Generate CVE report for software packages after FCOS build?

Hi,

I was wondering if there is a way to generate a list of open/unpatched CVEs for software packages that are integrated into an FCOS image during a cosa build step? If not, are there any recommended approaches for building up a list of open CVEs for a Fedora CoreOS based system?

CVEs can be created after an FCOS image build so we cannot list them directly in the ostree commit. The information is fetched at runtime from the Fedora CVE database but only if you overlay packages right now. You might have to build a script pulling an image, looking at the RPM versions and then querying the Fedora CVE database.
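The matching half of the script suggested above, as an added example that is not from the thread or the Fedora CoreOS project: it takes an `rpm -qa` style package listing from the image and an advisory list (both constructed sample data here; the advisory record shape and the simplified RPM version comparison, which ignores `~` and `^`, are assumptions) and reports packages whose installed version is older than the advisory's fixed version.

```python
"""Report open CVEs by comparing installed RPM EVRs against advisory fixes.

Assumed inputs (not from the original thread): the package listing comes from
`rpm -qa --qf '%{NAME} %{EPOCHNUM}:%{VERSION}-%{RELEASE}\n'` run inside the
pulled image, and each advisory record carries the CVE id, the package name
and the EVR that fixes it. Both inputs below are constructed sample data.
"""
import re

INSTALLED = """\
openssl 1:3.0.9-2.fc38
kernel 0:6.4.4-200.fc38
curl 0:8.0.1-2.fc38
"""

ADVISORIES = [  # constructed, not real Fedora advisory data
    {"cve": "CVE-0000-0001", "name": "openssl", "fixed_evr": "1:3.0.9-3.fc38"},
    {"cve": "CVE-0000-0002", "name": "curl", "fixed_evr": "0:8.0.1-2.fc38"},
    {"cve": "CVE-0000-0003", "name": "kernel", "fixed_evr": "0:6.4.10-100.fc38"},
]

def _segments(s):
    # Split into digit runs and alpha runs, as rpmvercmp does.
    return re.findall(r"\d+|[a-zA-Z]+", s)

def vercmp(a, b):
    """Simplified rpmvercmp (no '~'/'^' handling): returns -1, 0 or 1."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # numeric segment beats alpha
        if x.isdigit():
            x, y = int(x), int(y)          # numeric compare drops leading zeros
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # longer prefix-equal wins

def parse_evr(evr):
    """'1:3.0.9-2.fc38' -> (1, '3.0.9', '2.fc38'); missing epoch means 0."""
    epoch, rest = evr.split(":", 1) if ":" in evr else ("0", evr)
    version, release = rest.rsplit("-", 1)
    return int(epoch), version, release

def evrcmp(a, b):
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    return vercmp(va, vb) or vercmp(ra, rb)

def open_cves(installed_text, advisories):
    """Return [(cve, name, installed_evr, fixed_evr)] for packages still vulnerable."""
    installed = dict(l.split(maxsplit=1) for l in installed_text.splitlines() if l.strip())
    return [(adv["cve"], adv["name"], installed[adv["name"]], adv["fixed_evr"])
            for adv in advisories
            if adv["name"] in installed
            and evrcmp(installed[adv["name"]], adv["fixed_evr"]) < 0]

if __name__ == "__main__":
    for cve, name, have, fixed in open_cves(INSTALLED, ADVISORIES):
        print(f"{cve}: {name} installed {have}, fixed in {fixed}")
```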