From 096589bd59f3f8e827754d43ad01dcdc406cc27f Mon Sep 17 00:00:00 2001
From: Thomas Perale
Date: Thu, 30 Oct 2025 20:09:36 +0100
Subject: [PATCH] docs/manual: mention CVE trailer

Adds documentation about adding a patch that addresses a vulnerability. The patch-policy file now mentions that patches that address a vulnerability need to include a `CVE:` trailer with the reference of that vulnerability. Until now only adding the reference to the `_IGNORE_CVES` variable was necessary, so the documentation of this entry is modified as well to point to the patch policy.

Signed-off-by: Thomas Perale
Signed-off-by: Peter Korsgaard
(cherry picked from commit 1167d0ff3d225ca9ce2b6299da28a9307d370142)
Signed-off-by: Thomas Perale
---
 docs/manual/adding-packages-generic.adoc | 6 +++---
 docs/manual/patch-policy.adoc | 13 ++++++++++++-
 2 files changed, 15 insertions(+), 4 deletions(-)

diff --git a/docs/manual/adding-packages-generic.adoc b/docs/manual/adding-packages-generic.adoc index 6827b9975e..e7547460fd 100644 --- a/docs/manual/adding-packages-generic.adoc +++ b/docs/manual/adding-packages-generic.adoc @@ -509,9 +509,9 @@ not and can not work as people would expect it should: * +LIBFOO_IGNORE_CVES+ is a space-separated list of CVEs that tells Buildroot CVE tracking tools which CVEs should be ignored for this package. This is typically used when the CVE is fixed by a patch in - the package, or when the CVE for some reason does not affect the - Buildroot package. A Makefile comment must always precede the - addition of a CVE to this variable. Example: + the package (see xref:additional-patch-documentation[]), or when the CVE for + some reason does not affect the Buildroot package. A Makefile comment must + always precede the addition of a CVE to this variable. Example: + ---- # 0001-fix-cve-2020-12345.patch diff --git a/docs/manual/patch-policy.adoc b/docs/manual/patch-policy.adoc index a4bc5f391a..02051f2f0e 100644 --- a/docs/manual/patch-policy.adoc 
+++ b/docs/manual/patch-policy.adoc @@ -144,6 +144,7 @@ AC_PROG_MAKE_SET +AM_CONDITIONAL([CXX_WORKS], [test "x$rw_cv_prog_cxx_works" = "xyes"]) ---- +[[additional-patch-documentation]] === Additional patch documentation Ideally, all patches should document an upstream patch or patch submission, when @@ -177,4 +178,14 @@ Upstream: N/A ---- Adding this documentation helps streamline the patch review process during -package version updates. \ No newline at end of file +package version updates. + +If the patch addresses one or multiple vulnerabilities, list each identifier on +a separate line with a +CVE+ trailer. + +---- +CVE: +---- + +If multiple patches address the same vulnerability, reference the vulnerability +in every patch.
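Review bot: in the adding-packages-generic.adoc hunk, the new `xref:additional-patch-documentation[]` sends the reader to the whole "Additional patch documentation" section, while the requirement that matters for this bullet (the `CVE:` trailer) is only introduced at the very end of that section. Consider stating it in the sentence itself, e.g. `the package (in which case the patch must carry a +CVE+ trailer, see xref:additional-patch-documentation[])`, so that someone adding an entry to +LIBFOO_IGNORE_CVES+ learns directly that the Makefile comment alone is no longer sufficient. The example that follows (`# 0001-fix-cve-2020-12345.patch`) now has a counterpart identifier inside the patch file, so the two places must be kept in agreement; a short sentence to that effect would help.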
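Review bot: in the patch-policy.adoc hunk, the example block under the new paragraph reads `CVE: ` with nothing after the colon, so it does not show the expected identifier format (whether the `CVE-` prefix is included, one identifier per line). Suggest a concrete value consistent with the example already used in adding-packages-generic.adoc, e.g. `CVE: CVE-2020-12345`, and for the "one or multiple vulnerabilities" case two such lines, which makes the "list each identifier on a separate line" rule self-evident. It would also help to say where the trailer goes relative to the existing `Upstream:` trailer shown just above it (`Upstream: N/A`). Adding the `[[additional-patch-documentation]]` anchor directly before the heading is correct, and fixing the missing newline at end of file on the `package version updates.` line is a welcome incidental cleanup.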