Expand cve-check class documentation

Using backported content from the master branch (From yocto-docs rev: cfd9848fae96a2b047df22d1a8bd4821c3d71cbf) Signed-off-by: Michael Opdenacker <michael.opdenacker@bootlin.com> Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Michael Opdenacker <michael.opdenacker@bootlin.com> 2022-12-02 16:26:23 +0100
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2022-12-07 15:04:17 +0000
commit: 3ec705d3203766a9a437ef7c7837f820c0800ead (patch)
tree: c93f35434f26671f2be93d43c567734d904740b8
parent: 2c96490a293a3bdb1a71222b58537dccfc5c5d4c (diff)
download: poky-3ec705d3203766a9a437ef7c7837f820c0800ead.tar.gz
1 files changed, 50 insertions, 2 deletions
diff --git a/documentation/ref-manual/classes.rst b/documentation/ref-manual/classes.rst
index a2d743d568..03995e996d 100644
--- a/documentation/ref-manual/classes.rst
+++ b/documentation/ref-manual/classes.rst
@@ -430,13 +430,61 @@ discussion on these cross-compilation tools.
 =====================
 The :ref:`cve-check <ref-classes-cve-check>` class looks for known CVEs (Common Vulnerabilities
-and Exposures) while building an image. This class is meant to be
+and Exposures) while building with BitBake. This class is meant to be
 inherited globally from a configuration file::
   INHERIT += "cve-check"
+To filter out obsolete CVE database entries which are known not to impact software from Poky and OE-Core,
+add following line to the build configuration file::
+   include cve-extra-exclusions.inc
 You can also look for vulnerabilities in specific packages by passing
-``-c cve_check`` to BitBake. You will find details in the
+``-c cve_check`` to BitBake.
+After building the software with Bitbake, CVE check output reports are available in ``tmp/deploy/cve``
+and image specific summaries in ``tmp/deploy/images/*.cve`` or ``tmp/deploy/images/*.json`` files.
+When building, the CVE checker will emit build time warnings for any detected
+issues which are in the state ``Unpatched``, meaning that CVE issue seems to affect the software component
+and version being compiled and no patches to address the issue are applied. Other states
+for detected CVE issues are: ``Patched`` meaning that a patch to address the issue is already
+applied, and ``Ignored`` meaning that the issue can be ignored.
+The ``Patched`` state of a CVE issue is detected from patch files with the format
+``CVE-ID.patch``, e.g. ``CVE-2019-20633.patch``, in the :term:`SRC_URI` and using
+CVE metadata of format ``CVE: CVE-ID`` in the commit message of the patch file.
+If the recipe lists the ``CVE-ID`` in :term:`CVE_CHECK_IGNORE` variable, then the CVE state is reported
+as ``Ignored``. Multiple CVEs can be listed separated by spaces. Example::
+   CVE_CHECK_IGNORE += "CVE-2020-29509 CVE-2020-29511"
+If CVE check reports that a recipe contains false positives or false negatives, these may be
+fixed in recipes by adjusting the CVE product name using :term:`CVE_PRODUCT` and :term:`CVE_VERSION` variables.
+:term:`CVE_PRODUCT` defaults to the plain recipe name :term:`BPN` which can be adjusted to one or more CVE
+database vendor and product pairs using the syntax::
+   CVE_PRODUCT = "flex_project:flex"
+where ``flex_project`` is the CVE database vendor name and ``flex`` is the product name. Similarly
+if the default recipe version :term:`PV` does not match the version numbers of the software component
+in upstream releases or the CVE database, then the :term:`CVE_VERSION` variable can be used to set the
+CVE database compatible version number, for example::
+   CVE_VERSION = "2.39"
+Any bugs or missing or incomplete information in the CVE database entries should be fixed in the CVE database
+via the `NVD feedback form <https://nvd.nist.gov/info/contact-form>`__.
+Users should note that security is a process, not a product, and thus also CVE checking, analyzing results,
+patching and updating the software should be done as a regular process. The data and assumptions
+required for CVE checker to reliably detect issues are frequently broken in various ways.
+These can only be detected by reviewing the details of the issues and iterating over the generated reports,
+and following what happens in other Linux distributions and in the greater open source community.
+You will find some more details in the
 ":ref:`dev-manual/common-tasks:checking for vulnerabilities`"
 section in the Development Tasks Manual.
author	Michael Opdenacker <michael.opdenacker@bootlin.com>	2022-12-02 16:26:23 +0100
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2022-12-07 15:04:17 +0000
commit	3ec705d3203766a9a437ef7c7837f820c0800ead (patch)
tree	c93f35434f26671f2be93d43c567734d904740b8
parent	2c96490a293a3bdb1a71222b58537dccfc5c5d4c (diff)
download	poky-3ec705d3203766a9a437ef7c7837f820c0800ead.tar.gz

diff --git a/documentation/ref-manual/classes.rst b/documentation/ref-manual/classes.rst index a2d743d568..03995e996d 100644 --- a/documentation/ref-manual/classes.rst +++ b/documentation/ref-manual/classes.rst
@@ -430,13 +430,61 @@ discussion on these cross-compilation tools.
430	=====================	430	=====================
431		431
432	The :ref:`cve-check <ref-classes-cve-check>` class looks for known CVEs (Common Vulnerabilities	432	The :ref:`cve-check <ref-classes-cve-check>` class looks for known CVEs (Common Vulnerabilities
433	and Exposures) while building an image. This class is meant to be	433	and Exposures) while building with BitBake. This class is meant to be
434	inherited globally from a configuration file::	434	inherited globally from a configuration file::
435		435
436	INHERIT += "cve-check"	436	INHERIT += "cve-check"
437		437
		438	To filter out obsolete CVE database entries which are known not to impact software from Poky and OE-Core,
		439	add following line to the build configuration file::
		440
		441	include cve-extra-exclusions.inc
		442
438	You can also look for vulnerabilities in specific packages by passing	443	You can also look for vulnerabilities in specific packages by passing
439	``-c cve_check`` to BitBake. You will find details in the	444	``-c cve_check`` to BitBake.
		445
		446	After building the software with Bitbake, CVE check output reports are available in ``tmp/deploy/cve``
		447	and image specific summaries in ``tmp/deploy/images/.cve`` or ``tmp/deploy/images/.json`` files.
		448
		449	When building, the CVE checker will emit build time warnings for any detected
		450	issues which are in the state ``Unpatched``, meaning that CVE issue seems to affect the software component
		451	and version being compiled and no patches to address the issue are applied. Other states
		452	for detected CVE issues are: ``Patched`` meaning that a patch to address the issue is already
		453	applied, and ``Ignored`` meaning that the issue can be ignored.
		454
		455	The ``Patched`` state of a CVE issue is detected from patch files with the format
		456	``CVE-ID.patch``, e.g. ``CVE-2019-20633.patch``, in the :term:`SRC_URI` and using
		457	CVE metadata of format ``CVE: CVE-ID`` in the commit message of the patch file.
		458
		459	If the recipe lists the ``CVE-ID`` in :term:`CVE_CHECK_IGNORE` variable, then the CVE state is reported
		460	as ``Ignored``. Multiple CVEs can be listed separated by spaces. Example::
		461
		462	CVE_CHECK_IGNORE += "CVE-2020-29509 CVE-2020-29511"
		463
		464	If CVE check reports that a recipe contains false positives or false negatives, these may be
		465	fixed in recipes by adjusting the CVE product name using :term:`CVE_PRODUCT` and :term:`CVE_VERSION` variables.
		466	:term:`CVE_PRODUCT` defaults to the plain recipe name :term:`BPN` which can be adjusted to one or more CVE
		467	database vendor and product pairs using the syntax::
		468
		469	CVE_PRODUCT = "flex_project:flex"
		470
		471	where ``flex_project`` is the CVE database vendor name and ``flex`` is the product name. Similarly
		472	if the default recipe version :term:`PV` does not match the version numbers of the software component
		473	in upstream releases or the CVE database, then the :term:`CVE_VERSION` variable can be used to set the
		474	CVE database compatible version number, for example::
		475
		476	CVE_VERSION = "2.39"
		477
		478	Any bugs or missing or incomplete information in the CVE database entries should be fixed in the CVE database
		479	via the `NVD feedback form <https://nvd.nist.gov/info/contact-form>`__.
		480
		481	Users should note that security is a process, not a product, and thus also CVE checking, analyzing results,
		482	patching and updating the software should be done as a regular process. The data and assumptions
		483	required for CVE checker to reliably detect issues are frequently broken in various ways.
		484	These can only be detected by reviewing the details of the issues and iterating over the generated reports,
		485	and following what happens in other Linux distributions and in the greater open source community.
		486
		487	You will find some more details in the
440	":ref:`dev-manual/common-tasks:checking for vulnerabilities`"	488	":ref:`dev-manual/common-tasks:checking for vulnerabilities`"
441	section in the Development Tasks Manual.	489	section in the Development Tasks Manual.
442		490