I'm happy to say that automatic CVE metric tracking is now on the
autobuilder and automatically feeding to:

https://autobuilder.yocto.io/pub/non-release/patchmetrics/

and the git repository that backs it:

https://git.yoctoproject.org/yocto-metrics/log/

This is working for dunfell/kirkstone/master. It is enabled for
honister but doesn't work since the json CVE output for honister isn't
there.

Not sure if we want to add the json CVE output to honister to enable
that for the short time that release has left?

I plan to run the autobuilder job powering this nightly.

Currently it adds a json file for each run into the yocto-metrics
repository. These are 6MB each though so we're going to get into silly
amounts of data rather quickly so I may have to adjust it to just write
the latest. It would also help the size to use tabs instead of spaces
for indentation.

The autobuilder job currently throws warnings but I think Ross said
he'd send a patch to allow that to be configurable.

Also, this doesn't send the CVE emails Steve currently sends. It would
be possible to add, I'm hoping someone might like to send some patches!

Cheers,

Richard