SPDX and CVE documentation updates

Backporting from master the ones that are applicable to kirkstone. (From yocto-docs rev: c10d65ef3bbdf4fe3abc03e3aef3d4ca8c2ad87f) Signed-off-by: Michael Opdenacker <michael.opdenacker@bootlin.com> Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Michael Opdenacker <michael.opdenacker@bootlin.com> 2022-12-02 15:50:48 +0100
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2022-12-07 15:04:15 +0000
commit: c8839099506ee9c694f5b9da3ef6cc7cf0b2c142 (patch)
tree: 2ec7cac1be39f8765f1ebca1e19c1cdbe21af205 /documentation/ref-manual/classes.rst
parent: be95d5f93abf2bce807f33fa0d9ae38e49fdbcce (diff)
download: poky-c8839099506ee9c694f5b9da3ef6cc7cf0b2c142.tar.gz
1 files changed, 93 insertions, 3 deletions
diff --git a/documentation/ref-manual/classes.rst b/documentation/ref-manual/classes.rst
index a6dafe8f90..6e73c5d4fb 100644
--- a/documentation/ref-manual/classes.rst
+++ b/documentation/ref-manual/classes.rst
@@ -361,6 +361,32 @@ authors used.
 Both build methods inherit the ``cpan-base`` class for basic Perl
 support.
+.. _ref-classes-create-spdx:
+``create-spdx.bbclass``
+=======================
+The :ref:`create-spdx <ref-classes-create-spdx>` class provides support for
+automatically creating :term:`SPDX` :term:`SBOM` documents based upon image
+and SDK contents.
+This class is meant to be inherited globally from a configuration file::
+   INHERIT += "create-spdx"
+The toplevel :term:`SPDX` output file is generated in JSON format as a
+``IMAGE-MACHINE.spdx.json`` file in ``tmp/deploy/images/MACHINE/`` inside the
+:term:`Build Directory`. There are other related files in the same directory,
+as well as in ``tmp/deploy/spdx``.
+The exact behaviour of this class, and the amount of output can be controlled
+by the :term:`SPDX_ARCHIVE_PACKAGED`, :term:`SPDX_ARCHIVE_SOURCES` and
+:term:`SPDX_INCLUDE_SOURCES` variables.
+See the description of these variables and the
+":ref:`dev-manual/common-tasks:creating a software bill of materials`"
+section in the Yocto Project Development Manual for more details.
 .. _ref-classes-cross:
 ``cross.bbclass``
@@ -396,14 +422,62 @@ discussion on these cross-compilation tools.
 ``cve-check.bbclass``
 =====================
-The ``cve-check`` class looks for known CVEs (Common Vulnerabilities
+The :ref:`cve-check <ref-classes-cve-check>` class looks for known CVEs (Common Vulnerabilities
-and Exposures) while building an image. This class is meant to be
+and Exposures) while building with BitBake. This class is meant to be
 inherited globally from a configuration file::
   INHERIT += "cve-check"
+To filter out obsolete CVE database entries which are known not to impact software from Poky and OE-Core,
+add following line to the build configuration file::
+   include cve-extra-exclusions.inc
 You can also look for vulnerabilities in specific packages by passing
-``-c cve_check`` to BitBake. You will find details in the
+``-c cve_check`` to BitBake.
+After building the software with Bitbake, CVE check output reports are available in ``tmp/deploy/cve``
+and image specific summaries in ``tmp/deploy/images/*.cve`` or ``tmp/deploy/images/*.json`` files.
+When building, the CVE checker will emit build time warnings for any detected
+issues which are in the state ``Unpatched``, meaning that CVE issue seems to affect the software component
+and version being compiled and no patches to address the issue are applied. Other states
+for detected CVE issues are: ``Patched`` meaning that a patch to address the issue is already
+applied, and ``Ignored`` meaning that the issue can be ignored.
+The ``Patched`` state of a CVE issue is detected from patch files with the format
+``CVE-ID.patch``, e.g. ``CVE-2019-20633.patch``, in the :term:`SRC_URI` and using
+CVE metadata of format ``CVE: CVE-ID`` in the commit message of the patch file.
+If the recipe lists the ``CVE-ID`` in :term:`CVE_CHECK_IGNORE` variable, then the CVE state is reported
+as ``Ignored``. Multiple CVEs can be listed separated by spaces. Example::
+   CVE_CHECK_IGNORE += "CVE-2020-29509 CVE-2020-29511"
+If CVE check reports that a recipe contains false positives or false negatives, these may be
+fixed in recipes by adjusting the CVE product name using :term:`CVE_PRODUCT` and :term:`CVE_VERSION` variables.
+:term:`CVE_PRODUCT` defaults to the plain recipe name :term:`BPN` which can be adjusted to one or more CVE
+database vendor and product pairs using the syntax::
+   CVE_PRODUCT = "flex_project:flex"
+where ``flex_project`` is the CVE database vendor name and ``flex`` is the product name. Similarly
+if the default recipe version :term:`PV` does not match the version numbers of the software component
+in upstream releases or the CVE database, then the :term:`CVE_VERSION` variable can be used to set the
+CVE database compatible version number, for example::
+   CVE_VERSION = "2.39"
+Any bugs or missing or incomplete information in the CVE database entries should be fixed in the CVE database
+via the `NVD feedback form <https://nvd.nist.gov/info/contact-form>`__.
+Users should note that security is a process, not a product, and thus also CVE checking, analyzing results,
+patching and updating the software should be done as a regular process. The data and assumptions
+required for CVE checker to reliably detect issues are frequently broken in various ways.
+These can only be detected by reviewing the details of the issues and iterating over the generated reports,
+and following what happens in other Linux distributions and in the greater open source community.
+You will find some more details in the
 ":ref:`dev-manual/common-tasks:checking for vulnerabilities`"
 section in the Development Tasks Manual.
@@ -1975,6 +2049,22 @@ When inherited by a recipe, the ``perlnative`` class supports using the
 native version of Perl built by the build system rather than using the
 version provided by the build host.
+.. _ref-classes-pypi:
+``pypi.bbclass``
+================
+The :ref:`pypi <ref-classes-pypi>` class sets variables appropriately for recipes that build
+Python modules from `PyPI <https://pypi.org/>`__, the Python Package Index.
+By default it determines the PyPI package name based upon :term:`BPN`
+(stripping the "python-" or "python3-" prefix off if present), however in
+some cases you may need to set it manually in the recipe by setting
+:term:`PYPI_PACKAGE`.
+Variables set by the :ref:`pypi <ref-classes-pypi>` class include :term:`SRC_URI`, :term:`SECTION`,
+:term:`HOMEPAGE`, :term:`UPSTREAM_CHECK_URI`, :term:`UPSTREAM_CHECK_REGEX`
+and :term:`CVE_PRODUCT`.
 .. _ref-classes-python_flit_core:
 ``python_flit_core.bbclass``
author	Michael Opdenacker <michael.opdenacker@bootlin.com>	2022-12-02 15:50:48 +0100
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2022-12-07 15:04:15 +0000
commit	c8839099506ee9c694f5b9da3ef6cc7cf0b2c142 (patch)
tree	2ec7cac1be39f8765f1ebca1e19c1cdbe21af205 /documentation/ref-manual/classes.rst
parent	be95d5f93abf2bce807f33fa0d9ae38e49fdbcce (diff)
download	poky-c8839099506ee9c694f5b9da3ef6cc7cf0b2c142.tar.gz

diff --git a/documentation/ref-manual/classes.rst b/documentation/ref-manual/classes.rst index a6dafe8f90..6e73c5d4fb 100644 --- a/documentation/ref-manual/classes.rst +++ b/documentation/ref-manual/classes.rst
@@ -361,6 +361,32 @@ authors used.
361	Both build methods inherit the ``cpan-base`` class for basic Perl	361	Both build methods inherit the ``cpan-base`` class for basic Perl
362	support.	362	support.
363		363
		364	.. _ref-classes-create-spdx:
		365
		366	``create-spdx.bbclass``
		367	=======================
		368
		369	The :ref:`create-spdx <ref-classes-create-spdx>` class provides support for
		370	automatically creating :term:`SPDX` :term:`SBOM` documents based upon image
		371	and SDK contents.
		372
		373	This class is meant to be inherited globally from a configuration file::
		374
		375	INHERIT += "create-spdx"
		376
		377	The toplevel :term:`SPDX` output file is generated in JSON format as a
		378	``IMAGE-MACHINE.spdx.json`` file in ``tmp/deploy/images/MACHINE/`` inside the
		379	:term:`Build Directory`. There are other related files in the same directory,
		380	as well as in ``tmp/deploy/spdx``.
		381
		382	The exact behaviour of this class, and the amount of output can be controlled
		383	by the :term:`SPDX_ARCHIVE_PACKAGED`, :term:`SPDX_ARCHIVE_SOURCES` and
		384	:term:`SPDX_INCLUDE_SOURCES` variables.
		385
		386	See the description of these variables and the
		387	":ref:`dev-manual/common-tasks:creating a software bill of materials`"
		388	section in the Yocto Project Development Manual for more details.
		389
364	.. _ref-classes-cross:	390	.. _ref-classes-cross:
365		391
366	``cross.bbclass``	392	``cross.bbclass``
@@ -396,14 +422,62 @@ discussion on these cross-compilation tools.
396	``cve-check.bbclass``	422	``cve-check.bbclass``
397	=====================	423	=====================
398		424
399	The ``cve-check`` class looks for known CVEs (Common Vulnerabilities	425	The :ref:`cve-check <ref-classes-cve-check>` class looks for known CVEs (Common Vulnerabilities
400	and Exposures) while building an image. This class is meant to be	426	and Exposures) while building with BitBake. This class is meant to be
401	inherited globally from a configuration file::	427	inherited globally from a configuration file::
402		428
403	INHERIT += "cve-check"	429	INHERIT += "cve-check"
404		430
		431	To filter out obsolete CVE database entries which are known not to impact software from Poky and OE-Core,
		432	add following line to the build configuration file::
		433
		434	include cve-extra-exclusions.inc
		435
405	You can also look for vulnerabilities in specific packages by passing	436	You can also look for vulnerabilities in specific packages by passing
406	``-c cve_check`` to BitBake. You will find details in the	437	``-c cve_check`` to BitBake.
		438
		439	After building the software with Bitbake, CVE check output reports are available in ``tmp/deploy/cve``
		440	and image specific summaries in ``tmp/deploy/images/.cve`` or ``tmp/deploy/images/.json`` files.
		441
		442	When building, the CVE checker will emit build time warnings for any detected
		443	issues which are in the state ``Unpatched``, meaning that CVE issue seems to affect the software component
		444	and version being compiled and no patches to address the issue are applied. Other states
		445	for detected CVE issues are: ``Patched`` meaning that a patch to address the issue is already
		446	applied, and ``Ignored`` meaning that the issue can be ignored.
		447
		448	The ``Patched`` state of a CVE issue is detected from patch files with the format
		449	``CVE-ID.patch``, e.g. ``CVE-2019-20633.patch``, in the :term:`SRC_URI` and using
		450	CVE metadata of format ``CVE: CVE-ID`` in the commit message of the patch file.
		451
		452	If the recipe lists the ``CVE-ID`` in :term:`CVE_CHECK_IGNORE` variable, then the CVE state is reported
		453	as ``Ignored``. Multiple CVEs can be listed separated by spaces. Example::
		454
		455	CVE_CHECK_IGNORE += "CVE-2020-29509 CVE-2020-29511"
		456
		457	If CVE check reports that a recipe contains false positives or false negatives, these may be
		458	fixed in recipes by adjusting the CVE product name using :term:`CVE_PRODUCT` and :term:`CVE_VERSION` variables.
		459	:term:`CVE_PRODUCT` defaults to the plain recipe name :term:`BPN` which can be adjusted to one or more CVE
		460	database vendor and product pairs using the syntax::
		461
		462	CVE_PRODUCT = "flex_project:flex"
		463
		464	where ``flex_project`` is the CVE database vendor name and ``flex`` is the product name. Similarly
		465	if the default recipe version :term:`PV` does not match the version numbers of the software component
		466	in upstream releases or the CVE database, then the :term:`CVE_VERSION` variable can be used to set the
		467	CVE database compatible version number, for example::
		468
		469	CVE_VERSION = "2.39"
		470
		471	Any bugs or missing or incomplete information in the CVE database entries should be fixed in the CVE database
		472	via the `NVD feedback form <https://nvd.nist.gov/info/contact-form>`__.
		473
		474	Users should note that security is a process, not a product, and thus also CVE checking, analyzing results,
		475	patching and updating the software should be done as a regular process. The data and assumptions
		476	required for CVE checker to reliably detect issues are frequently broken in various ways.
		477	These can only be detected by reviewing the details of the issues and iterating over the generated reports,
		478	and following what happens in other Linux distributions and in the greater open source community.
		479
		480	You will find some more details in the
407	":ref:`dev-manual/common-tasks:checking for vulnerabilities`"	481	":ref:`dev-manual/common-tasks:checking for vulnerabilities`"
408	section in the Development Tasks Manual.	482	section in the Development Tasks Manual.
409		483
@@ -1975,6 +2049,22 @@ When inherited by a recipe, the ``perlnative`` class supports using the
1975	native version of Perl built by the build system rather than using the	2049	native version of Perl built by the build system rather than using the
1976	version provided by the build host.	2050	version provided by the build host.
1977		2051
		2052	.. _ref-classes-pypi:
		2053
		2054	``pypi.bbclass``
		2055	================
		2056
		2057	The :ref:`pypi <ref-classes-pypi>` class sets variables appropriately for recipes that build
		2058	Python modules from `PyPI <https://pypi.org/>`__, the Python Package Index.
		2059	By default it determines the PyPI package name based upon :term:`BPN`
		2060	(stripping the "python-" or "python3-" prefix off if present), however in
		2061	some cases you may need to set it manually in the recipe by setting
		2062	:term:`PYPI_PACKAGE`.
		2063
		2064	Variables set by the :ref:`pypi <ref-classes-pypi>` class include :term:`SRC_URI`, :term:`SECTION`,
		2065	:term:`HOMEPAGE`, :term:`UPSTREAM_CHECK_URI`, :term:`UPSTREAM_CHECK_REGEX`
		2066	and :term:`CVE_PRODUCT`.
		2067
1978	.. _ref-classes-python_flit_core:	2068	.. _ref-classes-python_flit_core:
1979		2069
1980	``python_flit_core.bbclass``	2070	``python_flit_core.bbclass``