openRuyi-tutorials/buildroot
6
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

docs/manual: mention CVE trailer

Browse Source 
Adds documentation about adding a patch that address a vulnerability.

The patch-policy file now explain mention that patches that address a
vulnerability needs to include a `CVE:` trailer with the reference of
that vulnerability.

Until now only adding the reference to the `_IGNORE_CVES` variable was
necessary, so the documentation of this entry is modified as well to
point to the patch policy.

Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This commit is contained in:
Thomas Perale
2025-10-30 20:09:36 +01:00
committed by Peter Korsgaard
parent 9415529923
commit 1167d0ff3d
2 changed files with 15 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
docs/manual/adding-packages-generic.adoc
View File

@@ -509,9 +509,9 @@ not and can not work as people would expect it should:
* +LIBFOO_IGNORE_CVES+ is a space-separated list of CVEs that tells
Buildroot CVE tracking tools which CVEs should be ignored for this
package. This is typically used when the CVE is fixed by a patch in
the package, or when the CVE for some reason does not affect the
Buildroot package. A Makefile comment must always precede the
addition of a CVE to this variable. Example:
the package (see xref:additional-patch-documentation[]), or when the CVE for
some reason does not affect the Buildroot package. A Makefile comment must
always precede the addition of a CVE to this variable. Example:
+
----
# 0001-fix-cve-2020-12345.patch

13
docs/manual/patch-policy.adoc
View File

@@ -144,6 +144,7 @@ AC_PROG_MAKE_SET
+AM_CONDITIONAL([CXX_WORKS], [test "x$rw_cv_prog_cxx_works" = "xyes"])
----
[[additional-patch-documentation]]
=== Additional patch documentation
Ideally, all patches should document an upstream patch or patch submission, when
@@ -177,4 +178,14 @@ Upstream: N/A <additional information about why patch is Buildroot specific>
----
Adding this documentation helps streamline the patch review process during
package version updates.
package version updates.
If the patch addresses one or multiple vulnerabilities, list each identifier on
a separate line with a +CVE+ trailer.
----
CVE: <vulnerability identifier>
----
If multiple patches address the same vulnerability, reference the vulnerability
in every patch.