diff options
Diffstat (limited to 'documentation')
-rw-r--r-- | documentation/dev-manual/new-recipe.rst | 3 | ||||
-rw-r--r-- | documentation/dev-manual/vulnerabilities.rst | 13 | ||||
-rw-r--r-- | documentation/ref-manual/classes.rst | 6 | ||||
-rw-r--r-- | documentation/ref-manual/variables.rst | 34 |
4 files changed, 42 insertions, 14 deletions
diff --git a/documentation/dev-manual/new-recipe.rst b/documentation/dev-manual/new-recipe.rst index 1be04a7657..af390773a9 100644 --- a/documentation/dev-manual/new-recipe.rst +++ b/documentation/dev-manual/new-recipe.rst | |||
@@ -1253,8 +1253,7 @@ In the following example, ``lz4`` is a makefile-based package:: | |||
1253 | 1253 | ||
1254 | S = "${WORKDIR}/git" | 1254 | S = "${WORKDIR}/git" |
1255 | 1255 | ||
1256 | # Fixed in r118, which is larger than the current version. | 1256 | CVE_STATUS[CVE-2014-4715] = "fixed-version: Fixed in r118, which is larger than the current version" |
1257 | CVE_CHECK_IGNORE += "CVE-2014-4715" | ||
1258 | 1257 | ||
1259 | EXTRA_OEMAKE = "PREFIX=${prefix} CC='${CC}' CFLAGS='${CFLAGS}' DESTDIR=${D} LIBDIR=${libdir} INCLUDEDIR=${includedir} BUILD_STATIC=no" | 1258 | EXTRA_OEMAKE = "PREFIX=${prefix} CC='${CC}' CFLAGS='${CFLAGS}' DESTDIR=${D} LIBDIR=${libdir} INCLUDEDIR=${includedir} BUILD_STATIC=no" |
1260 | 1259 | ||
diff --git a/documentation/dev-manual/vulnerabilities.rst b/documentation/dev-manual/vulnerabilities.rst index 0ee3ec52c5..6d87d02ecb 100644 --- a/documentation/dev-manual/vulnerabilities.rst +++ b/documentation/dev-manual/vulnerabilities.rst | |||
@@ -130,7 +130,8 @@ Fixing vulnerabilities in recipes | |||
130 | ================================= | 130 | ================================= |
131 | 131 | ||
132 | If a CVE security issue impacts a software component, it can be fixed by updating to a newer | 132 | If a CVE security issue impacts a software component, it can be fixed by updating to a newer |
133 | version of the software component or by applying a patch. For Poky and OE-Core master branches, updating | 133 | version of the software component, by applying a patch or by marking it as patched via |
134 | :term:`CVE_STATUS` variable flag. For Poky and OE-Core master branches, updating | ||
134 | to a newer software component release with fixes is the best option, but patches can be applied | 135 | to a newer software component release with fixes is the best option, but patches can be applied |
135 | if releases are not yet available. | 136 | if releases are not yet available. |
136 | 137 | ||
@@ -158,7 +159,8 @@ CVE checker will then capture this information and change the CVE status to ``Pa | |||
158 | in the generated reports. | 159 | in the generated reports. |
159 | 160 | ||
160 | If analysis shows that the CVE issue does not impact the recipe due to configuration, platform, | 161 | If analysis shows that the CVE issue does not impact the recipe due to configuration, platform, |
161 | version or other reasons, the CVE can be marked as ``Ignored`` using the :term:`CVE_CHECK_IGNORE` variable. | 162 | version or other reasons, the CVE can be marked as ``Ignored`` by using |
163 | the :term:`CVE_STATUS` variable flag with appropriate reason which is mapped to ``Ignored``. | ||
162 | As mentioned previously, if data in the CVE database is wrong, it is recommend to fix those | 164 | As mentioned previously, if data in the CVE database is wrong, it is recommend to fix those |
163 | issues in the CVE database directly. | 165 | issues in the CVE database directly. |
164 | 166 | ||
@@ -175,6 +177,8 @@ is found in the name of the file, the corresponding CVE is considered as patched | |||
175 | Don't forget that if multiple CVE IDs are found in the filename, only the last | 177 | Don't forget that if multiple CVE IDs are found in the filename, only the last |
176 | one is considered. Then, the code looks for ``CVE: CVE-ID`` lines in the patch | 178 | one is considered. Then, the code looks for ``CVE: CVE-ID`` lines in the patch |
177 | file. The found CVE IDs are also considered as patched. | 179 | file. The found CVE IDs are also considered as patched. |
180 | Additionally ``CVE_STATUS`` variable flags are parsed for reasons mapped to ``Patched`` | ||
181 | and these are also considered as patched. | ||
178 | 182 | ||
179 | Then, the code looks up all the CVE IDs in the NIST database for all the | 183 | Then, the code looks up all the CVE IDs in the NIST database for all the |
180 | products defined in :term:`CVE_PRODUCT`. Then, for each found CVE: | 184 | products defined in :term:`CVE_PRODUCT`. Then, for each found CVE: |
@@ -182,8 +186,9 @@ products defined in :term:`CVE_PRODUCT`. Then, for each found CVE: | |||
182 | - If the package name (:term:`PN`) is part of | 186 | - If the package name (:term:`PN`) is part of |
183 | :term:`CVE_CHECK_SKIP_RECIPE`, it is considered as ``Patched``. | 187 | :term:`CVE_CHECK_SKIP_RECIPE`, it is considered as ``Patched``. |
184 | 188 | ||
185 | - If the CVE ID is part of :term:`CVE_CHECK_IGNORE`, it is | 189 | - If the CVE ID has status ``CVE_STATUS[<CVE ID>] = "ignored"`` or if it's set to |
186 | set as ``Ignored``. | 190 | any reason which is mapped to status ``Ignored`` via ``CVE_CHECK_STATUSMAP``, |
191 | it is set as ``Ignored``. | ||
187 | 192 | ||
188 | - If the CVE ID is part of the patched CVE for the recipe, it is | 193 | - If the CVE ID is part of the patched CVE for the recipe, it is |
189 | already considered as ``Patched``. | 194 | already considered as ``Patched``. |
diff --git a/documentation/ref-manual/classes.rst b/documentation/ref-manual/classes.rst index 4577baba3e..a7819d5b60 100644 --- a/documentation/ref-manual/classes.rst +++ b/documentation/ref-manual/classes.rst | |||
@@ -517,10 +517,10 @@ The ``Patched`` state of a CVE issue is detected from patch files with the forma | |||
517 | ``CVE-ID.patch``, e.g. ``CVE-2019-20633.patch``, in the :term:`SRC_URI` and using | 517 | ``CVE-ID.patch``, e.g. ``CVE-2019-20633.patch``, in the :term:`SRC_URI` and using |
518 | CVE metadata of format ``CVE: CVE-ID`` in the commit message of the patch file. | 518 | CVE metadata of format ``CVE: CVE-ID`` in the commit message of the patch file. |
519 | 519 | ||
520 | If the recipe lists the ``CVE-ID`` in :term:`CVE_CHECK_IGNORE` variable, then the CVE state is reported | 520 | If the recipe adds ``CVE-ID`` as flag of the :term:`CVE_STATUS` variable with status |
521 | as ``Ignored``. Multiple CVEs can be listed separated by spaces. Example:: | 521 | mapped to ``Ignored``, then the CVE state is reported as ``Ignored``:: |
522 | 522 | ||
523 | CVE_CHECK_IGNORE += "CVE-2020-29509 CVE-2020-29511" | 523 | CVE_STATUS[CVE-2020-15523] = "not-applicable-platform: Issue only applies on Windows" |
524 | 524 | ||
525 | If CVE check reports that a recipe contains false positives or false negatives, these may be | 525 | If CVE check reports that a recipe contains false positives or false negatives, these may be |
526 | fixed in recipes by adjusting the CVE product name using :term:`CVE_PRODUCT` and :term:`CVE_VERSION` variables. | 526 | fixed in recipes by adjusting the CVE product name using :term:`CVE_PRODUCT` and :term:`CVE_VERSION` variables. |
diff --git a/documentation/ref-manual/variables.rst b/documentation/ref-manual/variables.rst index ac5b97a526..def98de307 100644 --- a/documentation/ref-manual/variables.rst +++ b/documentation/ref-manual/variables.rst | |||
@@ -1653,11 +1653,7 @@ system and gives an overview of their function and contents. | |||
1653 | and kernel module recipes). | 1653 | and kernel module recipes). |
1654 | 1654 | ||
1655 | :term:`CVE_CHECK_IGNORE` | 1655 | :term:`CVE_CHECK_IGNORE` |
1656 | The list of CVE IDs which are ignored. Here is | 1656 | This variable is deprecated and should be replaced by :term:`CVE_STATUS`. |
1657 | an example from the :oe_layerindex:`Python3 recipe</layerindex/recipe/23823>`:: | ||
1658 | |||
1659 | # This is windows only issue. | ||
1660 | CVE_CHECK_IGNORE += "CVE-2020-15523" | ||
1661 | 1657 | ||
1662 | :term:`CVE_CHECK_SHOW_WARNINGS` | 1658 | :term:`CVE_CHECK_SHOW_WARNINGS` |
1663 | Specifies whether or not the :ref:`ref-classes-cve-check` | 1659 | Specifies whether or not the :ref:`ref-classes-cve-check` |
@@ -1698,6 +1694,34 @@ system and gives an overview of their function and contents. | |||
1698 | 1694 | ||
1699 | CVE_PRODUCT = "vendor:package" | 1695 | CVE_PRODUCT = "vendor:package" |
1700 | 1696 | ||
1697 | :term:`CVE_STATUS` | ||
1698 | The CVE ID which is patched or should be ignored. Here is | ||
1699 | an example from the :oe_layerindex:`Python3 recipe</layerindex/recipe/23823>`:: | ||
1700 | |||
1701 | CVE_STATUS[CVE-2020-15523] = "not-applicable-platform: Issue only applies on Windows" | ||
1702 | |||
1703 | It has the format "reason: description" and the description is optional. | ||
1704 | The Reason is mapped to the final CVE state by mapping via | ||
1705 | :term:`CVE_CHECK_STATUSMAP` | ||
1706 | |||
1707 | :term:`CVE_STATUS_GROUPS` | ||
1708 | If there are many CVEs with the same status and reason, they can by simplified by using this | ||
1709 | variable instead of many similar lines with :term:`CVE_STATUS`:: | ||
1710 | |||
1711 | CVE_STATUS_GROUPS = "CVE_STATUS_WIN CVE_STATUS_PATCHED" | ||
1712 | |||
1713 | CVE_STATUS_WIN = "CVE-1234-0001 CVE-1234-0002" | ||
1714 | CVE_STATUS_WIN[status] = "not-applicable-platform: Issue only applies on Windows" | ||
1715 | CVE_STATUS_PATCHED = "CVE-1234-0003 CVE-1234-0004" | ||
1716 | CVE_STATUS_PATCHED[status] = "fixed-version: Fixed externally" | ||
1717 | |||
1718 | :term:`CVE_CHECK_STATUSMAP` | ||
1719 | Mapping variable for all possible reasons of :term:`CVE_STATUS`: | ||
1720 | ``Patched``, ``Unpatched`` and ``Ignored``. | ||
1721 | See :ref:`ref-classes-cve-check` or ``meta/conf/cve-check-map.conf`` for more details:: | ||
1722 | |||
1723 | CVE_CHECK_STATUSMAP[cpe-incorrect] = "Ignored" | ||
1724 | |||
1701 | :term:`CVE_VERSION` | 1725 | :term:`CVE_VERSION` |
1702 | In a recipe, defines the version used to match the recipe version | 1726 | In a recipe, defines the version used to match the recipe version |
1703 | against the version in the `NIST CVE database <https://nvd.nist.gov/>`__ | 1727 | against the version in the `NIST CVE database <https://nvd.nist.gov/>`__ |