Diffstat (limited to 'documentation/ref-manual')
-rw-r--r-- documentation/ref-manual/classes.rst 16
-rw-r--r-- documentation/ref-manual/variables.rst 13
2 files changed, 28 insertions, 1 deletions
diff --git a/documentation/ref-manual/classes.rst b/documentation/ref-manual/classes.rst
index 49905f2725..a98a64c432 100644
--- a/documentation/ref-manual/classes.rst
+++ b/documentation/ref-manual/classes.rst
@@ -404,6 +404,22 @@ cross-compilation tools used for building SDKs. See the
404section in the Yocto Project Overview and Concepts Manual for more 404section in the Yocto Project Overview and Concepts Manual for more
405discussion on these cross-compilation tools. 405discussion on these cross-compilation tools.
406 406
407.. _ref-classes-cve-check:
408
409``cve-check.bbclass``
410=====================
411
412The ``cve-check`` class looks for known CVEs (Common Vulnerabilities
413and Exposures) while building an image. This class is meant to be
414inherited globally from a configuration file::
415
416 INHERIT += "cve-check"
417
418You can also look for vulnerabilities in specific packages by passing
419``-c cve_check`` to BitBake. You will find details in the
420":ref:`dev-manual/common-tasks:checking for vulnerabilities`"
421section in the Development Tasks Manual.
422
407.. _ref-classes-debian: 423.. _ref-classes-debian:
408 424
409``debian.bbclass`` 425``debian.bbclass``
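Review bot: The new ``cve-check.bbclass`` section (new lines 407-421) never points to the variables that tune the check, although this same commit documents them in variables.rst. Consider adding :term:`CVE_CHECK_WHITELIST`, :term:`CVE_CHECK_PN_WHITELIST` and :term:`CVE_PRODUCT` references after the ``INHERIT += "cve-check"`` example so a reader of the class entry can find them. The sentence about passing ``-c cve_check`` to BitBake would also read better with the full invocation shown, for example ``bitbake -c cve_check <recipe>``, because the text says "specific packages" without showing where the name goes.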
diff --git a/documentation/ref-manual/variables.rst b/documentation/ref-manual/variables.rst
index 1150940133..f6d248a193 100644
--- a/documentation/ref-manual/variables.rst
+++ b/documentation/ref-manual/variables.rst
@@ -1471,11 +1471,22 @@ system and gives an overview of their function and contents.
1471 variable only in certain contexts (e.g. when building for kernel 1471 variable only in certain contexts (e.g. when building for kernel
1472 and kernel module recipes). 1472 and kernel module recipes).
1473 1473
1474 :term:`CVE_CHECK_PN_WHITELIST`
1475 The list of package names (:term:`PN`) for which
1476 CVEs (Common Vulnerabilities and Exposures) are ignored.
1477
1478 :term:`CVE_CHECK_WHITELIST`
1479 The list of CVE IDs which are ignored. Here is
1480 an example from the :oe_layerindex:`Python3 recipe</layerindex/recipe/23823>`::
1481
1482 # This is windows only issue.
1483 CVE_CHECK_WHITELIST += "CVE-2020-15523"
1484
1474 :term:`CVE_PRODUCT` 1485 :term:`CVE_PRODUCT`
1475 In a recipe, defines the name used to match the recipe name 1486 In a recipe, defines the name used to match the recipe name
1476 against the name in the upstream `NIST CVE database <https://nvd.nist.gov/>`__. 1487 against the name in the upstream `NIST CVE database <https://nvd.nist.gov/>`__.
1477 1488
1478 The default is ${:term:`BPN`}. If it does not match the name in NIST CVE 1489 The default is ${:term:`BPN`}. If it does not match the name in the NIST CVE
1479 database or matches with multiple entries in the database, the default 1490 database or matches with multiple entries in the database, the default
1480 value needs to be changed. 1491 value needs to be changed.
1481 1492
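Review bot: In the :term:`CVE_CHECK_PN_WHITELIST` entry (new lines 1474-1476), "package names (:term:`PN`)" is imprecise because :term:`PN` is the recipe name, and neither whitelist entry says which class reads it. Suggest wording such as "The list of recipe names (:term:`PN`) for which the ``cve-check`` class ignores CVEs", with a link to :ref:`ref-classes-cve-check` from both entries. It is also worth stating the difference in scope: a name listed in ``CVE_CHECK_PN_WHITELIST`` has all of its CVEs ignored, while ``CVE_CHECK_WHITELIST`` ignores individual IDs, so the second is the narrower choice and each ID should carry a justification comment as the Python3 example does.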