diff options
Diffstat (limited to 'documentation/dev-manual/common-tasks.rst')
-rw-r--r-- | documentation/dev-manual/common-tasks.rst | 26 |
1 files changed, 13 insertions, 13 deletions
diff --git a/documentation/dev-manual/common-tasks.rst b/documentation/dev-manual/common-tasks.rst index c747c0deac..d99d327937 100644 --- a/documentation/dev-manual/common-tasks.rst +++ b/documentation/dev-manual/common-tasks.rst | |||
@@ -11518,7 +11518,7 @@ applied and that the issue needs to be investigated. ``Ignored`` means that afte | |||
11518 | analysis, it has been deemed to ignore the issue as it for example affects | 11518 | analysis, it has been deemed to ignore the issue as it for example affects |
11519 | the software component on a different operating system platform. | 11519 | the software component on a different operating system platform. |
11520 | 11520 | ||
11521 | After build with CVE check enabled, reports for each compiled source recipe will be | 11521 | After a build with CVE check enabled, reports for each compiled source recipe will be |
11522 | found in ``build/tmp/deploy/cve``. | 11522 | found in ``build/tmp/deploy/cve``. |
11523 | 11523 | ||
11524 | For example the CVE check report for the ``flex-native`` recipe looks like:: | 11524 | For example the CVE check report for the ``flex-native`` recipe looks like:: |
@@ -11567,36 +11567,36 @@ product name when querying the CVE database. If this mapping contains false posi | |||
11567 | some reported CVEs are not for the software component in question, or false negatives like | 11567 | some reported CVEs are not for the software component in question, or false negatives like |
11568 | some CVEs are not found to impact the recipe when they should, then the problems can be | 11568 | some CVEs are not found to impact the recipe when they should, then the problems can be |
11569 | in the recipe name to CVE product mapping. These mapping issues can be fixed by setting | 11569 | in the recipe name to CVE product mapping. These mapping issues can be fixed by setting |
11570 | the :term:`CVE_PRODUCT` variable inside the recipe. This defines the name of software component in the | 11570 | the :term:`CVE_PRODUCT` variable inside the recipe. This defines the name of the software component in the |
11571 | upstream `NIST CVE database <https://nvd.nist.gov/>`__. | 11571 | upstream `NIST CVE database <https://nvd.nist.gov/>`__. |
11572 | 11572 | ||
11573 | The variable supports using vendor and product names like this:: | 11573 | The variable supports using vendor and product names like this:: |
11574 | 11574 | ||
11575 | CVE_PRODUCT = "flex_project:flex" | 11575 | CVE_PRODUCT = "flex_project:flex" |
11576 | 11576 | ||
11577 | In this example from the vendor name used in CVE database is ``flex_project`` and | 11577 | In this example the vendor name used in the CVE database is ``flex_project`` and the |
11578 | product is ``flex``. With this setting the ``flex`` recipe only maps to this specific | 11578 | product is ``flex``. With this setting the ``flex`` recipe only maps to this specific |
11579 | product and not products from other vendors with same name ``flex``. | 11579 | product and not products from other vendors with same name ``flex``. |
11580 | 11580 | ||
11581 | Similary, when the recipe version :term:`PV` is not compatible with software versions used by | 11581 | Similarly, when the recipe version :term:`PV` is not compatible with software versions used by |
11582 | the upstream software component releases and the CVE database, these can be fixed using | 11582 | the upstream software component releases and the CVE database, these can be fixed using |
11583 | :term:`CVE_VERSION` variable. | 11583 | the :term:`CVE_VERSION` variable. |
11584 | 11584 | ||
11585 | Note that if the CVE entries in NVD databse contain bugs or have missing or incomplete | 11585 | Note that if the CVE entries in the NVD database contain bugs or have missing or incomplete |
11586 | information, it is recommended to fix the information there directly instead of working | 11586 | information, it is recommended to fix the information there directly instead of working |
11587 | around the issues for a possibly long time in Poky and OE-Core side recipes. Feedback to | 11587 | around the issues possibly for a long time in Poky and OE-Core side recipes. Feedback to |
11588 | NVD about CVEs entries can be provided through the `NVD contact form <https://nvd.nist.gov/info/contact-form>`__. | 11588 | NVD about CVE entries can be provided through the `NVD contact form <https://nvd.nist.gov/info/contact-form>`__. |
11589 | 11589 | ||
11590 | Fixing vulnerabilities in recipes | 11590 | Fixing vulnerabilities in recipes |
11591 | --------------------------------- | 11591 | --------------------------------- |
11592 | 11592 | ||
11593 | If a CVE security issue impacts a software component, it can be fixed by updating to a newer | 11593 | If a CVE security issue impacts a software component, it can be fixed by updating to a newer |
11594 | version of the software component or by applying a patch. For Poky and OE-Core master branches, updating | 11594 | version of the software component or by applying a patch. For Poky and OE-Core master branches, updating |
11595 | to newer software component release with fixes is the best option, but patches can be applied | 11595 | to a newer software component release with fixes is the best option, but patches can be applied |
11596 | if releases are not yet available. | 11596 | if releases are not yet available. |
11597 | 11597 | ||
11598 | For stable branches, it is preferred to apply patches for the issues. For some software | 11598 | For stable branches, it is preferred to apply patches for the issues. For some software |
11599 | components minor version updates can also applied if they are backwards compatible. | 11599 | components minor version updates can also be applied if they are backwards compatible. |
11600 | 11600 | ||
11601 | Here is an example of fixing CVE security issues with patch files, | 11601 | Here is an example of fixing CVE security issues with patch files, |
11602 | an example from the :oe_layerindex:`ffmpeg recipe</layerindex/recipe/47350>`:: | 11602 | an example from the :oe_layerindex:`ffmpeg recipe</layerindex/recipe/47350>`:: |
@@ -11610,8 +11610,8 @@ an example from the :oe_layerindex:`ffmpeg recipe</layerindex/recipe/47350>`:: | |||
11610 | file://fix-CVE-2020-22033-CVE-2020-22019.patch \ | 11610 | file://fix-CVE-2020-22033-CVE-2020-22019.patch \ |
11611 | file://fix-CVE-2021-33815.patch \ | 11611 | file://fix-CVE-2021-33815.patch \ |
11612 | 11612 | ||
11613 | A good practice is to include the CVE identifier in both patch file name | 11613 | A good practice is to include the CVE identifier in both the patch file name |
11614 | and inside the patch file commit message use the format:: | 11614 | and inside the patch file commit message using the format:: |
11615 | 11615 | ||
11616 | CVE: CVE-2020-22033 | 11616 | CVE: CVE-2020-22033 |
11617 | 11617 | ||
@@ -11619,7 +11619,7 @@ CVE checker will then capture this information and change the CVE status to ``Pa | |||
11619 | in the generated reports. | 11619 | in the generated reports. |
11620 | 11620 | ||
11621 | If analysis shows that the CVE issue does not impact the recipe due to configuration, platform, | 11621 | If analysis shows that the CVE issue does not impact the recipe due to configuration, platform, |
11622 | version or other reasons, the CVE can be marked as ``Ignored`` using :term:`CVE_CHECK_IGNORE` variable. | 11622 | version or other reasons, the CVE can be marked as ``Ignored`` using the :term:`CVE_CHECK_IGNORE` variable. |
11623 | As mentioned previously, if data in the CVE database is wrong, it is recommend to fix those | 11623 | As mentioned previously, if data in the CVE database is wrong, it is recommend to fix those |
11624 | issues in the CVE database directly. | 11624 | issues in the CVE database directly. |
11625 | 11625 | ||