How to Use Security Vulnerability Notification in Factory
Summary
This HOWTO covers the process of generating a CVE report for a Factory workorder. Notifications can be pulled on-demand in two ways:
- Desktop Factory
- LinuxLink Web
Workorders scanned by either method, and the resulting reports, will be available on the Security Notification Management page in LinuxLink, where subscriptions for weekly email notifications can be configured per workorder.
Using the Desktop Factory
Prerequisites
- A LinuxLink API keyfile must be installed.
- A subscription allowing security notification must be active.
- A valid seat for the subscription must be assigned to your user account.
Configuration
Configuration for Security Notifications can be done under the "Advanced Build Configuration" menu when running make menuconfig. There are two relevant options:
- Check for CVEs (default enabled) -- Runs checkcves automatically when issuing a bare make or make checkupdates command.
- Subscribe to weekly CVE notifications -- When enabled, any make command which triggers a CVE check will also mark the workorder in its current state for weekly email notification with a new report. This is intended to be enabled when the state of the workorder is a configuration you wish to track security updates in, then disabled in subsequent builds. You can also toggle the subscription on the LinuxLink website.
Generating the Report Manually
Regardless of the Check for CVEs option above, you can trigger a report at any time by running the make checkcves command directly.
$ make checkcves
Example Command Line Output:
Any results found for packages in the workorder are displayed in the terminal:
Package: kernel
Version: 4.9
CVE ID: CVE-2017-1000251
URL: https://nvd.nist.gov/vuln/detail/CVE-2017-1000251
CVSSv2: 8.3
Vector: ADJACENT_NETWORK
Status: Fixed
You also receive a link to the online report, which includes a high-level summary and useful charts.
See below for more information about the possible Status values.
Using the LinuxLink Site
Uploading a Workorder
From the Security Notification Management page, an existing workorder can be uploaded. This will add the config to the page and generate a CVE report.
- Click the Upload Config button and choose the Factory Workorder type.
- Select the Factory workorder file (.config in the top level Factory directory).
- Click Upload.
After the upload completes and the initial report is ready, you will be redirected to the report page. Return to the Notification Management page to toggle the subscription setting, delete the config and its associated reports, or upload another.
Generating a New Report (for an existing workorder)
For existing configurations, already uploaded or synced from a Desktop operation, a new report can be generated on-demand in two ways.
- From the list of configurations on the Notification Management page, click the new link in the corresponding row.
- From the list of previous reports for a specific workorder (the all link for the config row on the Notification Management page), click the Generate New Report button near the top.
Understanding the CVE report
The desktop and web results both list all CVEs found to be relevant to the current workorder. This means that any CVE listed does affect the corresponding package at the currently used version. However, there is more context available in the "Status" field of the report. Below is the explanation of those values.
| Status | Meaning |
|---|---|
| Fixed | A patch to address the CVE is applied in the workorder |
| Unfixed | No patch is currently available |
| Unfixed, Patch not Applied | The local Factory has a patch for this CVE but it is not applied in the workorder. This usually means you should accept patch list updates by running make menuupdate |
| Unfixed, Upgrade Factory | A newer version of the Desktop Factory contains a patch or version upgrade which addresses this CVE |
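The Status values above decide what, if anything, a build engineer has to do with each finding. The following script is an added example, not part of this HOWTO or of the Factory tooling: it parses saved make checkcves terminal output in the field layout shown earlier (Package, Version, CVE ID, URL, CVSSv2, Vector, Status, whether a finding is printed on one line or one field per line), groups findings by Status, and lists the open ones with the follow-up the table above implies, highest CVSSv2 first. The sample output is constructed; apart from the kernel entry shown earlier, the package names and CVE IDs are placeholders, and the recommended actions are this example's reading of the table, not text produced by checkcves.

```python
"""Triage saved 'make checkcves' output by the Status field (added example)."""
import re
from collections import defaultdict

# Field order as printed by checkcves; \s+ between fields accepts both the
# one-line and the one-field-per-line layouts.
FINDING_RE = re.compile(
    r"Package:\s+(?P<package>\S+)\s+Version:\s+(?P<version>\S+)\s+"
    r"CVE ID:\s+(?P<cve>CVE-\d{4}-\d{4,})\s+URL:\s+(?P<url>\S+)\s+"
    r"CVSSv2:\s+(?P<cvss>\d+(?:\.\d+)?)\s+Vector:\s+(?P<vector>\S+)\s+"
    r"Status:\s+(?P<status>[^\n]+)"
)

# Follow-up per Status value, derived from the table in the HOWTO (assumption:
# this mapping is the example's own, not emitted by the tool).
ACTIONS = {
    "Fixed": "none: a patch for this CVE is already applied in the workorder",
    "Unfixed": "no patch available yet: keep the weekly notification subscription on",
    "Unfixed, Patch not Applied": "run 'make menuupdate' to accept the patch list update",
    "Unfixed, Upgrade Factory": "move to a newer Desktop Factory release",
}

# Constructed sample output; only the kernel line comes from the HOWTO, the
# other packages and CVE IDs are placeholders, not real findings.
SAMPLE_OUTPUT = """\
Package: kernel Version: 4.9 CVE ID: CVE-2017-1000251 URL: https://nvd.nist.gov/vuln/detail/CVE-2017-1000251 CVSSv2: 8.3 Vector: ADJACENT_NETWORK Status: Fixed
Package: examplelib Version: 1.2.3 CVE ID: CVE-0000-00001 URL: https://example.invalid/CVE-0000-00001 CVSSv2: 7.5 Vector: NETWORK Status: Unfixed, Patch not Applied
Package: exampletool Version: 0.9 CVE ID: CVE-0000-00002 URL: https://example.invalid/CVE-0000-00002 CVSSv2: 4.3 Vector: NETWORK Status: Unfixed, Upgrade Factory
Package: exampletool Version: 0.9 CVE ID: CVE-0000-00003 URL: https://example.invalid/CVE-0000-00003 CVSSv2: 2.1 Vector: LOCAL Status: Unfixed
You also receive a link to the online report (this line is not a finding).
"""


def parse_checkcves(text):
    """Return one dict per finding found in the text; other text is ignored."""
    findings = []
    for m in FINDING_RE.finditer(text):
        f = m.groupdict()
        f["status"] = f["status"].strip()
        f["cvss"] = float(f["cvss"])
        findings.append(f)
    return findings


def by_status(findings):
    """Group findings by their Status value."""
    groups = defaultdict(list)
    for f in findings:
        groups[f["status"]].append(f)
    return dict(groups)


def action_items(findings, min_cvss=0.0):
    """Open findings (anything not Fixed) at or above min_cvss, highest CVSSv2 first.

    Each item is (cve, package, status, recommended action)."""
    open_items = [f for f in findings if f["status"] != "Fixed" and f["cvss"] >= min_cvss]
    open_items.sort(key=lambda f: f["cvss"], reverse=True)
    return [
        (f["cve"], f["package"], f["status"],
         ACTIONS.get(f["status"], "unknown status: review the online report"))
        for f in open_items
    ]


if __name__ == "__main__":
    found = parse_checkcves(SAMPLE_OUTPUT)
    for status, items in sorted(by_status(found).items()):
        print(f"{status}: {len(items)} finding(s)")
    for cve, pkg, status, action in action_items(found, min_cvss=4.0):
        print(f"{cve} ({pkg}) [{status}] -> {action}")
```

Save the terminal output of a real run to a file and pass its contents to parse_checkcves to get the same triage for a workorder; the min_cvss threshold lets you separate findings that block a build from ones that can wait for the weekly notification.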