diff --git a/docs/manual/adding-packages-generic.adoc b/docs/manual/adding-packages-generic.adoc index 6827b9975e..e7547460fd 100644 --- a/docs/manual/adding-packages-generic.adoc +++ b/docs/manual/adding-packages-generic.adoc @@ -509,9 +509,9 @@ not and can not work as people would expect it should: * +LIBFOO_IGNORE_CVES+ is a space-separated list of CVEs that tells Buildroot CVE tracking tools which CVEs should be ignored for this package. This is typically used when the CVE is fixed by a patch in - the package, or when the CVE for some reason does not affect the - Buildroot package. A Makefile comment must always precede the - addition of a CVE to this variable. Example: + the package (see xref:additional-patch-documentation[]), or when the CVE for + some reason does not affect the Buildroot package. A Makefile comment must + always precede the addition of a CVE to this variable. Example: + ---- # 0001-fix-cve-2020-12345.patch diff --git a/docs/manual/patch-policy.adoc b/docs/manual/patch-policy.adoc index a4bc5f391a..02051f2f0e 100644 --- a/docs/manual/patch-policy.adoc +++ b/docs/manual/patch-policy.adoc @@ -144,6 +144,7 @@ AC_PROG_MAKE_SET +AM_CONDITIONAL([CXX_WORKS], [test "x$rw_cv_prog_cxx_works" = "xyes"]) ---- +[[additional-patch-documentation]] === Additional patch documentation Ideally, all patches should document an upstream patch or patch submission, when @@ -177,4 +178,14 @@ Upstream: N/A ---- Adding this documentation helps streamline the patch review process during -package version updates. \ No newline at end of file +package version updates. + +If the patch addresses one or multiple vulnerabilities, list each identifier on +a separate line with a +CVE+ trailer. + +---- +CVE: +---- + +If multiple patches address the same vulnerability, reference the vulnerability +in every patch.