From 66aac2588d7b28b28694af48eac6d9b368098ba2 Mon Sep 17 00:00:00 2001
From: Noe Galea <ngalea@thegoodpenguin.co.uk>
Date: Fri, 17 May 2024 20:27:24 +0100
Subject: manuals: document NVDCVE_API_KEY variable

Add brief documentation of NVDCVE_API_KEY variable, that was added
in 4.2.3, and emphasize that its use results in lower NVD API request
times.

(From yocto-docs rev: 9c7b452441bad2d7c929383d4665dfddb8f7ea72)

Signed-off-by: Noe Galea <ngalea@thegoodpenguin.co.uk>
Reviewed-by: Michael Opdenacker <michael.opdenacker@bootlin.com>
Reviewed-by: Andrew Murray <amurray@thegoodpenguin.co.uk>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
---
 documentation/dev-manual/vulnerabilities.rst | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'documentation/dev-manual')

diff --git a/documentation/dev-manual/vulnerabilities.rst b/documentation/dev-manual/vulnerabilities.rst
index 1bc2a85929..983d4ad3c6 100644
--- a/documentation/dev-manual/vulnerabilities.rst
+++ b/documentation/dev-manual/vulnerabilities.rst
@@ -57,6 +57,10 @@ applied and that the issue needs to be investigated. ``Ignored`` means that afte
 analysis, it has been deemed to ignore the issue as it for example affects
 the software component on a different operating system platform.
 
+By default, no NVD API key is used to retrieve data from the CVE database, which
+results in larger delays between NVD API requests. See the :term:`NVDCVE_API_KEY`
+documentation on how to request and set a NVD API key.
+
 After a build with CVE check enabled, reports for each compiled source recipe will be
 found in ``build/tmp/deploy/cve``.
 
-- 
cgit v1.2.3-54-g00ecf