Diffstat (limited to 'poky/documentation/dev-manual/common-tasks.rst')
-rw-r--r-- | poky/documentation/dev-manual/common-tasks.rst | 60 |
1 files changed, 53 insertions, 7 deletions
diff --git a/poky/documentation/dev-manual/common-tasks.rst b/poky/documentation/dev-manual/common-tasks.rst index 2af289617..7fa0df4d3 100644 --- a/poky/documentation/dev-manual/common-tasks.rst +++ b/poky/documentation/dev-manual/common-tasks.rst @@ -872,7 +872,7 @@ a recipe and using :term:`EXTRA_IMAGE_FEATURES` from within your :term:`Build Directory`. To understand how these features work, the best reference is -``meta/classes/core-image.bbclass``. This class lists out the available +``meta/classes/image.bbclass``. This class lists out the available :term:`IMAGE_FEATURES` of which most map to package groups while some, such as ``debug-tweaks`` and ``read-only-rootfs``, resolve as general configuration settings. @@ -4384,7 +4384,7 @@ directory: variable, inherit the :ref:`own-mirrors <ref-classes-own-mirrors>` class, and use the - :term:`bitbake:BB_NO_NETWORK` + :term:`BB_NO_NETWORK` variable to your ``local.conf``. :: @@ -4457,7 +4457,7 @@ variable for more information: - :term:`BB_NUMBER_THREADS`: The maximum number of threads BitBake simultaneously executes. -- :term:`bitbake:BB_NUMBER_PARSE_THREADS`: +- :term:`BB_NUMBER_PARSE_THREADS`: The number of threads BitBake uses during parsing. - :term:`PARALLEL_MAKE`: Extra @@ -7288,7 +7288,8 @@ The ``devtool edit-recipe`` command lets you take a look at the recipe:: npmsw://${THISDIR}/${BPN}/npm-shrinkwrap.json \ " S = "${WORKDIR}/npm" - inherit npm LICENSE_${PN} = "MIT" + inherit npm + LICENSE_${PN} = "MIT" LICENSE_${PN}-accepts = "MIT" LICENSE_${PN}-array-flatten = "MIT" ... @@ -9121,7 +9122,7 @@ BitBake has determined by doing the following: The output of ``bitbake-dumpsig`` also includes the value each variable had, a list of dependencies for each variable, and - :term:`bitbake:BB_HASHBASE_WHITELIST` + :term:`BB_HASHBASE_WHITELIST` information. There is also a ``bitbake-diffsigs`` command for comparing two 
@@ -9358,7 +9359,7 @@ log to ``${T}/log.do_``\ `task`, and can also log to standard output - ``bb.debug(level, msg)``: Writes "DEBUG: msg" to the log. Also logs to stdout if the log level is greater than or equal to - level. See the ":ref:`-D <bitbake:bitbake-user-manual/bitbake-user-manual-intro:usage and syntax>`" option + level. See the ":ref:`bitbake:bitbake-user-manual/bitbake-user-manual-intro:usage and syntax`" option in the BitBake User Manual for more information. - ``bb.warn(msg)``: Writes "WARNING: msg" to the log while also @@ -10528,6 +10529,9 @@ follows: 1. *Identify the bug or CVE to be fixed:* This information should be collected so that it can be included in your submission. + See :ref:`dev-manual/common-tasks:checking for vulnerabilities` + for details about CVE tracking. + 2. *Check if the fix is already present in the master branch:* This will result in the most straightforward path into the stable branch for the fix. @@ -10928,7 +10932,7 @@ concerned with GPL code as identified by running the following script: p=${p%-*} # Only archive GPL packages (update *GPL* regex for your license check) numfiles=`ls tmp/deploy/licenses/$p/*GPL* 2> /dev/null | wc -l` - if [ $numfiles -gt 1 ]; then + if [ $numfiles -ge 1 ]; then echo Archiving $p mkdir -p $src_release_dir/$p/source cp $d/* $src_release_dir/$p/source 2> /dev/null 
@@ -11090,6 +11094,48 @@ the license from the fetched source:: NO_GENERIC_LICENSE[Firmware-Abilis] = "LICENSE.Abilis.txt" +Checking for Vulnerabilities +============================ + +Vulnerabilities in images +------------------------- + +The Yocto Project has an infrastructure to track and address unfixed +known security vulnerabilities, as tracked by the public +`Common Vulnerabilities and Exposures (CVE) <https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures>`__ +database. + +To know which packages are vulnerable to known security vulnerabilities, +add the following setting to your configuration:: + + INHERIT += "cve-check" + +This way, at build time, BitBake will warn you about known CVEs +as in the example below:: + + WARNING: flex-2.6.4-r0 do_cve_check: Found unpatched CVE (CVE-2019-6293), for more information check /poky/build/tmp/work/core2-64-poky-linux/flex/2.6.4-r0/temp/cve.log + WARNING: libarchive-3.5.1-r0 do_cve_check: Found unpatched CVE (CVE-2021-36976), for more information check /poky/build/tmp/work/core2-64-poky-linux/libarchive/3.5.1-r0/temp/cve.log + +It is also possible to check the CVE status of individual packages as follows:: + + bitbake -c cve_check flex libarchive + +Note that OpenEmbedded-Core keeps a list of known unfixed CVE issues which can +be ignored. You can pass this list to the check as follows:: + + bitbake -c cve_check libarchive -R conf/distro/include/cve-extra-exclusions.inc + +Enabling vulnerabily tracking in recipes +---------------------------------------- + +The :term:`CVE_PRODUCT` variable defines the name used to match the recipe name +against the name in the upstream `NIST CVE database <https://nvd.nist.gov/>`__. + +The CVE database is stored in :term:`DL_DIR` and can be inspected using +``sqlite3`` command as follows:: + + sqlite3 downloads/CVE_CHECK/nvdcve_1.1.db .dump | grep CVE-2021-37462 + Using the Error Reporting Tool ============================== |
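Review bot: in the ``bb.debug(level, msg)`` bullet (hunk at -9358), replacing ``:ref:`-D <bitbake:...usage and syntax>``` with the bare target drops the explicit "-D" link title, so the rendered sentence becomes 'See the "usage and syntax" option in the BitBake User Manual', which no longer names the option being referred to. Either keep the custom title together with the corrected target, ``:ref:`-D <bitbake:bitbake-user-manual/bitbake-user-manual-intro:usage and syntax>```, or reword the sentence to 'See the "usage and syntax" section of the BitBake User Manual for the ``-D`` option'.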
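Review bot: the new subsection heading "Enabling vulnerabily tracking in recipes" (hunk at -11090) misspells "vulnerability"; after correcting it the dashed underline needs two more characters, otherwise Sphinx reports a title underline that is too short. In the same hunk, "keeps a list of known unfixed CVE issues which can be ignored" does not say why they may be ignored; state the reason the entries in ``conf/distro/include/cve-extra-exclusions.inc`` are excluded, and briefly say what the ``-R`` option does in ``bitbake -c cve_check libarchive -R conf/distro/include/cve-extra-exclusions.inc``, since that option is not introduced anywhere else in the section.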