subtree updates

meta-raspberrypi: 8dc3a31088..c7f4c739a3:
  Khem Raj (5):
        linux-raspberrypi: Upgrade to 5.10.52
        userland: Update to latest master branch
        raspberrypi-firmware: Update to latest
        raspberrypi-tools: Update to latest
        sdcard_image-rpi.bbclass: Fix IMAGE_TYPEDEP override to use new syntax

  Martin Jansa (4):
        Convert to new override syntax
        Manually fix conversion
        layer.conf: Update to honister
        userland: package man pages in PN-doc

  Pierre-Jean Texier (2):
        kas: local.conf: bump CONF_VERSION variable
        kas: local.conf: disable prelink

poky: 17aabc0127..492205ea83:
  Alexander Kanavin (17):
        llvm: update 12.0.0 -> 12.0.1
        systemd: update 248.3 -> 249.1
        python3-testools: update 2.4.0 -> 2.5.0
        libuv: update 1.41.0 -> 1.42.0
        gnu-config: update to latest revision
        vulkan-samples: update to latest revision
        cmake: update 3.20.5 -> 3.21.0
        cmake: update 3.21.0 -> 3.21.1
        mtools: update 4.0.32 -> 4.0.34
        util-linux: update 2.37 -> 2.37.1
        iputils: update 20210202 -> 20210722
        freetype: update 2.10.4 -> 2.11.0
        devtool: print a warning on upgrades if PREFERRED_VERSION is set
        rpm: do not RRECOMMEND rpm-build
        selftest: add core-image-weston to no-gpl3-no-meta-gpl2 image test
        shadow: update 4.8.1 -> 4.9
        local.conf.sample: disable prelink

  Bernhard Rosenkränzer (1):
        gcc: update 11.1 -> 11.2

  Bruce Ashfield (6):
        linux-yocto/5.10: update to v5.10.53
        linux-yocto/5.13: update to v5.13.5
        linux-yocto/5.4: update to v5.4.135
        linux-yocto-rt/5.10: update to -rt47
        linux-yocto/5.13: enable TYPEC_TCPCI in usbc fragment
        linux-yocto/5.10: enable TYPEC_TCPCI in usbc fragment

  Changqing Li (1):
        archiver.bbclass: fix do_ar_configured failure for kernel

  Chen Qi (3):
        zstd: fix CVE_PRODUCT
        insane.bbclass: fix the file-rdeps QA message for the new override syntax
        iputils: fix do_configure failure of missing ip command

  Damian Wrobel (1):
        rootfs: remove ldconfig auxiliary cache where appropriate

  Denys Dmytriyenko (4):
        meta: convert nested overrides leftovers to new syntax
        convert-overrides.py: handle few more cases of overrides
        libwpe: remove rpi-specific custom code
        poky-tiny: drop uclibc override

  Jon Mason (1):
        parselogs.py: qemuarm should be qemuarmv5

  Joshua Watt (4):
        mesa: Fix v3d & vc4 dmabuf import
        bitbake: bitbake: asyncrpc: Catch early SIGTERM
        libxft: Fix bad PKG value
        bitbake: contrib: vim: Update for new override syntax

  Kai Kang (2):
        u-boot_2021.07: set UBOOT_MACHINE for qemumips and qemumips64
        python3-pytest: display correct version info

  Kevin Hao (2):
        meta-yocto-bsp: Introduce the v5.13 bbappend
        meta-yocto-bsp: Bump to the v5.10.55

  Khem Raj (10):
        binutils: Upgrade to 2.37 branch
        texinfo: Update gnulib to fix build with glibc 2.34
        systemd: Fix build on musl
        stress-ng: Drop defining daddr_t
        stress-ng: Detemine minimal stack size via sysconf
        mesa: Define a fallback for DRIDRIVERS
        libssh2: Fix syntax for using ptest override
        toaster-managed-mode.json: Correctly specify term with new override syntax
        distrooverrides.bbclass: Correct override syntax
        devtool.py: Correct override syntax

  Lee Chee Yang (1):
        aspell: fix CVE-2019-25051

  Marek Vasut (2):
        image_types: Restore pre-btrfs-tools 4.14.1 mkfs.btrfs shrink behavior
        kernel-uboot: Handle gzip and lzo compression options

  Martin Jansa (6):
        convert-overrides.py: show processed file and version of this script
        convert-overrides.py: remove base_dep_prepend and autotools_dep_prepend exception
        convert-overrides.py: 0.9.1 include '(' as delimiter for shortvars
        convert-overrides.py: allow specifying multiple target dirs
        convert-overrides.py: allow dots before override in vars_re and shortvars_re
        systemd-boot: use ld.bfd as efi-ld even when gold or lld is used in ${LD}

  Matthias Klein (2):
        runqemu: Fix typo in error message
        runqemu: decouple bios and kernel options

  Matthias Schiffer (3):
        initscripts: populate-volatile.sh: do not log to tty0
        initscripts: populate-volatile.sh: run create_file synchronously
        initscripts: fix creation order for /var/log with VOLATILE_LOG_DIR=true

  Michael Halstead (1):
        releases: update to include 3.3.1

  Michael Opdenacker (18):
        oe-setup-builddir: update YP docs and OE URLs
        conf-notes.txt: now suggesting to run 'runqemu qemux86-64'
        test-manual: document LTO related reproducibility bug
        quick start manual: update "source oe-init-build-env" output
        dev-manual: fix wrong reference to class
        documentation/README: improve BitBake manual referencing guidelines
        manuals: simplify references to BitBake manual
        manuals: remove explicit BitBake variable references
        meta-skeleton: add recipe examples from documentation sources
        bitbake: doc: bitbake-user-manual: fix syntax in example and improve description
        bitbake: doc: bitbake-user-manual: update bitbake option help
        bitbake: doc: bitbake-user-manual: grammar fix for the number of "metadata"
        manuals: initial documentation for CVE management
        ref-manual: remove example recipe source files
        profile-manual: document how to build perf manpages on target
        cve-check: fix comments
        cve-check: update link to NVD website for CVE details
        cve-check: improve comment about CVE patch file names

  Mingli Yu (2):
        perlcross: not break build if already patched
        curl: Upgrade to 7.78.0

  Nicolas Dechesne (4):
        yocto-check-layer: improve missed dependencies
        checklayer: new function get_layer_dependencies()
        checklayer: rename _find_layer_depends
        yocto-check-layer: ensure that all layer dependencies are tested too

  Oleksandr Kravchuk (1):
        bitbake.conf: change GNOME_MIRROR to new one

  Patrick Williams (1):
        pixman: re-disable iwmmxt

  Paul Barker (4):
        bitbake: asyncrpc: Fix bad message error in client
        bitbake: asyncrpc: Set timeout when waiting for reply from server
        bitbake: parse/ast: Substitute '~' when naming anonymous functions
        kernel-yocto: Simplify no git repo case in do_kernel_checkout

  Quentin Schulz (4):
        bitbake: doc: Makefile: turn warnings into errors by default
        bitbake: doc: bitbake-user-manual: ref-variables: order alphabetically the glossary sources
        bitbake: doc: bitbake-user-manual: ref-variables: force glossary output to be alphabetically sorted
        bitbake: doc: bitbake-user-manual: replace ``FOO`` by :term:`FOO` where possible

  Richard Purdie (49):
        Add MAINTAINERS.md file
        yocto-check-layer: Remove duplicated code
        libubootenv: Drop default-env RRECOMMENDS
        bitbake: data_smart: Allow colon in variable expansion regex
        meta-poky/meta-yocto-bsp: Convert to new override syntax
        layer.conf: Update to honister
        autotools/base/icecc: Remove prepend from function names
        scripts/contrib: Add override conversion script
        systemtap: Fix headers issue with x86 and 5.13 headers
        migration-guides: Add start of 3.4 guide with override migration notes
        common-tasks: Fix conversion error in npm example
        bitbake: bitbake: Switch to using new override syntax
        bitbake: doc/lib: Update to use new override syntax containing colons
        bitbake: doc/lib: Add fixes for issues missed by the automated conversion
        bitbake: bitbake: Update to version 1.51.1
        layer.conf: Override changes mean we're only compatible with honister
        Convert to new override syntax
        meta: Manual override fixes
        local.conf.sample: Bump version so users update their config
        sanity.conf: Require bitbake 1.51.1
        dropbear: Fix incorrect package override for postrm
        convert-overrides: Allow script to handle patch/diffs
        sdk: Decouple default install path from built in path
        sstate: Fix rebuilds when changing layer config
        populate_sdk_ext: Fix handling of TOOLCHAIN_HOST_TASK in the eSDK case
        local.conf.sample: Bump version so users update their config
        poky: Use SDKPATHINSTALL instead of SDKPATH
        vim: Clarify where RDEPENDS/RRECOMMENDS apply
        bitbake: data_smart: Fix inactive overide accidental variable value corruption
        local.conf.sample: Fix missed override conversion
        license: Exclude COPYING.MIT from pseudo
        meta: Convert IMAGE_TYPEDEP to use override syntax
        uboot-extlinux-config: Fix missing override conversion
        image/image_types: Convert CONVERSION_CMD/COMPRESS_CMD to new override syntax
        image: Drop COMPRESS_CMD
        devupstream: Allow support of native class extensions
        diffoscope: Upgrade 178 -> 179
        strace: Upgrade 5.12 -> 5.13
        valgrind: Add patches for glibc 2.34 support
        bitbake: runqueue: Improve multiconfig deferred task issues
        elfutils: Add patch from upstream for glibc 2.34 ptest fixes
        bitbake: doc: Fix append/prepend/remove references
        bitbake: fetch/tests/toaster: Override conversion fixups
        bitbake: process: Improve traceback error reporting from main loop
        bitbake: command: Ensure we catch/handle exceptions
        bitbake: ui/taskexp: Improve startup exception handling
        bitbake: ui/taskexp: Fix to work with empty build directories
        oeqa/runtime/cases/ptest: Increase test timeout from 300s to 450s
        packagedata: Fix after override syntax change

  Ross Burton (2):
        glew: fix Makefile race
        libx11: fix xkb compilation with _EVDEVK symbols

  Saul Wold (1):
        MAINTAINERS: Saul will cover devtool and eSDK

  Stefan Wiehler (1):
        dev-manual: fix source release example script

  Stefano Babic (1):
        mtd-utils: upgrade 2.1.2 -> 2.1.3

  Tim Orling (2):
        python3-hypothesis: upgrade 6.14.3 -> 6.14.5
        python3-importlib-metadata: upgrade 4.6.1 -> 4.6.3

  Tony Battersby (2):
        lto.inc: disable LTO for grub
        gcc: Backport patch to make LTO builds more reproducible

  Tony Tascioglu (6):
        ffmpeg: fix-CVE-2020-20446
        ffmpeg: fix CVE-2020-20453
        ffmpeg: fix CVE-2020-22015
        ffmpeg: fix CVE-2020-22021
        ffmpeg: fix CVE-2020-22033 and CVE-2020-22019
        ffmpeg: fix CVE-2021-33815

  Trevor Woerner (1):
        ffmpeg: add libatomic for armv5

  Ulrich Ölmann (2):
        initramfs-framework: fix whitespace issue
        initramfs-framework/setup-live: fix shebang

  Vinay Kumar (1):
        glibc: Fix CVE-2021-33574

  Vivien Didelot (1):
        init-manager-systemd: define weak dev manager

  Zqiang (1):
        python3: use monotonic clock for condvar if possible

  hongxu (1):
        createrepo-c: fix createrepo-c failed in nativesdk

  leimaohui (1):
        archiver.bbclass: Fix patch error for recipes that inherit dos2unix.

  wangmy (3):
        bind: upgrade 9.16.18 -> 9.16.19
        i2c-tools: upgrade 4.2 -> 4.3
        diffoscope: upgrade 177 -> 178

  zangrc (2):
        python3-dbus: upgrade 1.2.16 -> 1.2.18
        python3-pip: upgrade 21.1.3 -> 21.2.1

meta-openembedded: 8fbcfb9f02..3cf2475ea0:
  Anastasios Kavoukis (1):
        pm-qa: fix paths for shell scripts

  Andreas Müller (3):
        mozjs/0001-Port-build-to-python3.patch: Fix typos in description
        jack: upgrade 1.19.18 -> 1.19.19
        fluidsynth: upgrade 2.2.1 -> 2.2.2

  Andrej Valek (1):
        thrift: upgrade to 0.14.2

  Andrew Jeffery (2):
        python3-gmpy: Add native support
        python3-ecdsa: Add native support

  Armin Kuster (2):
        hiawatha: fix url.
        wireshark: update to 3.4.7

  Ben Brown (1):
        android-tools: fix install of adb client when TOOLS is overridden

  Changqing Li (1):
        apache2: upgrade 2.4.46 -> 2.4.48

  Devendra Tewari (1):
        Suppress eol in functionfs setup scripts (#147)

  Gianfranco (1):
        vboxguestdrivers: upgrade 6.1.22 -> 6.1.24

  Joe Slater (2):
        php: move to version 7.4.21
        gtksourceview4: work around dependency deficiency

  Johannes Obermüller (1):
        evtest: fix timestamps in output

  Kai Kang (2):
        python3-blivet: 3.1.4 -> 3.4.0
        python3-blivetgui: 2.1.10 -> 2.2.1

  Khem Raj (23):
        netperf: Update to latest
        netperf: Add systemd unit file
        packagegroup-meta-oe: Add lmdb
        packagegroup-meta-oe: Add mbw
        addcli: check for ns_get16 and ns_get32
        fuse: Define closefrom if not available
        autofs: Fix build with glibc 2.34+
        ntp: Do not use PTHREAD_STACK_MIN on glibc
        ntp: Fix make check
        mongodb: Upgrade to 4.4.7
        vboxguestdrivers: Remove __divmoddi4 patch
        packagegroup-meta-oe: Add jemalloc
        apitrace: Exclude from builds with glibc 2.34+
        libhugetlbfs: Disable build with glibc 2.34+
        fvwm: Package extra files and man pages
        luajit: Fix override syntax
        lua: Drop uclibc patch
        packagegroup-meta-oe: Correct override name and fix syntax
        recipes: Fix override syntax
        emacs,libgpiod,cockpit: Fix override syntax in using FILES_${PN}
        fvwm: Fix build time paths in target perl/python scripts
        nis: Drop uclibc check in anon python function
        jemalloc: Fix build on musl

  Leon Anavi (3):
        python3-networkx: Upgrade 2.6.1 -> 2.6.2
        python3-pysonos: Upgrade 0.0.53 -> 0.0.54
        python3-zeroconf: Upgrade 0.33.1 -> 0.33.2

  Li Wang (1):
        openlldp: fix segfault

  Maksym Sloyko (1):
        libusbgx: Configure the Devices Used

  Martin Jansa (5):
        Convert to new override syntax
        layer.conf: Update to honister
        mariadb: manually fix the conversion
        packagegroup-meta-oe: manually finish override syntax conversion
        klibc.bbclass, image_types_sparse.bbclass, packagegroup-meta-oe.bb: update the overrides syntax conversion

  Mingli Yu (4):
        mariadb: redefine log-error item
        jemalloc: add new recipe
        hdf5: improve reproducibility
        mariadb: Update SRC_URI

  Nicolas Dechesne (1):
        mbw: add new recipe

  Paulo Neves (1):
        htop: Add ncurses-terminfo-base to RDEPENDS

  Sakib Sajal (1):
        lmdb: add recipe

  Salman Ahmed (2):
        nginx: upgrade 1.18.0 -> 1.20.1
        nginx: upgrade 1.19.6 -> 1.21.1

  Tony Battersby (1):
        net-snmp: fix QA Issue after LDFLAGS change

  Yi Zhao (3):
        postfix: upgrade 3.6.1 -> 3.6.2
        audit: upgrade 3.0.2 -> 3.0.3
        audit: fix compile error for 2.8.5

  Zang Ruochen (1):
        python3-robotframework: upgrade 4.0.3 -> 4.1

  wangmy (17):
        evince: upgrade 40.2 -> 40.4
        gnome-backgrounds: upgrade 3.36.0 -> 3.38.0
        gnome-desktop3: upgrade 3.36.6 -> 3.38.8
        cmark: upgrade 0.30.0 -> 0.30.1
        ctags: upgrade 5.9.20210711.0 -> 5.9.20210718.0
        libnet-dns-perl: upgrade 1.31 -> 1.32
        libtalloc: upgrade 2.3.2 -> 2.3.3
        nghttp2: upgrade 1.43.0 -> 1.44.0
        bats: upgrade 1.3.0 -> 1.4.1
        networkmanager: upgrade 1.32.2 -> 1.32.4
        gensio: upgrade 2.2.7 -> 2.2.8
        libmbim: upgrade 1.24.8 -> 1.26.0
        fetchmail: upgrade 6.4.19 -> 6.4.20
        ctags: upgrade 5.9.20210718.0 -> 5.9.20210801.0
        libblockdev: upgrade 2.25 -> 2.26
        libqmi: upgrade 1.28.6 -> 1.28.8
        monit: upgrade 5.28.0 -> 5.28.1

  zangrc (15):
        python3-qrcode: upgrade 7.1 -> 7.2
        python3-rdflib: upgrade 5.0.0 -> 6.0.0
        python3-simplejson: upgrade 3.17.2 -> 3.17.3
        python3-bitstring: upgrade 3.1.7 -> 3.1.9
        python3-iso8601: upgrade 0.1.14 -> 0.1.16
        python3-gmqtt: upgrade 0.6.9 -> 0.6.10
        python3-graphviz: upgrade 0.16 -> 0.17
        python3-smbus: upgrade 4.2 -> 4.3
        python3-pandas: upgrade 1.3.0 -> 1.3.1
        python3-progress: upgrade 1.5 -> 1.6
        python3-sentry-sdk: upgrade 1.3.0 -> 1.3.1
        python3-socketio: upgrade 5.3.0 -> 5.4.0
        python3-tqdm: upgrade 4.61.2 -> 4.62.0
        python3-twisted: upgrade 21.2.0 -> 21.7.0
        python3-xlsxwriter: upgrade 1.4.4 -> 1.4.5

  zhengruoqin (15):
        live555: upgrade 20210710 -> 20210720
        libtest-warnings-perl: upgrade 0.030 -> 0.031
        python3-pybind11: upgrade 2.6.2 -> 2.7.0
        python3-pymongo: upgrade 3.11.4 -> 3.12.0
        python3-sqlalchemy: upgrade 1.4.20 -> 1.4.22
        python3-sentry-sdk: upgrade 1.2.0 -> 1.3.0
        libcurses-perl: upgrade 1.37 -> 1.38
        libdbd-sqlite-perl: upgrade 1.66 -> 1.68
        libencode-perl: upgrade 3.10 -> 3.11
        python3-bitarray: upgrade 2.2.2 -> 2.2.3
        python3-cbor2: upgrade 5.4.0 -> 5.4.1
        python3-gast: upgrade 0.5.0 -> 0.5.1
        poppler: upgrade 21.07.0 -> 21.08.0
        valijson: upgrade 0.4 -> 0.5
        xwd: upgrade 1.0.7 -> 1.0.8

meta-security: 152cdb506b..c885d399cd:
  Armin Kuster (18):
        suricata.inc: exclude ppc in rust version
        suricata: Drop 4.1.x its EOL
        add meta-rust
        crowdsec: add pkg
        packagegroup-core-security.bb: fix suricat-ptest inclusion
        gitlab-ci.yml:  streamline builds matrix
        krill: Add new pkg
        clamav: fix branch name and update
        meta-security: Convert to new override syntax
        meta-tpm: Convert to new override syntax
        meta-integrity: Convert to new override syntax
        meta-hardening: Convert to new override syntax
        meta-security-isafw: Convert to new override syntax
        meta-parsec: Convert to new override syntax
        meta-security-compliance: Convert to new override syntax
        dynamix-layers: Convert to new override syntax
        kas: Convert to new override syntax
        packagegroup-core-security.bb: only include suricat-ptest if rust is included

  Martin Jansa (1):
        layer.conf: Update to honister

Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
Change-Id: Iec7301cf1c43b7cec462dcf88292a8b1b12a5045
diff --git a/poky/documentation/dev-manual/common-tasks.rst b/poky/documentation/dev-manual/common-tasks.rst
index 2af2896..7fa0df4 100644
--- a/poky/documentation/dev-manual/common-tasks.rst
+++ b/poky/documentation/dev-manual/common-tasks.rst
@@ -872,7 +872,7 @@
 :term:`Build Directory`.
 
 To understand how these features work, the best reference is
-``meta/classes/core-image.bbclass``. This class lists out the available
+``meta/classes/image.bbclass``. This class lists out the available
 :term:`IMAGE_FEATURES` of which most map to package groups while some, such
 as ``debug-tweaks`` and ``read-only-rootfs``, resolve as general
 configuration settings.
@@ -4384,7 +4384,7 @@
    variable, inherit the
    :ref:`own-mirrors <ref-classes-own-mirrors>`
    class, and use the
-   :term:`bitbake:BB_NO_NETWORK`
+   :term:`BB_NO_NETWORK`
    variable to your ``local.conf``.
    ::
 
@@ -4457,7 +4457,7 @@
 -  :term:`BB_NUMBER_THREADS`:
    The maximum number of threads BitBake simultaneously executes.
 
--  :term:`bitbake:BB_NUMBER_PARSE_THREADS`:
+-  :term:`BB_NUMBER_PARSE_THREADS`:
    The number of threads BitBake uses during parsing.
 
 -  :term:`PARALLEL_MAKE`: Extra
@@ -7288,7 +7288,8 @@
        npmsw://${THISDIR}/${BPN}/npm-shrinkwrap.json \
        "
    S = "${WORKDIR}/npm"
-   inherit npm LICENSE_${PN} = "MIT"
+   inherit npm
+   LICENSE_${PN} = "MIT"
    LICENSE_${PN}-accepts = "MIT"
    LICENSE_${PN}-array-flatten = "MIT"
    ...
@@ -9121,7 +9122,7 @@
 
    The output of ``bitbake-dumpsig`` also includes the value each
    variable had, a list of dependencies for each variable, and
-   :term:`bitbake:BB_HASHBASE_WHITELIST`
+   :term:`BB_HASHBASE_WHITELIST`
    information.
 
 There is also a ``bitbake-diffsigs`` command for comparing two
@@ -9358,7 +9359,7 @@
 
 -  ``bb.debug(level, msg)``: Writes "DEBUG: msg" to the
    log. Also logs to stdout if the log level is greater than or equal to
-   level. See the ":ref:`-D <bitbake:bitbake-user-manual/bitbake-user-manual-intro:usage and syntax>`" option
+   level. See the ":ref:`bitbake:bitbake-user-manual/bitbake-user-manual-intro:usage and syntax`" option
    in the BitBake User Manual for more information.
 
 -  ``bb.warn(msg)``: Writes "WARNING: msg" to the log while also
@@ -10528,6 +10529,9 @@
 1. *Identify the bug or CVE to be fixed:* This information should be
    collected so that it can be included in your submission.
 
+   See :ref:`dev-manual/common-tasks:checking for vulnerabilities`
+   for details about CVE tracking.
+
 2. *Check if the fix is already present in the master branch:* This will
    result in the most straightforward path into the stable branch for the
    fix.
@@ -10928,7 +10932,7 @@
          p=${p%-*}
          # Only archive GPL packages (update *GPL* regex for your license check)
          numfiles=`ls tmp/deploy/licenses/$p/*GPL* 2> /dev/null | wc -l`
-         if [ $numfiles -gt 1 ]; then
+         if [ $numfiles -ge 1 ]; then
             echo Archiving $p
             mkdir -p $src_release_dir/$p/source
             cp $d/* $src_release_dir/$p/source 2> /dev/null
@@ -11090,6 +11094,48 @@
 
    NO_GENERIC_LICENSE[Firmware-Abilis] = "LICENSE.Abilis.txt"
 
+Checking for Vulnerabilities
+============================
+
+Vulnerabilities in images
+-------------------------
+
+The Yocto Project has an infrastructure to track and address unfixed
+known security vulnerabilities, as tracked by the public
+`Common Vulnerabilities and Exposures (CVE) <https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures>`__
+database.
+
+To know which packages are vulnerable to known security vulnerabilities,
+add the following setting to your configuration::
+
+   INHERIT += "cve-check"
+
+This way, at build time, BitBake will warn you about known CVEs
+as in the example below::
+
+   WARNING: flex-2.6.4-r0 do_cve_check: Found unpatched CVE (CVE-2019-6293), for more information check /poky/build/tmp/work/core2-64-poky-linux/flex/2.6.4-r0/temp/cve.log
+   WARNING: libarchive-3.5.1-r0 do_cve_check: Found unpatched CVE (CVE-2021-36976), for more information check /poky/build/tmp/work/core2-64-poky-linux/libarchive/3.5.1-r0/temp/cve.log
+
+It is also possible to check the CVE status of individual packages as follows::
+
+   bitbake -c cve_check flex libarchive
+
+Note that OpenEmbedded-Core keeps a list of known unfixed CVE issues which can
+be ignored. You can pass this list to the check as follows::
+
+   bitbake -c cve_check libarchive -R conf/distro/include/cve-extra-exclusions.inc
+
+Enabling vulnerabily tracking in recipes
+----------------------------------------
+
+The :term:`CVE_PRODUCT` variable defines the name used to match the recipe name
+against the name in the upstream `NIST CVE database <https://nvd.nist.gov/>`__.
+
+The CVE database is stored in :term:`DL_DIR` and can be inspected using
+``sqlite3`` command as follows::
+
+   sqlite3 downloads/CVE_CHECK/nvdcve_1.1.db .dump | grep CVE-2021-37462
+
 Using the Error Reporting Tool
 ==============================