diff mbox series

[v5] migration-guides/release-notes-5.2: add known issue on stalled NVD

Message ID 20250318-nvd-stalled-v5-1-49a981fe421a@bootlin.com
State Accepted
Series [v5] migration-guides/release-notes-5.2: add known issue on stalled NVD

Commit Message

Antonin Godard March 18, 2025, 2:39 p.m. UTC
Add an entry to the known issue as the NVD is not up-to-date, the
impact on current CVE reports and future plans for the Yocto Project.

Follows the discussion on:
https://lists.openembedded.org/g/openembedded-core/message/212446

Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
---
Changes in v5:
- Rephrase first paragraph to be more precise on what exactly the
  problem is with the NVD database.
- Reviews by Marta (thank you!):
  - Rephrase the second paragraph.
  - Remove the last one.
- Link to v4: https://lore.kernel.org/r/20250317-nvd-stalled-v4-1-2eab55aa0fc0@bootlin.com

Changes in v4:
- Review by Quentin Schulz (thank you!):
  - Be more precise about what solution the YP team will try to solve.
  - Remove CVE Project potential candidate.
- Link to v3: https://lore.kernel.org/r/20250313-nvd-stalled-v3-1-1ee9b67a975c@bootlin.com

Changes in v3:
- Suggested by Marta (thank you!):
  - Add what users can do at the moment.
  - Simplify the sentence regarding the CVE Project.
- Link to v2: https://lore.kernel.org/r/20250311-nvd-stalled-v2-1-fd3825beaf01@bootlin.com

Changes in v2:
- Typos and suggestions from Quentin Schulz (thank you!)
- Link to v1: https://lore.kernel.org/r/20250311-nvd-stalled-v1-1-f383ddcf3316@bootlin.com
---
 .../migration-guides/release-notes-5.2.rst      | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)


---
base-commit: e608902ffae3af5ab0c5308b0550e49a790482f0
change-id: 20250311-nvd-stalled-ed957989e05a

Best regards,

Patch

diff --git a/documentation/migration-guides/release-notes-5.2.rst b/documentation/migration-guides/release-notes-5.2.rst
index 417b202cd..d7115230d 100644
--- a/documentation/migration-guides/release-notes-5.2.rst
+++ b/documentation/migration-guides/release-notes-5.2.rst
@@ -402,6 +402,23 @@  New Features / Enhancements in |yocto-ver|
 Known Issues in |yocto-ver|
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
+-  The :ref:`ref-classes-cve-check` class is based on the `National
+   Vulnerability Database <https://nvd.nist.gov/>`__ (NVD). Since the beginning
+   of 2024, the maintainers of this database have stopped annotating CVEs with
+   the affected CPEs. This prevents the :ref:`ref-classes-cve-check` class to
+   properly report CVEs as CPEs are used to match Yocto recipes with CVEs
+   affecting them. As a result, the current CVE reports may look good but the
+   reality is that some vulnerabilities are just not reported.
+
+   During that time, users may look up the 'CVE database
+   <https://www.cve.org/>'__ for entries concerning software they use, or follow
+   release notes of such projects closely.
+
+   Please note, that the :ref:`ref-classes-cve-check` tool has always been a
+   helper tool, and users are advised to always review the final result. Results
+   of an automatic scan may not take into account configuration options,
+   compiler options and other factors.
+
 Recipe License changes in |yocto-ver|
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
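Review bot: the hyperlink in the second added paragraph uses straight single quotes, `'CVE database <https://www.cve.org/>'__`, which is not valid reStructuredText reference syntax, so it will render as literal text rather than a link; it should use backticks like the NVD link a few lines above, i.e. `` `CVE database <https://www.cve.org/>`__ ``. Two smaller wording points in the same hunk: "prevents the :ref:`ref-classes-cve-check` class to properly report CVEs" should read "from properly reporting CVEs", and "Please note, that" should drop the comma.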