From 67fd2ee995f313f4e09d07cda5d59ca5dda62646 Mon Sep 17 00:00:00 2001 From: Antonin Godard Date: Wed, 9 Oct 2024 09:40:59 +0200 Subject: ref-manual: add missing CVE_CHECK manifest variables Variables that can be used for toggling creation of manifest and specifying the path to the output in the deploy directory. (From yocto-docs rev: fb462c47bb15522cc02642fe51f39c8e15044957) Signed-off-by: Antonin Godard (cherry picked from commit 14131a42a7ea8bbae2165c1b8dbcabd5f28b2b22) Signed-off-by: Antonin Godard Signed-off-by: Steve Sakoman --- documentation/ref-manual/variables.rst | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) (limited to 'documentation') diff --git a/documentation/ref-manual/variables.rst b/documentation/ref-manual/variables.rst index 70d8d8baeb..757cce5fb8 100644 --- a/documentation/ref-manual/variables.rst +++ b/documentation/ref-manual/variables.rst @@ -135,7 +135,7 @@ system and gives an overview of their function and contents. appear in :term:`DISTRO_FEATURES` within the current configuration, then the recipe will be skipped, and if the build system attempts to build the recipe then an error will be triggered. - + :term:`APPEND` An override list of append strings for each target specified with @@ -1521,6 +1521,10 @@ system and gives an overview of their function and contents. variable only in certain contexts (e.g. when building for kernel and kernel module recipes). + :term:`CVE_CHECK_CREATE_MANIFEST` + Specifies whether to create a CVE manifest to place in the deploy + directory. The default is "1". + :term:`CVE_CHECK_IGNORE` The list of CVE IDs which are ignored. Here is an example from the :oe_layerindex:`Python3 recipe`:: 
@@ -1528,6 +1532,10 @@ system and gives an overview of their function and contents. # This is windows only issue. CVE_CHECK_IGNORE += "CVE-2020-15523" + :term:`CVE_CHECK_MANIFEST_JSON` + Specifies the path to the CVE manifest in JSON format. See + :term:`CVE_CHECK_CREATE_MANIFEST`. + :term:`CVE_CHECK_REPORT_PATCHED` Specifies whether or not the :ref:`ref-classes-cve-check` class should report patched or ignored CVEs. The default is "1", but you @@ -2489,8 +2497,8 @@ system and gives an overview of their function and contents. .. note:: From a security perspective, hardcoding a default password is not - generally a good idea or even legal in some jurisdictions. It is - recommended that you do not do this if you are building a production + generally a good idea or even legal in some jurisdictions. It is + recommended that you do not do this if you are building a production image. Additionally there is a special ``passwd-expire`` command that will @@ -9554,4 +9562,3 @@ system and gives an overview of their function and contents. On systems where many tasks run in parallel, setting a limit to this can be helpful in controlling system resource usage. - -- cgit v1.2.3-54-g00ecf
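Review bot: In the hunk at `@@ -1521,6 +1521,10 @@`, the new :term:`CVE_CHECK_CREATE_MANIFEST` entry gives the default as "1" but never says which value turns manifest creation off, and it does not point to the variable that holds the output path. The commit message describes the two variables as a pair (a toggle and a path), so a reader landing on this entry should be sent to :term:`CVE_CHECK_MANIFEST_JSON`, the same way that entry already points back here. It would also help to name the :ref:`ref-classes-cve-check` class, as the neighbouring :term:`CVE_CHECK_REPORT_PATCHED` entry does, so it is clear which class consumes the variable.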
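Review bot: In the hunk at `@@ -1528,6 +1532,10 @@`, the :term:`CVE_CHECK_MANIFEST_JSON` entry says it "Specifies the path to the CVE manifest in JSON format" but gives no default value and does not say that the path is in the deploy directory, which the commit message does. Neighbouring entries state their defaults ("The default is ..."), so this one should too. The bare "See :term:`CVE_CHECK_CREATE_MANIFEST`" could also spell out the dependency, namely that the file is only written when that variable enables manifest creation.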
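Review bot: In the hunk at `@@ -2489,8 +2497,8 @@`, the removed and added lines of the default-password note read identically as shown, so this looks like a whitespace-only change, and the same goes for the blank-line changes in the hunks at `@@ -135,7 +135,7 @@` and `@@ -9554,4 +9562,3 @@`. None of this is covered by the subject "add missing CVE_CHECK manifest variables", and it accounts for the 4 deletions in the diffstat. Either mention the whitespace cleanup in the commit message or move it to a separate commit, so the cherry-pick to the stable branch carries only the documentation addition.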