1 files changed, 337 insertions, 0 deletions
diff --git a/documentation/dev-manual/vulnerabilities.rst b/documentation/dev-manual/vulnerabilities.rst
new file mode 100644
index 0000000000..5331a63991
--- /dev/null
+++ b/documentation/dev-manual/vulnerabilities.rst
@@ -0,0 +1,337 @@
+.. SPDX-License-Identifier: CC-BY-SA-2.0-UK
+Checking for Vulnerabilities
+****************************
+Vulnerabilities in Poky and OE-Core
+===================================
+The Yocto Project has an infrastructure to track and address unfixed
+known security vulnerabilities, as tracked by the public
+:wikipedia:`Common Vulnerabilities and Exposures (CVE) <Common_Vulnerabilities_and_Exposures>`
+database.
+The Yocto Project maintains a `list of known vulnerabilities
+<https://autobuilder.yocto.io/pub/non-release/patchmetrics/>`__
+for packages in Poky and OE-Core, tracking the evolution of the number of
+unpatched CVEs and the status of patches. Such information is available for
+the current development version and for each supported release.
+Security is a process, not a product, and thus at any time, a number of security
+issues may be impacting Poky and OE-Core. It is up to the maintainers, users,
+contributors and anyone interested in the issues to investigate and possibly fix them by
+updating software components to newer versions or by applying patches to address them.
+It is recommended to work with Poky and OE-Core upstream maintainers and submit
+patches to fix them, see ":doc:`/contributor-guide/submit-changes`" for details.
+Vulnerability check at build time
+=================================
+To enable a check for CVE security vulnerabilities using
+:ref:`ref-classes-cve-check` in the specific image or target you are building,
+add the following setting to your configuration::
+   INHERIT += "cve-check"
+The CVE database contains some old incomplete entries which have been
+deemed not to impact Poky or OE-Core. These CVE entries can be excluded from the
+check using build configuration::
+   include conf/distro/include/cve-extra-exclusions.inc
+With this CVE check enabled, BitBake build will try to map each compiled software component
+recipe name and version information to the CVE database and generate recipe and
+image specific reports. These reports will contain:
+-  metadata about the software component like names and versions
+-  metadata about the CVE issue such as description and NVD link
+-  for each software component, a list of CVEs which are possibly impacting this version
+-  status of each CVE: ``Patched``, ``Unpatched`` or ``Ignored``
+The status ``Patched`` means that a patch file to address the security issue has been
+applied. ``Unpatched`` status means that no patches to address the issue have been
+applied and that the issue needs to be investigated. ``Ignored`` means that after
+analysis, it has been deemed to ignore the issue as it for example affects
+the software component on a different operating system platform.
+By default, no NVD API key is used to retrieve data from the CVE database, which
+results in larger delays between NVD API requests. See the :term:`NVDCVE_API_KEY`
+documentation on how to request and set a NVD API key.
+After a build with CVE check enabled, reports for each compiled source recipe will be
+found in ``build/tmp/deploy/cve``.
+For example the CVE check report for the ``flex-native`` recipe looks like::
+   $ cat ./tmp/deploy/cve/flex-native_cve.json
+   {
+     "version": "1",
+     "package": [
+       {
+         "name": "flex-native",
+         "layer": "meta",
+         "version": "2.6.4",
+         "products": [
+           {
+             "product": "flex",
+             "cvesInRecord": "No"
+           },
+           {
+             "product": "flex",
+             "cvesInRecord": "Yes"
+           }
+         ],
+         "issue": [
+           {
+             "id": "CVE-2006-0459",
+             "status": "Patched",
+             "link": "https://nvd.nist.gov/vuln/detail/CVE-2006-0459",
+             "summary": "flex.skl in Will Estes and John Millaway Fast Lexical Analyzer Generator (flex) before 2.5.33 does not allocate enough memory for grammars containing (1) REJECT statements or (2) trailing context rules, which causes flex to generate code that contains a buffer overflow that might allow context-dependent attackers to execute arbitrary code.",
+             "scorev2": "7.5",
+             "scorev3": "0.0",
+             "scorev4": "0.0",
+             "modified": "2024-11-21T00:06Z",
+             "vector": "NETWORK",
+             "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
+             "detail": "version-not-in-range"
+           },
+           {
+             "id": "CVE-2016-6354",
+             "status": "Patched",
+             "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6354",
+             "summary": "Heap-based buffer overflow in the yy_get_next_buffer function in Flex before 2.6.1 might allow context-dependent attackers to cause a denial of service or possibly execute arbitrary code via vectors involving num_to_read.",
+             "scorev2": "7.5",
+             "scorev3": "9.8",
+             "scorev4": "0.0",
+             "modified": "2024-11-21T02:55Z",
+             "vector": "NETWORK",
+             "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
+             "detail": "version-not-in-range"
+           },
+           {
+             "id": "CVE-2019-6293",
+             "status": "Ignored",
+             "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-6293",
+             "summary": "An issue was discovered in the function mark_beginning_as_normal in nfa.c in flex 2.6.4. There is a stack exhaustion problem caused by the mark_beginning_as_normal function making recursive calls to itself in certain scenarios involving lots of '*' characters. Remote attackers could leverage this vulnerability to cause a denial-of-service.",
+             "scorev2": "4.3",
+             "scorev3": "5.5",
+             "scorev4": "0.0",
+             "modified": "2024-11-21T04:46Z",
+             "vector": "NETWORK",
+             "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
+             "detail": "upstream-wontfix",
+             "description": "there is stack exhaustion but no bug and it is building the parser, not running it, effectively similar to a compiler ICE. Upstream no plans to address this."
+           }
+         ]
+       }
+     ]
+   }
+For images, a summary of all recipes included in the image and their CVEs is also
+generated in the JSON format. These ``.json`` reports can be found
+in the ``tmp/deploy/images`` directory for each compiled image.
+At build time CVE check will also throw warnings about ``Unpatched`` CVEs::
+   WARNING: qemu-native-9.2.0-r0 do_cve_check: Found unpatched CVE (CVE-2023-1386)
+It is also possible to check the CVE status of individual packages as follows::
+   bitbake -c cve_check flex libarchive
+Fixing CVE product name and version mappings
+============================================
+By default, :ref:`ref-classes-cve-check` uses the recipe name :term:`BPN` as CVE
+product name when querying the CVE database. If this mapping contains false positives, e.g.
+some reported CVEs are not for the software component in question, or false negatives like
+some CVEs are not found to impact the recipe when they should, then the problems can be
+in the recipe name to CVE product mapping. These mapping issues can be fixed by setting
+the :term:`CVE_PRODUCT` variable inside the recipe. This defines the name of the software component in the
+upstream `NIST CVE database <https://nvd.nist.gov/>`__.
+The variable supports using vendor and product names like this::
+   CVE_PRODUCT = "flex_project:flex westes:flex"
+In this example we have two possible vendors names,  ``flex_project`` and ``westes``,
+with the product name ``flex``. With this setting the ``flex`` recipe only maps to this specific
+product and not products from other vendors with same name ``flex``.
+Similarly, when the recipe version :term:`PV` is not compatible with software versions used by
+the upstream software component releases and the CVE database, these can be fixed using
+the :term:`CVE_VERSION` variable.
+Note that if the CVE entries in the NVD database contain bugs or have missing or incomplete
+information, it is recommended to fix the information there directly instead of working
+around the issues possibly for a long time in Poky and OE-Core side recipes. Feedback to
+NVD about CVE entries can be provided through the `NVD contact form <https://nvd.nist.gov/info/contact-form>`__.
+Fixing vulnerabilities in recipes
+=================================
+Suppose a CVE security issue impacts a software component. In that case, it can
+be fixed by updating to a newer version, by applying a patch, or by marking it
+as patched via :term:`CVE_STATUS` variable flag. For Poky and OE-Core master
+branches, updating to a more recent software component release with fixes is
+the best option, but patches can be applied if releases are not yet available.
+For stable branches, we want to avoid API (Application Programming Interface)
+or ABI (Application Binary Interface) breakages. When submitting an update,
+a minor version update of a component is preferred if the version is
+backward-compatible. Many software components have backward-compatible stable
+versions, with a notable example of the Linux kernel. However, if the new
+version does or likely might introduce incompatibilities, extracting and
+backporting patches is preferred.
+Here is an example of fixing CVE security issues with patch files,
+an example from the :oe_layerindex:`ffmpeg recipe for dunfell </layerindex/recipe/122174>`::
+   SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \
+              file://mips64_cpu_detection.patch \
+              file://CVE-2020-12284.patch \
+              file://0001-libavutil-include-assembly-with-full-path-from-sourc.patch \
+              file://CVE-2021-3566.patch \
+              file://CVE-2021-38291.patch \
+              file://CVE-2022-1475.patch \
+              file://CVE-2022-3109.patch \
+              file://CVE-2022-3341.patch \
+              file://CVE-2022-48434.patch \
+          "
+The recipe has both generic and security-related fixes. The CVE patch files are named
+according to the CVE they fix.
+When preparing the patch file, take the original patch from the upstream repository.
+Do not use patches from different distributions, except if it is the only available source.
+Modify the patch adding OE-related metadata. We will follow the example of the
+``CVE-2022-3341.patch``.
+The original `commit message <https://github.com/FFmpeg/FFmpeg/commit/9cf652cef49d74afe3d454f27d49eb1a1394951e.patch/>`__
+is::
+   From 9cf652cef49d74afe3d454f27d49eb1a1394951e Mon Sep 17 00:00:00 2001
+   From: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+   Date: Wed, 23 Feb 2022 10:31:59 +0800
+   Subject: [PATCH] avformat/nutdec: Add check for avformat_new_stream
+   Check for failure of avformat_new_stream() and propagate
+   the error code.
+   Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
+   ---
+    libavformat/nutdec.c | 16 ++++++++++++----
+    1 file changed, 12 insertions(+), 4 deletions(-)
+For the correct operations of the ``cve-check``, it requires the CVE
+identification in a ``CVE:`` tag of the patch file commit message using
+the format::
+   CVE: CVE-2022-3341
+It is also recommended to add the ``Upstream-Status:`` tag with a link
+to the original patch and sign-off by people working on the backport.
+If there are any modifications to the original patch, note them in
+the ``Comments:`` tag.
+With the additional information, the header of the patch file in OE-core becomes::
+   From 9cf652cef49d74afe3d454f27d49eb1a1394951e Mon Sep 17 00:00:00 2001
+   From: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+   Date: Wed, 23 Feb 2022 10:31:59 +0800
+   Subject: [PATCH] avformat/nutdec: Add check for avformat_new_stream
+   Check for failure of avformat_new_stream() and propagate
+   the error code.
+   Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
+   CVE: CVE-2022-3341
+   Upstream-Status: Backport [https://github.com/FFmpeg/FFmpeg/commit/9cf652cef49d74afe3d454f27d49eb1a1394951e]
+   Comments: Refreshed Hunk
+   Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
+   Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
+   ---
+    libavformat/nutdec.c | 16 ++++++++++++----
+    1 file changed, 12 insertions(+), 4 deletions(-)
+A good practice is to include the CVE identifier in the patch file name, the patch file
+commit message and optionally in the recipe commit message.
+CVE checker will then capture this information and change the CVE status to ``Patched``
+in the generated reports.
+If analysis shows that the CVE issue does not impact the recipe due to configuration, platform,
+version or other reasons, the CVE can be marked as ``Ignored`` by using
+the :term:`CVE_STATUS` variable flag with appropriate reason which is mapped to ``Ignored``.
+The entry should have the format like::
+   CVE_STATUS[CVE-2016-10642] = "cpe-incorrect: This is specific to the npm package that installs cmake, so isn't relevant to OpenEmbedded"
+As mentioned previously, if data in the CVE database is wrong, it is recommended
+to fix those issues in the CVE database (NVD in the case of OE-core and Poky)
+directly.
+Note that if there are many CVEs with the same status and reason, those can be
+shared by using the :term:`CVE_STATUS_GROUPS` variable.
+Recipes can be completely skipped by CVE check by including the recipe name in
+the :term:`CVE_CHECK_SKIP_RECIPE` variable.
+Implementation details
+======================
+Here's what the :ref:`ref-classes-cve-check` class does to find unpatched CVE IDs.
+First the code goes through each patch file provided by a recipe. If a valid CVE ID
+is found in the name of the file, the corresponding CVE is considered as patched.
+Don't forget that if multiple CVE IDs are found in the filename, only the last
+one is considered. Then, the code looks for ``CVE: CVE-ID`` lines in the patch
+file. The found CVE IDs are also considered as patched.
+Additionally ``CVE_STATUS`` variable flags are parsed for reasons mapped to ``Patched``
+and these are also considered as patched.
+Then, the code looks up all the CVE IDs in the NIST database for all the
+products defined in :term:`CVE_PRODUCT`. Then, for each found CVE:
+-  If the package name (:term:`PN`) is part of
+   :term:`CVE_CHECK_SKIP_RECIPE`, it is considered as ``Patched``.
+-  If the CVE ID has status ``CVE_STATUS[<CVE ID>] = "ignored"`` or if it's set to
+   any reason which is mapped to status ``Ignored`` via ``CVE_CHECK_STATUSMAP``,
+   it is  set as ``Ignored``.
+-  If the CVE ID is part of the patched CVE for the recipe, it is
+   already considered as ``Patched``.
+-  Otherwise, the code checks whether the recipe version (:term:`PV`)
+   is within the range of versions impacted by the CVE. If so, the CVE
+   is considered as ``Unpatched``.
+The CVE database is stored in :term:`DL_DIR` and can be inspected using
+``sqlite3`` command as follows::
+   sqlite3 downloads/CVE_CHECK/nvdcve_1.1.db .dump | grep CVE-2021-37462
+When analyzing CVEs, it is recommended to:
+-  study the latest information in `CVE database <https://nvd.nist.gov/vuln/search>`__.
+-  check how upstream developers of the software component addressed the issue, e.g.
+   what patch was applied, which upstream release contains the fix.
+-  check what other Linux distributions like `Debian <https://security-tracker.debian.org/tracker/>`__
+   did to analyze and address the issue.
+-  follow security notices from other Linux distributions.
+-  follow public `open source security mailing lists <https://oss-security.openwall.org/wiki/mailing-lists>`__ for
+   discussions and advance notifications of CVE bugs and software releases with fixes.

diff --git a/documentation/dev-manual/vulnerabilities.rst b/documentation/dev-manual/vulnerabilities.rst new file mode 100644 index 0000000000..5331a63991 --- /dev/null +++ b/documentation/dev-manual/vulnerabilities.rst
@@ -0,0 +1,337 @@
	1	.. SPDX-License-Identifier: CC-BY-SA-2.0-UK
	2
	3	Checking for Vulnerabilities
	4	****************************
	5
	6	Vulnerabilities in Poky and OE-Core
	7	===================================
	8
	9	The Yocto Project has an infrastructure to track and address unfixed
	10	known security vulnerabilities, as tracked by the public
	11	:wikipedia:`Common Vulnerabilities and Exposures (CVE) <Common_Vulnerabilities_and_Exposures>`
	12	database.
	13
	14	The Yocto Project maintains a `list of known vulnerabilities
	15	<https://autobuilder.yocto.io/pub/non-release/patchmetrics/>`__
	16	for packages in Poky and OE-Core, tracking the evolution of the number of
	17	unpatched CVEs and the status of patches. Such information is available for
	18	the current development version and for each supported release.
	19
	20	Security is a process, not a product, and thus at any time, a number of security
	21	issues may be impacting Poky and OE-Core. It is up to the maintainers, users,
	22	contributors and anyone interested in the issues to investigate and possibly fix them by
	23	updating software components to newer versions or by applying patches to address them.
	24	It is recommended to work with Poky and OE-Core upstream maintainers and submit
	25	patches to fix them, see ":doc:`/contributor-guide/submit-changes`" for details.
	26
	27	Vulnerability check at build time
	28	=================================
	29
	30	To enable a check for CVE security vulnerabilities using
	31	:ref:`ref-classes-cve-check` in the specific image or target you are building,
	32	add the following setting to your configuration::
	33
	34	INHERIT += "cve-check"
	35
	36	The CVE database contains some old incomplete entries which have been
	37	deemed not to impact Poky or OE-Core. These CVE entries can be excluded from the
	38	check using build configuration::
	39
	40	include conf/distro/include/cve-extra-exclusions.inc
	41
	42	With this CVE check enabled, BitBake build will try to map each compiled software component
	43	recipe name and version information to the CVE database and generate recipe and
	44	image specific reports. These reports will contain:
	45
	46	- metadata about the software component like names and versions
	47
	48	- metadata about the CVE issue such as description and NVD link
	49
	50	- for each software component, a list of CVEs which are possibly impacting this version
	51
	52	- status of each CVE: ``Patched``, ``Unpatched`` or ``Ignored``
	53
	54	The status ``Patched`` means that a patch file to address the security issue has been
	55	applied. ``Unpatched`` status means that no patches to address the issue have been
	56	applied and that the issue needs to be investigated. ``Ignored`` means that after
	57	analysis, it has been deemed to ignore the issue as it for example affects
	58	the software component on a different operating system platform.
	59
	60	By default, no NVD API key is used to retrieve data from the CVE database, which
	61	results in larger delays between NVD API requests. See the :term:`NVDCVE_API_KEY`
	62	documentation on how to request and set a NVD API key.
	63
	64	After a build with CVE check enabled, reports for each compiled source recipe will be
	65	found in ``build/tmp/deploy/cve``.
	66
	67	For example the CVE check report for the ``flex-native`` recipe looks like::
	68
	69	$ cat ./tmp/deploy/cve/flex-native_cve.json
	70	{
	71	"version": "1",
	72	"package": [
	73	{
	74	"name": "flex-native",
	75	"layer": "meta",
	76	"version": "2.6.4",
	77	"products": [
	78	{
	79	"product": "flex",
	80	"cvesInRecord": "No"
	81	},
	82	{
	83	"product": "flex",
	84	"cvesInRecord": "Yes"
	85	}
	86	],
	87	"issue": [
	88	{
	89	"id": "CVE-2006-0459",
	90	"status": "Patched",
	91	"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-0459",
	92	"summary": "flex.skl in Will Estes and John Millaway Fast Lexical Analyzer Generator (flex) before 2.5.33 does not allocate enough memory for grammars containing (1) REJECT statements or (2) trailing context rules, which causes flex to generate code that contains a buffer overflow that might allow context-dependent attackers to execute arbitrary code.",
	93	"scorev2": "7.5",
	94	"scorev3": "0.0",
	95	"scorev4": "0.0",
	96	"modified": "2024-11-21T00:06Z",
	97	"vector": "NETWORK",
	98	"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
	99	"detail": "version-not-in-range"
	100	},
	101	{
	102	"id": "CVE-2016-6354",
	103	"status": "Patched",
	104	"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6354",
	105	"summary": "Heap-based buffer overflow in the yy_get_next_buffer function in Flex before 2.6.1 might allow context-dependent attackers to cause a denial of service or possibly execute arbitrary code via vectors involving num_to_read.",
	106	"scorev2": "7.5",
	107	"scorev3": "9.8",
	108	"scorev4": "0.0",
	109	"modified": "2024-11-21T02:55Z",
	110	"vector": "NETWORK",
	111	"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
	112	"detail": "version-not-in-range"
	113	},
	114	{
	115	"id": "CVE-2019-6293",
	116	"status": "Ignored",
	117	"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-6293",
	118	"summary": "An issue was discovered in the function mark_beginning_as_normal in nfa.c in flex 2.6.4. There is a stack exhaustion problem caused by the mark_beginning_as_normal function making recursive calls to itself in certain scenarios involving lots of '*' characters. Remote attackers could leverage this vulnerability to cause a denial-of-service.",
	119	"scorev2": "4.3",
	120	"scorev3": "5.5",
	121	"scorev4": "0.0",
	122	"modified": "2024-11-21T04:46Z",
	123	"vector": "NETWORK",
	124	"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
	125	"detail": "upstream-wontfix",
	126	"description": "there is stack exhaustion but no bug and it is building the parser, not running it, effectively similar to a compiler ICE. Upstream no plans to address this."
	127	}
	128	]
	129	}
	130	]
	131	}
	132
	133	For images, a summary of all recipes included in the image and their CVEs is also
	134	generated in the JSON format. These ``.json`` reports can be found
	135	in the ``tmp/deploy/images`` directory for each compiled image.
	136
	137	At build time CVE check will also throw warnings about ``Unpatched`` CVEs::
	138
	139	WARNING: qemu-native-9.2.0-r0 do_cve_check: Found unpatched CVE (CVE-2023-1386)
	140
	141	It is also possible to check the CVE status of individual packages as follows::
	142
	143	bitbake -c cve_check flex libarchive
	144
	145	Fixing CVE product name and version mappings
	146	============================================
	147
	148	By default, :ref:`ref-classes-cve-check` uses the recipe name :term:`BPN` as CVE
	149	product name when querying the CVE database. If this mapping contains false positives, e.g.
	150	some reported CVEs are not for the software component in question, or false negatives like
	151	some CVEs are not found to impact the recipe when they should, then the problems can be
	152	in the recipe name to CVE product mapping. These mapping issues can be fixed by setting
	153	the :term:`CVE_PRODUCT` variable inside the recipe. This defines the name of the software component in the
	154	upstream `NIST CVE database <https://nvd.nist.gov/>`__.
	155
	156	The variable supports using vendor and product names like this::
	157
	158	CVE_PRODUCT = "flex_project:flex westes:flex"
	159
	160	In this example we have two possible vendors names, ``flex_project`` and ``westes``,
	161	with the product name ``flex``. With this setting the ``flex`` recipe only maps to this specific
	162	product and not products from other vendors with same name ``flex``.
	163
	164	Similarly, when the recipe version :term:`PV` is not compatible with software versions used by
	165	the upstream software component releases and the CVE database, these can be fixed using
	166	the :term:`CVE_VERSION` variable.
	167
	168	Note that if the CVE entries in the NVD database contain bugs or have missing or incomplete
	169	information, it is recommended to fix the information there directly instead of working
	170	around the issues possibly for a long time in Poky and OE-Core side recipes. Feedback to
	171	NVD about CVE entries can be provided through the `NVD contact form <https://nvd.nist.gov/info/contact-form>`__.
	172
	173	Fixing vulnerabilities in recipes
	174	=================================
	175
	176	Suppose a CVE security issue impacts a software component. In that case, it can
	177	be fixed by updating to a newer version, by applying a patch, or by marking it
	178	as patched via :term:`CVE_STATUS` variable flag. For Poky and OE-Core master
	179	branches, updating to a more recent software component release with fixes is
	180	the best option, but patches can be applied if releases are not yet available.
	181
	182	For stable branches, we want to avoid API (Application Programming Interface)
	183	or ABI (Application Binary Interface) breakages. When submitting an update,
	184	a minor version update of a component is preferred if the version is
	185	backward-compatible. Many software components have backward-compatible stable
	186	versions, with a notable example of the Linux kernel. However, if the new
	187	version does or likely might introduce incompatibilities, extracting and
	188	backporting patches is preferred.
	189
	190	Here is an example of fixing CVE security issues with patch files,
	191	an example from the :oe_layerindex:`ffmpeg recipe for dunfell </layerindex/recipe/122174>`::
	192
	193	SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \
	194	file://mips64_cpu_detection.patch \
	195	file://CVE-2020-12284.patch \
	196	file://0001-libavutil-include-assembly-with-full-path-from-sourc.patch \
	197	file://CVE-2021-3566.patch \
	198	file://CVE-2021-38291.patch \
	199	file://CVE-2022-1475.patch \
	200	file://CVE-2022-3109.patch \
	201	file://CVE-2022-3341.patch \
	202	file://CVE-2022-48434.patch \
	203	"
	204
	205	The recipe has both generic and security-related fixes. The CVE patch files are named
	206	according to the CVE they fix.
	207
	208	When preparing the patch file, take the original patch from the upstream repository.
	209	Do not use patches from different distributions, except if it is the only available source.
	210
	211	Modify the patch adding OE-related metadata. We will follow the example of the
	212	``CVE-2022-3341.patch``.
	213
	214	The original `commit message <https://github.com/FFmpeg/FFmpeg/commit/9cf652cef49d74afe3d454f27d49eb1a1394951e.patch/>`__
	215	is::
	216
	217	From 9cf652cef49d74afe3d454f27d49eb1a1394951e Mon Sep 17 00:00:00 2001
	218	From: Jiasheng Jiang <jiasheng@iscas.ac.cn>
	219	Date: Wed, 23 Feb 2022 10:31:59 +0800
	220	Subject: [PATCH] avformat/nutdec: Add check for avformat_new_stream
	221
	222	Check for failure of avformat_new_stream() and propagate
	223	the error code.
	224
	225	Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
	226	---
	227	libavformat/nutdec.c \| 16 ++++++++++++----
	228	1 file changed, 12 insertions(+), 4 deletions(-)
	229
	230
	231	For the correct operations of the ``cve-check``, it requires the CVE
	232	identification in a ``CVE:`` tag of the patch file commit message using
	233	the format::
	234
	235	CVE: CVE-2022-3341
	236
	237	It is also recommended to add the ``Upstream-Status:`` tag with a link
	238	to the original patch and sign-off by people working on the backport.
	239	If there are any modifications to the original patch, note them in
	240	the ``Comments:`` tag.
	241
	242	With the additional information, the header of the patch file in OE-core becomes::
	243
	244	From 9cf652cef49d74afe3d454f27d49eb1a1394951e Mon Sep 17 00:00:00 2001
	245	From: Jiasheng Jiang <jiasheng@iscas.ac.cn>
	246	Date: Wed, 23 Feb 2022 10:31:59 +0800
	247	Subject: [PATCH] avformat/nutdec: Add check for avformat_new_stream
	248
	249	Check for failure of avformat_new_stream() and propagate
	250	the error code.
	251
	252	Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
	253
	254	CVE: CVE-2022-3341
	255
	256	Upstream-Status: Backport [https://github.com/FFmpeg/FFmpeg/commit/9cf652cef49d74afe3d454f27d49eb1a1394951e]
	257
	258	Comments: Refreshed Hunk
	259	Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
	260	Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
	261	---
	262	libavformat/nutdec.c \| 16 ++++++++++++----
	263	1 file changed, 12 insertions(+), 4 deletions(-)
	264
	265	A good practice is to include the CVE identifier in the patch file name, the patch file
	266	commit message and optionally in the recipe commit message.
	267
	268	CVE checker will then capture this information and change the CVE status to ``Patched``
	269	in the generated reports.
	270
	271	If analysis shows that the CVE issue does not impact the recipe due to configuration, platform,
	272	version or other reasons, the CVE can be marked as ``Ignored`` by using
	273	the :term:`CVE_STATUS` variable flag with appropriate reason which is mapped to ``Ignored``.
	274	The entry should have the format like::
	275
	276	CVE_STATUS[CVE-2016-10642] = "cpe-incorrect: This is specific to the npm package that installs cmake, so isn't relevant to OpenEmbedded"
	277
	278	As mentioned previously, if data in the CVE database is wrong, it is recommended
	279	to fix those issues in the CVE database (NVD in the case of OE-core and Poky)
	280	directly.
	281
	282	Note that if there are many CVEs with the same status and reason, those can be
	283	shared by using the :term:`CVE_STATUS_GROUPS` variable.
	284
	285	Recipes can be completely skipped by CVE check by including the recipe name in
	286	the :term:`CVE_CHECK_SKIP_RECIPE` variable.
	287
	288	Implementation details
	289	======================
	290
	291	Here's what the :ref:`ref-classes-cve-check` class does to find unpatched CVE IDs.
	292
	293	First the code goes through each patch file provided by a recipe. If a valid CVE ID
	294	is found in the name of the file, the corresponding CVE is considered as patched.
	295	Don't forget that if multiple CVE IDs are found in the filename, only the last
	296	one is considered. Then, the code looks for ``CVE: CVE-ID`` lines in the patch
	297	file. The found CVE IDs are also considered as patched.
	298	Additionally ``CVE_STATUS`` variable flags are parsed for reasons mapped to ``Patched``
	299	and these are also considered as patched.
	300
	301	Then, the code looks up all the CVE IDs in the NIST database for all the
	302	products defined in :term:`CVE_PRODUCT`. Then, for each found CVE:
	303
	304	- If the package name (:term:`PN`) is part of
	305	:term:`CVE_CHECK_SKIP_RECIPE`, it is considered as ``Patched``.
	306
	307	- If the CVE ID has status ``CVE_STATUS[<CVE ID>] = "ignored"`` or if it's set to
	308	any reason which is mapped to status ``Ignored`` via ``CVE_CHECK_STATUSMAP``,
	309	it is set as ``Ignored``.
	310
	311	- If the CVE ID is part of the patched CVE for the recipe, it is
	312	already considered as ``Patched``.
	313
	314	- Otherwise, the code checks whether the recipe version (:term:`PV`)
	315	is within the range of versions impacted by the CVE. If so, the CVE
	316	is considered as ``Unpatched``.
	317
	318	The CVE database is stored in :term:`DL_DIR` and can be inspected using
	319	``sqlite3`` command as follows::
	320
	321	sqlite3 downloads/CVE_CHECK/nvdcve_1.1.db .dump \| grep CVE-2021-37462
	322
	323	When analyzing CVEs, it is recommended to:
	324
	325	- study the latest information in `CVE database <https://nvd.nist.gov/vuln/search>`__.
	326
	327	- check how upstream developers of the software component addressed the issue, e.g.
	328	what patch was applied, which upstream release contains the fix.
	329
	330	- check what other Linux distributions like `Debian <https://security-tracker.debian.org/tracker/>`__
	331	did to analyze and address the issue.
	332
	333	- follow security notices from other Linux distributions.
	334
	335	- follow public `open source security mailing lists <https://oss-security.openwall.org/wiki/mailing-lists>`__ for
	336	discussions and advance notifications of CVE bugs and software releases with fixes.
	337