author | Michael Opdenacker <michael.opdenacker@bootlin.com> | 2021-07-30 20:52:16 +0200
---|---|---
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2021-08-02 17:46:39 +0100
commit | 76053e0f7849ff33428fd75c531c91ab375de8d3 (patch) |
tree | b9a53009169d92808b80d8ad1295841d667176c1 /documentation/dev-manual |
parent | 090384d9e74fddfdd38f4fd54b3dd39f5d5a8b24 (diff) |
download | poky-76053e0f7849ff33428fd75c531c91ab375de8d3.tar.gz |
manuals: initial documentation for CVE management
This starts to document vulnerability management
and the use of the CVE_PRODUCT variable
(From yocto-docs rev: 2b9199fe490cb3ec126bffc6518646194a94ace4)
Signed-off-by: Michael Opdenacker <michael.opdenacker@bootlin.com>
Reviewed-by: Quentin Schulz <foss@0leil.net>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'documentation/dev-manual')
-rw-r--r-- | documentation/dev-manual/common-tasks.rst | 45 |
1 files changed, 45 insertions, 0 deletions
diff --git a/documentation/dev-manual/common-tasks.rst b/documentation/dev-manual/common-tasks.rst index 77af03b3ca..7fa0df4d39 100644 --- a/documentation/dev-manual/common-tasks.rst +++ b/documentation/dev-manual/common-tasks.rst | |||
@@ -10529,6 +10529,9 @@ follows: | |||
10529 | 1. *Identify the bug or CVE to be fixed:* This information should be | 10529 | 1. *Identify the bug or CVE to be fixed:* This information should be |
10530 | collected so that it can be included in your submission. | 10530 | collected so that it can be included in your submission. |
10531 | 10531 | ||
10532 | See :ref:`dev-manual/common-tasks:checking for vulnerabilities` | ||
10533 | for details about CVE tracking. | ||
10534 | |||
10532 | 2. *Check if the fix is already present in the master branch:* This will | 10535 | 2. *Check if the fix is already present in the master branch:* This will |
10533 | result in the most straightforward path into the stable branch for the | 10536 | result in the most straightforward path into the stable branch for the |
10534 | fix. | 10537 | fix. |
@@ -11091,6 +11094,48 @@ the license from the fetched source:: | |||
11091 | 11094 | ||
11092 | NO_GENERIC_LICENSE[Firmware-Abilis] = "LICENSE.Abilis.txt" | 11095 | NO_GENERIC_LICENSE[Firmware-Abilis] = "LICENSE.Abilis.txt" |
11093 | 11096 | ||
11097 | Checking for Vulnerabilities | ||
11098 | ============================ | ||
11099 | |||
11100 | Vulnerabilities in images | ||
11101 | ------------------------- | ||
11102 | |||
11103 | The Yocto Project has an infrastructure to track and address unfixed | ||
11104 | known security vulnerabilities, as tracked by the public | ||
11105 | `Common Vulnerabilities and Exposures (CVE) <https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures>`__ | ||
11106 | database. | ||
11107 | |||
11108 | To know which packages are vulnerable to known security vulnerabilities, | ||
11109 | add the following setting to your configuration:: | ||
11110 | |||
11111 | INHERIT += "cve-check" | ||
11112 | |||
11113 | This way, at build time, BitBake will warn you about known CVEs | ||
11114 | as in the example below:: | ||
11115 | |||
11116 | WARNING: flex-2.6.4-r0 do_cve_check: Found unpatched CVE (CVE-2019-6293), for more information check /poky/build/tmp/work/core2-64-poky-linux/flex/2.6.4-r0/temp/cve.log | ||
11117 | WARNING: libarchive-3.5.1-r0 do_cve_check: Found unpatched CVE (CVE-2021-36976), for more information check /poky/build/tmp/work/core2-64-poky-linux/libarchive/3.5.1-r0/temp/cve.log | ||
11118 | |||
11119 | It is also possible to check the CVE status of individual packages as follows:: | ||
11120 | |||
11121 | bitbake -c cve_check flex libarchive | ||
11122 | |||
11123 | Note that OpenEmbedded-Core keeps a list of known unfixed CVE issues which can | ||
11124 | be ignored. You can pass this list to the check as follows:: | ||
11125 | |||
11126 | bitbake -c cve_check libarchive -R conf/distro/include/cve-extra-exclusions.inc | ||
11127 | |||
11128 | Enabling vulnerabily tracking in recipes | ||
11129 | ---------------------------------------- | ||
11130 | |||
11131 | The :term:`CVE_PRODUCT` variable defines the name used to match the recipe name | ||
11132 | against the name in the upstream `NIST CVE database <https://nvd.nist.gov/>`__. | ||
11133 | |||
11134 | The CVE database is stored in :term:`DL_DIR` and can be inspected using | ||
11135 | ``sqlite3`` command as follows:: | ||
11136 | |||
11137 | sqlite3 downloads/CVE_CHECK/nvdcve_1.1.db .dump | grep CVE-2021-37462 | ||
11138 | |||
11094 | Using the Error Reporting Tool | 11139 | Using the Error Reporting Tool |
11095 | ============================== | 11140 | ============================== |
11096 | 11141 | ||
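Review bot: the new heading "Enabling vulnerabily tracking in recipes" (new line 11128) misspells "vulnerability"; when correcting it, lengthen the dash underline on 11129 to match the longer title, since Sphinx warns on an underline that is shorter than its heading. Two content points in the same hunk: the :term:`CVE_PRODUCT` paragraph (11131-11132) says the variable "defines the name used to match the recipe name against the name in the upstream NIST CVE database" but never shows it being set, so a reader cannot tell when a recipe needs to set it or what the assignment looks like; one example assignment with a placeholder product name would complete the section that the commit message says documents this variable. The paragraph on the exclusion list (11123-11124) describes its entries as "known unfixed CVE issues which can be ignored" without saying on what basis they can be ignored, which reads as permission to silence real findings; state why those CVEs are excluded, and mention that ``-R`` makes BitBake read the file after its configuration, so the ``-R conf/distro/include/cve-extra-exclusions.inc`` argument on 11126 is explained rather than just shown. Minor: ``sqlite3 ... .dump | grep CVE-2021-37462`` (11137) dumps the entire database to locate one entry; a ``SELECT`` with a ``WHERE`` clause on the CVE identifier would be cheaper, though the dump does work.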