diff options
| author | Mikko Rapeli <mikko.rapeli@linaro.org> | 2022-10-26 16:12:05 +0300 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2022-10-28 15:48:03 +0100 |
| commit | 362477c421e8d2d82a3751e353f615a74b937435 (patch) | |
| tree | 6b97583b8630c3d49078eb923c6f784240fc0a7a /documentation | |
| parent | 8a9ac57515d1299359b5ec4d949f207b9455281b (diff) | |
| download | poky-362477c421e8d2d82a3751e353f615a74b937435.tar.gz | |
ref-manual: classes.rst: improve documentation for cve-check.bbclass
It is a quite important tool for maintaining yocto based products
so documentation should include the best practices.
(From yocto-docs rev: 3f7d09fc3c96f29ab80a2cb893c9b4b19a75a769)
Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
Reviewed-by: Michael Opdenacker <michael.opdenacker@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'documentation')
| -rw-r--r-- | documentation/ref-manual/classes.rst | 52 |
1 files changed, 50 insertions, 2 deletions
diff --git a/documentation/ref-manual/classes.rst b/documentation/ref-manual/classes.rst index 1880e44486..cce0269b9a 100644 --- a/documentation/ref-manual/classes.rst +++ b/documentation/ref-manual/classes.rst | |||
| @@ -412,13 +412,61 @@ discussion on these cross-compilation tools. | |||
| 412 | ===================== | 412 | ===================== |
| 413 | 413 | ||
| 414 | The :ref:`cve-check <ref-classes-cve-check>` class looks for known CVEs (Common Vulnerabilities | 414 | The :ref:`cve-check <ref-classes-cve-check>` class looks for known CVEs (Common Vulnerabilities |
| 415 | and Exposures) while building an image. This class is meant to be | 415 | and Exposures) while building with BitBake. This class is meant to be |
| 416 | inherited globally from a configuration file:: | 416 | inherited globally from a configuration file:: |
| 417 | 417 | ||
| 418 | INHERIT += "cve-check" | 418 | INHERIT += "cve-check" |
| 419 | 419 | ||
| 420 | To filter out obsolete CVE database entries which are known not to impact software from Poky and OE-Core, | ||
| 421 | add following line to the build configuration file:: | ||
| 422 | |||
| 423 | include cve-extra-exclusions.inc | ||
| 424 | |||
| 420 | You can also look for vulnerabilities in specific packages by passing | 425 | You can also look for vulnerabilities in specific packages by passing |
| 421 | ``-c cve_check`` to BitBake. You will find details in the | 426 | ``-c cve_check`` to BitBake. |
| 427 | |||
| 428 | After building the software with Bitbake, CVE check output reports are available in ``tmp/deploy/cve`` | ||
| 429 | and image specific summaries in ``tmp/deploy/images/*.cve`` or ``tmp/deploy/images/*.json`` files. | ||
| 430 | |||
| 431 | When building, the CVE checker will emit build time warnings for any detected | ||
| 432 | issues which are in the state ``Unpatched``, meaning that CVE issue seems to affect the software component | ||
| 433 | and version being compiled and no patches to address the issue are applied. Other states | ||
| 434 | for detected CVE issues are: ``Patched`` meaning that a patch to address the issue is already | ||
| 435 | applied, and ``Ignored`` meaning that the issue can be ignored. | ||
| 436 | |||
| 437 | The ``Patched`` state of a CVE issue is detected from patch files with the format | ||
| 438 | ``CVE-ID.patch``, e.g. ``CVE-2019-20633.patch``, in the :term:`SRC_URI` and using | ||
| 439 | CVE metadata of format ``CVE: CVE-ID`` in the commit message of the patch file. | ||
| 440 | |||
| 441 | If the recipe lists the ``CVE-ID`` in :term:`CVE_CHECK_IGNORE` variable, then the CVE state is reported | ||
| 442 | as ``Ignored``. Multiple CVEs can be listed separated by spaces. Example:: | ||
| 443 | |||
| 444 | CVE_CHECK_IGNORE += "CVE-2020-29509 CVE-2020-29511" | ||
| 445 | |||
| 446 | If CVE check reports that a recipe contains false positives or false negatives, these may be | ||
| 447 | fixed in recipes by adjusting the CVE product name using :term:`CVE_PRODUCT` and :term:`CVE_VERSION` variables. | ||
| 448 | :term:`CVE_PRODUCT` defaults to the plain recipe name :term:`BPN` which can be adjusted to one or more CVE | ||
| 449 | database vendor and product pairs using the syntax:: | ||
| 450 | |||
| 451 | CVE_PRODUCT = "flex_project:flex" | ||
| 452 | |||
| 453 | where ``flex_project`` is the CVE database vendor name and ``flex`` is the product name. Similarly | ||
| 454 | if the default recipe version :term:`PV` does not match the version numbers of the software component | ||
| 455 | in upstream releases or the CVE database, then the :term:`CVE_VERSION` variable can be used to set the | ||
| 456 | CVE database compatible version number, for example:: | ||
| 457 | |||
| 458 | CVE_VERSION = "2.39" | ||
| 459 | |||
| 460 | Any bugs or missing or incomplete information in the CVE database entries should be fixed in the CVE database | ||
| 461 | via the `NVD feedback form <https://nvd.nist.gov/info/contact-form>`__. | ||
| 462 | |||
| 463 | Users should note that security is a process, not a product, and thus also CVE checking, analyzing results, | ||
| 464 | patching and updating the software should be done as a regular process. The data and assumptions | ||
| 465 | required for CVE checker to reliably detect issues are frequently broken in various ways. | ||
| 466 | These can only be detected by reviewing the details of the issues and iterating over the generated reports, | ||
| 467 | and following what happens in other Linux distributions and in the greater open source community. | ||
| 468 | |||
| 469 | You will find some more details in the | ||
| 422 | ":ref:`dev-manual/common-tasks:checking for vulnerabilities`" | 470 | ":ref:`dev-manual/common-tasks:checking for vulnerabilities`" |
| 423 | section in the Development Tasks Manual. | 471 | section in the Development Tasks Manual. |
| 424 | 472 | ||