From aaa609ac2b3f3bd807d1f4d64a507a30210876dd Mon Sep 17 00:00:00 2001 From: Simone Weiß Date: Sat, 24 Feb 2024 17:22:14 +0000 Subject: ref-manual: classes: add cve status check for oe.qa MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit A new check was added for oe.qa for CVE_STATUS via commit 3c5b7605acd9cd68b ("cve-check: Log if CVE_STATUS set but not reported for component") in poky. Add related documentation here. (From yocto-docs rev: 04e1ff01e1b43daa0e5832904a82f95d0cfab678) Signed-off-by: Simone Weiß Reviewed-by: Michael Opdenacker Signed-off-by: Richard Purdie --- documentation/ref-manual/classes.rst | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/documentation/ref-manual/classes.rst b/documentation/ref-manual/classes.rst index 7300020ef1..5aaf8ecc0c 100644 --- a/documentation/ref-manual/classes.rst +++ b/documentation/ref-manual/classes.rst @@ -1297,6 +1297,11 @@ The tests you can list with the :term:`WARN_QA` and paths to locations on the build host were used. Using such paths might result in host contamination of the build output. +- ``cve_status_not_in_db:`` Checks for each component if CVEs that are ignored + via :term:`CVE_STATUS`, that those are (still) reported for this component + in the NIST database. If not, a warning is printed. This check is disabled + by default. + - ``debug-deps:`` Checks that all packages except ``-dbg`` packages do not depend on ``-dbg`` packages, which would cause a packaging bug. -- cgit v1.2.3-54-g00ecf
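Review bot: The first sentence of the new ``cve_status_not_in_db`` entry is hard to parse ("Checks for each component if CVEs that are ignored via :term:`CVE_STATUS`, that those are (still) reported ..."); the doubled "if ... that those are" construction should be simplified, for example "Checks, for each component, that every CVE ignored via :term:`CVE_STATUS` is still reported for that component in the NIST database." The closing "This check is disabled by default" would serve readers better if it also said how to turn the check on, since the entry sits in the list of tests selectable with :term:`WARN_QA` but gives no hint of that. The name uses underscores while the neighbouring ``debug-deps`` entry uses hyphens, so it is worth confirming that the documented spelling matches the identifier of the check exactly, because a user copying it from here into a QA variable would otherwise silently enable nothing.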