mirrors/poky
1
0
Fork 0
mirror of https://git.yoctoproject.org/poky synced 2026-06-01 13:09:50 +00:00
Code Issues Projects Releases Wiki Activity

ref-manual: document CVE_STATUS and CVE_CHECK_STATUSMAP

Browse Source 
Deprecate CVE_CHECK_IGNORE with CVE_STATUS

(From yocto-docs rev: 8b8054977f31e2d6090521a0102f066b6d563733)

Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Reviewed-by: Michael Opdenacker <michael.opdenacker@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
Andrej Valek
2023-07-20 09:31:30 +02:00
committed by Richard Purdie
parent db7217335a
commit e100e3e0b3
4 changed files with 42 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files
documentation/ref-manual/variables.rst
+29 -5
View File
@@ -1653,11 +1653,7 @@ system and gives an overview of their function and contents.
and kernel module recipes).
:term:`CVE_CHECK_IGNORE`
The list of CVE IDs which are ignored. Here is
an example from the :oe_layerindex:`Python3 recipe</layerindex/recipe/23823>`::
# This is windows only issue.
CVE_CHECK_IGNORE += "CVE-2020-15523"
This variable is deprecated and should be replaced by :term:`CVE_STATUS`.
:term:`CVE_CHECK_SHOW_WARNINGS`
Specifies whether or not the :ref:`ref-classes-cve-check`
@@ -1698,6 +1694,34 @@ system and gives an overview of their function and contents.
CVE_PRODUCT = "vendor:package"
:term:`CVE_STATUS`
The CVE ID which is patched or should be ignored. Here is
an example from the :oe_layerindex:`Python3 recipe</layerindex/recipe/23823>`::
CVE_STATUS[CVE-2020-15523] = "not-applicable-platform: Issue only applies on Windows"
It has the format "reason: description" and the description is optional.
The Reason is mapped to the final CVE state by mapping via
:term:`CVE_CHECK_STATUSMAP`
:term:`CVE_STATUS_GROUPS`
If there are many CVEs with the same status and reason, they can by simplified by using this
variable instead of many similar lines with :term:`CVE_STATUS`::
CVE_STATUS_GROUPS = "CVE_STATUS_WIN CVE_STATUS_PATCHED"
CVE_STATUS_WIN = "CVE-1234-0001 CVE-1234-0002"
CVE_STATUS_WIN[status] = "not-applicable-platform: Issue only applies on Windows"
CVE_STATUS_PATCHED = "CVE-1234-0003 CVE-1234-0004"
CVE_STATUS_PATCHED[status] = "fixed-version: Fixed externally"
:term:`CVE_CHECK_STATUSMAP`
Mapping variable for all possible reasons of :term:`CVE_STATUS`:
``Patched``, ``Unpatched`` and ``Ignored``.
See :ref:`ref-classes-cve-check` or ``meta/conf/cve-check-map.conf`` for more details::
CVE_CHECK_STATUSMAP[cpe-incorrect] = "Ignored"
:term:`CVE_VERSION`
In a recipe, defines the version used to match the recipe version
against the version in the `NIST CVE database <https://nvd.nist.gov/>`__