manuals: initial documentation for CVE management

This starts to document vulnerability management and the use of the CVE_PRODUCT variable (From yocto-docs rev: 2b9199fe490cb3ec126bffc6518646194a94ace4) Signed-off-by: Michael Opdenacker <michael.opdenacker@bootlin.com> Reviewed-by: Quentin Schulz <foss@0leil.net> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Michael Opdenacker <michael.opdenacker@bootlin.com> 2021-07-30 20:52:16 +0200
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2021-08-02 17:46:39 +0100
commit: 76053e0f7849ff33428fd75c531c91ab375de8d3 (patch)
tree: b9a53009169d92808b80d8ad1295841d667176c1 /documentation
parent: 090384d9e74fddfdd38f4fd54b3dd39f5d5a8b24 (diff)
download: poky-76053e0f7849ff33428fd75c531c91ab375de8d3.tar.gz
2 files changed, 57 insertions, 0 deletions
diff --git a/documentation/dev-manual/common-tasks.rst b/documentation/dev-manual/common-tasks.rst
index 77af03b3ca..7fa0df4d39 100644
--- a/documentation/dev-manual/common-tasks.rst
+++ b/documentation/dev-manual/common-tasks.rst
@@ -10529,6 +10529,9 @@ follows:
 1. *Identify the bug or CVE to be fixed:* This information should be
   collected so that it can be included in your submission.
+   See :ref:`dev-manual/common-tasks:checking for vulnerabilities`
+   for details about CVE tracking.
 2. *Check if the fix is already present in the master branch:* This will
   result in the most straightforward path into the stable branch for the
   fix.
@@ -11091,6 +11094,48 @@ the license from the fetched source::
   NO_GENERIC_LICENSE[Firmware-Abilis] = "LICENSE.Abilis.txt"
+Checking for Vulnerabilities
+============================
+Vulnerabilities in images
+-------------------------
+The Yocto Project has an infrastructure to track and address unfixed
+known security vulnerabilities, as tracked by the public
+`Common Vulnerabilities and Exposures (CVE) <https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures>`__
+database.
+To know which packages are vulnerable to known security vulnerabilities,
+add the following setting to your configuration::
+   INHERIT += "cve-check"
+This way, at build time, BitBake will warn you about known CVEs
+as in the example below::
+   WARNING: flex-2.6.4-r0 do_cve_check: Found unpatched CVE (CVE-2019-6293), for more information check /poky/build/tmp/work/core2-64-poky-linux/flex/2.6.4-r0/temp/cve.log
+   WARNING: libarchive-3.5.1-r0 do_cve_check: Found unpatched CVE (CVE-2021-36976), for more information check /poky/build/tmp/work/core2-64-poky-linux/libarchive/3.5.1-r0/temp/cve.log
+It is also possible to check the CVE status of individual packages as follows::
+   bitbake -c cve_check flex libarchive
+Note that OpenEmbedded-Core keeps a list of known unfixed CVE issues which can
+be ignored. You can pass this list to the check as follows::
+   bitbake -c cve_check libarchive -R conf/distro/include/cve-extra-exclusions.inc
+Enabling vulnerabily tracking in recipes
+----------------------------------------
+The :term:`CVE_PRODUCT` variable defines the name used to match the recipe name
+against the name in the upstream `NIST CVE database <https://nvd.nist.gov/>`__.
+The CVE database is stored in :term:`DL_DIR` and can be inspected using
+``sqlite3`` command as follows::
+   sqlite3 downloads/CVE_CHECK/nvdcve_1.1.db .dump | grep CVE-2021-37462
 Using the Error Reporting Tool
 ==============================
diff --git a/documentation/ref-manual/variables.rst b/documentation/ref-manual/variables.rst
index b61de1993d..1150940133 100644
--- a/documentation/ref-manual/variables.rst
+++ b/documentation/ref-manual/variables.rst
@@ -1471,6 +1471,18 @@ system and gives an overview of their function and contents.
         variable only in certain contexts (e.g. when building for kernel
         and kernel module recipes).
+   :term:`CVE_PRODUCT`
+      In a recipe, defines the name used to match the recipe name
+      against the name in the upstream `NIST CVE database <https://nvd.nist.gov/>`__.
+      The default is ${:term:`BPN`}. If it does not match the name in NIST CVE
+      database or matches with multiple entries in the database, the default
+      value needs to be changed.
+      Here is an example from the :oe_layerindex:`Berkeley DB recipe </layerindex/recipe/544>`::
+         CVE_PRODUCT = "oracle_berkeley_db berkeley_db"
   :term:`CVSDIR`
      The directory in which files checked out under the CVS system are
      stored.
author	Michael Opdenacker <michael.opdenacker@bootlin.com>	2021-07-30 20:52:16 +0200
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2021-08-02 17:46:39 +0100
commit	76053e0f7849ff33428fd75c531c91ab375de8d3 (patch)
tree	b9a53009169d92808b80d8ad1295841d667176c1 /documentation
parent	090384d9e74fddfdd38f4fd54b3dd39f5d5a8b24 (diff)
download	poky-76053e0f7849ff33428fd75c531c91ab375de8d3.tar.gz

diff --git a/documentation/dev-manual/common-tasks.rst b/documentation/dev-manual/common-tasks.rst index 77af03b3ca..7fa0df4d39 100644 --- a/documentation/dev-manual/common-tasks.rst +++ b/documentation/dev-manual/common-tasks.rst
@@ -10529,6 +10529,9 @@ follows:
10529	1. Identify the bug or CVE to be fixed: This information should be	10529	1. Identify the bug or CVE to be fixed: This information should be
10530	collected so that it can be included in your submission.	10530	collected so that it can be included in your submission.
10531		10531
		10532	See :ref:`dev-manual/common-tasks:checking for vulnerabilities`
		10533	for details about CVE tracking.
		10534
10532	2. Check if the fix is already present in the master branch: This will	10535	2. Check if the fix is already present in the master branch: This will
10533	result in the most straightforward path into the stable branch for the	10536	result in the most straightforward path into the stable branch for the
10534	fix.	10537	fix.
@@ -11091,6 +11094,48 @@ the license from the fetched source::
11091		11094
11092	NO_GENERIC_LICENSE[Firmware-Abilis] = "LICENSE.Abilis.txt"	11095	NO_GENERIC_LICENSE[Firmware-Abilis] = "LICENSE.Abilis.txt"
11093		11096
		11097	Checking for Vulnerabilities
		11098	============================
		11099
		11100	Vulnerabilities in images
		11101	-------------------------
		11102
		11103	The Yocto Project has an infrastructure to track and address unfixed
		11104	known security vulnerabilities, as tracked by the public
		11105	`Common Vulnerabilities and Exposures (CVE) <https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures>`__
		11106	database.
		11107
		11108	To know which packages are vulnerable to known security vulnerabilities,
		11109	add the following setting to your configuration::
		11110
		11111	INHERIT += "cve-check"
		11112
		11113	This way, at build time, BitBake will warn you about known CVEs
		11114	as in the example below::
		11115
		11116	WARNING: flex-2.6.4-r0 do_cve_check: Found unpatched CVE (CVE-2019-6293), for more information check /poky/build/tmp/work/core2-64-poky-linux/flex/2.6.4-r0/temp/cve.log
		11117	WARNING: libarchive-3.5.1-r0 do_cve_check: Found unpatched CVE (CVE-2021-36976), for more information check /poky/build/tmp/work/core2-64-poky-linux/libarchive/3.5.1-r0/temp/cve.log
		11118
		11119	It is also possible to check the CVE status of individual packages as follows::
		11120
		11121	bitbake -c cve_check flex libarchive
		11122
		11123	Note that OpenEmbedded-Core keeps a list of known unfixed CVE issues which can
		11124	be ignored. You can pass this list to the check as follows::
		11125
		11126	bitbake -c cve_check libarchive -R conf/distro/include/cve-extra-exclusions.inc
		11127
		11128	Enabling vulnerabily tracking in recipes
		11129	----------------------------------------
		11130
		11131	The :term:`CVE_PRODUCT` variable defines the name used to match the recipe name
		11132	against the name in the upstream `NIST CVE database <https://nvd.nist.gov/>`__.
		11133
		11134	The CVE database is stored in :term:`DL_DIR` and can be inspected using
		11135	``sqlite3`` command as follows::
		11136
		11137	sqlite3 downloads/CVE_CHECK/nvdcve_1.1.db .dump \| grep CVE-2021-37462
		11138
11094	Using the Error Reporting Tool	11139	Using the Error Reporting Tool
11095	==============================	11140	==============================
11096		11141


diff --git a/documentation/ref-manual/variables.rst b/documentation/ref-manual/variables.rst index b61de1993d..1150940133 100644 --- a/documentation/ref-manual/variables.rst +++ b/documentation/ref-manual/variables.rst
@@ -1471,6 +1471,18 @@ system and gives an overview of their function and contents.
1471	variable only in certain contexts (e.g. when building for kernel	1471	variable only in certain contexts (e.g. when building for kernel
1472	and kernel module recipes).	1472	and kernel module recipes).
1473		1473
		1474	:term:`CVE_PRODUCT`
		1475	In a recipe, defines the name used to match the recipe name
		1476	against the name in the upstream `NIST CVE database <https://nvd.nist.gov/>`__.
		1477
		1478	The default is ${:term:`BPN`}. If it does not match the name in NIST CVE
		1479	database or matches with multiple entries in the database, the default
		1480	value needs to be changed.
		1481
		1482	Here is an example from the :oe_layerindex:`Berkeley DB recipe </layerindex/recipe/544>`::
		1483
		1484	CVE_PRODUCT = "oracle_berkeley_db berkeley_db"
		1485
1474	:term:`CVSDIR`	1486	:term:`CVSDIR`
1475	The directory in which files checked out under the CVS system are	1487	The directory in which files checked out under the CVS system are
1476	stored.	1488	stored.