migration-guides/release-notes-5.2: add known issue on stalled NVD

Add an entry to the known issue as the NVD is not up-to-date, the
impact on current CVE reports and future plans for the Yocto Project.

Follows the discussion on:
https://lists.openembedded.org/g/openembedded-core/message/212446

(From yocto-docs rev: c83aa6649fb7bca7e6b393356c8268aa4f18dc4b)

Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

1 files changed, 17 insertions, 0 deletions

diff --git a/documentation/migration-guides/release-notes-5.2.rst b/documentation/migration-guides/release-notes-5.2.rst
index 417b202cdb..d7115230dc 100644
--- a/documentation/migration-guides/release-notes-5.2.rst
+++ b/documentation/migration-guides/release-notes-5.2.rst
@@ -402,6 +402,23 @@ New Features / Enhancements in |yocto-ver|
 Known Issues in |yocto-ver|
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
+-  The :ref:`ref-classes-cve-check` class is based on the `National
+   Vulnerability Database <https://nvd.nist.gov/>`__ (NVD). Since the beginning
+   of 2024, the maintainers of this database have stopped annotating CVEs with
+   the affected CPEs. This prevents the :ref:`ref-classes-cve-check` class to
+   properly report CVEs as CPEs are used to match Yocto recipes with CVEs
+   affecting them. As a result, the current CVE reports may look good but the
+   reality is that some vulnerabilities are just not reported.
+
+   During that time, users may look up the 'CVE database
+   <https://www.cve.org/>'__ for entries concerning software they use, or follow
+   release notes of such projects closely.
+
+   Please note, that the :ref:`ref-classes-cve-check` tool has always been a
+   helper tool, and users are advised to always review the final result. Results
+   of an automatic scan may not take into account configuration options,
+   compiler options and other factors.
+
 Recipe License changes in |yocto-ver|
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~