author | Andrej Valek <andrej.valek@siemens.com> | 2023-07-20 09:31:30 +0200 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2023-08-03 15:11:11 +0100 |
commit | e100e3e0b3f1968421cae59d4a8fb5ea2dfc38c3 (patch) | |
tree | 6bd9f9109a515026c377d1ae568381c6d0349093 /documentation/ref-manual | |
parent | db7217335ada1623ddd40d0124dacec751935592 (diff) | |
download | poky-e100e3e0b3f1968421cae59d4a8fb5ea2dfc38c3.tar.gz |
ref-manual: document CVE_STATUS and CVE_CHECK_STATUSMAP
Deprecate CVE_CHECK_IGNORE with CVE_STATUS
(From yocto-docs rev: 8b8054977f31e2d6090521a0102f066b6d563733)
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Reviewed-by: Michael Opdenacker <michael.opdenacker@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'documentation/ref-manual')
-rw-r--r-- | documentation/ref-manual/classes.rst | 6 | ||||
-rw-r--r-- | documentation/ref-manual/variables.rst | 34 |
2 files changed, 32 insertions, 8 deletions
diff --git a/documentation/ref-manual/classes.rst b/documentation/ref-manual/classes.rst index 4577baba3e..a7819d5b60 100644 --- a/documentation/ref-manual/classes.rst +++ b/documentation/ref-manual/classes.rst | |||
@@ -517,10 +517,10 @@ The ``Patched`` state of a CVE issue is detected from patch files with the forma | |||
517 | ``CVE-ID.patch``, e.g. ``CVE-2019-20633.patch``, in the :term:`SRC_URI` and using | 517 | ``CVE-ID.patch``, e.g. ``CVE-2019-20633.patch``, in the :term:`SRC_URI` and using |
518 | CVE metadata of format ``CVE: CVE-ID`` in the commit message of the patch file. | 518 | CVE metadata of format ``CVE: CVE-ID`` in the commit message of the patch file. |
519 | 519 | ||
520 | If the recipe lists the ``CVE-ID`` in :term:`CVE_CHECK_IGNORE` variable, then the CVE state is reported | 520 | If the recipe adds ``CVE-ID`` as flag of the :term:`CVE_STATUS` variable with status |
521 | as ``Ignored``. Multiple CVEs can be listed separated by spaces. Example:: | 521 | mapped to ``Ignored``, then the CVE state is reported as ``Ignored``:: |
522 | 522 | ||
523 | CVE_CHECK_IGNORE += "CVE-2020-29509 CVE-2020-29511" | 523 | CVE_STATUS[CVE-2020-15523] = "not-applicable-platform: Issue only applies on Windows" |
524 | 524 | ||
525 | If CVE check reports that a recipe contains false positives or false negatives, these may be | 525 | If CVE check reports that a recipe contains false positives or false negatives, these may be |
526 | fixed in recipes by adjusting the CVE product name using :term:`CVE_PRODUCT` and :term:`CVE_VERSION` variables. | 526 | fixed in recipes by adjusting the CVE product name using :term:`CVE_PRODUCT` and :term:`CVE_VERSION` variables. |
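Review bot: the rewritten sentence at 520-521 ("adds ``CVE-ID`` as flag of the :term:`CVE_STATUS` variable") needs an article, and since this is a BitBake variable flag, "as a flag (varflag) of" would be clearer. It also only covers the Ignored outcome, while the unchanged paragraph at 517-518 still describes Patched purely in terms of CVE-ID.patch files and "CVE:" tags in commit messages; because a CVE_STATUS reason can also map to Patched (the variables.rst part of this patch shows "fixed-version: Fixed externally"), the Patched paragraph should mention CVE_STATUS as a third source of that state. Finally, dropping "Multiple CVEs can be listed separated by spaces" leaves no hint for recipes with many CVEs, so point to :term:`CVE_STATUS_GROUPS` here, and to :term:`CVE_CHECK_STATUSMAP` for how "not-applicable-platform" in the new example becomes the Ignored state, since the example is not self-explanatory without that mapping.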
diff --git a/documentation/ref-manual/variables.rst b/documentation/ref-manual/variables.rst index ac5b97a526..def98de307 100644 --- a/documentation/ref-manual/variables.rst +++ b/documentation/ref-manual/variables.rst | |||
@@ -1653,11 +1653,7 @@ system and gives an overview of their function and contents. | |||
1653 | and kernel module recipes). | 1653 | and kernel module recipes). |
1654 | 1654 | ||
1655 | :term:`CVE_CHECK_IGNORE` | 1655 | :term:`CVE_CHECK_IGNORE` |
1656 | The list of CVE IDs which are ignored. Here is | 1656 | This variable is deprecated and should be replaced by :term:`CVE_STATUS`. |
1657 | an example from the :oe_layerindex:`Python3 recipe</layerindex/recipe/23823>`:: | ||
1658 | |||
1659 | # This is windows only issue. | ||
1660 | CVE_CHECK_IGNORE += "CVE-2020-15523" | ||
1661 | 1657 | ||
1662 | :term:`CVE_CHECK_SHOW_WARNINGS` | 1658 | :term:`CVE_CHECK_SHOW_WARNINGS` |
1663 | Specifies whether or not the :ref:`ref-classes-cve-check` | 1659 | Specifies whether or not the :ref:`ref-classes-cve-check` |
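Review bot: the one-line replacement at 1656 says CVE_CHECK_IGNORE "should be replaced by :term:`CVE_STATUS`" but gives no migration path. The removed example (the "# This is windows only issue." comment plus CVE_CHECK_IGNORE += "CVE-2020-15523") maps one-to-one onto the CVE_STATUS[CVE-2020-15523] = "not-applicable-platform: Issue only applies on Windows" line added in the next hunk; showing that before/after pair here would make the deprecation actionable. The entry should also state what happens to a recipe that still sets CVE_CHECK_IGNORE (translated automatically, warned about, or silently dropped?), because a silently dropped ignore list would make previously suppressed CVEs reappear in the cve-check report, and that is the behaviour change a user reading a deprecation notice needs to know about.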
@@ -1698,6 +1694,34 @@ system and gives an overview of their function and contents. | |||
1698 | 1694 | ||
1699 | CVE_PRODUCT = "vendor:package" | 1695 | CVE_PRODUCT = "vendor:package" |
1700 | 1696 | ||
1697 | :term:`CVE_STATUS` | ||
1698 | The CVE ID which is patched or should be ignored. Here is | ||
1699 | an example from the :oe_layerindex:`Python3 recipe</layerindex/recipe/23823>`:: | ||
1700 | |||
1701 | CVE_STATUS[CVE-2020-15523] = "not-applicable-platform: Issue only applies on Windows" | ||
1702 | |||
1703 | It has the format "reason: description" and the description is optional. | ||
1704 | The Reason is mapped to the final CVE state by mapping via | ||
1705 | :term:`CVE_CHECK_STATUSMAP` | ||
1706 | |||
1707 | :term:`CVE_STATUS_GROUPS` | ||
1708 | If there are many CVEs with the same status and reason, they can by simplified by using this | ||
1709 | variable instead of many similar lines with :term:`CVE_STATUS`:: | ||
1710 | |||
1711 | CVE_STATUS_GROUPS = "CVE_STATUS_WIN CVE_STATUS_PATCHED" | ||
1712 | |||
1713 | CVE_STATUS_WIN = "CVE-1234-0001 CVE-1234-0002" | ||
1714 | CVE_STATUS_WIN[status] = "not-applicable-platform: Issue only applies on Windows" | ||
1715 | CVE_STATUS_PATCHED = "CVE-1234-0003 CVE-1234-0004" | ||
1716 | CVE_STATUS_PATCHED[status] = "fixed-version: Fixed externally" | ||
1717 | |||
1718 | :term:`CVE_CHECK_STATUSMAP` | ||
1719 | Mapping variable for all possible reasons of :term:`CVE_STATUS`: | ||
1720 | ``Patched``, ``Unpatched`` and ``Ignored``. | ||
1721 | See :ref:`ref-classes-cve-check` or ``meta/conf/cve-check-map.conf`` for more details:: | ||
1722 | |||
1723 | CVE_CHECK_STATUSMAP[cpe-incorrect] = "Ignored" | ||
1724 | |||
1701 | :term:`CVE_VERSION` | 1725 | :term:`CVE_VERSION` |
1702 | In a recipe, defines the version used to match the recipe version | 1726 | In a recipe, defines the version used to match the recipe version |
1703 | against the version in the `NIST CVE database <https://nvd.nist.gov/>`__ | 1727 | against the version in the `NIST CVE database <https://nvd.nist.gov/>`__ |
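Review bot: the :term:`CVE_CHECK_STATUSMAP` description at 1719-1720 has the relationship backwards: Patched, Unpatched and Ignored are the final states that a reason is mapped to, not "all possible reasons of :term:`CVE_STATUS`"; the reasons are the keys (cpe-incorrect, not-applicable-platform, fixed-version in the examples in this hunk) and the states are the values, exactly as the CVE_CHECK_STATUSMAP[cpe-incorrect] = "Ignored" example shows. Suggested wording: "Maps each reason accepted in :term:`CVE_STATUS` to one of the final CVE states Patched, Unpatched or Ignored." Further points in the same hunk: the glossary in variables.rst is alphabetical, so CVE_CHECK_STATUSMAP belongs with the other CVE_CHECK_* entries before :term:`CVE_PRODUCT`, not after :term:`CVE_STATUS_GROUPS`; the :term:`CVE_STATUS` lead sentence "The CVE ID which is patched or should be ignored" describes the flag name rather than the variable, and something like "Per-CVE status of the recipe, set as a variable flag keyed by CVE ID" reads better; "they can by simplified" at 1708 should be "can be simplified"; "The Reason" at 1704 should be lower-case and the sentence ending in ":term:`CVE_CHECK_STATUSMAP`" needs a full stop; and nothing says what cve-check does when a reason has no entry in the map, which is the first thing a recipe author with a typo in the reason string will hit.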