diff options
Diffstat (limited to 'documentation/dev-manual/vulnerabilities.rst')
-rw-r--r-- | documentation/dev-manual/vulnerabilities.rst | 13 |
1 files changed, 9 insertions, 4 deletions
diff --git a/documentation/dev-manual/vulnerabilities.rst b/documentation/dev-manual/vulnerabilities.rst index 0ee3ec52c5..6d87d02ecb 100644 --- a/documentation/dev-manual/vulnerabilities.rst +++ b/documentation/dev-manual/vulnerabilities.rst | |||
@@ -130,7 +130,8 @@ Fixing vulnerabilities in recipes | |||
130 | ================================= | 130 | ================================= |
131 | 131 | ||
132 | If a CVE security issue impacts a software component, it can be fixed by updating to a newer | 132 | If a CVE security issue impacts a software component, it can be fixed by updating to a newer |
133 | version of the software component or by applying a patch. For Poky and OE-Core master branches, updating | 133 | version of the software component, by applying a patch or by marking it as patched via |
134 | :term:`CVE_STATUS` variable flag. For Poky and OE-Core master branches, updating | ||
134 | to a newer software component release with fixes is the best option, but patches can be applied | 135 | to a newer software component release with fixes is the best option, but patches can be applied |
135 | if releases are not yet available. | 136 | if releases are not yet available. |
136 | 137 | ||
@@ -158,7 +159,8 @@ CVE checker will then capture this information and change the CVE status to ``Pa | |||
158 | in the generated reports. | 159 | in the generated reports. |
159 | 160 | ||
160 | If analysis shows that the CVE issue does not impact the recipe due to configuration, platform, | 161 | If analysis shows that the CVE issue does not impact the recipe due to configuration, platform, |
161 | version or other reasons, the CVE can be marked as ``Ignored`` using the :term:`CVE_CHECK_IGNORE` variable. | 162 | version or other reasons, the CVE can be marked as ``Ignored`` by using |
163 | the :term:`CVE_STATUS` variable flag with appropriate reason which is mapped to ``Ignored``. | ||
162 | As mentioned previously, if data in the CVE database is wrong, it is recommend to fix those | 164 | As mentioned previously, if data in the CVE database is wrong, it is recommend to fix those |
163 | issues in the CVE database directly. | 165 | issues in the CVE database directly. |
164 | 166 | ||
@@ -175,6 +177,8 @@ is found in the name of the file, the corresponding CVE is considered as patched | |||
175 | Don't forget that if multiple CVE IDs are found in the filename, only the last | 177 | Don't forget that if multiple CVE IDs are found in the filename, only the last |
176 | one is considered. Then, the code looks for ``CVE: CVE-ID`` lines in the patch | 178 | one is considered. Then, the code looks for ``CVE: CVE-ID`` lines in the patch |
177 | file. The found CVE IDs are also considered as patched. | 179 | file. The found CVE IDs are also considered as patched. |
180 | Additionally ``CVE_STATUS`` variable flags are parsed for reasons mapped to ``Patched`` | ||
181 | and these are also considered as patched. | ||
178 | 182 | ||
179 | Then, the code looks up all the CVE IDs in the NIST database for all the | 183 | Then, the code looks up all the CVE IDs in the NIST database for all the |
180 | products defined in :term:`CVE_PRODUCT`. Then, for each found CVE: | 184 | products defined in :term:`CVE_PRODUCT`. Then, for each found CVE: |
@@ -182,8 +186,9 @@ products defined in :term:`CVE_PRODUCT`. Then, for each found CVE: | |||
182 | - If the package name (:term:`PN`) is part of | 186 | - If the package name (:term:`PN`) is part of |
183 | :term:`CVE_CHECK_SKIP_RECIPE`, it is considered as ``Patched``. | 187 | :term:`CVE_CHECK_SKIP_RECIPE`, it is considered as ``Patched``. |
184 | 188 | ||
185 | - If the CVE ID is part of :term:`CVE_CHECK_IGNORE`, it is | 189 | - If the CVE ID has status ``CVE_STATUS[<CVE ID>] = "ignored"`` or if it's set to |
186 | set as ``Ignored``. | 190 | any reason which is mapped to status ``Ignored`` via ``CVE_CHECK_STATUSMAP``, |
191 | it is set as ``Ignored``. | ||
187 | 192 | ||
188 | - If the CVE ID is part of the patched CVE for the recipe, it is | 193 | - If the CVE ID is part of the patched CVE for the recipe, it is |
189 | already considered as ``Patched``. | 194 | already considered as ``Patched``. |