From 4c7e3b64bc9cefb05fa4a995e83bb0f90160a9fc Mon Sep 17 00:00:00 2001 From: Michael Opdenacker Date: Fri, 6 Aug 2021 12:33:04 +0200 Subject: manuals: further documentation for cve-check This adds details about the actual implementation of vulnerability checks, about how to fix or ignore vulnerabilities in recipes, and documents the CVE_CHECK_PN_WHITELIST and CVE_CHECK_WHITELIST variables. (From yocto-docs rev: 55886d211218b3a604c2f8a29c854685ebf284dd) Signed-off-by: Michael Opdenacker Reviewed-by: Quentin Schulz Signed-off-by: Richard Purdie --- documentation/ref-manual/classes.rst | 16 ++++++++++++++++ documentation/ref-manual/variables.rst | 13 ++++++++++++- 2 files changed, 28 insertions(+), 1 deletion(-) (limited to 'documentation/ref-manual') diff --git a/documentation/ref-manual/classes.rst b/documentation/ref-manual/classes.rst index 49905f2725..a98a64c432 100644 --- a/documentation/ref-manual/classes.rst +++ b/documentation/ref-manual/classes.rst @@ -404,6 +404,22 @@ cross-compilation tools used for building SDKs. See the section in the Yocto Project Overview and Concepts Manual for more discussion on these cross-compilation tools. +.. _ref-classes-cve-check: + +``cve-check.bbclass`` +===================== + +The ``cve-check`` class looks for known CVEs (Common Vulnerabilities +and Exposures) while building an image. This class is meant to be +inherited globally from a configuration file:: + + INHERIT += "cve-check" + +You can also look for vulnerabilities in specific packages by passing +``-c cve_check`` to BitBake. You will find details in the +":ref:`dev-manual/common-tasks:checking for vulnerabilities`" +section in the Development Tasks Manual. + .. _ref-classes-debian: ``debian.bbclass`` diff --git a/documentation/ref-manual/variables.rst b/documentation/ref-manual/variables.rst index 1150940133..f6d248a193 100644 --- a/documentation/ref-manual/variables.rst +++ b/documentation/ref-manual/variables.rst 
@@ -1471,11 +1471,22 @@ system and gives an overview of their function and contents. variable only in certain contexts (e.g. when building for kernel and kernel module recipes). + :term:`CVE_CHECK_PN_WHITELIST` + The list of package names (:term:`PN`) for which + CVEs (Common Vulnerabilities and Exposures) are ignored. + + :term:`CVE_CHECK_WHITELIST` + The list of CVE IDs which are ignored. Here is + an example from the :oe_layerindex:`Python3 recipe`:: + + # This is windows only issue. + CVE_CHECK_WHITELIST += "CVE-2020-15523" + :term:`CVE_PRODUCT` In a recipe, defines the name used to match the recipe name against the name in the upstream `NIST CVE database `__. - The default is ${:term:`BPN`}. If it does not match the name in NIST CVE + The default is ${:term:`BPN`}. If it does not match the name in the NIST CVE database or matches with multiple entries in the database, the default value needs to be changed. -- cgit v1.2.3-54-g00ecf
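Review bot: the new ``cve-check.bbclass`` section in classes.rst introduces the class without pointing at the variables that control what it reports, even though this same commit documents them in variables.rst; after the sentence ending "section in the Development Tasks Manual." consider adding a cross-reference in the manual's existing :term: style, e.g. "See :term:`CVE_PRODUCT` for how a recipe is matched against the NIST CVE database, and :term:`CVE_CHECK_WHITELIST` and :term:`CVE_CHECK_PN_WHITELIST` for ignoring CVEs that do not apply." so a reader landing on the class finds the tuning knobs in one place.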
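Review bot: the :term:`CVE_CHECK_WHITELIST` entry in variables.rst says which CVE IDs are ignored but not when ignoring one is appropriate, so as written it reads like a general way to silence findings; the quoted Python3 example ("# This is windows only issue.") shows the intended use, a CVE that has been verified not to affect the build, and the prose should say so explicitly, e.g. "Use this only for CVEs that have been verified not to apply to the recipe (for example, because they affect a different platform) or that the recipe already fixes, and record the reason in a comment next to the assignment, as in the example below." The same applies to :term:`CVE_CHECK_PN_WHITELIST`, which suppresses reporting for an entire package and so deserves a sentence noting it is the broader of the two. Minor: the "in NIST CVE" to "in the NIST CVE" article fix at the end of the hunk is unrelated to the described change; harmless, but worth a mention in the commit message.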