1 files changed, 73 insertions, 29 deletions
diff --git a/documentation/dev-manual/vulnerabilities.rst b/documentation/dev-manual/vulnerabilities.rst
index 1bc2a85929..5331a63991 100644
--- a/documentation/dev-manual/vulnerabilities.rst
+++ b/documentation/dev-manual/vulnerabilities.rst
@@ -22,7 +22,7 @@ issues may be impacting Poky and OE-Core. It is up to the maintainers, users,
 contributors and anyone interested in the issues to investigate and possibly fix them by
 updating software components to newer versions or by applying patches to address them.
 It is recommended to work with Poky and OE-Core upstream maintainers and submit
-patches to fix them, see ":doc:`../contributor-guide/submit-changes`" for details.
+patches to fix them, see ":doc:`/contributor-guide/submit-changes`" for details.
 Vulnerability check at build time
 =================================
@@ -57,42 +57,86 @@ applied and that the issue needs to be investigated. ``Ignored`` means that afte
 analysis, it has been deemed to ignore the issue as it for example affects
 the software component on a different operating system platform.
+By default, no NVD API key is used to retrieve data from the CVE database, which
+results in larger delays between NVD API requests. See the :term:`NVDCVE_API_KEY`
+documentation on how to request and set a NVD API key.
 After a build with CVE check enabled, reports for each compiled source recipe will be
 found in ``build/tmp/deploy/cve``.
 For example the CVE check report for the ``flex-native`` recipe looks like::
-   $ cat poky/build/tmp/deploy/cve/flex-native
+   $ cat ./tmp/deploy/cve/flex-native_cve.json
-   LAYER: meta
+   {
-   PACKAGE NAME: flex-native
+     "version": "1",
-   PACKAGE VERSION: 2.6.4
+     "package": [
-   CVE: CVE-2016-6354
+       {
-   CVE STATUS: Patched
+         "name": "flex-native",
-   CVE SUMMARY: Heap-based buffer overflow in the yy_get_next_buffer function in Flex before 2.6.1 might allow context-dependent attackers to cause a denial of service or possibly execute arbitrary code via vectors involving num_to_read.
+         "layer": "meta",
-   CVSS v2 BASE SCORE: 7.5
+         "version": "2.6.4",
-   CVSS v3 BASE SCORE: 9.8
+         "products": [
-   VECTOR: NETWORK
+           {
-   MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6354
+             "product": "flex",
+             "cvesInRecord": "No"
-   LAYER: meta
+           },
-   PACKAGE NAME: flex-native
+           {
-   PACKAGE VERSION: 2.6.4
+             "product": "flex",
-   CVE: CVE-2019-6293
+             "cvesInRecord": "Yes"
-   CVE STATUS: Ignored
+           }
-   CVE SUMMARY: An issue was discovered in the function mark_beginning_as_normal in nfa.c in flex 2.6.4. There is a stack exhaustion problem caused by the mark_beginning_as_normal function making recursive calls to itself in certain scenarios involving lots of '*' characters. Remote attackers could leverage this vulnerability to cause a denial-of-service.
+         ],
-   CVSS v2 BASE SCORE: 4.3
+         "issue": [
-   CVSS v3 BASE SCORE: 5.5
+           {
-   VECTOR: NETWORK
+             "id": "CVE-2006-0459",
-   MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-6293
+             "status": "Patched",
+             "link": "https://nvd.nist.gov/vuln/detail/CVE-2006-0459",
+             "summary": "flex.skl in Will Estes and John Millaway Fast Lexical Analyzer Generator (flex) before 2.5.33 does not allocate enough memory for grammars containing (1) REJECT statements or (2) trailing context rules, which causes flex to generate code that contains a buffer overflow that might allow context-dependent attackers to execute arbitrary code.",
+             "scorev2": "7.5",
+             "scorev3": "0.0",
+             "scorev4": "0.0",
+             "modified": "2024-11-21T00:06Z",
+             "vector": "NETWORK",
+             "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
+             "detail": "version-not-in-range"
+           },
+           {
+             "id": "CVE-2016-6354",
+             "status": "Patched",
+             "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6354",
+             "summary": "Heap-based buffer overflow in the yy_get_next_buffer function in Flex before 2.6.1 might allow context-dependent attackers to cause a denial of service or possibly execute arbitrary code via vectors involving num_to_read.",
+             "scorev2": "7.5",
+             "scorev3": "9.8",
+             "scorev4": "0.0",
+             "modified": "2024-11-21T02:55Z",
+             "vector": "NETWORK",
+             "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
+             "detail": "version-not-in-range"
+           },
+           {
+             "id": "CVE-2019-6293",
+             "status": "Ignored",
+             "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-6293",
+             "summary": "An issue was discovered in the function mark_beginning_as_normal in nfa.c in flex 2.6.4. There is a stack exhaustion problem caused by the mark_beginning_as_normal function making recursive calls to itself in certain scenarios involving lots of '*' characters. Remote attackers could leverage this vulnerability to cause a denial-of-service.",
+             "scorev2": "4.3",
+             "scorev3": "5.5",
+             "scorev4": "0.0",
+             "modified": "2024-11-21T04:46Z",
+             "vector": "NETWORK",
+             "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
+             "detail": "upstream-wontfix",
+             "description": "there is stack exhaustion but no bug and it is building the parser, not running it, effectively similar to a compiler ICE. Upstream no plans to address this."
+           }
+         ]
+       }
+     ]
+   }
 For images, a summary of all recipes included in the image and their CVEs is also
-generated in textual and JSON formats. These ``.cve`` and ``.json`` reports can be found
+generated in the JSON format. These ``.json`` reports can be found
 in the ``tmp/deploy/images`` directory for each compiled image.
 At build time CVE check will also throw warnings about ``Unpatched`` CVEs::
-   WARNING: flex-2.6.4-r0 do_cve_check: Found unpatched CVE (CVE-2019-6293), for more information check /poky/build/tmp/work/core2-64-poky-linux/flex/2.6.4-r0/temp/cve.log
+   WARNING: qemu-native-9.2.0-r0 do_cve_check: Found unpatched CVE (CVE-2023-1386)
-   WARNING: libarchive-3.5.1-r0 do_cve_check: Found unpatched CVE (CVE-2021-36976), for more information check /poky/build/tmp/work/core2-64-poky-linux/libarchive/3.5.1-r0/temp/cve.log
 It is also possible to check the CVE status of individual packages as follows::
@@ -111,10 +155,10 @@ upstream `NIST CVE database <https://nvd.nist.gov/>`__.
 The variable supports using vendor and product names like this::
-   CVE_PRODUCT = "flex_project:flex"
+   CVE_PRODUCT = "flex_project:flex westes:flex"
-In this example the vendor name used in the CVE database is ``flex_project`` and the
+In this example we have two possible vendors names,  ``flex_project`` and ``westes``,
-product is ``flex``. With this setting the ``flex`` recipe only maps to this specific
+with the product name ``flex``. With this setting the ``flex`` recipe only maps to this specific
 product and not products from other vendors with same name ``flex``.
 Similarly, when the recipe version :term:`PV` is not compatible with software versions used by

diff --git a/documentation/dev-manual/vulnerabilities.rst b/documentation/dev-manual/vulnerabilities.rst index 1bc2a85929..5331a63991 100644 --- a/documentation/dev-manual/vulnerabilities.rst +++ b/documentation/dev-manual/vulnerabilities.rst
@@ -22,7 +22,7 @@ issues may be impacting Poky and OE-Core. It is up to the maintainers, users,
22	contributors and anyone interested in the issues to investigate and possibly fix them by	22	contributors and anyone interested in the issues to investigate and possibly fix them by
23	updating software components to newer versions or by applying patches to address them.	23	updating software components to newer versions or by applying patches to address them.
24	It is recommended to work with Poky and OE-Core upstream maintainers and submit	24	It is recommended to work with Poky and OE-Core upstream maintainers and submit
25	patches to fix them, see ":doc:`../contributor-guide/submit-changes`" for details.	25	patches to fix them, see ":doc:`/contributor-guide/submit-changes`" for details.
26		26
27	Vulnerability check at build time	27	Vulnerability check at build time
28	=================================	28	=================================
@@ -57,42 +57,86 @@ applied and that the issue needs to be investigated. ``Ignored`` means that afte
57	analysis, it has been deemed to ignore the issue as it for example affects	57	analysis, it has been deemed to ignore the issue as it for example affects
58	the software component on a different operating system platform.	58	the software component on a different operating system platform.
59		59
		60	By default, no NVD API key is used to retrieve data from the CVE database, which
		61	results in larger delays between NVD API requests. See the :term:`NVDCVE_API_KEY`
		62	documentation on how to request and set a NVD API key.
		63
60	After a build with CVE check enabled, reports for each compiled source recipe will be	64	After a build with CVE check enabled, reports for each compiled source recipe will be
61	found in ``build/tmp/deploy/cve``.	65	found in ``build/tmp/deploy/cve``.
62		66
63	For example the CVE check report for the ``flex-native`` recipe looks like::	67	For example the CVE check report for the ``flex-native`` recipe looks like::
64		68
65	$ cat poky/build/tmp/deploy/cve/flex-native	69	$ cat ./tmp/deploy/cve/flex-native_cve.json
66	LAYER: meta	70	{
67	PACKAGE NAME: flex-native	71	"version": "1",
68	PACKAGE VERSION: 2.6.4	72	"package": [
69	CVE: CVE-2016-6354	73	{
70	CVE STATUS: Patched	74	"name": "flex-native",
71	CVE SUMMARY: Heap-based buffer overflow in the yy_get_next_buffer function in Flex before 2.6.1 might allow context-dependent attackers to cause a denial of service or possibly execute arbitrary code via vectors involving num_to_read.	75	"layer": "meta",
72	CVSS v2 BASE SCORE: 7.5	76	"version": "2.6.4",
73	CVSS v3 BASE SCORE: 9.8	77	"products": [
74	VECTOR: NETWORK	78	{
75	MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6354	79	"product": "flex",
76		80	"cvesInRecord": "No"
77	LAYER: meta	81	},
78	PACKAGE NAME: flex-native	82	{
79	PACKAGE VERSION: 2.6.4	83	"product": "flex",
80	CVE: CVE-2019-6293	84	"cvesInRecord": "Yes"
81	CVE STATUS: Ignored	85	}
82	CVE SUMMARY: An issue was discovered in the function mark_beginning_as_normal in nfa.c in flex 2.6.4. There is a stack exhaustion problem caused by the mark_beginning_as_normal function making recursive calls to itself in certain scenarios involving lots of '*' characters. Remote attackers could leverage this vulnerability to cause a denial-of-service.	86	],
83	CVSS v2 BASE SCORE: 4.3	87	"issue": [
84	CVSS v3 BASE SCORE: 5.5	88	{
85	VECTOR: NETWORK	89	"id": "CVE-2006-0459",
86	MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-6293	90	"status": "Patched",
		91	"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-0459",
		92	"summary": "flex.skl in Will Estes and John Millaway Fast Lexical Analyzer Generator (flex) before 2.5.33 does not allocate enough memory for grammars containing (1) REJECT statements or (2) trailing context rules, which causes flex to generate code that contains a buffer overflow that might allow context-dependent attackers to execute arbitrary code.",
		93	"scorev2": "7.5",
		94	"scorev3": "0.0",
		95	"scorev4": "0.0",
		96	"modified": "2024-11-21T00:06Z",
		97	"vector": "NETWORK",
		98	"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
		99	"detail": "version-not-in-range"
		100	},
		101	{
		102	"id": "CVE-2016-6354",
		103	"status": "Patched",
		104	"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6354",
		105	"summary": "Heap-based buffer overflow in the yy_get_next_buffer function in Flex before 2.6.1 might allow context-dependent attackers to cause a denial of service or possibly execute arbitrary code via vectors involving num_to_read.",
		106	"scorev2": "7.5",
		107	"scorev3": "9.8",
		108	"scorev4": "0.0",
		109	"modified": "2024-11-21T02:55Z",
		110	"vector": "NETWORK",
		111	"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
		112	"detail": "version-not-in-range"
		113	},
		114	{
		115	"id": "CVE-2019-6293",
		116	"status": "Ignored",
		117	"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-6293",
		118	"summary": "An issue was discovered in the function mark_beginning_as_normal in nfa.c in flex 2.6.4. There is a stack exhaustion problem caused by the mark_beginning_as_normal function making recursive calls to itself in certain scenarios involving lots of '*' characters. Remote attackers could leverage this vulnerability to cause a denial-of-service.",
		119	"scorev2": "4.3",
		120	"scorev3": "5.5",
		121	"scorev4": "0.0",
		122	"modified": "2024-11-21T04:46Z",
		123	"vector": "NETWORK",
		124	"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
		125	"detail": "upstream-wontfix",
		126	"description": "there is stack exhaustion but no bug and it is building the parser, not running it, effectively similar to a compiler ICE. Upstream no plans to address this."
		127	}
		128	]
		129	}
		130	]
		131	}
87		132
88	For images, a summary of all recipes included in the image and their CVEs is also	133	For images, a summary of all recipes included in the image and their CVEs is also
89	generated in textual and JSON formats. These ``.cve`` and ``.json`` reports can be found	134	generated in the JSON format. These ``.json`` reports can be found
90	in the ``tmp/deploy/images`` directory for each compiled image.	135	in the ``tmp/deploy/images`` directory for each compiled image.
91		136
92	At build time CVE check will also throw warnings about ``Unpatched`` CVEs::	137	At build time CVE check will also throw warnings about ``Unpatched`` CVEs::
93		138
94	WARNING: flex-2.6.4-r0 do_cve_check: Found unpatched CVE (CVE-2019-6293), for more information check /poky/build/tmp/work/core2-64-poky-linux/flex/2.6.4-r0/temp/cve.log	139	WARNING: qemu-native-9.2.0-r0 do_cve_check: Found unpatched CVE (CVE-2023-1386)
95	WARNING: libarchive-3.5.1-r0 do_cve_check: Found unpatched CVE (CVE-2021-36976), for more information check /poky/build/tmp/work/core2-64-poky-linux/libarchive/3.5.1-r0/temp/cve.log
96		140
97	It is also possible to check the CVE status of individual packages as follows::	141	It is also possible to check the CVE status of individual packages as follows::
98		142
@@ -111,10 +155,10 @@ upstream `NIST CVE database <https://nvd.nist.gov/>`__.
111		155
112	The variable supports using vendor and product names like this::	156	The variable supports using vendor and product names like this::
113		157
114	CVE_PRODUCT = "flex_project:flex"	158	CVE_PRODUCT = "flex_project:flex westes:flex"
115		159
116	In this example the vendor name used in the CVE database is ``flex_project`` and the	160	In this example we have two possible vendors names, ``flex_project`` and ``westes``,
117	product is ``flex``. With this setting the ``flex`` recipe only maps to this specific	161	with the product name ``flex``. With this setting the ``flex`` recipe only maps to this specific
118	product and not products from other vendors with same name ``flex``.	162	product and not products from other vendors with same name ``flex``.
119		163
120	Similarly, when the recipe version :term:`PV` is not compatible with software versions used by	164	Similarly, when the recipe version :term:`PV` is not compatible with software versions used by