Scanning for known vulnerabilities in an embedded distribution
A return on experience from the Eclipse Oniro project
- Track: Software composition and dependency management devroom
- Room: D.dependency
- Day: Sunday
- Start: 12:20
- End: 12:40
A Linux distribution is a great playing field for testing vulnerability scanning tools. It is an even better playing field if it includes more operating system kernels, as the Eclipse Oniro project does. Eclipse Oniro targets the Internet of Things (IoT) domain, where fixing security issues is critical.
In this talk, Marta is going to present a return on experience of scanning for known vulnerabilities (CVEs) in the Eclipse Oniro project. The presentation is going to start with an overview of tools based on Yocto's cve-check and additions from the Oniro project. Then it will cover examples of fixes, situations when we found errors in databases and tools, and how we fixed them. Finally, Marta is going to describe ideas for improvements to existing tools and propose new tools that can help the community.
Speakers
Marta Rybczynska
Links
- A previous presentation covering the more general topic of security in the distribution at Embedded Linux Conference 2021
- Oniro project and its security tooling