Digi ConnectCore Security Services allow you to scan your firmware SBOM (Software Bill of Materials) for vulnerabilities after your firmware has been released or deployed, using Digi Remote Manager. This enables ongoing detection and remediation of security issues throughout your device’s lifecycle, helping ensure your devices remain protected against newly discovered threats.

This workflow is designed for teams who want to monitor production firmware images for vulnerabilities, by uploading their firmware and SBOM packages to Digi Remote Manager and performing CVE scans through its web interface.

By following the process below, you can upload your firmware and SBOM packages, perform CVE scans, and review detailed security reports to help ensure your device remains protected throughout its lifecycle. To do so, follow these steps:

1. Create the update package

To learn how to create the update package (.swu), see Build a software update package.

2. Create the SBOM manifest package

SBOM generation support in Digi Embedded Yocto is incorporated in the ccss class. This class must be inherited into your project’s conf/local.conf configuration file in order to generate SBOM manifest packages of your images:

conf/local.conf
INHERIT += "ccss"

This class adds additional dependencies and tasks that will slightly increase image build time.

With this class, an SBOM manifest package is created for any image built within your project, including ramdisk images. SBOM manifest packages are stored in your project’s root directory with the name CCSS_<image>-<timestamp>.zip, for example: CCSS_dey-image-webkit-20251003110223.zip

You can also enable SBOM generation only for a subset of images via the CCSS_ENABLE variable, for example:

conf/local.conf
INHERIT += "ccss"

# Disable global SBOM generation
CCSS_ENABLE = "0"

# Enable SBOM generation only for dey-image-qt and dey-image-webkit images
CCSS_ENABLE:pn-dey-image-qt = "1"
CCSS_ENABLE:pn-dey-image-webkit = "1"

3. Upload the packages to the Remote Manager firmware repository

Custom update packages must be stored in the Digi Remote Manager firmware repository. Once your packages are in the repository, you can use them in Automations and Templates, as well as monitor and analyze them to look for CVE vulnerabilities if you have a subscription to Digi ConnectCore Security Services.

Each user can store up to 10 GB of custom firmware. After reaching this limit, you cannot upload custom firmware until you delete package(s). If you need more space, please contact a Digi representative.

Remote Manager repository is accessible using Remote Manager web service APIs and can be managed using:

See ConnectCore Cloud Services web services for more information on how to use web service APIs.

Firmware page

You can access the Remote Manager firmware repository from the web interface and upload your device firmware:

  1. Log in to your Remote Manager account (https://remotemanager.digi.com).

  2. Select System > Firmware on the left bar.

  3. Go to the Custom Device Firmware tab.

  4. Click the Add Firmware button to open the wizard.

  5. Fill in the fields to identify this firmware in the repository.

Step 1: Details

  1. Select the Vendor ID called Digi ConnectCore (0xFE080003).

  2. Choose the Device Type of the devices you are going to update with this firmware. See Device type setting.

  3. Enter the Firmware Version of this package.

  4. Type the URL of the firmware Release Notes.

  5. Click Add files and select your update package (.swu) from your local file system.

  6. Click Continue.

Step 2: Security

  1. If you have a subscription to Digi ConnectCore Security Services, you can enable the SBOM CVE Analysis and Monitoring option to scan your firmware for vulnerabilities and get CVE reports:

    1. Choose the SBOM Scan Frequency, which is how often the firmware should be scanned for vulnerabilities. If you don’t want to scan it periodically, choose Manual.

    2. Choose whether you want to receive email notifications when scans are completed by enabling the Email Notification for CVE Scans option.

    3. Click Add file and select the SBOM manifest package (.zip) from your local file system.

  2. Otherwise, select the CVSS option that best describes this firmware. Choose the CVSS score of the most severe vulnerability fixed by this firmware version.

  3. Click Continue.

Step 3: Availability

  1. Choose if this firmware is Production ready or not.

  2. Choose if this firmware is Deprecated or not.

  3. If your Digi Remote Manager account has any subaccounts, choose whether this firmware is available for all subaccounts, some of them, or only for the current account.

  4. Click Create to upload your package to the Remote Manager firmware repository. When the upload process finishes, a new entry is added to the table.

For extended Remote Manager web interface usage and reference information, see the Digi Remote Manager User Guide.

API Explorer and third party tools

You can use third-party tools or the API Explorer with the v1/firmware API to create, list, update or remove custom firmware:

  1. Create a new custom firmware using the curl tool.

    $ curl \
       -X POST \
       -u 'username:password' \
       -H X-Pretty:true \
       -H Content-Type:application/octet-stream \
       -F "image=@/path/to/the/swu/package/dey-image-webkit-swu-ccmp25-dvk_5.0.2.2.swu" \
        'https://remotemanager.digi.com/ws/v1/firmware/inventory/FE080003/ccmp25-dvk?firmware_version=5.0.2.2&information_link=https://www.mywebsite.com/my_release_notes&security_related=none&production=true&deprecated=false&filename=dey-image-webkit-swu-ccmp25-dvk_5.0.2.2.swu'

    Where:

    • username is your account username.

    • password is your account password.

    • /path/to/the/swu/package/dey-image-webkit-swu-ccmp25-dvk_5.0.2.2.swu is the absolute path to the firmware file on your development machine.

    The response is similar to the following:

    {
      "location" : "https://remotemanager.digi.com/ws/v1/firmware/image/343236313933373135350a6363696d7839332d64766b0a36373130393633340a0a0a0a313639353338313831333134320a31383531",
      "vendor_id" : 4261937155,
      "type" : "ccmp25-dvk",
      "firmware_version" : "5.0.2.2",
      "file_size" : 204946944,
      "production" : true,
      "deprecated" : false,
      "filename" : "dey-image-webkit-swu-ccmp25-dvk_5.0.2.2.swu",
      "information_link" : "https://www.mywebsite.com/my_release_notes",
      "security_related" : "none",
      "sha_512" : "ec6f103e782c22eb160a159656f72b267a46fd016c63dbeca9425bbf331e766337150cc1aa5c4c6ca6aef5a640071f2da31647e92d463b3ab0110cc17257dca6",
      "sha3_512" : "9cb55e244baa3ea25e3781c16c3300b34f1a2be0de95c2d2ea36385f4d42f91d4ba3252e2d6e18ef648fa09881e3698fc04ff916b0def626e7218bc9d21393e7",
      "firmware_status" : "not_identified",
      "customer_id" : XXXX
    }

    Where XXXX is your customer id.

    The Get Started with ConnectCore Cloud Services demo web application, used in the Get started guide, uploads new firmware to the Remote Manager firmware repository. See the list_repository() method in drm_requests.py, which is called when the Update firmware button on the Management page is clicked.

  2. List the available custom device firmware from the API Explorer:

    1. Log in to your Remote Manager account (https://remotemanager.digi.com).

    2. Go to the System > API Explorer tab.

    3. Click the Examples combo.

    4. Select v1/firmware > List all custom device firmware.

    5. Click Send.

      In the Response, an entry corresponding to the newly created firmware is listed:

      {
        "count": 1,
        "size": 1000,
        "list": [
          {
            "id": 481677,
            "deprecated": false,
            "file_size": 204946944,
            "filename": "dey-image-webkit-swu-ccmp25-dvk_5.0.2.2.swu",
            "firmware_status": "not_identified",
            "firmware_version": "5.0.2.2",
            "information_link": "https://www.mywebsite.com/my_release_notes",
            "location": "https://firmware.devicecloud.com/device_firmware/ccmp25-dvk/5.0.2.2/dey-image-webkit-swu-ccmp25-dvk_5.0.2.2.swu",
            "production": true,
            "security_related": "none",
            "sha_512": "ec6f103e782c22eb160a159656f72b267a46fd016c63dbeca9425bbf331e766337150cc1aa5c4c6ca6aef5a640071f2da31647e92d463b3ab0110cc17257dca6",
            "sha3_512": "9cb55e244baa3ea25e3781c16c3300b34f1a2be0de95c2d2ea36385f4d42f91d4ba3252e2d6e18ef648fa09881e3698fc04ff916b0def626e7218bc9d21393e7",
            "type": "ccmp25-dvk",
            "vendor_id": 4261937155,
            "vendor_name": "Digi ConnectCore",
            "update_time": "2023-09-22T11:24:00.000Z",
            "customer_id": XXXX
          }
        ]
      }

      Where XXXX is your customer id.

    The Get Started with ConnectCore Cloud Services demo web application, used in the Get started guide, lists existing firmware versions in the Remote Manager firmware repository. See the list_repository() method in drm_requests.py, which is called when the Refresh button in the Download from firmware repository tab of the Management page is clicked.

You can use your preferred programming language to perform the update of your connected devices. See ConnectCore Cloud Services web services for more information.
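
Both the upload response and the repository listing above report file_size, sha_512 and sha3_512 for the stored package. The following added example (not part of Digi's documentation or demo application) checks a local .swu file against such an entry before it is rolled out to devices. It assumes the two digest fields are the hex-encoded SHA-512 and SHA3-512 of the file; digest_file, verify_entry and make_sample are hypothetical helper names, and the payload is constructed sample data, not a real package.

```python
import hashlib
import os
import tempfile

def digest_file(path, chunk_size=1 << 20):
    """Stream the file once; return (size, SHA-512 hex, SHA3-512 hex)."""
    sha2, sha3, size = hashlib.sha512(), hashlib.sha3_512(), 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            sha2.update(chunk)
            sha3.update(chunk)
            size += len(chunk)
    return size, sha2.hexdigest(), sha3.hexdigest()

def verify_entry(entry, local_path):
    """Return the fields of a firmware entry that disagree with the local file."""
    size, sha2, sha3 = digest_file(local_path)
    local = {"filename": os.path.basename(local_path), "file_size": size,
             "sha_512": sha2, "sha3_512": sha3}
    mismatches = []
    for field, value in local.items():
        remote = entry.get(field)  # a missing field is None, i.e. a mismatch
        if field.startswith("sha") and isinstance(remote, str):
            remote = remote.strip().lower()  # hex compares case-insensitively
        if remote != value:
            mismatches.append(field)
    return mismatches

def make_sample():
    """Constructed stand-in for a .swu package and its repository entry."""
    payload = b"constructed sample payload, not a real .swu image\n" * 64
    fd, path = tempfile.mkstemp(suffix=".swu")
    with os.fdopen(fd, "wb") as fh:
        fh.write(payload)
    entry = {"filename": os.path.basename(path), "file_size": len(payload),
             "sha_512": hashlib.sha512(payload).hexdigest(),
             "sha3_512": hashlib.sha3_512(payload).hexdigest().upper()}
    return path, entry

if __name__ == "__main__":
    path, entry = make_sample()
    print("intact copy:", verify_entry(entry, path))
    with open(path, "ab") as fh:
        fh.write(b"\x00")  # simulate a package altered after upload
    print("modified copy:", verify_entry(entry, path))
    os.remove(path)
```

An empty list means the local package matches the repository entry; any returned field name should block the rollout until the discrepancy is explained.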

4. Scan the firmware SBOM and view the CVE report

Once the firmware and SBOM manifest packages are in the Remote Manager repository, you can scan the firmware for CVE vulnerabilities and view the report:

  1. Log in to your Remote Manager account (https://remotemanager.digi.com).

  2. Select System > Firmware on the left bar.

  3. Go to the Custom Device Firmware tab.

  4. Select the firmware you want to scan from the table.

  5. Click the CVE Scans and Reports tab on the right panel.

  6. Click the Scan Firmware button to start the scan. The scan process may take several minutes. Once the scan is complete, the scan entry updates in the table with the scan date, status, and number of issues found.

    Depending on your subscription to Digi ConnectCore Security Services, you may have a limited number of scans available per subscription period. You can check your subscription details and remaining scans in the System > Subscriptions section of Digi Remote Manager.
  7. Click the scan entry to view the detailed CVE report:

    1. The Summary tab shows an overview of the scan results, including the total number of issues found and their severity distribution.

    2. The Vulnerabilities tab lists all identified packages with known vulnerabilities, including details such as CVE ID, severity, status, and attack vector. You can click on the CVE ID for each vulnerability to view more details in the NIST National Vulnerability Database.


      You can use the table filters to narrow down the list based on severity, status, or other criteria.

  8. If you want to download the report in PDF format, click the ··· button at the top right of the page and select Download CVE Report as PDF.

For information about scanning development firmware automatically (CI/CD), see Analyze development firmware (CI/CD).