vulnerabilities/classes: remove references to cve-check text format

The text format has been removed, so also remove references and examples using this format. Replace with examples with the JSON format. (From yocto-docs rev: a52cd7bcadccc53e982f90d6e170d00798322597) Signed-off-by: Marta Rybczynska <marta.rybczynska@ygreky.com> Signed-off-by: Antonin Godard <antonin.godard@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Marta Rybczynska <rybczynska@gmail.com> 2025-02-18 16:55:29 +0100
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2025-02-26 14:49:27 +0000
commit: 8bb220aa1112f93af0a8b6577f34e095492baa52 (patch)
tree: 1eb31bba181acf8a42894f26481162dd408797db /documentation/dev-manual/vulnerabilities.rst
parent: b3347ef7269c55c5750ca21b87396af4a0cf2644 (diff)
download: poky-8bb220aa1112f93af0a8b6577f34e095492baa52.tar.gz
1 files changed, 68 insertions, 28 deletions
diff --git a/documentation/dev-manual/vulnerabilities.rst b/documentation/dev-manual/vulnerabilities.rst
index 983d4ad3c6..d901ff975b 100644
--- a/documentation/dev-manual/vulnerabilities.rst
+++ b/documentation/dev-manual/vulnerabilities.rst
@@ -66,37 +66,77 @@ found in ``build/tmp/deploy/cve``.
 For example the CVE check report for the ``flex-native`` recipe looks like::
-   $ cat poky/build/tmp/deploy/cve/flex-native
+   $ cat ./tmp/deploy/cve/flex-native_cve.json
-   LAYER: meta
+   {
-   PACKAGE NAME: flex-native
+     "version": "1",
-   PACKAGE VERSION: 2.6.4
+     "package": [
-   CVE: CVE-2016-6354
+       {
-   CVE STATUS: Patched
+         "name": "flex-native",
-   CVE SUMMARY: Heap-based buffer overflow in the yy_get_next_buffer function in Flex before 2.6.1 might allow context-dependent attackers to cause a denial of service or possibly execute arbitrary code via vectors involving num_to_read.
+         "layer": "meta",
-   CVSS v2 BASE SCORE: 7.5
+         "version": "2.6.4",
-   CVSS v3 BASE SCORE: 9.8
+         "products": [
-   VECTOR: NETWORK
+           {
-   MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6354
+             "product": "flex",
+             "cvesInRecord": "No"
-   LAYER: meta
+           },
-   PACKAGE NAME: flex-native
+           {
-   PACKAGE VERSION: 2.6.4
+             "product": "flex",
-   CVE: CVE-2019-6293
+             "cvesInRecord": "Yes"
-   CVE STATUS: Ignored
+           }
-   CVE SUMMARY: An issue was discovered in the function mark_beginning_as_normal in nfa.c in flex 2.6.4. There is a stack exhaustion problem caused by the mark_beginning_as_normal function making recursive calls to itself in certain scenarios involving lots of '*' characters. Remote attackers could leverage this vulnerability to cause a denial-of-service.
+         ],
-   CVSS v2 BASE SCORE: 4.3
+         "issue": [
-   CVSS v3 BASE SCORE: 5.5
+           {
-   VECTOR: NETWORK
+             "id": "CVE-2006-0459",
-   MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-6293
+             "status": "Patched",
+             "link": "https://nvd.nist.gov/vuln/detail/CVE-2006-0459",
+             "summary": "flex.skl in Will Estes and John Millaway Fast Lexical Analyzer Generator (flex) before 2.5.33 does not allocate enough memory for grammars containing (1) REJECT statements or (2) trailing context rules, which causes flex to generate code that contains a buffer overflow that might allow context-dependent attackers to execute arbitrary code.",
+             "scorev2": "7.5",
+             "scorev3": "0.0",
+             "scorev4": "0.0",
+             "modified": "2024-11-21T00:06Z",
+             "vector": "NETWORK",
+             "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
+             "detail": "version-not-in-range"
+           },
+           {
+             "id": "CVE-2016-6354",
+             "status": "Patched",
+             "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6354",
+             "summary": "Heap-based buffer overflow in the yy_get_next_buffer function in Flex before 2.6.1 might allow context-dependent attackers to cause a denial of service or possibly execute arbitrary code via vectors involving num_to_read.",
+             "scorev2": "7.5",
+             "scorev3": "9.8",
+             "scorev4": "0.0",
+             "modified": "2024-11-21T02:55Z",
+             "vector": "NETWORK",
+             "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
+             "detail": "version-not-in-range"
+           },
+           {
+             "id": "CVE-2019-6293",
+             "status": "Ignored",
+             "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-6293",
+             "summary": "An issue was discovered in the function mark_beginning_as_normal in nfa.c in flex 2.6.4. There is a stack exhaustion problem caused by the mark_beginning_as_normal function making recursive calls to itself in certain scenarios involving lots of '*' characters. Remote attackers could leverage this vulnerability to cause a denial-of-service.",
+             "scorev2": "4.3",
+             "scorev3": "5.5",
+             "scorev4": "0.0",
+             "modified": "2024-11-21T04:46Z",
+             "vector": "NETWORK",
+             "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
+             "detail": "upstream-wontfix",
+             "description": "there is stack exhaustion but no bug and it is building the parser, not running it, effectively similar to a compiler ICE. Upstream no plans to address this."
+           }
+         ]
+       }
+     ]
+   }
 For images, a summary of all recipes included in the image and their CVEs is also
-generated in textual and JSON formats. These ``.cve`` and ``.json`` reports can be found
+generated in the JSON format. These ``.json`` reports can be found
 in the ``tmp/deploy/images`` directory for each compiled image.
 At build time CVE check will also throw warnings about ``Unpatched`` CVEs::
-   WARNING: flex-2.6.4-r0 do_cve_check: Found unpatched CVE (CVE-2019-6293), for more information check /poky/build/tmp/work/core2-64-poky-linux/flex/2.6.4-r0/temp/cve.log
+   WARNING: qemu-native-9.2.0-r0 do_cve_check: Found unpatched CVE (CVE-2023-1386)
-   WARNING: libarchive-3.5.1-r0 do_cve_check: Found unpatched CVE (CVE-2021-36976), for more information check /poky/build/tmp/work/core2-64-poky-linux/libarchive/3.5.1-r0/temp/cve.log
 It is also possible to check the CVE status of individual packages as follows::
@@ -115,10 +155,10 @@ upstream `NIST CVE database <https://nvd.nist.gov/>`__.
 The variable supports using vendor and product names like this::
-   CVE_PRODUCT = "flex_project:flex"
+   CVE_PRODUCT = "flex_project:flex westes:flex"
-In this example the vendor name used in the CVE database is ``flex_project`` and the
+In this example we have two possible vendors names,  ``flex_project`` and ``westes``,
-product is ``flex``. With this setting the ``flex`` recipe only maps to this specific
+with the product name ``flex``. With this setting the ``flex`` recipe only maps to this specific
 product and not products from other vendors with same name ``flex``.
 Similarly, when the recipe version :term:`PV` is not compatible with software versions used by
author	Marta Rybczynska <rybczynska@gmail.com>	2025-02-18 16:55:29 +0100
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2025-02-26 14:49:27 +0000
commit	8bb220aa1112f93af0a8b6577f34e095492baa52 (patch)
tree	1eb31bba181acf8a42894f26481162dd408797db /documentation/dev-manual/vulnerabilities.rst
parent	b3347ef7269c55c5750ca21b87396af4a0cf2644 (diff)
download	poky-8bb220aa1112f93af0a8b6577f34e095492baa52.tar.gz

diff --git a/documentation/dev-manual/vulnerabilities.rst b/documentation/dev-manual/vulnerabilities.rst index 983d4ad3c6..d901ff975b 100644 --- a/documentation/dev-manual/vulnerabilities.rst +++ b/documentation/dev-manual/vulnerabilities.rst
@@ -66,37 +66,77 @@ found in ``build/tmp/deploy/cve``.
66		66
67	For example the CVE check report for the ``flex-native`` recipe looks like::	67	For example the CVE check report for the ``flex-native`` recipe looks like::
68		68
69	$ cat poky/build/tmp/deploy/cve/flex-native	69	$ cat ./tmp/deploy/cve/flex-native_cve.json
70	LAYER: meta	70	{
71	PACKAGE NAME: flex-native	71	"version": "1",
72	PACKAGE VERSION: 2.6.4	72	"package": [
73	CVE: CVE-2016-6354	73	{
74	CVE STATUS: Patched	74	"name": "flex-native",
75	CVE SUMMARY: Heap-based buffer overflow in the yy_get_next_buffer function in Flex before 2.6.1 might allow context-dependent attackers to cause a denial of service or possibly execute arbitrary code via vectors involving num_to_read.	75	"layer": "meta",
76	CVSS v2 BASE SCORE: 7.5	76	"version": "2.6.4",
77	CVSS v3 BASE SCORE: 9.8	77	"products": [
78	VECTOR: NETWORK	78	{
79	MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6354	79	"product": "flex",
80		80	"cvesInRecord": "No"
81	LAYER: meta	81	},
82	PACKAGE NAME: flex-native	82	{
83	PACKAGE VERSION: 2.6.4	83	"product": "flex",
84	CVE: CVE-2019-6293	84	"cvesInRecord": "Yes"
85	CVE STATUS: Ignored	85	}
86	CVE SUMMARY: An issue was discovered in the function mark_beginning_as_normal in nfa.c in flex 2.6.4. There is a stack exhaustion problem caused by the mark_beginning_as_normal function making recursive calls to itself in certain scenarios involving lots of '*' characters. Remote attackers could leverage this vulnerability to cause a denial-of-service.	86	],
87	CVSS v2 BASE SCORE: 4.3	87	"issue": [
88	CVSS v3 BASE SCORE: 5.5	88	{
89	VECTOR: NETWORK	89	"id": "CVE-2006-0459",
90	MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-6293	90	"status": "Patched",
		91	"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-0459",
		92	"summary": "flex.skl in Will Estes and John Millaway Fast Lexical Analyzer Generator (flex) before 2.5.33 does not allocate enough memory for grammars containing (1) REJECT statements or (2) trailing context rules, which causes flex to generate code that contains a buffer overflow that might allow context-dependent attackers to execute arbitrary code.",
		93	"scorev2": "7.5",
		94	"scorev3": "0.0",
		95	"scorev4": "0.0",
		96	"modified": "2024-11-21T00:06Z",
		97	"vector": "NETWORK",
		98	"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
		99	"detail": "version-not-in-range"
		100	},
		101	{
		102	"id": "CVE-2016-6354",
		103	"status": "Patched",
		104	"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6354",
		105	"summary": "Heap-based buffer overflow in the yy_get_next_buffer function in Flex before 2.6.1 might allow context-dependent attackers to cause a denial of service or possibly execute arbitrary code via vectors involving num_to_read.",
		106	"scorev2": "7.5",
		107	"scorev3": "9.8",
		108	"scorev4": "0.0",
		109	"modified": "2024-11-21T02:55Z",
		110	"vector": "NETWORK",
		111	"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
		112	"detail": "version-not-in-range"
		113	},
		114	{
		115	"id": "CVE-2019-6293",
		116	"status": "Ignored",
		117	"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-6293",
		118	"summary": "An issue was discovered in the function mark_beginning_as_normal in nfa.c in flex 2.6.4. There is a stack exhaustion problem caused by the mark_beginning_as_normal function making recursive calls to itself in certain scenarios involving lots of '*' characters. Remote attackers could leverage this vulnerability to cause a denial-of-service.",
		119	"scorev2": "4.3",
		120	"scorev3": "5.5",
		121	"scorev4": "0.0",
		122	"modified": "2024-11-21T04:46Z",
		123	"vector": "NETWORK",
		124	"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
		125	"detail": "upstream-wontfix",
		126	"description": "there is stack exhaustion but no bug and it is building the parser, not running it, effectively similar to a compiler ICE. Upstream no plans to address this."
		127	}
		128	]
		129	}
		130	]
		131	}
91		132
92	For images, a summary of all recipes included in the image and their CVEs is also	133	For images, a summary of all recipes included in the image and their CVEs is also
93	generated in textual and JSON formats. These ``.cve`` and ``.json`` reports can be found	134	generated in the JSON format. These ``.json`` reports can be found
94	in the ``tmp/deploy/images`` directory for each compiled image.	135	in the ``tmp/deploy/images`` directory for each compiled image.
95		136
96	At build time CVE check will also throw warnings about ``Unpatched`` CVEs::	137	At build time CVE check will also throw warnings about ``Unpatched`` CVEs::
97		138
98	WARNING: flex-2.6.4-r0 do_cve_check: Found unpatched CVE (CVE-2019-6293), for more information check /poky/build/tmp/work/core2-64-poky-linux/flex/2.6.4-r0/temp/cve.log	139	WARNING: qemu-native-9.2.0-r0 do_cve_check: Found unpatched CVE (CVE-2023-1386)
99	WARNING: libarchive-3.5.1-r0 do_cve_check: Found unpatched CVE (CVE-2021-36976), for more information check /poky/build/tmp/work/core2-64-poky-linux/libarchive/3.5.1-r0/temp/cve.log
100		140
101	It is also possible to check the CVE status of individual packages as follows::	141	It is also possible to check the CVE status of individual packages as follows::
102		142
@@ -115,10 +155,10 @@ upstream `NIST CVE database <https://nvd.nist.gov/>`__.
115		155
116	The variable supports using vendor and product names like this::	156	The variable supports using vendor and product names like this::
117		157
118	CVE_PRODUCT = "flex_project:flex"	158	CVE_PRODUCT = "flex_project:flex westes:flex"
119		159
120	In this example the vendor name used in the CVE database is ``flex_project`` and the	160	In this example we have two possible vendors names, ``flex_project`` and ``westes``,
121	product is ``flex``. With this setting the ``flex`` recipe only maps to this specific	161	with the product name ``flex``. With this setting the ``flex`` recipe only maps to this specific
122	product and not products from other vendors with same name ``flex``.	162	product and not products from other vendors with same name ``flex``.
123		163
124	Similarly, when the recipe version :term:`PV` is not compatible with software versions used by	164	Similarly, when the recipe version :term:`PV` is not compatible with software versions used by