1 files changed, 108 insertions, 1 deletions
diff --git a/documentation/ref-manual/variables.rst b/documentation/ref-manual/variables.rst
index 47462233c9..c182478a31 100644
--- a/documentation/ref-manual/variables.rst
+++ b/documentation/ref-manual/variables.rst
@@ -1469,15 +1469,31 @@ system and gives an overview of their function and contents.
         # This is windows only issue.
         CVE_CHECK_IGNORE += "CVE-2020-15523"
+   :term:`CVE_CHECK_SHOW_WARNINGS`
+      Specifies whether or not the :ref:`cve-check <ref-classes-cve-check>`
+      class should generate warning messages on the console when unpatched
+      CVEs are found. The default is "1", but you may wish to set it to "0" if
+      you are already examining/processing the logs after the build has
+      completed and thus do not need the warning messages.
   :term:`CVE_CHECK_SKIP_RECIPE`
      The list of package names (:term:`PN`) for which
      CVEs (Common Vulnerabilities and Exposures) are ignored.
+   :term:`CVE_DB_UPDATE_INTERVAL`
+      Specifies the CVE database update interval in seconds, as used by
+      ``cve-update-db-native``. The default value is "86400" i.e. once a day
+      (24*60*60). If the value is set to "0" then the update will be forced
+      every time. Alternatively, a negative value e.g. "-1" will disable
+      updates entirely.
   :term:`CVE_PRODUCT`
      In a recipe, defines the name used to match the recipe name
      against the name in the upstream `NIST CVE database <https://nvd.nist.gov/>`__.
-      The default is ${:term:`BPN`}. If it does not match the name in the NIST CVE
+      The default is ${:term:`BPN`} (except for recipes that inherit the
+      :ref:`pypi <ref-classes-pypi>` class where it is set based upon
+      :term:`PYPI_PACKAGE`). If it does not match the name in the NIST CVE
      database or matches with multiple entries in the database, the default
      value needs to be changed.
@@ -1492,6 +1508,18 @@ system and gives an overview of their function and contents.
         CVE_PRODUCT = "vendor:package"
+   :term:`CVE_VERSION`
+      In a recipe, defines the version used to match the recipe version
+      against the version in the `NIST CVE database <https://nvd.nist.gov/>`__
+      when usign :ref:`cve-check <ref-classes-cve-check>`.
+      The default is ${:term:`PV`} but if recipes use custom version numbers
+      which do not map to upstream software component release versions and the versions
+      used in the CVE database, then this variable can be used to set the
+      version number for :ref:`cve-check <ref-classes-cve-check>`. Example::
+          CVE_VERSION = "2.39"
   :term:`CVSDIR`
      The directory in which files checked out under the CVS system are
      stored.
@@ -6089,6 +6117,14 @@ system and gives an overview of their function and contents.
      :term:`PV` is the default value of the :term:`PKGV` variable.
+   :term:`PYPI_PACKAGE`
+      When inheriting the :ref:`pypi <ref-classes-pypi>` class, specifies the
+      `PyPI <https://pypi.org/>`__ package name to be built. The default value
+      is set based upon :term:`BPN` (stripping any "python-" or "python3-"
+      prefix off if present), however for some packages it will need to be set
+      explicitly if that will not match the package name (e.g. where the
+      package name has a prefix, underscores, uppercase letters etc.)
   :term:`PYTHON_ABI`
      When used by recipes that inherit the
      :ref:`setuptools3 <ref-classes-setuptools3>` class, denotes the
@@ -7058,6 +7094,77 @@ system and gives an overview of their function and contents.
         You can specify only a single URL in :term:`SOURCE_MIRROR_URL`.
+   :term:`SPDX_ARCHIVE_PACKAGED`
+      This option allows to add to :term:`SPDX` output compressed archives
+      of the files in the generated target packages.
+      Such archives are available in
+      ``tmp/deploy/spdx/MACHINE/packages/packagename.tar.zst``
+      under the :term:`Build Directory`.
+      Enable this option as follows::
+         SPDX_ARCHIVE_PACKAGED = "1"
+      According to our tests on release 4.1 "langdale", building
+      ``core-image-minimal`` for the ``qemux86-64`` machine, enabling this
+      option multiplied the size of the ``tmp/deploy/spdx`` directory by a
+      factor of 13 (+1.6 GiB for this image), compared to just using the
+      :ref:`create-spdx <ref-classes-create-spdx>` class with no option.
+      Note that this option doesn't increase the size of :term:`SPDX`
+      files in ``tmp/deploy/images/MACHINE``.
+   :term:`SPDX_ARCHIVE_SOURCES`
+      This option allows to add to :term:`SPDX` output compressed archives
+      of the sources for packages installed on the target. It currently
+      only works when :term:`SPDX_INCLUDE_SOURCES` is set.
+      This is one way of fulfilling "source code access" license
+      requirements.
+      Such source archives are available in
+      ``tmp/deploy/spdx/MACHINE/recipes/recipe-packagename.tar.zst``
+      under the :term:`Build Directory`.
+      Enable this option as follows::
+         SPDX_INCLUDE_SOURCES = "1"
+         SPDX_ARCHIVE_SOURCES = "1"
+      According to our tests on release 4.1 "langdale", building
+      ``core-image-minimal`` for the ``qemux86-64`` machine, enabling
+      these options multiplied the size of the ``tmp/deploy/spdx``
+      directory by a factor of 11 (+1.4 GiB for this image),
+      compared to just using the :ref:`create-spdx <ref-classes-create-spdx>`
+      class with no option.
+      Note that using this option only marginally increases the size
+      of the :term:`SPDX` output in ``tmp/deploy/images/MACHINE/``
+      (+ 0.07\% with the tested image), compared to just enabling
+      :term:`SPDX_INCLUDE_SOURCES`.
+   :term:`SPDX_INCLUDE_SOURCES`
+      This option allows to add a description of the source files used to build
+      the host tools and the target packages, to the ``spdx.json`` files in
+      ``tmp/deploy/spdx/MACHINE/recipes/`` under the :term:`Build Directory`.
+      As a consequence, the ``spdx.json`` files under the ``by-namespace`` and
+      ``packages`` subdirectories in ``tmp/deploy/spdx/MACHINE`` are also
+      modified to include references to such source file descriptions.
+      Enable this option as follows::
+         SPDX_INCLUDE_SOURCES = "1"
+      According to our tests on release 4.1 "langdale", building
+      ``core-image-minimal`` for the ``qemux86-64`` machine, enabling
+      this option multiplied the total size of the ``tmp/deploy/spdx``
+      directory by a factor of 3  (+291 MiB for this image),
+      and the size of the ``IMAGE-MACHINE.spdx.tar.zst`` in
+      ``tmp/deploy/images/MACHINE`` by a factor of 130 (+15 MiB for this
+      image), compared to just using the
+      :ref:`create-spdx <ref-classes-create-spdx>` class with no option.
   :term:`SPDXLICENSEMAP`
      Maps commonly used license names to their SPDX counterparts found in
      ``meta/files/common-licenses/``. For the default :term:`SPDXLICENSEMAP`

diff --git a/documentation/ref-manual/variables.rst b/documentation/ref-manual/variables.rst index 47462233c9..c182478a31 100644 --- a/documentation/ref-manual/variables.rst +++ b/documentation/ref-manual/variables.rst
@@ -1469,15 +1469,31 @@ system and gives an overview of their function and contents.
1469	# This is windows only issue.	1469	# This is windows only issue.
1470	CVE_CHECK_IGNORE += "CVE-2020-15523"	1470	CVE_CHECK_IGNORE += "CVE-2020-15523"
1471		1471
		1472	:term:`CVE_CHECK_SHOW_WARNINGS`
		1473	Specifies whether or not the :ref:`cve-check <ref-classes-cve-check>`
		1474	class should generate warning messages on the console when unpatched
		1475	CVEs are found. The default is "1", but you may wish to set it to "0" if
		1476	you are already examining/processing the logs after the build has
		1477	completed and thus do not need the warning messages.
		1478
1472	:term:`CVE_CHECK_SKIP_RECIPE`	1479	:term:`CVE_CHECK_SKIP_RECIPE`
1473	The list of package names (:term:`PN`) for which	1480	The list of package names (:term:`PN`) for which
1474	CVEs (Common Vulnerabilities and Exposures) are ignored.	1481	CVEs (Common Vulnerabilities and Exposures) are ignored.
1475		1482
		1483	:term:`CVE_DB_UPDATE_INTERVAL`
		1484	Specifies the CVE database update interval in seconds, as used by
		1485	``cve-update-db-native``. The default value is "86400" i.e. once a day
		1486	(246060). If the value is set to "0" then the update will be forced
		1487	every time. Alternatively, a negative value e.g. "-1" will disable
		1488	updates entirely.
		1489
1476	:term:`CVE_PRODUCT`	1490	:term:`CVE_PRODUCT`
1477	In a recipe, defines the name used to match the recipe name	1491	In a recipe, defines the name used to match the recipe name
1478	against the name in the upstream `NIST CVE database <https://nvd.nist.gov/>`__.	1492	against the name in the upstream `NIST CVE database <https://nvd.nist.gov/>`__.
1479		1493
1480	The default is ${:term:`BPN`}. If it does not match the name in the NIST CVE	1494	The default is ${:term:`BPN`} (except for recipes that inherit the
		1495	:ref:`pypi <ref-classes-pypi>` class where it is set based upon
		1496	:term:`PYPI_PACKAGE`). If it does not match the name in the NIST CVE
1481	database or matches with multiple entries in the database, the default	1497	database or matches with multiple entries in the database, the default
1482	value needs to be changed.	1498	value needs to be changed.
1483		1499
@@ -1492,6 +1508,18 @@ system and gives an overview of their function and contents.
1492		1508
1493	CVE_PRODUCT = "vendor:package"	1509	CVE_PRODUCT = "vendor:package"
1494		1510
		1511	:term:`CVE_VERSION`
		1512	In a recipe, defines the version used to match the recipe version
		1513	against the version in the `NIST CVE database <https://nvd.nist.gov/>`__
		1514	when usign :ref:`cve-check <ref-classes-cve-check>`.
		1515
		1516	The default is ${:term:`PV`} but if recipes use custom version numbers
		1517	which do not map to upstream software component release versions and the versions
		1518	used in the CVE database, then this variable can be used to set the
		1519	version number for :ref:`cve-check <ref-classes-cve-check>`. Example::
		1520
		1521	CVE_VERSION = "2.39"
		1522
1495	:term:`CVSDIR`	1523	:term:`CVSDIR`
1496	The directory in which files checked out under the CVS system are	1524	The directory in which files checked out under the CVS system are
1497	stored.	1525	stored.
@@ -6089,6 +6117,14 @@ system and gives an overview of their function and contents.
6089		6117
6090	:term:`PV` is the default value of the :term:`PKGV` variable.	6118	:term:`PV` is the default value of the :term:`PKGV` variable.
6091		6119
		6120	:term:`PYPI_PACKAGE`
		6121	When inheriting the :ref:`pypi <ref-classes-pypi>` class, specifies the
		6122	`PyPI <https://pypi.org/>`__ package name to be built. The default value
		6123	is set based upon :term:`BPN` (stripping any "python-" or "python3-"
		6124	prefix off if present), however for some packages it will need to be set
		6125	explicitly if that will not match the package name (e.g. where the
		6126	package name has a prefix, underscores, uppercase letters etc.)
		6127
6092	:term:`PYTHON_ABI`	6128	:term:`PYTHON_ABI`
6093	When used by recipes that inherit the	6129	When used by recipes that inherit the
6094	:ref:`setuptools3 <ref-classes-setuptools3>` class, denotes the	6130	:ref:`setuptools3 <ref-classes-setuptools3>` class, denotes the
@@ -7058,6 +7094,77 @@ system and gives an overview of their function and contents.
7058		7094
7059	You can specify only a single URL in :term:`SOURCE_MIRROR_URL`.	7095	You can specify only a single URL in :term:`SOURCE_MIRROR_URL`.
7060		7096
		7097	:term:`SPDX_ARCHIVE_PACKAGED`
		7098	This option allows to add to :term:`SPDX` output compressed archives
		7099	of the files in the generated target packages.
		7100
		7101	Such archives are available in
		7102	``tmp/deploy/spdx/MACHINE/packages/packagename.tar.zst``
		7103	under the :term:`Build Directory`.
		7104
		7105	Enable this option as follows::
		7106
		7107	SPDX_ARCHIVE_PACKAGED = "1"
		7108
		7109	According to our tests on release 4.1 "langdale", building
		7110	``core-image-minimal`` for the ``qemux86-64`` machine, enabling this
		7111	option multiplied the size of the ``tmp/deploy/spdx`` directory by a
		7112	factor of 13 (+1.6 GiB for this image), compared to just using the
		7113	:ref:`create-spdx <ref-classes-create-spdx>` class with no option.
		7114
		7115	Note that this option doesn't increase the size of :term:`SPDX`
		7116	files in ``tmp/deploy/images/MACHINE``.
		7117
		7118	:term:`SPDX_ARCHIVE_SOURCES`
		7119	This option allows to add to :term:`SPDX` output compressed archives
		7120	of the sources for packages installed on the target. It currently
		7121	only works when :term:`SPDX_INCLUDE_SOURCES` is set.
		7122
		7123	This is one way of fulfilling "source code access" license
		7124	requirements.
		7125
		7126	Such source archives are available in
		7127	``tmp/deploy/spdx/MACHINE/recipes/recipe-packagename.tar.zst``
		7128	under the :term:`Build Directory`.
		7129
		7130	Enable this option as follows::
		7131
		7132	SPDX_INCLUDE_SOURCES = "1"
		7133	SPDX_ARCHIVE_SOURCES = "1"
		7134
		7135	According to our tests on release 4.1 "langdale", building
		7136	``core-image-minimal`` for the ``qemux86-64`` machine, enabling
		7137	these options multiplied the size of the ``tmp/deploy/spdx``
		7138	directory by a factor of 11 (+1.4 GiB for this image),
		7139	compared to just using the :ref:`create-spdx <ref-classes-create-spdx>`
		7140	class with no option.
		7141
		7142	Note that using this option only marginally increases the size
		7143	of the :term:`SPDX` output in ``tmp/deploy/images/MACHINE/``
		7144	(+ 0.07\% with the tested image), compared to just enabling
		7145	:term:`SPDX_INCLUDE_SOURCES`.
		7146
		7147	:term:`SPDX_INCLUDE_SOURCES`
		7148	This option allows to add a description of the source files used to build
		7149	the host tools and the target packages, to the ``spdx.json`` files in
		7150	``tmp/deploy/spdx/MACHINE/recipes/`` under the :term:`Build Directory`.
		7151	As a consequence, the ``spdx.json`` files under the ``by-namespace`` and
		7152	``packages`` subdirectories in ``tmp/deploy/spdx/MACHINE`` are also
		7153	modified to include references to such source file descriptions.
		7154
		7155	Enable this option as follows::
		7156
		7157	SPDX_INCLUDE_SOURCES = "1"
		7158
		7159	According to our tests on release 4.1 "langdale", building
		7160	``core-image-minimal`` for the ``qemux86-64`` machine, enabling
		7161	this option multiplied the total size of the ``tmp/deploy/spdx``
		7162	directory by a factor of 3 (+291 MiB for this image),
		7163	and the size of the ``IMAGE-MACHINE.spdx.tar.zst`` in
		7164	``tmp/deploy/images/MACHINE`` by a factor of 130 (+15 MiB for this
		7165	image), compared to just using the
		7166	:ref:`create-spdx <ref-classes-create-spdx>` class with no option.
		7167
7061	:term:`SPDXLICENSEMAP`	7168	:term:`SPDXLICENSEMAP`
7062	Maps commonly used license names to their SPDX counterparts found in	7169	Maps commonly used license names to their SPDX counterparts found in
7063	``meta/files/common-licenses/``. For the default :term:`SPDXLICENSEMAP`	7170	``meta/files/common-licenses/``. For the default :term:`SPDXLICENSEMAP`