author | Andrej Valek <andrej.valek@siemens.com> | 2023-07-20 09:31:30 +0200
---|---|---
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2023-08-03 15:11:11 +0100
commit | e100e3e0b3f1968421cae59d4a8fb5ea2dfc38c3 (patch) |
tree | 6bd9f9109a515026c377d1ae568381c6d0349093 /documentation/dev-manual |
parent | db7217335ada1623ddd40d0124dacec751935592 (diff) |
download | poky-e100e3e0b3f1968421cae59d4a8fb5ea2dfc38c3.tar.gz |
ref-manual: document CVE_STATUS and CVE_CHECK_STATUSMAP
Deprecate CVE_CHECK_IGNORE with CVE_STATUS
(From yocto-docs rev: 8b8054977f31e2d6090521a0102f066b6d563733)
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Reviewed-by: Michael Opdenacker <michael.opdenacker@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'documentation/dev-manual')
-rw-r--r-- | documentation/dev-manual/new-recipe.rst | 3
-rw-r--r-- | documentation/dev-manual/vulnerabilities.rst | 13
2 files changed, 10 insertions, 6 deletions
diff --git a/documentation/dev-manual/new-recipe.rst b/documentation/dev-manual/new-recipe.rst index 1be04a7657..af390773a9 100644 --- a/documentation/dev-manual/new-recipe.rst +++ b/documentation/dev-manual/new-recipe.rst | |||
@@ -1253,8 +1253,7 @@ In the following example, ``lz4`` is a makefile-based package:: | |||
1253 | 1253 | ||
1254 | S = "${WORKDIR}/git" | 1254 | S = "${WORKDIR}/git" |
1255 | 1255 | ||
1256 | # Fixed in r118, which is larger than the current version. | 1256 | CVE_STATUS[CVE-2014-4715] = "fixed-version: Fixed in r118, which is larger than the current version" |
1257 | CVE_CHECK_IGNORE += "CVE-2014-4715" | ||
1258 | 1257 | ||
1259 | EXTRA_OEMAKE = "PREFIX=${prefix} CC='${CC}' CFLAGS='${CFLAGS}' DESTDIR=${D} LIBDIR=${libdir} INCLUDEDIR=${includedir} BUILD_STATIC=no" | 1258 | EXTRA_OEMAKE = "PREFIX=${prefix} CC='${CC}' CFLAGS='${CFLAGS}' DESTDIR=${D} LIBDIR=${libdir} INCLUDEDIR=${includedir} BUILD_STATIC=no" |
1260 | 1259 | ||
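Review bot: the reason string in new line 1256, "Fixed in r118, which is larger than the current version", is ambiguous as a `fixed-version:` justification, because read literally it says the fix landed in a version newer than the one being built, which would mean the recipe is still affected. This wording was carried over from the old comment, but now that it is the machine-visible justification that downgrades the CVE to `Patched`, it should state plainly why the shipped version already contains the r118 fix (for example that the project's version numbering changed, so the NVD version range does not compare correctly against the current version string), so that a reader of the generated report can verify the claim without digging into the recipe history.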
diff --git a/documentation/dev-manual/vulnerabilities.rst b/documentation/dev-manual/vulnerabilities.rst index 0ee3ec52c5..6d87d02ecb 100644 --- a/documentation/dev-manual/vulnerabilities.rst +++ b/documentation/dev-manual/vulnerabilities.rst | |||
@@ -130,7 +130,8 @@ Fixing vulnerabilities in recipes | |||
130 | ================================= | 130 | ================================= |
131 | 131 | ||
132 | If a CVE security issue impacts a software component, it can be fixed by updating to a newer | 132 | If a CVE security issue impacts a software component, it can be fixed by updating to a newer |
133 | version of the software component or by applying a patch. For Poky and OE-Core master branches, updating | 133 | version of the software component, by applying a patch or by marking it as patched via |
134 | :term:`CVE_STATUS` variable flag. For Poky and OE-Core master branches, updating | ||
134 | to a newer software component release with fixes is the best option, but patches can be applied | 135 | to a newer software component release with fixes is the best option, but patches can be applied |
135 | if releases are not yet available. | 136 | if releases are not yet available. |
136 | 137 | ||
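Review bot: new lines 133 and 134 are missing an article and slightly overstate what the flag does: "by marking it as patched via :term:`CVE_STATUS` variable flag" should read "by marking it as patched via the :term:`CVE_STATUS` variable flag". Since the same variable is also used later in this file to mark a CVE as ``Ignored``, consider wording this sentence as "by recording its status via the :term:`CVE_STATUS` variable flag" so the two uses do not look like different mechanisms.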
@@ -158,7 +159,8 @@ CVE checker will then capture this information and change the CVE status to ``Pa | |||
158 | in the generated reports. | 159 | in the generated reports. |
159 | 160 | ||
160 | If analysis shows that the CVE issue does not impact the recipe due to configuration, platform, | 161 | If analysis shows that the CVE issue does not impact the recipe due to configuration, platform, |
161 | version or other reasons, the CVE can be marked as ``Ignored`` using the :term:`CVE_CHECK_IGNORE` variable. | 162 | version or other reasons, the CVE can be marked as ``Ignored`` by using |
163 | the :term:`CVE_STATUS` variable flag with appropriate reason which is mapped to ``Ignored``. | ||
162 | As mentioned previously, if data in the CVE database is wrong, it is recommend to fix those | 164 | As mentioned previously, if data in the CVE database is wrong, it is recommend to fix those |
163 | issues in the CVE database directly. | 165 | issues in the CVE database directly. |
164 | 166 | ||
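Review bot: new lines 162 and 163 say the reason "is mapped to ``Ignored``" without naming what performs the mapping, so a reader cannot find the list of accepted reasons from here; suggest "by using the :term:`CVE_STATUS` variable flag with an appropriate reason that :term:`CVE_CHECK_STATUSMAP` maps to ``Ignored``", which also fixes the missing article and the "which" relative clause. While touching this paragraph, the unchanged context line 164 has a pre-existing typo, "it is recommend to fix" should be "it is recommended to fix".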
@@ -175,6 +177,8 @@ is found in the name of the file, the corresponding CVE is considered as patched | |||
175 | Don't forget that if multiple CVE IDs are found in the filename, only the last | 177 | Don't forget that if multiple CVE IDs are found in the filename, only the last |
176 | one is considered. Then, the code looks for ``CVE: CVE-ID`` lines in the patch | 178 | one is considered. Then, the code looks for ``CVE: CVE-ID`` lines in the patch |
177 | file. The found CVE IDs are also considered as patched. | 179 | file. The found CVE IDs are also considered as patched. |
180 | Additionally ``CVE_STATUS`` variable flags are parsed for reasons mapped to ``Patched`` | ||
181 | and these are also considered as patched. | ||
178 | 182 | ||
179 | Then, the code looks up all the CVE IDs in the NIST database for all the | 183 | Then, the code looks up all the CVE IDs in the NIST database for all the |
180 | products defined in :term:`CVE_PRODUCT`. Then, for each found CVE: | 184 | products defined in :term:`CVE_PRODUCT`. Then, for each found CVE: |
@@ -182,8 +186,9 @@ products defined in :term:`CVE_PRODUCT`. Then, for each found CVE: | |||
182 | - If the package name (:term:`PN`) is part of | 186 | - If the package name (:term:`PN`) is part of |
183 | :term:`CVE_CHECK_SKIP_RECIPE`, it is considered as ``Patched``. | 187 | :term:`CVE_CHECK_SKIP_RECIPE`, it is considered as ``Patched``. |
184 | 188 | ||
185 | - If the CVE ID is part of :term:`CVE_CHECK_IGNORE`, it is | 189 | - If the CVE ID has status ``CVE_STATUS[<CVE ID>] = "ignored"`` or if it's set to |
186 | set as ``Ignored``. | 190 | any reason which is mapped to status ``Ignored`` via ``CVE_CHECK_STATUSMAP``, |
191 | it is set as ``Ignored``. | ||
187 | 192 | ||
188 | - If the CVE ID is part of the patched CVE for the recipe, it is | 193 | - If the CVE ID is part of the patched CVE for the recipe, it is |
189 | already considered as ``Patched``. | 194 | already considered as ``Patched``. |
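Review bot: new line 189 shows ``CVE_STATUS[<CVE ID>] = "ignored"`` with a bare status and no reason, while the example earlier in this same commit (new-recipe.rst line 1256) uses the ``status: reason`` form; the two should be presented the same way, or this bullet should say explicitly whether the reason part after the colon is optional, otherwise readers will not know which form the checker accepts. Minor wording on new lines 189 to 191: ``CVE_CHECK_STATUSMAP`` should be :term:`CVE_CHECK_STATUSMAP` to match the rest of the file, and "or if it's set to any reason which is mapped to status ``Ignored``" reads better as "or if it is set to any reason that :term:`CVE_CHECK_STATUSMAP` maps to ``Ignored``".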