* [PATCH v2] manuals: initial documentation for CVE management
From: Michael Opdenacker @ 2021-08-02 14:54 UTC (permalink / raw)
To: docs; +Cc: Michael Opdenacker
This starts to document vulnerability management
and the use of the CVE_PRODUCT variable
Signed-off-by: Michael Opdenacker <michael.opdenacker@bootlin.com>
---
documentation/dev-manual/common-tasks.rst | 45 +++++++++++++++++++++++
documentation/ref-manual/variables.rst | 12 ++++++
2 files changed, 57 insertions(+)
diff --git a/documentation/dev-manual/common-tasks.rst b/documentation/dev-manual/common-tasks.rst
index 9a6f4e1a8e..5905a650ba 100644
--- a/documentation/dev-manual/common-tasks.rst
+++ b/documentation/dev-manual/common-tasks.rst
@@ -10528,6 +10528,9 @@ follows:
1. *Identify the bug or CVE to be fixed:* This information should be
collected so that it can be included in your submission.
+ See :ref:`dev-manual/common-tasks:checking for vulnerabilities`
+ for details about CVE tracking.
+
2. *Check if the fix is already present in the master branch:* This will
result in the most straightforward path into the stable branch for the
fix.
@@ -11090,6 +11093,48 @@ the license from the fetched source::
NO_GENERIC_LICENSE[Firmware-Abilis] = "LICENSE.Abilis.txt"
+Checking for Vulnerabilities
+============================
+
+Vulnerabilities in images
+-------------------------
+
+The Yocto Project has an infrastructure to track and address unfixed
+known security vulnerabilities, as tracked by the public
+`Common Vulnerabilities and Exposures (CVE) <https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures>`__
+database.
+
+To know which packages are vulnerable to known security vulnerabilities,
+add the following setting to your configuration::
+
+ INHERIT += "cve-check"
+
+This way, at build time, BitBake will warn you about known CVEs
+as in the example below::
+
+ WARNING: flex-2.6.4-r0 do_cve_check: Found unpatched CVE (CVE-2019-6293), for more information check /poky/build/tmp/work/core2-64-poky-linux/flex/2.6.4-r0/temp/cve.log
+ WARNING: libarchive-3.5.1-r0 do_cve_check: Found unpatched CVE (CVE-2021-36976), for more information check /poky/build/tmp/work/core2-64-poky-linux/libarchive/3.5.1-r0/temp/cve.log
+
+It is also possible to check the CVE status of individual packages as follows::
+
+ bitbake -c cve_check flex libarchive
+
+Note that OpenEmbedded-Core keeps a list of known unfixed CVE issues which can
+be ignored. You can pass this list to the check as follows::
+
+ bitbake -c cve_check libarchive -R conf/distro/include/cve-extra-exclusions.inc
+
+Enabling vulnerabily tracking in recipes
+----------------------------------------
+
+The :term:`CVE_PRODUCT` variable defines the name used to match the recipe name
+against the name in the upstream `NIST CVE database <https://nvd.nist.gov/>`__.
+
+The CVE database is stored in :term:`DL_DIR` and can be inspected using
+``sqlite3`` command as follows::
+
+ sqlite3 downloads/CVE_CHECK/nvdcve_1.1.db .dump | grep CVE-2021-37462
+
Using the Error Reporting Tool
==============================
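Review bot: the new subsection title on the "+Enabling vulnerabily tracking in recipes" line misspells "vulnerability"; correcting it makes the title two characters longer, so the "----" underline on the next line has to grow by the same amount or Sphinx will warn about a short underline. Three smaller points in the same hunk. The sqlite3 example dumps the whole NVD database and greps one identifier; a SELECT restricted to that CVE ID is cheaper and returns the matching rows directly, and readers can get the table and column names with `sqlite3 downloads/CVE_CHECK/nvdcve_1.1.db .schema`, which the text could point to. The paragraph on cve-extra-exclusions.inc says the list holds "known unfixed CVE issues which can be ignored" without saying what qualifies an entry for it, so readers may treat the file as a generic way to silence warnings; it should also say that passing it with `-R` affects only that one invocation, so a build that sets `INHERIT += "cve-check"` needs the same file included from local.conf or the distro configuration if the build-time warnings are to agree with the manual run. Finally, "To know which packages are vulnerable to known security vulnerabilities" doubles up on "vulnerab"; "To find out which packages are affected by known CVEs" reads better, and the "Vulnerabilities in images" title does not quite match the content, which checks recipes (`bitbake -c cve_check flex libarchive`) rather than images.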
diff --git a/documentation/ref-manual/variables.rst b/documentation/ref-manual/variables.rst
index b61de1993d..1150940133 100644
--- a/documentation/ref-manual/variables.rst
+++ b/documentation/ref-manual/variables.rst
@@ -1471,6 +1471,18 @@ system and gives an overview of their function and contents.
variable only in certain contexts (e.g. when building for kernel
and kernel module recipes).
+ :term:`CVE_PRODUCT`
+ In a recipe, defines the name used to match the recipe name
+ against the name in the upstream `NIST CVE database <https://nvd.nist.gov/>`__.
+
+ The default is ${:term:`BPN`}. If it does not match the name in NIST CVE
+ database or matches with multiple entries in the database, the default
+ value needs to be changed.
+
+ Here is an example from the :oe_layerindex:`Berkeley DB recipe </layerindex/recipe/544>`::
+
+ CVE_PRODUCT = "oracle_berkeley_db berkeley_db"
+
:term:`CVSDIR`
The directory in which files checked out under the CVS system are
stored.
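Review bot: the :term:`CVE_PRODUCT` entry never states that the variable accepts several space-separated product names, yet the Berkeley DB example relies on exactly that (`CVE_PRODUCT = "oracle_berkeley_db berkeley_db"`); add a sentence saying that more than one name may be listed and that each of them is matched against the database. The phrase "matches with multiple entries in the database" is also ambiguous: any product tracked by the NVD matches many entries, one per CVE, so the case the text should describe is the recipe name colliding with an unrelated product that happens to share the name, which produces false positives and is the reason to override the ${:term:`BPN`} default.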
--
2.25.1
* Re: [docs] [PATCH v2] manuals: initial documentation for CVE management
From: Quentin Schulz @ 2021-08-02 15:08 UTC (permalink / raw)
To: Michael Opdenacker; +Cc: docs
On Mon, Aug 02, 2021 at 04:54:54PM +0200, Michael Opdenacker wrote:
> This starts to document vulnerability management
> and the use of the CVE_PRODUCT variable
>
> Signed-off-by: Michael Opdenacker <michael.opdenacker@bootlin.com>
Reviewed-by: Quentin Schulz <foss@0leil.net>
Thanks!
Quentin
* Re: [docs] [PATCH v2] manuals: initial documentation for CVE management
From: Steve Sakoman @ 2021-08-02 15:10 UTC (permalink / raw)
To: Michael Opdenacker; +Cc: YP docs mailing list
On Mon, Aug 2, 2021 at 4:55 AM Michael Opdenacker
<michael.opdenacker@bootlin.com> wrote:
>
> This starts to document vulnerability management
> and the use of the CVE_PRODUCT variable
>
> Signed-off-by: Michael Opdenacker <michael.opdenacker@bootlin.com>
This looks good! Thanks for documenting this. I'll pull this into
the dunfell docs too.
Steve
* Re: [docs] [PATCH v2] manuals: initial documentation for CVE management
From: Michael Opdenacker @ 2021-08-02 15:47 UTC (permalink / raw)
To: Steve Sakoman, Quentin Schulz; +Cc: YP docs mailing list
Quentin, Steve,
On 8/2/21 5:10 PM, Steve Sakoman wrote:
> On Mon, Aug 2, 2021 at 4:55 AM Michael Opdenacker
> <michael.opdenacker@bootlin.com> wrote:
>> This starts to document vulnerability management
>> and the use of the CVE_PRODUCT variable
>>
>> Signed-off-by: Michael Opdenacker <michael.opdenacker@bootlin.com>
> This looks good! Thanks for documenting this. I'll pull this into
> the dunfell docs too.
Thanks for the reviews. I merged the change into master-next.
Cheers
Michael.
--
Michael Opdenacker, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com