docs/manual: describe the new <pkg>_IGNORE_CVES variable
author Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Sat, 15 Feb 2020 12:44:17 +0000 (13:44 +0100)
committer Peter Korsgaard <peter@korsgaard.com>
Sat, 15 Feb 2020 15:49:28 +0000 (16:49 +0100)
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Titouan Christophe <titouan.christophe@railnova.eu>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
docs/manual/adding-packages-generic.txt

index baa052e31c0599ab5a1e88d0200292fa61887d13..59cdb7ffd72da046c320f3c7d52f0220867cf8be 100644 (file)
@@ -488,6 +488,20 @@ not and can not work as people would expect it should:
   locations, `/lib/firmware`, `/usr/lib/firmware`, `/lib/modules`,
   `/usr/lib/modules`, and `/usr/share`, which are automatically excluded.
 
+* +LIBFOO_IGNORE_CVES+ is a space-separated list of CVEs that tells
+  Buildroot CVE tracking tools which CVEs should be ignored for this
+  package. This is typically used when the CVE is fixed by a patch in
+  the package, or when the CVE for some reason does not affect the
+  Buildroot package. A Makefile comment must always precede the
+  addition of a CVE to this variable. Example:
+
+----------------------
+# 0001-fix-cve-2020-12345.patch
+LIBFOO_IGNORE_CVES += CVE-2020-12345
+# only when built with libbaz, which Buildroot doesn't support
+LIBFOO_IGNORE_CVES += CVE-2020-54321
+----------------------
+
 The recommended way to define these variables is to use the following
 syntax:
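Review bot: In the added +LIBFOO_IGNORE_CVES+ bullet, "A Makefile comment must always precede the addition of a CVE to this variable" does not say what the comment has to contain. The example shows two forms (the file name of the fixing patch, or the reason the CVE does not apply), so the sentence should say that the comment names the patch or states the reason; "for some reason does not affect" is otherwise too vague to review against. It would also help to state that an entry justified by a patch has to be dropped when that patch is removed from the package, since the entry keeps telling the CVE tracking tools to ignore that CVE after the justification is gone.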