mirror of
https://git.yoctoproject.org/poky
synced 2026-02-11 03:03:02 +01:00
dev-manual: common-tasks.rst: fix typos
(From yocto-docs rev: 680f48a94cec063779797c55a9bfe461289a98e3) Signed-off-by: Ulrich Ölmann <u.oelmann@pengutronix.de> Reviewed-by: Michael Opdenacker <michael.opdenacker@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
Ulrich Ölmann
committed by
Richard Purdie
Richard Purdie
parent
e1b27258d5
commit
7f3e02fe74
@@ -11518,7 +11518,7 @@ applied and that the issue needs to be investigated. ``Ignored`` means that afte
|
||||
analysis, it has been deemed to ignore the issue as it for example affects
|
||||
the software component on a different operating system platform.
|
||||
|
||||
After build with CVE check enabled, reports for each compiled source recipe will be
|
||||
After a build with CVE check enabled, reports for each compiled source recipe will be
|
||||
found in ``build/tmp/deploy/cve``.
|
||||
|
||||
For example the CVE check report for the ``flex-native`` recipe looks like::
|
||||
@@ -11567,36 +11567,36 @@ product name when querying the CVE database. If this mapping contains false posi
|
||||
some reported CVEs are not for the software component in question, or false negatives like
|
||||
some CVEs are not found to impact the recipe when they should, then the problems can be
|
||||
in the recipe name to CVE product mapping. These mapping issues can be fixed by setting
|
||||
the :term:`CVE_PRODUCT` variable inside the recipe. This defines the name of software component in the
|
||||
the :term:`CVE_PRODUCT` variable inside the recipe. This defines the name of the software component in the
|
||||
upstream `NIST CVE database <https://nvd.nist.gov/>`__.
|
||||
|
||||
The variable supports using vendor and product names like this::
|
||||
|
||||
CVE_PRODUCT = "flex_project:flex"
|
||||
|
||||
In this example from the vendor name used in CVE database is ``flex_project`` and
|
||||
In this example the vendor name used in the CVE database is ``flex_project`` and the
|
||||
product is ``flex``. With this setting the ``flex`` recipe only maps to this specific
|
||||
product and not products from other vendors with same name ``flex``.
|
||||
|
||||
Similary, when the recipe version :term:`PV` is not compatible with software versions used by
|
||||
Similarly, when the recipe version :term:`PV` is not compatible with software versions used by
|
||||
the upstream software component releases and the CVE database, these can be fixed using
|
||||
:term:`CVE_VERSION` variable.
|
||||
the :term:`CVE_VERSION` variable.
|
||||
|
||||
Note that if the CVE entries in NVD databse contain bugs or have missing or incomplete
|
||||
Note that if the CVE entries in the NVD database contain bugs or have missing or incomplete
|
||||
information, it is recommended to fix the information there directly instead of working
|
||||
around the issues for a possibly long time in Poky and OE-Core side recipes. Feedback to
|
||||
NVD about CVEs entries can be provided through the `NVD contact form <https://nvd.nist.gov/info/contact-form>`__.
|
||||
around the issues possibly for a long time in Poky and OE-Core side recipes. Feedback to
|
||||
NVD about CVE entries can be provided through the `NVD contact form <https://nvd.nist.gov/info/contact-form>`__.
|
||||
|
||||
Fixing vulnerabilities in recipes
|
||||
---------------------------------
|
||||
|
||||
If a CVE security issue impacts a software component, it can be fixed by updating to a newer
|
||||
version of the software component or by applying a patch. For Poky and OE-Core master branches, updating
|
||||
to newer software component release with fixes is the best option, but patches can be applied
|
||||
to a newer software component release with fixes is the best option, but patches can be applied
|
||||
if releases are not yet available.
|
||||
|
||||
For stable branches, it is preferred to apply patches for the issues. For some software
|
||||
components minor version updates can also applied if they are backwards compatible.
|
||||
components minor version updates can also be applied if they are backwards compatible.
|
||||
|
||||
Here is an example of fixing CVE security issues with patch files,
|
||||
an example from the :oe_layerindex:`ffmpeg recipe</layerindex/recipe/47350>`::
|
||||
@@ -11610,8 +11610,8 @@ an example from the :oe_layerindex:`ffmpeg recipe</layerindex/recipe/47350>`::
|
||||
file://fix-CVE-2020-22033-CVE-2020-22019.patch \
|
||||
file://fix-CVE-2021-33815.patch \
|
||||
|
||||
A good practice is to include the CVE identifier in both patch file name
|
||||
and inside the patch file commit message use the format::
|
||||
A good practice is to include the CVE identifier in both the patch file name
|
||||
and inside the patch file commit message using the format::
|
||||
|
||||
CVE: CVE-2020-22033
|
||||
|
||||
@@ -11619,7 +11619,7 @@ CVE checker will then capture this information and change the CVE status to ``Pa
|
||||
in the generated reports.
|
||||
|
||||
If analysis shows that the CVE issue does not impact the recipe due to configuration, platform,
|
||||
version or other reasons, the CVE can be marked as ``Ignored`` using :term:`CVE_CHECK_IGNORE` variable.
|
||||
version or other reasons, the CVE can be marked as ``Ignored`` using the :term:`CVE_CHECK_IGNORE` variable.
|
||||
As mentioned previously, if data in the CVE database is wrong, it is recommend to fix those
|
||||
issues in the CVE database directly.
|
||||
|
||||
|
||||
Reference in New Issue
Block a user