yocto-metrics

This page shows Common Vulnerabilities and Exposures (CVEs) metrics gathered from the Yocto Project autobuilder in graphs. It is updated daily to show the current status of the project.

Each graph (except the pie chart) has an x-axis and a y-axis:

The x-axis represents time. You can filter by time-range using the zoom bar at the bottom.
The y-axis represents the amount of something (CVEs, patches, errors etc.) at a particular point in time. You can zoom here as well, using the bar on the right.

Click on the items in the legend to toggle the visibility of the corresponding line on the graph.

Note the grey, vertical lines representing releases. These lines are not part of the graph’s data but are added to highlight release points in time. They denote the release of new versions or updates of the software. This helps you correlate vulnerability trends with software releases, which can indicate whether vulnerabilities were addressed in a particular release.

Current CVE status for OE-Core/Poky

This section provides a detailed overview of the current status of CVEs for each branch in the OE-Core/Poky repository.

When you click on a branch name, a summary count of CVEs related to that branch is displayed. This count includes the total number of CVEs reported for that branch and so gives a quick overview of the security status of the branch.

Below the summary count, you'll find links to more detailed information about CVEs for that branch. You can easily access more detailed information at the National Vulnerability Database (NVD), about CVEs for each branch by clicking on the provided links.

master

scarthgap

nanbield

kirkstone

dunfell

CVE Trends for `OE-Core/Poky`

This graph shows the trends of CVEs affecting the OE-Core/Poky repository over time.

It shows how many vulnerabilities have been identified within the OE-Core/Poky repository, per branch. The colored lines show the trend of CVEs for each branch, allowing you to see how vulnerabilities evolve over time.

Current Patch Status Metrics

This graph shows the latest patch breakdown metrics.

Hover over a section to see the amount of patches with each status.

Patch Upstream-Status Counts (OE-Core meta directory)

The following two graphs provide insights into the status of patches in the OE-Core meta directory with respect to their upstream status. The upstream status of a patch refers to its relationship with the original source or upstream project from which the patch originates.

Upstream status categories explained

Backport:

The patch has been backported from a newer version of the software or a different branch to an older version or a specific branch.

Backported patches show efforts to apply fixes or features from newer versions to older versions or specific branches.

Deferred:

The patch has been postponed or deferred for later consideration or implementation.

Deferred patches might indicate areas where further review or discussion is needed before applying the patches upstream.

Inappropriate:

This status indicates that the patch is deemed inappropriate for upstream inclusion.

High counts of inappropriate patches might indicate a need for better review processes or clearer guidelines for contributions.

Submitted:

The patch has been submitted upstream but hasn't received a definitive response yet. It’s a transitional state between "Pending" and "Accepted" or "Rejected". Patches in this state are awaiting review and acceptance or rejection by upstream maintainers.

Submitted patches reflect ongoing contributions to upstream projects. A high number of submitted patches might indicate active engagement with upstream maintainers.

Pending:

The patch is pending review or has not yet been applied upstream.

High counts of pending patches might suggest a backlog in the review process or challenges in getting patches accepted upstream.

Denied:

The patch has been rejected upstream, often due to conflicts, incompatibilities, or not meeting project standards.

Rejected patches could signify issues with patch quality, conflicts, or discrepancies between the patch and upstream requirements.

Inactive-Upstream

The upstream is no longer available, due to lack of activity for several years.

Inactive-Upstream patches indicate that the original source code repository is defunct, with no recent commit or releases, and unaddressed bug reports and merge requests. There is no longer active maintenance or development from the original project maintainers to merge the patch.

Total:

The total count of patches in the OE-Core meta directory, regardless of their upstream status.

This provides context for the distribution of patches across different statuses.

Patch Tag Error Counts (OE-Core meta directory)

The Patch Tag Error Counts graph shows the statuses "Malformed Upstream-Status" and "Malformed Signed-off-by" to provide insight into the quality and completeness of patches in the OE-Core meta directory.

Malformed status categories explained

Malformed Upstream-Status:

This category indicates patches with improperly formatted or missing upstream status tags.

A malformed upstream status could be a result of missing or incorrectly formatted tags such as "Upstream-Status:", which is a common tag used to specify the status of the patch upstream.

Patches with malformed upstream status might not be properly tracked or considered for upstream inclusion, as they lack necessary metadata for review.

High counts in this category might indicate issues with patch submission processes or lack of adherence to patch submission guidelines. These patches might be at risk of being overlooked or rejected during the review process due to incomplete metadata.

Malformed Signed-off-by:

This category represents patches with improperly formatted or missing "Signed-off-by" lines. The "Signed-off-by" line in a patch is a tag that signifies the authorship and acknowledgment of the patch. A malformed "Signed-off-by" line could be due to missing or incorrectly formatted authorship information. Properly formatted "Signed-off-by" lines are essential for maintaining authorship attribution and legal compliance.

This category reflects issues with patch authorship and acknowledgment. Patches with malformed "Signed-off-by" lines might lack proper attribution, which can lead to confusion about ownership and legal compliance. Such patches might require additional verification or correction before being considered for inclusion.

Total:

The total count of patches in the OE-Core meta directory, regardless of their upstream status.

This provides context for the distribution of patches across different statuses.

Recipe Count (OE-Core meta directory)

This graph displays the number of recipes. It provides insights into the growth and evolution of the OE-Core meta directory by tracking the number of recipes over time.

A recipe in the context of Yocto and the OE-Core meta directory refers to a set of instructions or metadata files that describe how to build a particular software package. These recipes typically include information about where to obtain the source code, how to configure it, and how to build and install it into the target system.

An increasing recipe count indicates the addition of new software packages or updates to existing ones. It reflects the growth of the OE-Core meta directory over time. A higher recipe count often means better software coverage, allowing users to build a wider range of software packages for their embedded systems. With more recipes, there’s increased maintenance effort to ensure that recipes are up-to-date, correctly configured, and build without errors.