author | Michael Opdenacker <michael.opdenacker@bootlin.com> | 2021-08-06 12:33:04 +0200 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2021-08-10 11:29:46 +0100 |
commit | 4c7e3b64bc9cefb05fa4a995e83bb0f90160a9fc (patch) | |
tree | 3af0de4c8c88564f93dfe0346c142f79f1cdfee8 /documentation/ref-manual | |
parent | 23e640b80933760fdfb65ac9f764b93a3cf298b5 (diff) | |
download | poky-4c7e3b64bc9cefb05fa4a995e83bb0f90160a9fc.tar.gz |
manuals: further documentation for cve-check
This adds details about the actual implementation
of vulnerability checks, about how to fix or ignore
vulnerabilities in recipes, and documents the
CVE_CHECK_PN_WHITELIST and CVE_CHECK_WHITELIST variables.
(From yocto-docs rev: 55886d211218b3a604c2f8a29c854685ebf284dd)
Signed-off-by: Michael Opdenacker <michael.opdenacker@bootlin.com>
Reviewed-by: Quentin Schulz <foss@0leil.net>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'documentation/ref-manual')
-rw-r--r-- | documentation/ref-manual/classes.rst | 16 |
-rw-r--r-- | documentation/ref-manual/variables.rst | 13 |
2 files changed, 28 insertions, 1 deletions
diff --git a/documentation/ref-manual/classes.rst b/documentation/ref-manual/classes.rst index 49905f2725..a98a64c432 100644 --- a/documentation/ref-manual/classes.rst +++ b/documentation/ref-manual/classes.rst | |||
@@ -404,6 +404,22 @@ cross-compilation tools used for building SDKs. See the | |||
404 | section in the Yocto Project Overview and Concepts Manual for more | 404 | section in the Yocto Project Overview and Concepts Manual for more |
405 | discussion on these cross-compilation tools. | 405 | discussion on these cross-compilation tools. |
406 | 406 | ||
407 | .. _ref-classes-cve-check: | ||
408 | |||
409 | ``cve-check.bbclass`` | ||
410 | ===================== | ||
411 | |||
412 | The ``cve-check`` class looks for known CVEs (Common Vulnerabilities | ||
413 | and Exposures) while building an image. This class is meant to be | ||
414 | inherited globally from a configuration file:: | ||
415 | |||
416 | INHERIT += "cve-check" | ||
417 | |||
418 | You can also look for vulnerabilities in specific packages by passing | ||
419 | ``-c cve_check`` to BitBake. You will find details in the | ||
420 | ":ref:`dev-manual/common-tasks:checking for vulnerabilities`" | ||
421 | section in the Development Tasks Manual. | ||
422 | |||
407 | .. _ref-classes-debian: | 423 | .. _ref-classes-debian: |
408 | 424 | ||
409 | ``debian.bbclass`` | 425 | ``debian.bbclass`` |
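Review bot: the new ``cve-check.bbclass`` section never says what the check is run against or how a reported CVE can be ignored, even though the same patch documents both: the ``CVE_PRODUCT`` context in ``variables.rst`` states that recipe names are matched against the NIST CVE database, and the new ``CVE_CHECK_WHITELIST`` / ``CVE_CHECK_PN_WHITELIST`` entries describe the ignore mechanism. Suggest adding one sentence after the ``INHERIT += "cve-check"`` literal block that names the database and links the relevant variables with ``:term:`` roles, e.g. "The check matches :term:`CVE_PRODUCT` against the NIST CVE database; see :term:`CVE_CHECK_WHITELIST` and :term:`CVE_CHECK_PN_WHITELIST` for ignoring known false positives." Minor: the "You can also look for vulnerabilities in specific packages" sentence could state the full form (``bitbake -c cve_check <recipe>``) so the reader knows the argument is a recipe name.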
diff --git a/documentation/ref-manual/variables.rst b/documentation/ref-manual/variables.rst index 1150940133..f6d248a193 100644 --- a/documentation/ref-manual/variables.rst +++ b/documentation/ref-manual/variables.rst | |||
@@ -1471,11 +1471,22 @@ system and gives an overview of their function and contents. | |||
1471 | variable only in certain contexts (e.g. when building for kernel | 1471 | variable only in certain contexts (e.g. when building for kernel |
1472 | and kernel module recipes). | 1472 | and kernel module recipes). |
1473 | 1473 | ||
1474 | :term:`CVE_CHECK_PN_WHITELIST` | ||
1475 | The list of package names (:term:`PN`) for which | ||
1476 | CVEs (Common Vulnerabilities and Exposures) are ignored. | ||
1477 | |||
1478 | :term:`CVE_CHECK_WHITELIST` | ||
1479 | The list of CVE IDs which are ignored. Here is | ||
1480 | an example from the :oe_layerindex:`Python3 recipe</layerindex/recipe/23823>`:: | ||
1481 | |||
1482 | # This is windows only issue. | ||
1483 | CVE_CHECK_WHITELIST += "CVE-2020-15523" | ||
1484 | |||
1474 | :term:`CVE_PRODUCT` | 1485 | :term:`CVE_PRODUCT` |
1475 | In a recipe, defines the name used to match the recipe name | 1486 | In a recipe, defines the name used to match the recipe name |
1476 | against the name in the upstream `NIST CVE database <https://nvd.nist.gov/>`__. | 1487 | against the name in the upstream `NIST CVE database <https://nvd.nist.gov/>`__. |
1477 | 1488 | ||
1478 | The default is ${:term:`BPN`}. If it does not match the name in NIST CVE | 1489 | The default is ${:term:`BPN`}. If it does not match the name in the NIST CVE |
1479 | database or matches with multiple entries in the database, the default | 1490 | database or matches with multiple entries in the database, the default |
1480 | value needs to be changed. | 1491 | value needs to be changed. |
1481 | 1492 | ||
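Review bot: both new glossary entries say the CVEs are "ignored" but do not say where each variable is meant to be set or what "ignored" means for the check output; the ``CVE_CHECK_WHITELIST`` example is clearly recipe-level (it comes from the Python3 recipe), while ``CVE_CHECK_PN_WHITELIST``, being a list of package names, reads as a configuration-level setting, and neither entry says whether an ignored CVE is dropped from the report or only marked. Suggest stating the intended scope for each and the effect on the results explicitly. The quoted example is also a good place to say that an ignored CVE ID should carry a comment giving the reason (as the ``# This is windows only issue.`` line does), since a bare ID in a whitelist is hard to audit later; if the comment is quoted verbatim from the recipe, keep it, otherwise "This is a Windows-only issue." reads better.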