1 files changed, 50 insertions, 2 deletions
diff --git a/documentation/ref-manual/classes.rst b/documentation/ref-manual/classes.rst
index 1880e44486..cce0269b9a 100644
--- a/documentation/ref-manual/classes.rst
+++ b/documentation/ref-manual/classes.rst
@@ -412,13 +412,61 @@ discussion on these cross-compilation tools.
 =====================
 The :ref:`cve-check <ref-classes-cve-check>` class looks for known CVEs (Common Vulnerabilities
-and Exposures) while building an image. This class is meant to be
+and Exposures) while building with BitBake. This class is meant to be
 inherited globally from a configuration file::
   INHERIT += "cve-check"
+To filter out obsolete CVE database entries which are known not to impact software from Poky and OE-Core,
+add following line to the build configuration file::
+   include cve-extra-exclusions.inc
 You can also look for vulnerabilities in specific packages by passing
-``-c cve_check`` to BitBake. You will find details in the
+``-c cve_check`` to BitBake.
+After building the software with Bitbake, CVE check output reports are available in ``tmp/deploy/cve``
+and image specific summaries in ``tmp/deploy/images/*.cve`` or ``tmp/deploy/images/*.json`` files.
+When building, the CVE checker will emit build time warnings for any detected
+issues which are in the state ``Unpatched``, meaning that CVE issue seems to affect the software component
+and version being compiled and no patches to address the issue are applied. Other states
+for detected CVE issues are: ``Patched`` meaning that a patch to address the issue is already
+applied, and ``Ignored`` meaning that the issue can be ignored.
+The ``Patched`` state of a CVE issue is detected from patch files with the format
+``CVE-ID.patch``, e.g. ``CVE-2019-20633.patch``, in the :term:`SRC_URI` and using
+CVE metadata of format ``CVE: CVE-ID`` in the commit message of the patch file.
+If the recipe lists the ``CVE-ID`` in :term:`CVE_CHECK_IGNORE` variable, then the CVE state is reported
+as ``Ignored``. Multiple CVEs can be listed separated by spaces. Example::
+   CVE_CHECK_IGNORE += "CVE-2020-29509 CVE-2020-29511"
+If CVE check reports that a recipe contains false positives or false negatives, these may be
+fixed in recipes by adjusting the CVE product name using :term:`CVE_PRODUCT` and :term:`CVE_VERSION` variables.
+:term:`CVE_PRODUCT` defaults to the plain recipe name :term:`BPN` which can be adjusted to one or more CVE
+database vendor and product pairs using the syntax::
+   CVE_PRODUCT = "flex_project:flex"
+where ``flex_project`` is the CVE database vendor name and ``flex`` is the product name. Similarly
+if the default recipe version :term:`PV` does not match the version numbers of the software component
+in upstream releases or the CVE database, then the :term:`CVE_VERSION` variable can be used to set the
+CVE database compatible version number, for example::
+   CVE_VERSION = "2.39"
+Any bugs or missing or incomplete information in the CVE database entries should be fixed in the CVE database
+via the `NVD feedback form <https://nvd.nist.gov/info/contact-form>`__.
+Users should note that security is a process, not a product, and thus also CVE checking, analyzing results,
+patching and updating the software should be done as a regular process. The data and assumptions
+required for CVE checker to reliably detect issues are frequently broken in various ways.
+These can only be detected by reviewing the details of the issues and iterating over the generated reports,
+and following what happens in other Linux distributions and in the greater open source community.
+You will find some more details in the
 ":ref:`dev-manual/common-tasks:checking for vulnerabilities`"
 section in the Development Tasks Manual.

diff --git a/documentation/ref-manual/classes.rst b/documentation/ref-manual/classes.rst index 1880e44486..cce0269b9a 100644 --- a/documentation/ref-manual/classes.rst +++ b/documentation/ref-manual/classes.rst
@@ -412,13 +412,61 @@ discussion on these cross-compilation tools.
412	=====================	412	=====================
413		413
414	The :ref:`cve-check <ref-classes-cve-check>` class looks for known CVEs (Common Vulnerabilities	414	The :ref:`cve-check <ref-classes-cve-check>` class looks for known CVEs (Common Vulnerabilities
415	and Exposures) while building an image. This class is meant to be	415	and Exposures) while building with BitBake. This class is meant to be
416	inherited globally from a configuration file::	416	inherited globally from a configuration file::
417		417
418	INHERIT += "cve-check"	418	INHERIT += "cve-check"
419		419
		420	To filter out obsolete CVE database entries which are known not to impact software from Poky and OE-Core,
		421	add following line to the build configuration file::
		422
		423	include cve-extra-exclusions.inc
		424
420	You can also look for vulnerabilities in specific packages by passing	425	You can also look for vulnerabilities in specific packages by passing
421	``-c cve_check`` to BitBake. You will find details in the	426	``-c cve_check`` to BitBake.
		427
		428	After building the software with Bitbake, CVE check output reports are available in ``tmp/deploy/cve``
		429	and image specific summaries in ``tmp/deploy/images/.cve`` or ``tmp/deploy/images/.json`` files.
		430
		431	When building, the CVE checker will emit build time warnings for any detected
		432	issues which are in the state ``Unpatched``, meaning that CVE issue seems to affect the software component
		433	and version being compiled and no patches to address the issue are applied. Other states
		434	for detected CVE issues are: ``Patched`` meaning that a patch to address the issue is already
		435	applied, and ``Ignored`` meaning that the issue can be ignored.
		436
		437	The ``Patched`` state of a CVE issue is detected from patch files with the format
		438	``CVE-ID.patch``, e.g. ``CVE-2019-20633.patch``, in the :term:`SRC_URI` and using
		439	CVE metadata of format ``CVE: CVE-ID`` in the commit message of the patch file.
		440
		441	If the recipe lists the ``CVE-ID`` in :term:`CVE_CHECK_IGNORE` variable, then the CVE state is reported
		442	as ``Ignored``. Multiple CVEs can be listed separated by spaces. Example::
		443
		444	CVE_CHECK_IGNORE += "CVE-2020-29509 CVE-2020-29511"
		445
		446	If CVE check reports that a recipe contains false positives or false negatives, these may be
		447	fixed in recipes by adjusting the CVE product name using :term:`CVE_PRODUCT` and :term:`CVE_VERSION` variables.
		448	:term:`CVE_PRODUCT` defaults to the plain recipe name :term:`BPN` which can be adjusted to one or more CVE
		449	database vendor and product pairs using the syntax::
		450
		451	CVE_PRODUCT = "flex_project:flex"
		452
		453	where ``flex_project`` is the CVE database vendor name and ``flex`` is the product name. Similarly
		454	if the default recipe version :term:`PV` does not match the version numbers of the software component
		455	in upstream releases or the CVE database, then the :term:`CVE_VERSION` variable can be used to set the
		456	CVE database compatible version number, for example::
		457
		458	CVE_VERSION = "2.39"
		459
		460	Any bugs or missing or incomplete information in the CVE database entries should be fixed in the CVE database
		461	via the `NVD feedback form <https://nvd.nist.gov/info/contact-form>`__.
		462
		463	Users should note that security is a process, not a product, and thus also CVE checking, analyzing results,
		464	patching and updating the software should be done as a regular process. The data and assumptions
		465	required for CVE checker to reliably detect issues are frequently broken in various ways.
		466	These can only be detected by reviewing the details of the issues and iterating over the generated reports,
		467	and following what happens in other Linux distributions and in the greater open source community.
		468
		469	You will find some more details in the
422	":ref:`dev-manual/common-tasks:checking for vulnerabilities`"	470	":ref:`dev-manual/common-tasks:checking for vulnerabilities`"
423	section in the Development Tasks Manual.	471	section in the Development Tasks Manual.
424		472