manuals: initial documentation for CVE management

This starts to document vulnerability management and the use of the CVE_PRODUCT variable (From yocto-docs rev: 2b9199fe490cb3ec126bffc6518646194a94ace4) Signed-off-by: Michael Opdenacker <michael.opdenacker@bootlin.com> Reviewed-by: Quentin Schulz <foss@0leil.net> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Michael Opdenacker <michael.opdenacker@bootlin.com> 2021-07-30 20:52:16 +0200
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2021-08-02 17:46:39 +0100
commit: 76053e0f7849ff33428fd75c531c91ab375de8d3 (patch)
tree: b9a53009169d92808b80d8ad1295841d667176c1 /documentation/dev-manual
parent: 090384d9e74fddfdd38f4fd54b3dd39f5d5a8b24 (diff)
download: poky-76053e0f7849ff33428fd75c531c91ab375de8d3.tar.gz
1 files changed, 45 insertions, 0 deletions
diff --git a/documentation/dev-manual/common-tasks.rst b/documentation/dev-manual/common-tasks.rst
index 77af03b3ca..7fa0df4d39 100644
--- a/documentation/dev-manual/common-tasks.rst
+++ b/documentation/dev-manual/common-tasks.rst
@@ -10529,6 +10529,9 @@ follows:
 1. *Identify the bug or CVE to be fixed:* This information should be
   collected so that it can be included in your submission.
+   See :ref:`dev-manual/common-tasks:checking for vulnerabilities`
+   for details about CVE tracking.
 2. *Check if the fix is already present in the master branch:* This will
   result in the most straightforward path into the stable branch for the
   fix.
@@ -11091,6 +11094,48 @@ the license from the fetched source::
   NO_GENERIC_LICENSE[Firmware-Abilis] = "LICENSE.Abilis.txt"
+Checking for Vulnerabilities
+============================
+Vulnerabilities in images
+-------------------------
+The Yocto Project has an infrastructure to track and address unfixed
+known security vulnerabilities, as tracked by the public
+`Common Vulnerabilities and Exposures (CVE) <https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures>`__
+database.
+To know which packages are vulnerable to known security vulnerabilities,
+add the following setting to your configuration::
+   INHERIT += "cve-check"
+This way, at build time, BitBake will warn you about known CVEs
+as in the example below::
+   WARNING: flex-2.6.4-r0 do_cve_check: Found unpatched CVE (CVE-2019-6293), for more information check /poky/build/tmp/work/core2-64-poky-linux/flex/2.6.4-r0/temp/cve.log
+   WARNING: libarchive-3.5.1-r0 do_cve_check: Found unpatched CVE (CVE-2021-36976), for more information check /poky/build/tmp/work/core2-64-poky-linux/libarchive/3.5.1-r0/temp/cve.log
+It is also possible to check the CVE status of individual packages as follows::
+   bitbake -c cve_check flex libarchive
+Note that OpenEmbedded-Core keeps a list of known unfixed CVE issues which can
+be ignored. You can pass this list to the check as follows::
+   bitbake -c cve_check libarchive -R conf/distro/include/cve-extra-exclusions.inc
+Enabling vulnerabily tracking in recipes
+----------------------------------------
+The :term:`CVE_PRODUCT` variable defines the name used to match the recipe name
+against the name in the upstream `NIST CVE database <https://nvd.nist.gov/>`__.
+The CVE database is stored in :term:`DL_DIR` and can be inspected using
+``sqlite3`` command as follows::
+   sqlite3 downloads/CVE_CHECK/nvdcve_1.1.db .dump | grep CVE-2021-37462
 Using the Error Reporting Tool
 ==============================
author	Michael Opdenacker <michael.opdenacker@bootlin.com>	2021-07-30 20:52:16 +0200
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2021-08-02 17:46:39 +0100
commit	76053e0f7849ff33428fd75c531c91ab375de8d3 (patch)
tree	b9a53009169d92808b80d8ad1295841d667176c1 /documentation/dev-manual
parent	090384d9e74fddfdd38f4fd54b3dd39f5d5a8b24 (diff)
download	poky-76053e0f7849ff33428fd75c531c91ab375de8d3.tar.gz

diff --git a/documentation/dev-manual/common-tasks.rst b/documentation/dev-manual/common-tasks.rst index 77af03b3ca..7fa0df4d39 100644 --- a/documentation/dev-manual/common-tasks.rst +++ b/documentation/dev-manual/common-tasks.rst
@@ -10529,6 +10529,9 @@ follows:
10529	1. Identify the bug or CVE to be fixed: This information should be	10529	1. Identify the bug or CVE to be fixed: This information should be
10530	collected so that it can be included in your submission.	10530	collected so that it can be included in your submission.
10531		10531
		10532	See :ref:`dev-manual/common-tasks:checking for vulnerabilities`
		10533	for details about CVE tracking.
		10534
10532	2. Check if the fix is already present in the master branch: This will	10535	2. Check if the fix is already present in the master branch: This will
10533	result in the most straightforward path into the stable branch for the	10536	result in the most straightforward path into the stable branch for the
10534	fix.	10537	fix.
@@ -11091,6 +11094,48 @@ the license from the fetched source::
11091		11094
11092	NO_GENERIC_LICENSE[Firmware-Abilis] = "LICENSE.Abilis.txt"	11095	NO_GENERIC_LICENSE[Firmware-Abilis] = "LICENSE.Abilis.txt"
11093		11096
		11097	Checking for Vulnerabilities
		11098	============================
		11099
		11100	Vulnerabilities in images
		11101	-------------------------
		11102
		11103	The Yocto Project has an infrastructure to track and address unfixed
		11104	known security vulnerabilities, as tracked by the public
		11105	`Common Vulnerabilities and Exposures (CVE) <https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures>`__
		11106	database.
		11107
		11108	To know which packages are vulnerable to known security vulnerabilities,
		11109	add the following setting to your configuration::
		11110
		11111	INHERIT += "cve-check"
		11112
		11113	This way, at build time, BitBake will warn you about known CVEs
		11114	as in the example below::
		11115
		11116	WARNING: flex-2.6.4-r0 do_cve_check: Found unpatched CVE (CVE-2019-6293), for more information check /poky/build/tmp/work/core2-64-poky-linux/flex/2.6.4-r0/temp/cve.log
		11117	WARNING: libarchive-3.5.1-r0 do_cve_check: Found unpatched CVE (CVE-2021-36976), for more information check /poky/build/tmp/work/core2-64-poky-linux/libarchive/3.5.1-r0/temp/cve.log
		11118
		11119	It is also possible to check the CVE status of individual packages as follows::
		11120
		11121	bitbake -c cve_check flex libarchive
		11122
		11123	Note that OpenEmbedded-Core keeps a list of known unfixed CVE issues which can
		11124	be ignored. You can pass this list to the check as follows::
		11125
		11126	bitbake -c cve_check libarchive -R conf/distro/include/cve-extra-exclusions.inc
		11127
		11128	Enabling vulnerabily tracking in recipes
		11129	----------------------------------------
		11130
		11131	The :term:`CVE_PRODUCT` variable defines the name used to match the recipe name
		11132	against the name in the upstream `NIST CVE database <https://nvd.nist.gov/>`__.
		11133
		11134	The CVE database is stored in :term:`DL_DIR` and can be inspected using
		11135	``sqlite3`` command as follows::
		11136
		11137	sqlite3 downloads/CVE_CHECK/nvdcve_1.1.db .dump \| grep CVE-2021-37462
		11138
11094	Using the Error Reporting Tool	11139	Using the Error Reporting Tool
11095	==============================	11140	==============================
11096		11141