From 76053e0f7849ff33428fd75c531c91ab375de8d3 Mon Sep 17 00:00:00 2001 From: Michael Opdenacker Date: Fri, 30 Jul 2021 20:52:16 +0200 Subject: [PATCH] manuals: initial documentation for CVE management This starts to document vulnerability management and the use of the CVE_PRODUCT variable (From yocto-docs rev: 2b9199fe490cb3ec126bffc6518646194a94ace4) Signed-off-by: Michael Opdenacker Reviewed-by: Quentin Schulz Signed-off-by: Richard Purdie --- documentation/dev-manual/common-tasks.rst | 45 +++++++++++++++++++++++ documentation/ref-manual/variables.rst | 12 ++++++ 2 files changed, 57 insertions(+) diff --git a/documentation/dev-manual/common-tasks.rst b/documentation/dev-manual/common-tasks.rst index 77af03b3ca..7fa0df4d39 100644 --- a/documentation/dev-manual/common-tasks.rst +++ b/documentation/dev-manual/common-tasks.rst @@ -10529,6 +10529,9 @@ follows: 1. *Identify the bug or CVE to be fixed:* This information should be collected so that it can be included in your submission. + See :ref:`dev-manual/common-tasks:checking for vulnerabilities` + for details about CVE tracking. + 2. *Check if the fix is already present in the master branch:* This will result in the most straightforward path into the stable branch for the fix. 
@@ -11091,6 +11094,48 @@ the license from the fetched source:: NO_GENERIC_LICENSE[Firmware-Abilis] = "LICENSE.Abilis.txt" +Checking for Vulnerabilities +============================ + +Vulnerabilities in images +------------------------- + +The Yocto Project has an infrastructure to track and address unfixed +known security vulnerabilities, as tracked by the public +`Common Vulnerabilities and Exposures (CVE) `__ +database. + +To know which packages are vulnerable to known security vulnerabilities, +add the following setting to your configuration:: + + INHERIT += "cve-check" + +This way, at build time, BitBake will warn you about known CVEs +as in the example below:: + + WARNING: flex-2.6.4-r0 do_cve_check: Found unpatched CVE (CVE-2019-6293), for more information check /poky/build/tmp/work/core2-64-poky-linux/flex/2.6.4-r0/temp/cve.log + WARNING: libarchive-3.5.1-r0 do_cve_check: Found unpatched CVE (CVE-2021-36976), for more information check /poky/build/tmp/work/core2-64-poky-linux/libarchive/3.5.1-r0/temp/cve.log + +It is also possible to check the CVE status of individual packages as follows:: + + bitbake -c cve_check flex libarchive + +Note that OpenEmbedded-Core keeps a list of known unfixed CVE issues which can +be ignored. You can pass this list to the check as follows:: + + bitbake -c cve_check libarchive -R conf/distro/include/cve-extra-exclusions.inc + +Enabling vulnerabily tracking in recipes +---------------------------------------- + +The :term:`CVE_PRODUCT` variable defines the name used to match the recipe name +against the name in the upstream `NIST CVE database `__. + +The CVE database is stored in :term:`DL_DIR` and can be inspected using +``sqlite3`` command as follows:: + + sqlite3 downloads/CVE_CHECK/nvdcve_1.1.db .dump | grep CVE-2021-37462 + Using the Error Reporting Tool ============================== diff --git a/documentation/ref-manual/variables.rst b/documentation/ref-manual/variables.rst index b61de1993d..1150940133 100644 
--- a/documentation/ref-manual/variables.rst +++ b/documentation/ref-manual/variables.rst @@ -1471,6 +1471,18 @@ system and gives an overview of their function and contents. variable only in certain contexts (e.g. when building for kernel and kernel module recipes). + :term:`CVE_PRODUCT` + In a recipe, defines the name used to match the recipe name + against the name in the upstream `NIST CVE database `__. + + The default is ${:term:`BPN`}. If it does not match the name in NIST CVE + database or matches with multiple entries in the database, the default + value needs to be changed. + + Here is an example from the :oe_layerindex:`Berkeley DB recipe `:: + + CVE_PRODUCT = "oracle_berkeley_db berkeley_db" + :term:`CVSDIR` The directory in which files checked out under the CVS system are stored.
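Review bot: In the common-tasks.rst hunk adding "Checking for Vulnerabilities", the new subsection heading "Enabling vulnerabily tracking in recipes" misspells "vulnerability"; when correcting it to "Enabling vulnerability tracking in recipes", lengthen the dashed underline to match the new title length, otherwise Sphinx emits a title-underline-too-short warning. In the same hunk, both external links (`Common Vulnerabilities and Exposures (CVE) `__` and `NIST CVE database `__`) show no URL between the link text and the closing backtick as rendered here, so please confirm the targets are present in the committed file. The sentence "Note that OpenEmbedded-Core keeps a list of known unfixed CVE issues which can be ignored" would also read better as "a list of known CVE issues that can be ignored", since the point of passing `conf/distro/include/cve-extra-exclusions.inc` with `-R` is to exclude entries from the check, not to flag them as unfixed.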
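Review bot: In the variables.rst hunk, the `CVE_PRODUCT` entry says it "defines the name" (singular), but the Berkeley DB example `CVE_PRODUCT = "oracle_berkeley_db berkeley_db"` sets two space-separated names; the text should state that multiple product names may be listed, separated by spaces, so readers know the example is not a typo. Two smaller points: `${:term:`BPN`}` nests a role inside `${...}` and is likely to render poorly, so prefer "The default value is :term:`BPN`"; and "does not match the name in NIST CVE database" is missing an article ("in the NIST CVE database").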