1 files changed, 29 insertions, 5 deletions
diff --git a/documentation/ref-manual/variables.rst b/documentation/ref-manual/variables.rst
index ac5b97a526..def98de307 100644
--- a/documentation/ref-manual/variables.rst
+++ b/documentation/ref-manual/variables.rst
@@ -1653,11 +1653,7 @@ system and gives an overview of their function and contents.
         and kernel module recipes).
   :term:`CVE_CHECK_IGNORE`
-      The list of CVE IDs which are ignored. Here is
+      This variable is deprecated and should be replaced by :term:`CVE_STATUS`.
-      an example from the :oe_layerindex:`Python3 recipe</layerindex/recipe/23823>`::
-         # This is windows only issue.
-         CVE_CHECK_IGNORE += "CVE-2020-15523"
   :term:`CVE_CHECK_SHOW_WARNINGS`
      Specifies whether or not the :ref:`ref-classes-cve-check`
@@ -1698,6 +1694,34 @@ system and gives an overview of their function and contents.
         CVE_PRODUCT = "vendor:package"
+   :term:`CVE_STATUS`
+      The CVE ID which is patched or should be ignored. Here is
+      an example from the :oe_layerindex:`Python3 recipe</layerindex/recipe/23823>`::
+         CVE_STATUS[CVE-2020-15523] = "not-applicable-platform: Issue only applies on Windows"
+      It has the format "reason: description" and the description is optional.
+      The Reason is mapped to the final CVE state by mapping via
+      :term:`CVE_CHECK_STATUSMAP`
+   :term:`CVE_STATUS_GROUPS`
+      If there are many CVEs with the same status and reason, they can by simplified by using this
+      variable instead of many similar lines with :term:`CVE_STATUS`::
+         CVE_STATUS_GROUPS = "CVE_STATUS_WIN CVE_STATUS_PATCHED"
+         CVE_STATUS_WIN = "CVE-1234-0001 CVE-1234-0002"
+         CVE_STATUS_WIN[status] = "not-applicable-platform: Issue only applies on Windows"
+         CVE_STATUS_PATCHED = "CVE-1234-0003 CVE-1234-0004"
+         CVE_STATUS_PATCHED[status] = "fixed-version: Fixed externally"
+   :term:`CVE_CHECK_STATUSMAP`
+      Mapping variable for all possible reasons of :term:`CVE_STATUS`:
+      ``Patched``, ``Unpatched`` and ``Ignored``.
+      See :ref:`ref-classes-cve-check` or ``meta/conf/cve-check-map.conf`` for more details::
+         CVE_CHECK_STATUSMAP[cpe-incorrect] = "Ignored"
   :term:`CVE_VERSION`
      In a recipe, defines the version used to match the recipe version
      against the version in the `NIST CVE database <https://nvd.nist.gov/>`__

diff --git a/documentation/ref-manual/variables.rst b/documentation/ref-manual/variables.rst index ac5b97a526..def98de307 100644 --- a/documentation/ref-manual/variables.rst +++ b/documentation/ref-manual/variables.rst
@@ -1653,11 +1653,7 @@ system and gives an overview of their function and contents.
1653	and kernel module recipes).	1653	and kernel module recipes).
1654		1654
1655	:term:`CVE_CHECK_IGNORE`	1655	:term:`CVE_CHECK_IGNORE`
1656	The list of CVE IDs which are ignored. Here is	1656	This variable is deprecated and should be replaced by :term:`CVE_STATUS`.
1657	an example from the :oe_layerindex:`Python3 recipe</layerindex/recipe/23823>`::
1658
1659	# This is windows only issue.
1660	CVE_CHECK_IGNORE += "CVE-2020-15523"
1661		1657
1662	:term:`CVE_CHECK_SHOW_WARNINGS`	1658	:term:`CVE_CHECK_SHOW_WARNINGS`
1663	Specifies whether or not the :ref:`ref-classes-cve-check`	1659	Specifies whether or not the :ref:`ref-classes-cve-check`
@@ -1698,6 +1694,34 @@ system and gives an overview of their function and contents.
1698		1694
1699	CVE_PRODUCT = "vendor:package"	1695	CVE_PRODUCT = "vendor:package"
1700		1696
		1697	:term:`CVE_STATUS`
		1698	The CVE ID which is patched or should be ignored. Here is
		1699	an example from the :oe_layerindex:`Python3 recipe</layerindex/recipe/23823>`::
		1700
		1701	CVE_STATUS[CVE-2020-15523] = "not-applicable-platform: Issue only applies on Windows"
		1702
		1703	It has the format "reason: description" and the description is optional.
		1704	The Reason is mapped to the final CVE state by mapping via
		1705	:term:`CVE_CHECK_STATUSMAP`
		1706
		1707	:term:`CVE_STATUS_GROUPS`
		1708	If there are many CVEs with the same status and reason, they can by simplified by using this
		1709	variable instead of many similar lines with :term:`CVE_STATUS`::
		1710
		1711	CVE_STATUS_GROUPS = "CVE_STATUS_WIN CVE_STATUS_PATCHED"
		1712
		1713	CVE_STATUS_WIN = "CVE-1234-0001 CVE-1234-0002"
		1714	CVE_STATUS_WIN[status] = "not-applicable-platform: Issue only applies on Windows"
		1715	CVE_STATUS_PATCHED = "CVE-1234-0003 CVE-1234-0004"
		1716	CVE_STATUS_PATCHED[status] = "fixed-version: Fixed externally"
		1717
		1718	:term:`CVE_CHECK_STATUSMAP`
		1719	Mapping variable for all possible reasons of :term:`CVE_STATUS`:
		1720	``Patched``, ``Unpatched`` and ``Ignored``.
		1721	See :ref:`ref-classes-cve-check` or ``meta/conf/cve-check-map.conf`` for more details::
		1722
		1723	CVE_CHECK_STATUSMAP[cpe-incorrect] = "Ignored"
		1724
1701	:term:`CVE_VERSION`	1725	:term:`CVE_VERSION`
1702	In a recipe, defines the version used to match the recipe version	1726	In a recipe, defines the version used to match the recipe version
1703	against the version in the `NIST CVE database <https://nvd.nist.gov/>`__	1727	against the version in the `NIST CVE database <https://nvd.nist.gov/>`__