From 869c4f3adbddaf20b456c396a56872d83e9dffb4 Mon Sep 17 00:00:00 2001
From: Antonin Godard
Date: Tue, 18 Mar 2025 15:39:13 +0100
Subject: [PATCH] migration-guides/release-notes-5.2: add known issue on stalled NVD

Add an entry to the known issue as the NVD is not up-to-date, the impact on
current CVE reports and future plans for the Yocto Project.

Follows the discussion on:
https://lists.openembedded.org/g/openembedded-core/message/212446

(From yocto-docs rev: c83aa6649fb7bca7e6b393356c8268aa4f18dc4b)

Signed-off-by: Antonin Godard
Signed-off-by: Richard Purdie
---
 .../migration-guides/release-notes-5.2.rst | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/documentation/migration-guides/release-notes-5.2.rst b/documentation/migration-guides/release-notes-5.2.rst
index 417b202cdb..d7115230dc 100644
--- a/documentation/migration-guides/release-notes-5.2.rst
+++ b/documentation/migration-guides/release-notes-5.2.rst
@@ -402,6 +402,23 @@ New Features / Enhancements in |yocto-ver| Known Issues in |yocto-ver| ~~~~~~~~~~~~~~~~~~~~~~~~~~~ +- The :ref:`ref-classes-cve-check` class is based on the `National + Vulnerability Database `__ (NVD). Since the beginning + of 2024, the maintainers of this database have stopped annotating CVEs with + the affected CPEs. This prevents the :ref:`ref-classes-cve-check` class to + properly report CVEs as CPEs are used to match Yocto recipes with CVEs + affecting them. As a result, the current CVE reports may look good but the + reality is that some vulnerabilities are just not reported. + + During that time, users may look up the 'CVE database + '__ for entries concerning software they use, or follow + release notes of such projects closely. + + Please note, that the :ref:`ref-classes-cve-check` tool has always been a + helper tool, and users are advised to always review the final result. Results + of an automatic scan may not take into account configuration options, + compiler options and other factors. + Recipe License changes in |yocto-ver| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
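Review bot: the commit message says the entry covers "future plans for the Yocto Project", but none of the three added paragraphs describes any plan; either add a sentence on what is intended (or link the mailing-list thread https://lists.openembedded.org/g/openembedded-core/message/212446 from the entry so readers can follow the status) or drop that claim from the commit message. Two markup/grammar fixes in the same hunk: the second link is written as `'CVE database ...'__` with a single quote instead of the backticks used for the `National Vulnerability Database` link just above, so Sphinx will not render it as a hyperlink; and "This prevents the :ref:`ref-classes-cve-check` class to properly report CVEs" should read "from properly reporting CVEs", while "Please note, that" should lose the comma. Finally, since the practical consequence is false negatives, consider stating that plainly in place of "the current CVE reports may look good but the reality is that some vulnerabilities are just not reported", e.g. "a clean report from this class therefore does not mean a build is free of known CVEs", which matches the last paragraph's advice to always review results manually.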