ref-manual: classes: cve_check: add note about remote patches

Document the change in behaviour in 5.0. (From yocto-docs rev: f7a223d4e78bee67107fa47e147208f57a2d9521) Signed-off-by: Paul Eggleton <paul.eggleton@microsoft.com> Reviewed-by: Michael Opdenacker <michael.opdenacker@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Paul Eggleton <bluelightning@bluelightning.org> 2024-04-14 13:43:12 -0700
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2024-04-16 07:55:42 +0100
commit: 7d41877ce9f17fe3f5f1827fad7589338d9f295b (patch)
tree: 007c7de869987aa05244f8726f806b1294e4ee82 /documentation/ref-manual
parent: 0ff0de3c65ebac324f5a9b1ff5495e5b50445df5 (diff)
download: poky-7d41877ce9f17fe3f5f1827fad7589338d9f295b.tar.gz
1 files changed, 7 insertions, 0 deletions
diff --git a/documentation/ref-manual/classes.rst b/documentation/ref-manual/classes.rst
index 8d69e9947f..9520d0bf7c 100644
--- a/documentation/ref-manual/classes.rst
+++ b/documentation/ref-manual/classes.rst
@@ -564,6 +564,13 @@ The ``Patched`` state of a CVE issue is detected from patch files with the forma
 ``CVE-ID.patch``, e.g. ``CVE-2019-20633.patch``, in the :term:`SRC_URI` and using
 CVE metadata of format ``CVE: CVE-ID`` in the commit message of the patch file.
+.. note::
+   Commit message metadata (``CVE: CVE-ID`` in a patch header) will not be scanned
+   in any patches that are remote, i.e. that are anything other than local files
+   referenced via ``file://`` in SRC_URI. However, a ``CVE-ID`` in a remote patch
+   file name itself will be registered.
 If the recipe adds ``CVE-ID`` as flag of the :term:`CVE_STATUS` variable with status
 mapped to ``Ignored``, then the CVE state is reported as ``Ignored``::
author	Paul Eggleton <bluelightning@bluelightning.org>	2024-04-14 13:43:12 -0700
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2024-04-16 07:55:42 +0100
commit	7d41877ce9f17fe3f5f1827fad7589338d9f295b (patch)
tree	007c7de869987aa05244f8726f806b1294e4ee82 /documentation/ref-manual
parent	0ff0de3c65ebac324f5a9b1ff5495e5b50445df5 (diff)
download	poky-7d41877ce9f17fe3f5f1827fad7589338d9f295b.tar.gz

diff --git a/documentation/ref-manual/classes.rst b/documentation/ref-manual/classes.rst index 8d69e9947f..9520d0bf7c 100644 --- a/documentation/ref-manual/classes.rst +++ b/documentation/ref-manual/classes.rst
@@ -564,6 +564,13 @@ The ``Patched`` state of a CVE issue is detected from patch files with the forma
564	``CVE-ID.patch``, e.g. ``CVE-2019-20633.patch``, in the :term:`SRC_URI` and using	564	``CVE-ID.patch``, e.g. ``CVE-2019-20633.patch``, in the :term:`SRC_URI` and using
565	CVE metadata of format ``CVE: CVE-ID`` in the commit message of the patch file.	565	CVE metadata of format ``CVE: CVE-ID`` in the commit message of the patch file.
566		566
		567	.. note::
		568
		569	Commit message metadata (``CVE: CVE-ID`` in a patch header) will not be scanned
		570	in any patches that are remote, i.e. that are anything other than local files
		571	referenced via ``file://`` in SRC_URI. However, a ``CVE-ID`` in a remote patch
		572	file name itself will be registered.
		573
567	If the recipe adds ``CVE-ID`` as flag of the :term:`CVE_STATUS` variable with status	574	If the recipe adds ``CVE-ID`` as flag of the :term:`CVE_STATUS` variable with status
568	mapped to ``Ignored``, then the CVE state is reported as ``Ignored``::	575	mapped to ``Ignored``, then the CVE state is reported as ``Ignored``::
569		576