1 files changed, 17 insertions, 0 deletions
diff --git a/documentation/migration-guides/release-notes-5.2.rst b/documentation/migration-guides/release-notes-5.2.rst
index 417b202cdb..d7115230dc 100644
--- a/documentation/migration-guides/release-notes-5.2.rst
+++ b/documentation/migration-guides/release-notes-5.2.rst
@@ -402,6 +402,23 @@ New Features / Enhancements in |yocto-ver|
 Known Issues in |yocto-ver|
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-  The :ref:`ref-classes-cve-check` class is based on the `National
+   Vulnerability Database <https://nvd.nist.gov/>`__ (NVD). Since the beginning
+   of 2024, the maintainers of this database have stopped annotating CVEs with
+   the affected CPEs. This prevents the :ref:`ref-classes-cve-check` class to
+   properly report CVEs as CPEs are used to match Yocto recipes with CVEs
+   affecting them. As a result, the current CVE reports may look good but the
+   reality is that some vulnerabilities are just not reported.
+   During that time, users may look up the 'CVE database
+   <https://www.cve.org/>'__ for entries concerning software they use, or follow
+   release notes of such projects closely.
+   Please note, that the :ref:`ref-classes-cve-check` tool has always been a
+   helper tool, and users are advised to always review the final result. Results
+   of an automatic scan may not take into account configuration options,
+   compiler options and other factors.
 Recipe License changes in |yocto-ver|
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

diff --git a/documentation/migration-guides/release-notes-5.2.rst b/documentation/migration-guides/release-notes-5.2.rst index 417b202cdb..d7115230dc 100644 --- a/documentation/migration-guides/release-notes-5.2.rst +++ b/documentation/migration-guides/release-notes-5.2.rst
@@ -402,6 +402,23 @@ New Features / Enhancements in \|yocto-ver\|
402	Known Issues in \|yocto-ver\|	402	Known Issues in \|yocto-ver\|
403	~~~~~~~~~~~~~~~~~~~~~~~~~~~	403	~~~~~~~~~~~~~~~~~~~~~~~~~~~
404		404
		405	- The :ref:`ref-classes-cve-check` class is based on the `National
		406	Vulnerability Database <https://nvd.nist.gov/>`__ (NVD). Since the beginning
		407	of 2024, the maintainers of this database have stopped annotating CVEs with
		408	the affected CPEs. This prevents the :ref:`ref-classes-cve-check` class to
		409	properly report CVEs as CPEs are used to match Yocto recipes with CVEs
		410	affecting them. As a result, the current CVE reports may look good but the
		411	reality is that some vulnerabilities are just not reported.
		412
		413	During that time, users may look up the 'CVE database
		414	<https://www.cve.org/>'__ for entries concerning software they use, or follow
		415	release notes of such projects closely.
		416
		417	Please note, that the :ref:`ref-classes-cve-check` tool has always been a
		418	helper tool, and users are advised to always review the final result. Results
		419	of an automatic scan may not take into account configuration options,
		420	compiler options and other factors.
		421
405	Recipe License changes in \|yocto-ver\|	422	Recipe License changes in \|yocto-ver\|
406	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~	423	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
407		424