mirrors/poky
1
0
Fork 0
mirror of https://git.yoctoproject.org/poky synced 2026-04-30 12:32:12 +02:00
Code Issues Packages Projects Releases Wiki Activity

manuals: further documentation for cve-check

Browse Source 
This adds details about the actual implementation
of vulnerability checks, about how to fix or ignore
vulnerabilities in recipes, and documents the
CVE_CHECK_PN_WHITELIST and CVE_CHECK_WHITELIST variables.

(From yocto-docs rev: 55886d211218b3a604c2f8a29c854685ebf284dd)

Signed-off-by: Michael Opdenacker <michael.opdenacker@bootlin.com>
Reviewed-by: Quentin Schulz <foss@0leil.net>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
Michael Opdenacker
2021-08-06 12:33:04 +02:00
committed by Richard Purdie
parent 23e640b809
commit 4c7e3b64bc
3 changed files with 97 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
documentation/ref-manual/classes.rst
View File

@@ -404,6 +404,22 @@ cross-compilation tools used for building SDKs. See the
section in the Yocto Project Overview and Concepts Manual for more
discussion on these cross-compilation tools.
.. _ref-classes-cve-check:
``cve-check.bbclass``
=====================
The ``cve-check`` class looks for known CVEs (Common Vulnerabilities
and Exposures) while building an image. This class is meant to be
inherited globally from a configuration file::
INHERIT += "cve-check"
You can also look for vulnerabilities in specific packages by passing
``-c cve_check`` to BitBake. You will find details in the
":ref:`dev-manual/common-tasks:checking for vulnerabilities`"
section in the Development Tasks Manual.
.. _ref-classes-debian:
``debian.bbclass``

13
documentation/ref-manual/variables.rst
View File

@@ -1471,11 +1471,22 @@ system and gives an overview of their function and contents.
variable only in certain contexts (e.g. when building for kernel
and kernel module recipes).
:term:`CVE_CHECK_PN_WHITELIST`
The list of package names (:term:`PN`) for which
CVEs (Common Vulnerabilities and Exposures) are ignored.
:term:`CVE_CHECK_WHITELIST`
The list of CVE IDs which are ignored. Here is
an example from the :oe_layerindex:`Python3 recipe</layerindex/recipe/23823>`::
# This is windows only issue.
CVE_CHECK_WHITELIST += "CVE-2020-15523"
:term:`CVE_PRODUCT`
In a recipe, defines the name used to match the recipe name
against the name in the upstream `NIST CVE database <https://nvd.nist.gov/>`__.
The default is ${:term:`BPN`}. If it does not match the name in NIST CVE
The default is ${:term:`BPN`}. If it does not match the name in the NIST CVE
database or matches with multiple entries in the database, the default
value needs to be changed.