docs: fix code review issues

Signed-off-by: Terri Oda <[email protected]>
terriko · Feb 5, 2024 · 64945bf · 64945bf
1 parent d00620a
commit 64945bf
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 6 deletions.
diff --git a/.github/actions/spelling/allow.txt b/.github/actions/spelling/allow.txt
@@ -624,6 +624,7 @@ tar
 taskbar
 tcpdump
 tcpreplay
+tempfile
 templating
 terminology
 terri

diff --git a/doc/MANUAL.md b/doc/MANUAL.md
@@ -328,19 +328,19 @@ fork of 7zip. We are currently using `7z` for extracting `jar`, `apk`, `msi`, `e
 
 ## Deployment best practices
 
-CVE binary tool was expected to be used by developers wishing to track known vulnerabilities against their own code and their dependencies.  We expect many users to use continuous integration systems such as Github Actions, and we have our own [cve-bin-tool GitHub Action](https://github.com/intel/cve-bin-tool-action) available to make that easy.  You can also run it within your existing build/test environments.  
+CVE binary tool is intended for use by developers wishing to track known vulnerabilities against their own code and their dependencies.  We expect many users to use continuous integration systems such as Github Actions, and we have our own [cve-bin-tool GitHub Action](https://github.com/intel/cve-bin-tool-action) available to make that easy.  You can also run it within your existing build/test environments.
 
 We usually assume that the people providing the binaries for scanning will be the same people who set up and control the environment in which they are run.  For example, a normal use case would be an open source project scanning their own generated files as a build check.  We don't really expect people to use this as a forensics tool on a compromised system. (Although if you use it that way, we'd love to hear how that worked for you!)
 
 ### Use user-level permissions with appropriate file system access
 
 You should give cve-bin-tool minimal, user-level permissions. The user for cve-bin-tool will need access to the following things:
 
-- Read/write access to a cache directory for storing and reading the vulnerability data (`~/.cache/cve-bin-tool/`).  
+- Read/write access to a cache directory for storing and reading the vulnerability data (`~/.cache/cve-bin-tool/`).
   - Write access is only needed during data updates, which typically run once a day and can be scheduled separately.
-- Read access to the file/directory to be scanned
-- Write access to the system temp directory if extracting files.  
-- Write access to a directory/file for reports, if you want the report in a file and not just printed to the console
+- Read access to the file/directory to be scanned.
+- Write access to the system temp directory if extracting files.
+- Write access to a directory/file for reports, if you want the report in a file and not just printed to the console.
 
 You should not run cve-bin-tool as root, not even in a sandbox, container, or virtual machine. While "don't run as root" is pretty standard security advice, we specifically do not want to give cve-bin-tool permission to over-write the system binaries it uses for scanning or extracting files such as `strings` or `rpm2cpio`, as those could be used to greatly increase the risk/severity of any issue found in cve-bin-tool or its dependencies.
 
@@ -360,7 +360,7 @@ The update job can be further constrained to have only access to the database ca
 
 ### Using cve-bin-tool within a throwaway environment
 
-CVE-bin-tool was intended for use as part of continuous integration testing, and many such systems use throwaway containers or virtual machines to mitigate risk.  If you're intending to do this, you will probably want to find a way to store and re-use the vulnerability data, probably by copying it into the "fresh" environment.  
+CVE-bin-tool is intended for use as part of continuous integration testing, and many such systems use throwaway containers or virtual machines to mitigate risk.  If you're intending to do this, you will probably want to find a way to store and re-use the vulnerability data, probably by copying it into the "fresh" environment.
 
 In Github Actions, you can use `actions/cache` to do this.  You can see how we handle caching in [our GitHub Actions cache job](https://github.com/intel/cve-bin-tool/blob/main/.github/workflows/update-cache.yml).  If you're not using Github Actions, you may find it useful to look at the instructions for [using cve-bin-tool offline](how_to_guides/offline.md) as they show the process for separating the download of data and the scan.