exploited
      ⚫ Reporting & User notification
        ⚫ Early warning ≦ 24 h
        ⚫ Initial notification ≦ 72 h
        ⚫ Vulnerability ≦ 14 days after a fix is available
        ⚫ Notify users, providing the information in a machine-readable format
      In this study, we focus on identifying actively exploited vulnerabilities.
  11. State transition diagram for release and vulnerability management
      (Diagram; only its labels are recoverable here.)
      ⚫ States: Release, Daily run, Deployed, Affected, Not Affected, Fixed
      ⚫ Transitions: Build & Deploy (CI/CD), Trace Vulnerability (CI/CD), Investigate Vulnerability, Handle false positives, Fix
      ⚫ Branch condition after tracing: "Potentially Actively Exploited Vulnerability is found by CI/CD" versus "is not found"
      ⚫ Legend: steps run by CI/CD versus steps done manually
  12. List of Implementation Methods
      A) yocto cve-check
      B) yocto-vex-check
      C) OWASP Dependency-Track
      D) sbom-cve-check (*) (Investigating)
      (*)… https://github.com/bootlin/sbom-cve-check
  13. yocto cve-check 1/2
      ⚫ Description: It cross-checks each software component's recipe name and version information against a CVE database and generates reports per recipe as well as per image.
      ⚫ Yocto standard feature
      ⚫ Vulnerability data sources
        ⚫ NVD Data Feeds
      Source: yocto project official document (*)
      (*)… https://docs.yoctoproject.org/dev/dev-manual/vulnerabilities.html
  14. yocto cve-check 2/2
      ⚫ Input (except for the vulnerability data sources)
        ⚫ Recipes
      ⚫ Output
        ⚫ Original format (.json)
      ⚫ False Positive Recording Area
        ⚫ Recipes
      ⚫ How to use
        ⚫ INHERIT += "cve-check"
      ⚫ NOTE
        ⚫ It cannot run at the same time as vex.bbclass. They are exclusive.
  15. yocto-vex-check (*) 1/3
      ⚫ Description: This is a next-generation standard feature in yocto. yocto-vex-check uses CVE information created by vex.bbclass and SPDX metadata created by create-spdx.bbclass in the yocto Project. It checks vulnerabilities quickly without running bitbake, and it helps you do an efficient security review.
      ⚫ Yocto standard feature (planned)
        ⚫ vex.bbclass (yocto-5.1 and later)
        ⚫ yocto-vex-check (coming soon)
      ⚫ Vulnerability data sources
        ⚫ NVD Data Feeds
        ⚫ CVE
      (*)… https://ygreky.com/2025/02/yocto-vex-check/
  16. yocto-vex-check 2/3
      ⚫ Input (except for the vulnerability data sources)
        ⚫ SPDX2.2
        ⚫ cve metadata by vex.bbclass
      ⚫ Output
        ⚫ OpenVEX (.json)
      ⚫ False Positive Recording Area
        ⚫ Recipes
        ⚫ OpenVEX (status "not_affected")
      ⚫ How to use
        ⚫ INHERIT += "vex"
        ⚫ Run the yocto-vex-check script (*) after bitbake
      (*)… https://gitlab.com/ygreky/public/yocto-vex-check
  17. yocto-vex-check 3/3
      ⚫ NOTE
        ⚫ This is the phase before Yocto integration, and we are waiting for the official release.
        ⚫ There are several bugs.
        ⚫ In this investigation, vulnerability matching with NVD Data Feeds could not be performed due to errors.
        ⚫ It cannot run at the same time as cve-check.bbclass. They are exclusive.
  18. OWASP Dependency-Track 1/2
      ⚫ Description: This platform imports CycloneDX data. It centrally manages software components, such as libraries that the software depends on. It provides a UI to analyze these components and to show and reduce vulnerability risks across the whole software supply chain.
      ⚫ Not a yocto standard feature
      ⚫ Vulnerability data sources
        ⚫ NVD
        ⚫ Dependency-Track supports multiple vulnerability data sources, but in this approach, only NVD can be used. This is because create-spdx does not output PURL information, making it impossible to integrate with other data sources.
  19. OWASP Dependency-Track 2/2
      ⚫ Input (except for the vulnerability data sources)
        ⚫ CycloneDX
      ⚫ Output
        ⚫ CycloneDX
      ⚫ False Positive Recording Area
        ⚫ In Dependency-Track
      ⚫ How to use
        ⚫ Generate CycloneDX from the build results of Yocto and import it into Dependency-Track.
      ⚫ NOTE
        ⚫ Yocto does not provide a standard feature to output CycloneDX.
        ⚫ In this approach, we examined the use of OpenSSF protobom/sbom-convert.
  20. Verification Target for Evaluation
      ⚫ Release product: Killer Gateway (*)
      ⚫ Use case: Data Collection Gateway for Smart Grid
      ⚫ Hardware: Raspberry Pi 4
      ⚫ yocto version: yocto-5.1
      ⚫ Repositories:
        ⚫ poky
        ⚫ meta-raspberrypi
        ⚫ meta-openembedded
        ⚫ meta-killer-gateway (original for this study)
      ⚫ Number of packages: 1,883
      (*)… Please refer to ossj2025-killer-gateway-repo-manifests
  21. CI/CD Environment for Evaluation
      ⚫ CI/CD
        ⚫ GitHub Actions
        ⚫ self-hosted runner in Azure Kubernetes Service (Actions Runner Controller)
      ⚫ Build Machine (worker node)
        ⚫ vCPU: 16
        ⚫ Mem: 64 GiB
  22. Definition of Terms
      ⚫ AE Vul
        ⚫ It is a short form of "Actively Exploited Vulnerability."
      ⚫ Potentially Actively Exploited Vulnerability
        ⚫ A vulnerability that may be categorized as an Actively Exploited Vulnerability, while still having the possibility of being a false positive.
        ⚫ In this study, this classification is based on matching the vulnerability list of released products with CISA KEV and ENISA API data (details are provided below).
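The "Trace Vulnerability" step of items 11 and 22 (match the image's still-open CVEs against CISA KEV, then drop the false positives already recorded as not_affected so they are not raised again) can be sketched in Python. This is an added example, not code from the deck, from Yocto or from CISA: the cve-check report, the KEV subset and the OpenVEX statements are constructed samples laid out like those formats, the package versions and CVE-0000-* ids are placeholders, and the ENISA API side is left out because the deck gives no format for it.

```python
# Constructed sample shaped like the per-image JSON report of Yocto cve-check
# ("package" list, each with an "issue" list carrying "id" and "status").
# Package versions and the CVE-0000-* ids are placeholders, not real data.
CVE_CHECK_REPORT = {"version": "1", "package": [
    {"name": "linux-raspberrypi", "version": "0.0", "issue": [
        {"id": "CVE-2024-53150", "status": "Unpatched"},
        {"id": "CVE-2024-53197", "status": "Unpatched"},
        {"id": "CVE-2025-38352", "status": "Unpatched"},
        {"id": "CVE-0000-0001", "status": "Patched"}]},
    {"name": "busybox", "version": "0.0", "issue": [
        {"id": "CVE-0000-0002", "status": "Unpatched"}]}]}

# Constructed subset shaped like CISA's KEV catalog JSON ("vulnerabilities" -> "cveID").
KEV_CATALOG = {"vulnerabilities": [
    {"cveID": "CVE-2024-53150"}, {"cveID": "CVE-2024-53197"}, {"cveID": "CVE-2025-38352"}]}

# Constructed OpenVEX document recording the deck's false-positive decision: the two
# 2024 kernel CVEs are not_affected because the vulnerable code is compiled out.
OPENVEX = {"@context": "https://openvex.dev/ns/v0.2.0", "statements": [
    {"vulnerability": {"name": "CVE-2024-53150"}, "status": "not_affected",
     "justification": "vulnerable_code_not_present"},
    {"vulnerability": {"name": "CVE-2024-53197"}, "status": "not_affected",
     "justification": "vulnerable_code_not_present"}]}

def unpatched_cves(report):
    """Map each CVE id still marked Unpatched in the cve-check report to its packages."""
    found = {}
    for pkg in report["package"]:
        for issue in pkg["issue"]:
            if issue["status"] == "Unpatched":
                found.setdefault(issue["id"], []).append(pkg["name"])
    return found

def kev_ids(catalog):
    return {v["cveID"] for v in catalog["vulnerabilities"]}

def not_affected_ids(vex):
    """CVE ids already judged false positives (OpenVEX status not_affected)."""
    return {s["vulnerability"]["name"] for s in vex["statements"] if s["status"] == "not_affected"}

def potentially_ae(report, catalog, vex):
    """Potentially AE vulns: Unpatched CVEs that are in KEV, minus recorded not_affected ones."""
    open_cves = unpatched_cves(report)
    exploited = (set(open_cves) & kev_ids(catalog)) - not_affected_ids(vex)
    return {cve: open_cves[cve] for cve in sorted(exploited)}

def demo():
    # -> {"CVE-2025-38352": ["linux-raspberrypi"]}; the two 2024 CVEs are suppressed
    return potentially_ae(CVE_CHECK_REPORT, KEV_CATALOG, OPENVEX)
```

Anything left in the result is what a human then investigates (item 23's "Investigate AE vulns manually"), and a confirmed false positive goes back into recipes or OpenVEX rather than being silently dropped.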
  23. Scenario for Evaluation 1/4
      (Timeline figure, 2025; labels as they can be read from the slide.)
      ⚫ 3/28: Release Products
      ⚫ 4/10: Potentially AE vulns detection by CI/CD
      ⚫ 4/12: Investigate AE vulns manually; False Positive Determination
      ⚫ 9/5: Potentially AE vul detection by CI/CD
      ⚫ 9/7: Investigate AE vulns manually; AE vulns Determination; Early warning (≦24h); Initial notification (≦72h); Notify users
      ⚫ 9/10: Build & Deploy Products
      ⚫ 9/12: Release Fixed Products
      ⚫ 9/26: Final report (≦14d); Notify users
  24. Scenario for Evaluation 2/4
      Same timeline as 1/4, annotated with the vulnerabilities involved:
      ⚫ CVE-2024-53150, CVE-2024-53197: kernel vulnerabilities. The vulnerable code is excluded due to the disabled kernel config.
      ⚫ CVE-2025-38352: kernel vulnerability.
      Reference: the number of kernel vulnerabilities in NVD. 2023: 610; 2024: 4433; 2025: 3218 (~2025/11)
  25. Scenario for Evaluation 3/4
      Same timeline as 1/4, overlaid with the state transition diagram of item 11 (Release, Daily run, Build & Deploy, Trace Vulnerability, Investigate Vulnerability, Handle false positives, Fix) and the ≦14d deadline.
  26. Scenario for Evaluation 4/4
      Same timeline as 1/4, overlaid with the state transition diagram of item 11 and the ≦24h, ≦72h and ≦14d deadlines.
  27. Evaluation Results 1/3
      Item | yocto cve-check | yocto-vex-check | OWASP Dependency-Track
      Run time of "Build & Deploy" step | 60 min | 60 min | 60 min
      Run time of "Trace Vulnerability" step | 13.5 min (*) | 2 min (*) | -
      Vulnerability data sources | NVD Data Feeds | NVD Data Feeds, CVE | NVD Data Feeds
      Output vulnerability format | cve-check original format (.json) | OpenVEX (.json) | Not investigated
      (*)… We do not include the time to download the vulnerability DB in the measurement.
  28. Evaluation Results 2/3
      ⚫ yocto cve-check
        ⚫ Pros: Lower CI/CD setup cost than the other options
        ⚫ Cons: You must run bitbake each time to check vulnerabilities; you must keep the Yocto cache
      ⚫ yocto-vex-check
        ⚫ Pros: "Vulnerability Tracing" step is 7× faster than cve-check; two vulnerability sources (NVD and CVE); can make OpenVEX
        ⚫ Cons: This is the phase before Yocto integration (waiting for official release); the supported SPDX version is 2.2, which is outdated
      ⚫ OWASP Dependency-Track
        ⚫ Pros: Rich UI; many features
        ⚫ Cons: Hard to convert yocto results to CycloneDX for Dependency-Track (no stable path today; sbom-convert has issues); cannot pass recipe patches or CVE_STATUS (Ignored / Fixed) into Dependency-Track
  29. Evaluation Results 3/3
      Item | yocto cve-check | yocto-vex-check | OWASP Dependency-Track
      Can use now? | Yes | No | No
      If works as planned | ★★☆ | ★★★ | ★★☆
      NOTE | - | RFC stage (waiting for official release); best choice after release | No stable way to make CycloneDX (when using sbom-convert)
  30. References
      ⚫ yocto PROJECT: https://www.yoctoproject.org/
      ⚫ Cyber Resilience Act: https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act
      ⚫ OpenSSF protobom/sbom-convert: https://github.com/protobom/sbom-convert
      ⚫ yocto-vex-check: https://gitlab.com/ygreky/public/yocto-vex-check
      ⚫ OWASP Dependency-Track: https://owasp.org/www-project-dependency-track/
      ⚫ sbom-cve-check: https://github.com/bootlin/sbom-cve-check
      ⚫ ossj2025-killer-gateway-repo-manifests: https://github.com/ubinux/ossj2025-killer-gateway-repo-manifests
  31. Process Flow for Determining Actively Exploited Vulnerabilities of 3 Methods
      (Flow diagram; only its labels are recoverable here.)
      ⚫ Inputs: Manifest, Recipes, sstate-cache, Download cache
      ⚫ Build & Deploy: yocto bitbake
      ⚫ Trace Vulnerability, path A (cve-check): yocto bitbake cve-check with NVD
      ⚫ Trace Vulnerability, path B (yocto-vex-check): SPDX2.2 and cve metadata into yocto-vex-check, producing OpenVEX
      ⚫ Trace Vulnerability, path C (Dependency-Track): Conversion of SPDX2.2 (update SPDX version to SPDX2.3, remove some fields, protobom/sbom-convert to CycloneDX 1.5, fix CycloneDX to a Fixed CycloneDX1.5), producing CycloneDX VEX
      ⚫ Potentially AE Vul check against CISA KEV and ENISA API, producing the Potentially AE list for the Manufacturer
      ⚫ START / END markers