2 files changed, 69 insertions, 29 deletions
diff --git a/documentation/dev-manual/vulnerabilities.rst b/documentation/dev-manual/vulnerabilities.rst
index 983d4ad3c6..d901ff975b 100644
--- a/documentation/dev-manual/vulnerabilities.rst
+++ b/documentation/dev-manual/vulnerabilities.rst
@@ -66,37 +66,77 @@ found in ``build/tmp/deploy/cve``.
 For example the CVE check report for the ``flex-native`` recipe looks like::
-   $ cat poky/build/tmp/deploy/cve/flex-native
+   $ cat ./tmp/deploy/cve/flex-native_cve.json
-   LAYER: meta
+   {
-   PACKAGE NAME: flex-native
+     "version": "1",
-   PACKAGE VERSION: 2.6.4
+     "package": [
-   CVE: CVE-2016-6354
+       {
-   CVE STATUS: Patched
+         "name": "flex-native",
-   CVE SUMMARY: Heap-based buffer overflow in the yy_get_next_buffer function in Flex before 2.6.1 might allow context-dependent attackers to cause a denial of service or possibly execute arbitrary code via vectors involving num_to_read.
+         "layer": "meta",
-   CVSS v2 BASE SCORE: 7.5
+         "version": "2.6.4",
-   CVSS v3 BASE SCORE: 9.8
+         "products": [
-   VECTOR: NETWORK
+           {
-   MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6354
+             "product": "flex",
+             "cvesInRecord": "No"
-   LAYER: meta
+           },
-   PACKAGE NAME: flex-native
+           {
-   PACKAGE VERSION: 2.6.4
+             "product": "flex",
-   CVE: CVE-2019-6293
+             "cvesInRecord": "Yes"
-   CVE STATUS: Ignored
+           }
-   CVE SUMMARY: An issue was discovered in the function mark_beginning_as_normal in nfa.c in flex 2.6.4. There is a stack exhaustion problem caused by the mark_beginning_as_normal function making recursive calls to itself in certain scenarios involving lots of '*' characters. Remote attackers could leverage this vulnerability to cause a denial-of-service.
+         ],
-   CVSS v2 BASE SCORE: 4.3
+         "issue": [
-   CVSS v3 BASE SCORE: 5.5
+           {
-   VECTOR: NETWORK
+             "id": "CVE-2006-0459",
-   MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-6293
+             "status": "Patched",
+             "link": "https://nvd.nist.gov/vuln/detail/CVE-2006-0459",
+             "summary": "flex.skl in Will Estes and John Millaway Fast Lexical Analyzer Generator (flex) before 2.5.33 does not allocate enough memory for grammars containing (1) REJECT statements or (2) trailing context rules, which causes flex to generate code that contains a buffer overflow that might allow context-dependent attackers to execute arbitrary code.",
+             "scorev2": "7.5",
+             "scorev3": "0.0",
+             "scorev4": "0.0",
+             "modified": "2024-11-21T00:06Z",
+             "vector": "NETWORK",
+             "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
+             "detail": "version-not-in-range"
+           },
+           {
+             "id": "CVE-2016-6354",
+             "status": "Patched",
+             "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6354",
+             "summary": "Heap-based buffer overflow in the yy_get_next_buffer function in Flex before 2.6.1 might allow context-dependent attackers to cause a denial of service or possibly execute arbitrary code via vectors involving num_to_read.",
+             "scorev2": "7.5",
+             "scorev3": "9.8",
+             "scorev4": "0.0",
+             "modified": "2024-11-21T02:55Z",
+             "vector": "NETWORK",
+             "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
+             "detail": "version-not-in-range"
+           },
+           {
+             "id": "CVE-2019-6293",
+             "status": "Ignored",
+             "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-6293",
+             "summary": "An issue was discovered in the function mark_beginning_as_normal in nfa.c in flex 2.6.4. There is a stack exhaustion problem caused by the mark_beginning_as_normal function making recursive calls to itself in certain scenarios involving lots of '*' characters. Remote attackers could leverage this vulnerability to cause a denial-of-service.",
+             "scorev2": "4.3",
+             "scorev3": "5.5",
+             "scorev4": "0.0",
+             "modified": "2024-11-21T04:46Z",
+             "vector": "NETWORK",
+             "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
+             "detail": "upstream-wontfix",
+             "description": "there is stack exhaustion but no bug and it is building the parser, not running it, effectively similar to a compiler ICE. Upstream no plans to address this."
+           }
+         ]
+       }
+     ]
+   }
 For images, a summary of all recipes included in the image and their CVEs is also
-generated in textual and JSON formats. These ``.cve`` and ``.json`` reports can be found
+generated in the JSON format. These ``.json`` reports can be found
 in the ``tmp/deploy/images`` directory for each compiled image.
 At build time CVE check will also throw warnings about ``Unpatched`` CVEs::
-   WARNING: flex-2.6.4-r0 do_cve_check: Found unpatched CVE (CVE-2019-6293), for more information check /poky/build/tmp/work/core2-64-poky-linux/flex/2.6.4-r0/temp/cve.log
+   WARNING: qemu-native-9.2.0-r0 do_cve_check: Found unpatched CVE (CVE-2023-1386)
-   WARNING: libarchive-3.5.1-r0 do_cve_check: Found unpatched CVE (CVE-2021-36976), for more information check /poky/build/tmp/work/core2-64-poky-linux/libarchive/3.5.1-r0/temp/cve.log
 It is also possible to check the CVE status of individual packages as follows::
@@ -115,10 +155,10 @@ upstream `NIST CVE database <https://nvd.nist.gov/>`__.
 The variable supports using vendor and product names like this::
-   CVE_PRODUCT = "flex_project:flex"
+   CVE_PRODUCT = "flex_project:flex westes:flex"
-In this example the vendor name used in the CVE database is ``flex_project`` and the
+In this example we have two possible vendors names,  ``flex_project`` and ``westes``,
-product is ``flex``. With this setting the ``flex`` recipe only maps to this specific
+with the product name ``flex``. With this setting the ``flex`` recipe only maps to this specific
 product and not products from other vendors with same name ``flex``.
 Similarly, when the recipe version :term:`PV` is not compatible with software versions used by
diff --git a/documentation/ref-manual/classes.rst b/documentation/ref-manual/classes.rst
index 925fc8a676..2db94ce710 100644
--- a/documentation/ref-manual/classes.rst
+++ b/documentation/ref-manual/classes.rst
@@ -563,7 +563,7 @@ You can also look for vulnerabilities in specific packages by passing
 ``-c cve_check`` to BitBake.
 After building the software with Bitbake, CVE check output reports are available in ``tmp/deploy/cve``
-and image specific summaries in ``tmp/deploy/images/*.cve`` or ``tmp/deploy/images/*.json`` files.
+and image specific summaries in ``tmp/deploy/images/*.json`` files.
 When building, the CVE checker will emit build time warnings for any detected
 issues which are in the state ``Unpatched``, meaning that CVE issue seems to affect the software component

diff --git a/documentation/dev-manual/vulnerabilities.rst b/documentation/dev-manual/vulnerabilities.rst index 983d4ad3c6..d901ff975b 100644 --- a/documentation/dev-manual/vulnerabilities.rst +++ b/documentation/dev-manual/vulnerabilities.rst
@@ -66,37 +66,77 @@ found in ``build/tmp/deploy/cve``.
66		66
67	For example the CVE check report for the ``flex-native`` recipe looks like::	67	For example the CVE check report for the ``flex-native`` recipe looks like::
68		68
69	$ cat poky/build/tmp/deploy/cve/flex-native	69	$ cat ./tmp/deploy/cve/flex-native_cve.json
70	LAYER: meta	70	{
71	PACKAGE NAME: flex-native	71	"version": "1",
72	PACKAGE VERSION: 2.6.4	72	"package": [
73	CVE: CVE-2016-6354	73	{
74	CVE STATUS: Patched	74	"name": "flex-native",
75	CVE SUMMARY: Heap-based buffer overflow in the yy_get_next_buffer function in Flex before 2.6.1 might allow context-dependent attackers to cause a denial of service or possibly execute arbitrary code via vectors involving num_to_read.	75	"layer": "meta",
76	CVSS v2 BASE SCORE: 7.5	76	"version": "2.6.4",
77	CVSS v3 BASE SCORE: 9.8	77	"products": [
78	VECTOR: NETWORK	78	{
79	MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6354	79	"product": "flex",
80		80	"cvesInRecord": "No"
81	LAYER: meta	81	},
82	PACKAGE NAME: flex-native	82	{
83	PACKAGE VERSION: 2.6.4	83	"product": "flex",
84	CVE: CVE-2019-6293	84	"cvesInRecord": "Yes"
85	CVE STATUS: Ignored	85	}
86	CVE SUMMARY: An issue was discovered in the function mark_beginning_as_normal in nfa.c in flex 2.6.4. There is a stack exhaustion problem caused by the mark_beginning_as_normal function making recursive calls to itself in certain scenarios involving lots of '*' characters. Remote attackers could leverage this vulnerability to cause a denial-of-service.	86	],
87	CVSS v2 BASE SCORE: 4.3	87	"issue": [
88	CVSS v3 BASE SCORE: 5.5	88	{
89	VECTOR: NETWORK	89	"id": "CVE-2006-0459",
90	MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-6293	90	"status": "Patched",
		91	"link": "https://nvd.nist.gov/vuln/detail/CVE-2006-0459",
		92	"summary": "flex.skl in Will Estes and John Millaway Fast Lexical Analyzer Generator (flex) before 2.5.33 does not allocate enough memory for grammars containing (1) REJECT statements or (2) trailing context rules, which causes flex to generate code that contains a buffer overflow that might allow context-dependent attackers to execute arbitrary code.",
		93	"scorev2": "7.5",
		94	"scorev3": "0.0",
		95	"scorev4": "0.0",
		96	"modified": "2024-11-21T00:06Z",
		97	"vector": "NETWORK",
		98	"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
		99	"detail": "version-not-in-range"
		100	},
		101	{
		102	"id": "CVE-2016-6354",
		103	"status": "Patched",
		104	"link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6354",
		105	"summary": "Heap-based buffer overflow in the yy_get_next_buffer function in Flex before 2.6.1 might allow context-dependent attackers to cause a denial of service or possibly execute arbitrary code via vectors involving num_to_read.",
		106	"scorev2": "7.5",
		107	"scorev3": "9.8",
		108	"scorev4": "0.0",
		109	"modified": "2024-11-21T02:55Z",
		110	"vector": "NETWORK",
		111	"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
		112	"detail": "version-not-in-range"
		113	},
		114	{
		115	"id": "CVE-2019-6293",
		116	"status": "Ignored",
		117	"link": "https://nvd.nist.gov/vuln/detail/CVE-2019-6293",
		118	"summary": "An issue was discovered in the function mark_beginning_as_normal in nfa.c in flex 2.6.4. There is a stack exhaustion problem caused by the mark_beginning_as_normal function making recursive calls to itself in certain scenarios involving lots of '*' characters. Remote attackers could leverage this vulnerability to cause a denial-of-service.",
		119	"scorev2": "4.3",
		120	"scorev3": "5.5",
		121	"scorev4": "0.0",
		122	"modified": "2024-11-21T04:46Z",
		123	"vector": "NETWORK",
		124	"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
		125	"detail": "upstream-wontfix",
		126	"description": "there is stack exhaustion but no bug and it is building the parser, not running it, effectively similar to a compiler ICE. Upstream no plans to address this."
		127	}
		128	]
		129	}
		130	]
		131	}
91		132
92	For images, a summary of all recipes included in the image and their CVEs is also	133	For images, a summary of all recipes included in the image and their CVEs is also
93	generated in textual and JSON formats. These ``.cve`` and ``.json`` reports can be found	134	generated in the JSON format. These ``.json`` reports can be found
94	in the ``tmp/deploy/images`` directory for each compiled image.	135	in the ``tmp/deploy/images`` directory for each compiled image.
95		136
96	At build time CVE check will also throw warnings about ``Unpatched`` CVEs::	137	At build time CVE check will also throw warnings about ``Unpatched`` CVEs::
97		138
98	WARNING: flex-2.6.4-r0 do_cve_check: Found unpatched CVE (CVE-2019-6293), for more information check /poky/build/tmp/work/core2-64-poky-linux/flex/2.6.4-r0/temp/cve.log	139	WARNING: qemu-native-9.2.0-r0 do_cve_check: Found unpatched CVE (CVE-2023-1386)
99	WARNING: libarchive-3.5.1-r0 do_cve_check: Found unpatched CVE (CVE-2021-36976), for more information check /poky/build/tmp/work/core2-64-poky-linux/libarchive/3.5.1-r0/temp/cve.log
100		140
101	It is also possible to check the CVE status of individual packages as follows::	141	It is also possible to check the CVE status of individual packages as follows::
102		142
@@ -115,10 +155,10 @@ upstream `NIST CVE database <https://nvd.nist.gov/>`__.
115		155
116	The variable supports using vendor and product names like this::	156	The variable supports using vendor and product names like this::
117		157
118	CVE_PRODUCT = "flex_project:flex"	158	CVE_PRODUCT = "flex_project:flex westes:flex"
119		159
120	In this example the vendor name used in the CVE database is ``flex_project`` and the	160	In this example we have two possible vendors names, ``flex_project`` and ``westes``,
121	product is ``flex``. With this setting the ``flex`` recipe only maps to this specific	161	with the product name ``flex``. With this setting the ``flex`` recipe only maps to this specific
122	product and not products from other vendors with same name ``flex``.	162	product and not products from other vendors with same name ``flex``.
123		163
124	Similarly, when the recipe version :term:`PV` is not compatible with software versions used by	164	Similarly, when the recipe version :term:`PV` is not compatible with software versions used by


diff --git a/documentation/ref-manual/classes.rst b/documentation/ref-manual/classes.rst index 925fc8a676..2db94ce710 100644 --- a/documentation/ref-manual/classes.rst +++ b/documentation/ref-manual/classes.rst
@@ -563,7 +563,7 @@ You can also look for vulnerabilities in specific packages by passing
563	``-c cve_check`` to BitBake.	563	``-c cve_check`` to BitBake.
564		564
565	After building the software with Bitbake, CVE check output reports are available in ``tmp/deploy/cve``	565	After building the software with Bitbake, CVE check output reports are available in ``tmp/deploy/cve``
566	and image specific summaries in ``tmp/deploy/images/.cve`` or ``tmp/deploy/images/.json`` files.	566	and image specific summaries in ``tmp/deploy/images/*.json`` files.
567		567
568	When building, the CVE checker will emit build time warnings for any detected	568	When building, the CVE checker will emit build time warnings for any detected
569	issues which are in the state ``Unpatched``, meaning that CVE issue seems to affect the software component	569	issues which are in the state ``Unpatched``, meaning that CVE issue seems to affect the software component