[3/9] classes: cve_check: add note about remote patches

Message ID	362361c715e5f41b196c4b127af04d45c1d743ca.1713127068.git.bluelightning@bluelightning.org
State	New
Headers	show Return-Path: <bluelightning@bluelightning.org> ip: 66.39.132.40, mailfrom: bluelightning@bluelightning.org) From: Paul Eggleton <bluelightning@bluelightning.org> To: docs@lists.yoctoproject.org Cc: Michael Opdenacker <michael.opdenacker@bootlin.com> Subject: [PATCH 3/9] classes: cve_check: add note about remote patches Date: Sun, 14 Apr 2024 13:43:12 -0700 Message-Id: <362361c715e5f41b196c4b127af04d45c1d743ca.1713127068.git.bluelightning@bluelightning.org> In-Reply-To: <cover.1713127068.git.bluelightning@bluelightning.org> References: <cover.1713127068.git.bluelightning@bluelightning.org> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable
Series	[1/9] ref-manual: Add virtual-slash QA check \| expand [1/9] ref-manual: Add virtual-slash QA check [2/9] ref-manual: add new python classes [3/9] classes: cve_check: add note about remote patches [4/9] variables: add TARGET_DBGSRC_DIR [5/9] dev-manual: update reference to sstate-cache-management script [6/9] dev-manual: update custom distribution section [7/9] release-notes: Add CVEs, recipe upgrades and contributors for 5.0 [8/9] migration: Extend migration guide for 5.0 [9/9] release-notes: additional features and one known issue for 5.0

Message ID

362361c715e5f41b196c4b127af04d45c1d743ca.1713127068.git.bluelightning@bluelightning.org

State

New

Headers

From: Paul Eggleton <bluelightning@bluelightning.org>
To: docs@lists.yoctoproject.org
Cc: Michael Opdenacker <michael.opdenacker@bootlin.com>
Subject: [PATCH 3/9] classes: cve_check: add note about remote patches
Date: Sun, 14 Apr 2024 13:43:12 -0700
Message-Id: 
 <362361c715e5f41b196c4b127af04d45c1d743ca.1713127068.git.bluelightning@bluelightning.org>
In-Reply-To: <cover.1713127068.git.bluelightning@bluelightning.org>
References: <cover.1713127068.git.bluelightning@bluelightning.org>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable

Series

[1/9] ref-manual: Add virtual-slash QA check | expand

Commit Message

Paul Eggleton April 14, 2024, 8:43 p.m. UTC

Document the change in behaviour in 5.0.

Signed-off-by: Paul Eggleton <paul.eggleton@microsoft.com>
---
 documentation/ref-manual/classes.rst | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/documentation/ref-manual/classes.rst b/documentation/ref-manual/classes.rst
index 1f816e0457..916abf3abc 100644
--- a/documentation/ref-manual/classes.rst
+++ b/documentation/ref-manual/classes.rst
@@ -564,6 +564,13 @@  The ``Patched`` state of a CVE issue is detected from patch files with the forma
 ``CVE-ID.patch``, e.g. ``CVE-2019-20633.patch``, in the :term:`SRC_URI` and using
 CVE metadata of format ``CVE: CVE-ID`` in the commit message of the patch file.
 
+.. note::
+
+   Commit message metadata (``CVE: CVE-ID`` in a patch header) will not be scanned
+   in any patches that are remote, i.e. that are anything other than local files
+   referenced via ``file://`` in SRC_URI. However, a ``CVE-ID`` in a remote patch
+   file name itself will be registered.
+
 If the recipe adds ``CVE-ID`` as flag of the :term:`CVE_STATUS` variable with status
 mapped to ``Ignored``, then the CVE state is reported as ``Ignored``::