CVE Processes of Open Source Projects

Common Vulnerabilities and Exposures (CVE) is a way of identifying known (cyber)security vulnerabilities in products. The vulnerabilities are identified by unique numbers, called CVE numbers. In this document we describe the processes related to vulnerability reporting, preparing patches and deploying them (called CVE processes) used in various Open Source projects, especially those upstream of AllScenariosOS.

The CVE database is available with a search option.

Yocto Project

Yocto leaves security to the user, i.e. the product developer.

Stable branches are updated for security fixes. Yocto LTS updates Bitbake, OE-Core, meta-yocto, and yocto-docs. Other layers are not included in the LTS.

Public mailing list

Checking for CVEs
Yocto provides cve-check.bbclass, which allows checking for CVEs in the NVD.

The class allows defining a product name or version for the CVE check if it differs from the ones in the Yocto recipes. There is a regular run on the OE layers and the results are sent to the public list.

Reporting CVEs to Yocto
A private mailing list should be used: security [at] yoctoproject [dot] org. If it is an upstream issue, they forward it to the corresponding upstream project. They may also report it to the linux-distros list to synchronize a release.

Yocto security policy: Security - Yocto Project
A slide set about CVE monitoring (including Yocto):

Eclipse Foundation projects

Bug reporting
Bug fixes are handled by each project; using Bugzilla is recommended.

Projects do have different policies:

  • Mosquitto asks for direct reporting to Eclipse Bugzilla / the Eclipse security team.
  • Jetty has a proper address for security issues.

Checking for CVEs
No process for automatic checking of CVEs was found. It is up to the project to file for one.

Reporting CVEs to an Eclipse project
The private list to report undisclosed issues is

Issues may also be reported to the Eclipse Foundation’s Bugzilla instance, where they must be tagged as commiter_only. In this case they are visible to all committers.

Committers from the project need to apply for CVE numbers, which are handled by the Eclipse Foundation. There is a strong preference for asking for a CVE just before making the issue public.

Security issues are resolved by the project team, with the Eclipse Security team providing assistance.

Vulnerability policy
A discussion about the Eclipse CVE assignment process (February 2021)

Debian

Debian handles issues for its upstream projects, releasing Debian Security Advisories (DSA) if an important issue affects a Debian package.

Bug reporting
Everyone can report a bug in Debian to the Debian bug tracker (BTS). If it is a security issue, the person should contact the security team instead; the BTS should be used only if the issue is already public.

Checking for CVEs
Debian has a security tracker that automatically downloads all new CVEs and reports the current status on the security tracker website. The source code of the tracker is available via
git clone

The tracker includes data files. New CVE entries should be checked manually to verify the CVE description, whether the package is in Debian, whether it has a vulnerable version, and whether there are any errors in the CVE description. They tag non-Debian packages as Not-For-Us (NFU). A set of scripts in the tracker parses the status and generates the website content.

If the issue exists in Debian, a bug should be filed in the BTS and the right package maintainers informed. They should prepare the bug fix changing as little ABI as possible.

Security updates in Debian are handled by the security team directly.

Debian security team manual
security bug tracker for issues from upstream

Note: the NVD database might be updated much later (days, weeks…) after the CVE is released.

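The manual triage described for the Debian tracker (check the description, decide whether the package is in Debian, tag Not-For-Us entries, record the fixed or unfixed status per package) is easy to follow in code. The example below is added here and is not code from the Debian security tracker or from the post above; it assumes a simplified subset of the tracker's text layout for its CVE list data file (a CVE header line followed by indented status lines such as `- package version`, `[release] - package <status>`, `NOT-FOR-US: ...` and `RESERVED`), and the sample data, CVE ids and package names are constructed for the example.

```python
"""Parse and triage a Debian-security-tracker-style CVE list excerpt.

Added example; not tracker code. It assumes a simplified subset of the
tracker's data-file layout and uses constructed sample data.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample in the (simplified) layout; ids and versions are made up.
SAMPLE = """\
CVE-2099-0001 (Buffer overflow in libexample before 1.2.4)
\t- libexample 1.2.4-1 (bug #900001)
\t[bullseye] - libexample <no-dsa> (Minor issue)
\tNOTE: https://example.invalid/advisory
CVE-2099-0002 (Privilege escalation in SomeWindowsAgent)
\tNOT-FOR-US: SomeWindowsAgent
CVE-2099-0003 (Unspecified)
\tRESERVED
CVE-2099-0004 (Remote code execution in tool-foo)
\t- tool-foo <unfixed> (bug #900004)
"""

HEADER_RE = re.compile(r"^(CVE-\d{4}-\d{4,})(?:\s+\((.*)\))?$")
# Optional "[release]" prefix, then "- package status (note)".
PKG_RE = re.compile(r"^(?:\[(\w+)\]\s+)?-\s+(\S+)\s+(\S+)(?:\s+\((.*)\))?$")


@dataclass
class Entry:
    cve: str
    description: str
    nfu: Optional[str] = None          # product named on a NOT-FOR-US line
    reserved: bool = False
    notes: List[str] = field(default_factory=list)
    # (release or None for unstable, package, status token, note)
    packages: List[Tuple[Optional[str], str, str, Optional[str]]] = field(
        default_factory=list)


def parse_cve_list(text: str) -> List[Entry]:
    """Split the text into entries; unknown lines raise so a human looks at them."""
    entries: List[Entry] = []
    current: Optional[Entry] = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():          # header lines start in column 0
            m = HEADER_RE.match(raw.rstrip())
            if not m:
                raise ValueError(f"unrecognised header line: {raw!r}")
            current = Entry(cve=m.group(1), description=m.group(2) or "")
            entries.append(current)
            continue
        if current is None:
            raise ValueError("status line before any CVE header")
        line = raw.strip()
        if line.startswith("NOT-FOR-US:"):
            current.nfu = line.split(":", 1)[1].strip()
        elif line == "RESERVED":
            current.reserved = True
        elif line.startswith(("NOTE:", "TODO:")):
            current.notes.append(line)
        else:
            m = PKG_RE.match(line)
            if not m:
                raise ValueError(f"unrecognised status line for {current.cve}: {line!r}")
            current.packages.append((m.group(1), m.group(2), m.group(3), m.group(4)))
    return entries


def classify(entry: Entry) -> str:
    """Coarse triage state for one entry, based on the unstable-suite lines."""
    if entry.nfu:
        return "nfu"
    if entry.reserved and not entry.packages:
        return "reserved"
    unstable = [p for p in entry.packages if p[0] is None]
    if not unstable:
        return "needs-review"
    if any(status == "<unfixed>" for _, _, status, _ in unstable):
        return "open"
    if all(status == "<not-affected>" for _, _, status, _ in unstable):
        return "not-affected"
    return "fixed"        # a plain version token means fixed in that version


def triage(text: str) -> dict:
    return {e.cve: classify(e) for e in parse_cve_list(text)}


if __name__ == "__main__":
    for cve, state in triage(SAMPLE).items():
        print(f"{cve}: {state}")
```

Raising on unrecognised lines is deliberate: the post stresses that new entries are checked by hand, so a parser used for reporting should refuse to silently guess at a status it does not understand.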

Our vulnerability process and bug policy have been approved. You can access a FAQ.

CVE identification and tracking approaches used by linux distros

Arch Linux approach

  • CVE identification: this is not automated and relies on community reports / security team findings
  • CVE tracking: they use a custom tracker (github repo). From personal analysis it is not able to print reports and it’s not well automated, but it’s very simple and intuitive to use.

Fedora approach

  • CVE identification: same as arch
  • CVE tracking: they use bugzilla filing CVEs (and other security related issues) with a special tag. CVEs are treated as a special kind of bugs.

Many of the big distros don’t implement automated CVE identification (or at least the security team doesn’t tell us?); they often rely on the community.

Automated vulnerability discovery

This is the most promising open source scanner I found; from the repo we can read:

Vuls is a tool created to solve the problems listed above. It has the following characteristics.

  • Informs users of the vulnerabilities that are related to the system.
  • Informs users of the servers that are affected.
  • Vulnerability detection is done automatically to prevent any oversight.
  • A report is generated on a regular basis using CRON or other methods to manage vulnerability.

It can do local or remote scanning (via SSH) and scan for many different kinds of things;
please refer to the Vuls README for more info.
(To be tested with Oniro)
OpenVAS is a full-featured vulnerability scanner. Its capabilities include unauthenticated and authenticated testing, various high-level and low-level internet and industrial protocols, performance tuning for large-scale scans and a powerful internal programming language to implement any type of vulnerability test.
[Source: openvas[.]org]

OpenVAS is an open source penetration testing tool that can be useful for finding vulnerabilities (from misconfiguration or unpatched CVEs).
It can generate security reports (in XML format; to get a pretty look we need a converter) after scanning the target host over the network (it does NOT run locally on the target).

Commercial products

Unfortunately for us there are very few open source vulnerability scanners; many of them are subscription based. Some examples:

  • NXP Vigiles
  • WhiteSource Software
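The core of what a scanner like Vuls automates ("informs users of the vulnerabilities that are related to the system", "vulnerability detection is done automatically") is matching an installed-package inventory against a CVE feed by product name and version range. The example below is added here and is not Vuls code or code from the post; the inventory, the feed schema (product, introduced version, fixed version) and the CVE ids are constructed for the example, version comparison is a simplified numeric dotted compare rather than dpkg or rpm semantics, and the alias table stands in for the product-name mapping problem that Yocto's CVE_PRODUCT setting addresses for recipes.

```python
"""Match an installed-package inventory against a CVE feed.

Added example; not Vuls code. Feed schema, inventory, aliases and CVE ids
are constructed; version comparison is simplified (numeric dotted parts).
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed inventory, as a local scanner would collect from the package manager.
INVENTORY: Dict[str, str] = {"libssl3": "3.0.7", "curl": "7.68.0", "zlib1g": "1.2.13"}

# Distro package name -> product name used by the feed (constructed mapping).
ALIASES: Dict[str, str] = {"libssl3": "openssl", "zlib1g": "zlib"}

# Constructed advisories; placeholder CVE ids, not real entries.
FEED: List[dict] = [
    {"cve": "CVE-2099-1001", "product": "openssl", "introduced": "3.0.0", "fixed": "3.0.8"},
    {"cve": "CVE-2099-1002", "product": "curl", "introduced": "7.50.0", "fixed": "7.60.0"},
    {"cve": "CVE-2099-1003", "product": "zlib", "introduced": "1.2.0", "fixed": None},
    {"cve": "CVE-2099-1004", "product": "libfoo", "introduced": "0.1", "fixed": "0.2"},
]


def version_key(v: str) -> Tuple[int, ...]:
    """Simplified ordering: numeric dotted components only; anything else is rejected."""
    if not re.fullmatch(r"\d+(\.\d+)*", v):
        raise ValueError(f"unsupported version string: {v!r}")
    return tuple(int(p) for p in v.split("."))


def is_affected(version: str, introduced: str, fixed: Optional[str]) -> bool:
    """Affected when introduced <= version < fixed; fixed=None means still unfixed."""
    v = version_key(version)
    if v < version_key(introduced):
        return False
    if fixed is not None and v >= version_key(fixed):
        return False
    return True


def find_affected(inventory: Dict[str, str], feed: List[dict],
                  aliases: Dict[str, str]) -> List[dict]:
    """Return one hit per (advisory, installed package) pair, sorted by CVE id."""
    by_product: Dict[str, List[Tuple[str, str]]] = {}
    for pkg, ver in inventory.items():
        by_product.setdefault(aliases.get(pkg, pkg), []).append((pkg, ver))
    hits: List[dict] = []
    for adv in feed:
        for pkg, ver in by_product.get(adv["product"], []):
            if is_affected(ver, adv["introduced"], adv["fixed"]):
                hits.append({"cve": adv["cve"], "package": pkg,
                             "installed": ver, "fixed_in": adv["fixed"]})
    return sorted(hits, key=lambda h: h["cve"])


def format_report(hits: List[dict]) -> str:
    """Plain-text report, one line per hit, suitable for a scheduled (cron) run."""
    if not hits:
        return "no known vulnerabilities matched the inventory"
    lines = []
    for h in hits:
        fix = f"fixed in {h['fixed_in']}" if h["fixed_in"] else "no fix available"
        lines.append(f"{h['cve']}: {h['package']} {h['installed']} ({fix})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(find_affected(INVENTORY, FEED, ALIASES)))
```

Two points a practitioner should keep in mind when extending this: the alias table is where most false negatives come from in real scanners (a feed entry for "openssl" will never match a package called "libssl3" without it), and `version_key` deliberately refuses version strings it cannot order rather than guessing, since distro versions carry epochs, revisions and backport suffixes that a naive compare gets wrong.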