diff --git a/documentation/dev-manual/new-recipe.rst b/documentation/dev-manual/new-recipe.rst index 4e74246a4..008f4b1ce 100644 --- a/documentation/dev-manual/new-recipe.rst +++ b/documentation/dev-manual/new-recipe.rst @@ -1253,8 +1253,8 @@ In the following example, ``lz4`` is a makefile-based package:: S = "${WORKDIR}/git" - # Fixed in r118, which is larger than the current version. - CVE_CHECK_IGNORE += "CVE-2014-4715" + CVE_STATUS[CVE-2014-4715] = "Patched" + CVE_STATUS_REASONING[CVE-2014-4715] = "Fixed in r118, which is larger than the current version" EXTRA_OEMAKE = "PREFIX=${prefix} CC='${CC}' CFLAGS='${CFLAGS}' DESTDIR=${D} LIBDIR=${libdir} INCLUDEDIR=${includedir} BUILD_STATIC=no" diff --git a/documentation/dev-manual/vulnerabilities.rst b/documentation/dev-manual/vulnerabilities.rst index 0ee3ec52c..071d80cbd 100644 --- a/documentation/dev-manual/vulnerabilities.rst +++ b/documentation/dev-manual/vulnerabilities.rst @@ -158,7 +158,8 @@ CVE checker will then capture this information and change the CVE status to ``Pa in the generated reports. If analysis shows that the CVE issue does not impact the recipe due to configuration, platform, -version or other reasons, the CVE can be marked as ``Ignored`` using the :term:`CVE_CHECK_IGNORE` variable. +version or other reasons, the CVE can be marked as ``Ignored`` or ``Not applicable`` using +the :term:`CVE_STATUS` variable flag. As mentioned previously, if data in the CVE database is wrong, it is recommend to fix those issues in the CVE database directly. @@ -182,11 +183,11 @@ products defined in :term:`CVE_PRODUCT`. Then, for each found CVE: - If the package name (:term:`PN`) is part of :term:`CVE_CHECK_SKIP_RECIPE`, it is considered as ``Patched``. -- If the CVE ID is part of :term:`CVE_CHECK_IGNORE`, it is - set as ``Ignored``. +- If the CVE ID has status ``CVE_STATUS[] = "Ignored"``, it is + set as ``Ignored`` as same as for ``CVE_STATUS[] = "Not applicable"``. -- If the CVE ID is part of the patched CVE for the recipe, it is - already considered as ``Patched``. +- If the CVE ID is part of the patched CVE for the recipe or has status + ``CVE_STATUS[] = "Patched"``, it is considered as ``Patched``. - Otherwise, the code checks whether the recipe version (:term:`PV`) is within the range of versions impacted by the CVE. If so, the CVE diff --git a/documentation/ref-manual/classes.rst b/documentation/ref-manual/classes.rst index ab1628401..04c992a6b 100644 --- a/documentation/ref-manual/classes.rst +++ b/documentation/ref-manual/classes.rst @@ -517,10 +517,13 @@ The ``Patched`` state of a CVE issue is detected from patch files with the forma ``CVE-ID.patch``, e.g. ``CVE-2019-20633.patch``, in the :term:`SRC_URI` and using CVE metadata of format ``CVE: CVE-ID`` in the commit message of the patch file. -If the recipe lists the ``CVE-ID`` in :term:`CVE_CHECK_IGNORE` variable, then the CVE state is reported -as ``Ignored``. Multiple CVEs can be listed separated by spaces. Example:: +If the recipe adds the ``CVE-ID`` as flag of :term:`CVE_STATUS` variable with status +``Ignored`` or ``Not applicable``, then the CVE state is reported as ``Ignored``:: - CVE_CHECK_IGNORE += "CVE-2020-29509 CVE-2020-29511" + CVE_STATUS[CVE-2020-15523] = "Ignored" + +Possible CVE's statuses are ``Ignored``, ``Not applicable`` and ``Patched``. Check :term:`CVE_STATUS` +for more details. If CVE check reports that a recipe contains false positives or false negatives, these may be fixed in recipes by adjusting the CVE product name using :term:`CVE_PRODUCT` and :term:`CVE_VERSION` variables. diff --git a/documentation/ref-manual/variables.rst b/documentation/ref-manual/variables.rst index 6ee65e178..9575c5371 100644 --- a/documentation/ref-manual/variables.rst +++ b/documentation/ref-manual/variables.rst @@ -1653,11 +1653,7 @@ system and gives an overview of their function and contents. and kernel module recipes). :term:`CVE_CHECK_IGNORE` - The list of CVE IDs which are ignored. Here is - an example from the :oe_layerindex:`Python3 recipe`:: - - # This is windows only issue. - CVE_CHECK_IGNORE += "CVE-2020-15523" + Is deprecated and should be replaced by :term:`CVE_STATUS` :term:`CVE_CHECK_SHOW_WARNINGS` Specifies whether or not the :ref:`ref-classes-cve-check` @@ -1698,6 +1694,33 @@ system and gives an overview of their function and contents. CVE_PRODUCT = "vendor:package" + :term:`CVE_STATUS` + The CVE ID which is patched or should be ignored. Here is + an example from the :oe_layerindex:`Python3 recipe`:: + + CVE_STATUS[CVE-2020-15523] = "Ignored" + + Possible CVE's statuses ``Ignored``, ``Not applicable`` or ``Patched``, while the ``reasoning`` + is optional. + + :term:`CVE_STATUS_GROUPS` + If there is a many CVEs with the same status and reason can by simplified by using this + variable instead of many similar lines with :term:`CVE_STATUS` and :term:`CVE_STATUS_REASONING`:: + + CVE_STATUS_GROUPS = "CVE_STATUS_WIN CVE_STATUS_PATCHED" + CVE_STATUS_WIN = "CVE-1234-0001 CVE-1234-0002" + CVE_STATUS_WIN[status] = "Not applicable" + CVE_STATUS_WIN[reason] = "Issue only applies on Windows" + + CVE_STATUS_PATCHED = "CVE-1234-0003 CVE-1234-0004" + CVE_STATUS_PATCHED[status] = "Patched" + CVE_STATUS_PATCHED[reason] = "Fixed externally" + + :term:`CVE_STATUS_REASONING` + Optional explanation for :term:`CVE_STATUS`:: + + CVE_STATUS_REASONING[CVE-2020-15523] = "Issue only applies on Windows" + :term:`CVE_VERSION` In a recipe, defines the version used to match the recipe version against the version in the `NIST CVE database `__