BitVex
Automated CRA Compliance for Embedded Linux
Generate spec-compliant OpenVEX reports from Yocto builds by filtering CVEs against your actual hardware configuration.
Getting Started · Features · CLI Reference · Integration · Architecture
The Problem
The EU Cyber Resilience Act (CRA) mandates vulnerability disclosure for connected devices. If you build embedded Linux products with Yocto, you face a critical challenge:
Your SBOM lists 200+ packages. A scanner flags 500 CVEs. How many actually affect your device?
Most are false positives:
| False Positive Source | Why It Doesn't Apply |
|---|---|
gcc-native, cmake-native |
Host-only build tools, never deployed on target |
CONFIG_BT drivers |
Kernel compiled without Bluetooth support |
| WiFi chipset firmware | status = "disabled" in your Device Tree |
Manual triage of hundreds of CVEs per build is unsustainable. BitVex automates it.
What BitVex Does
BitVex takes three inputs from your Yocto build and produces an auditable VEX document:
┌─────────────┐ ┌──────────────┐ ┌─────────────┐
│ SBOM │ │ Kernel │ │ Device │
│ (SPDX) │ │ .config │ │ Tree │
└──────┬──────┘ └──────┬───────┘ └──────┬──────┘
│ │ │
└───────────────────┼────────────────────┘
│
┌──────▼──────┐
│ BitVex │
└──────┬──────┘
│
┌──────▼──────┐
│ OpenVEX │
│ Report │
└─────────────┘
Result: A machine-readable document that tells scanners exactly which CVEs are real, which are mitigated by your hardware config, and why.
Features
Core Filters
| Filter | Input | Rule | OpenVEX Justification |
|---|---|---|---|
| Native Recipes | SBOM package names | Packages ending in -native are build host tools |
component_not_present |
| Kernel Config | .config file |
Drivers with CONFIG_XXX not set to =y or =m |
vulnerable_code_not_present |
| Device Tree | .dts source |
Peripherals with status = "disabled" |
vulnerable_code_not_in_execute_path |
Rules Engine
Define custom filtering rules in bitvex.toml:
[]
= "Mi Empresa <security@empresa.com>"
[[]]
= "OpenSSL parcheado"
= "CVE-2024-12345"
= "openssl"
= "not_affected"
= "vulnerable_code_not_present"
= "Parcheado manualmente en nuestra build"
[[]]
= "WiFi deshabilitado"
= "CVE-2024-*"
= "linux-firmware"
= "not_affected"
= "component_not_present"
Offline Mode
Download the OSV vulnerability database and scan without internet — perfect for air-gapped environments:
# Download (~35 MB for Linux + Alpine + crates.io)
# Scan offline
SBOM Diff
Compare two builds and see what changed:
╔══════════════════════════════════════════════════════╗
║ BitVex - SBOM Diff Report ║
╠══════════════════════════════════════════════════════╣
║ Packages added: 5 ║
║ Packages removed: 2 ║
║ Packages updated: 12 ║
╚══════════════════════════════════════════════════════╝
Download Profiles
Choose your database size based on your needs:
| Profile | Ecosystems | Size | Use case |
|---|---|---|---|
small |
Linux | ~29 MB | Kernel-only devices |
medium |
Linux, Alpine, crates.io | ~35 MB | Typical embedded |
big |
+ Debian, PyPI | ~116 MB | Full coverage |
complete |
All 10 ecosystems | ~822 MB | Maximum audit |
Getting Started
Prerequisites
- Rust 1.85+ (install via rustup)
- Three files from your Yocto build:
- SBOM in SPDX JSON format (generated by
meta-spdxscannerorsyft) - Kernel
.configfile - Device Tree source (
.dts)
- SBOM in SPDX JSON format (generated by
Install
Quick Start
# 1. Download vulnerability database (one time, ~35 MB)
# 2. Scan your build
# 3. Or scan offline (no internet needed)
Output
╔══════════════════════════════════════════════════════╗
║ BitVex - CRA Compliance Report ║
╠══════════════════════════════════════════════════════╣
║ Total packages analyzed: 142 ║
║ Native packages filtered: 23 ║
║ Kernel drivers filtered: 12 ║
║ DTS disabled filtered: 5 ║
║ ───────────────────────────────────── ║
║ CVEs marked not_affected: 40 ║
║ CVEs marked fixed: 0 ║
║ Real CVEs to address: 12 ║
╚══════════════════════════════════════════════════════╝
CLI Reference
Scan Mode (default)
bitvex [OPTIONS] --sbom <PATH> --kernel-config <PATH> --device-tree <PATH>
Options:
--sbom <PATH> SBOM in SPDX JSON format
--kernel-config <PATH> Linux kernel .config file
--device-tree <PATH> Device Tree source (.dts)
-o, --output <PATH> Output OpenVEX file [default: bitvex-report.vex.json]
--author <STRING> VEX document author
--rules <PATH> Path to bitvex.toml rules file
--offline Use offline OSV database
--download-db Download DB before scanning
--profile <PROFILE> Download profile (small/medium/big/complete)
-y, --yes Skip confirmation prompts
-v, --verbose Enable debug logging
Diff Mode
bitvex diff --old <PATH> --new <PATH> [--output <PATH>]
Download Database
bitvex download-db [OPTIONS]
Options:
--db-path <PATH> Custom database path
--ecosystems <LIST> Comma-separated ecosystems
--profile <PROFILE> small | medium | big | complete
-y, --yes Skip confirmation prompt
Integration
CI/CD Pipeline
# GitHub Actions example
- name: Download OSV Database
run: bitvex download-db --profile medium -y
- name: Generate VEX Report
run: |
bitvex \
--offline \
--sbom build/image-spdx.json \
--kernel-config build/.config \
--device-tree build/board.dts \
--output vex-report.vex.json \
--author "${{ github.repository_owner }} <ci@${{ github.repository_owner }}.com>"
- name: Upload VEX Artifact
uses: actions/upload-artifact@v4
with:
name: vex-report
path: vex-report.vex.json
Yocto Integration
Add BitVex to your Yocto build as a post-build step in local.conf:
# Generate VEX report after image build
IMAGE_POSTPROCESS_COMMAND += "generate_vex_report; "
generate_vex_report() {
bitvex \
--offline \
--sbom ${DEPLOY_DIR_IMAGE}/${IMAGE_NAME}.spdx.json \
--kernel-config ${STAGING_KERNEL_BUILDDIR}/.config \
--device-tree ${STAGING_KERNEL_BUILDDIR}/arch/${ARCH}/boot/dts/*.dts \
--output ${DEPLOY_DIR_IMAGE}/${IMAGE_NAME}.vex.json
}
Input Format Requirements
Produced by Yocto's meta-spdxscanner or tools like syft. Required fields per package:
name— package identifierversionInfo— version stringexternalRefs— optionalpurl(Package URL)
Standard Linux kernel configuration. Located at ${STAGING_KERNEL_BUILDDIR}/.config in a Yocto build.
Source format, not compiled .dtb. To decompile:
In Yocto, the preprocessed DTS is typically in ${STAGING_KERNEL_BUILDDIR}/arch/${ARCH}/boot/dts/.
Architecture
src/
├── main.rs Pipeline orchestration
├── lib.rs Public API exports
├── cli.rs CLI args + subcommands (clap)
├── sbom/
│ ├── spdx.rs SPDX JSON parser
│ └── diff.rs SBOM diff engine
├── osv/
│ ├── client.rs Async OSV API client (online)
│ ├── offline.rs Offline OSV provider
│ └── db.rs DB download with profiles + progress
├── filters/
│ ├── native.rs Host-only recipe filter
│ ├── kernel_config.rs .config cross-reference
│ ├── device_tree.rs DTS status cross-reference
│ └── rules.rs Custom rules engine
├── rules/
│ └── mod.rs bitvex.toml parser + rule matching
├── vex/
│ └── openvex.rs OpenVEX v0.2.0 generator
└── output/
└── console.rs Console summary formatter
Development
Security Model
BitVex follows the principle of least privilege:
- No credentials required — OSV API is free and anonymous
- No data sent — only package names/versions are transmitted to OSV
- Offline mode — download DB once, scan without internet
- Local processing — all filtering happens on your machine
- Deterministic output — same inputs produce the same VEX document
License
This project is licensed under the Server Side Public License (SSPL-1.0).
What this means:
- You can use, modify, and distribute BitVex freely for internal/non-commercial purposes
- If you offer BitVex as a service (SaaS), you must make your entire service stack open source under SSPL-1.0
- For commercial licensing or OEM integration, contact the author
Author: Manuel Neto Romero
Acknowledgments
- OpenVEX — VEX specification
- OSV — vulnerability database
- CISA — VEX minimum requirements
- Yocto Project — embedded Linux build system