Buildroot Archive on lore.kernel.org
From: "Yann E. MORIN" <yann.morin.1998@free.fr>
To: "Weber, Matthew L Collins" <Matthew.Weber@collins.com>
Cc: Paul Cercueil <paul@crapouillou.net>,
	"buildroot@buildroot.org" <buildroot@buildroot.org>
Subject: Re: [Buildroot] [External] Re: [PATCH] package/lightning: stop spam!
Date: Mon, 18 Oct 2021 17:33:54 +0200	[thread overview]
Message-ID: <20211018153354.GS2400@scaer> (raw)
In-Reply-To: <SN5P110MB048022947C6AD67D5341B4A6F2BC9@SN5P110MB0480.NAMP110.PROD.OUTLOOK.COM>

Matthew, All,

On 2021-10-18 13:21 +0000, Weber, Matthew L Collins spake thusly:
> > From: Yann E. MORIN <yann.morin.1998@free.fr>
> > Matt: is there a process to update the NIST CPE DB? Can we add that in the
> > manual, even just as an URL?
> Thomas and I had started this elinux page covering adding/updating a CVE or CPE.
> https://www.elinux.org/Buildroot:Security_Vulnerability_Management

Ah, great! :-)

> So in this case, I think we need to submit an entry for the GNU
> lightning package (cpe:2.3:a:gnu:lightning:2.1.3:*:*:*:*:*:*:*) as
> there isn't a CPE. [...] I've emailed the XML [1] to NIST to make
> this update.

So if I follow correctly, GNU lightning did not exist in the NIST CPE.
I tried to look for it yesterday, and it turned up nothing.

But now, in addition to the one version you submitted (as per your XML,
below), there are a bunch of results, from version 1.0 up to and
including 2.1.3:

    https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe:2.3:a:gnu:lightning

They were all added on 2021-10-18, so am I wrong in understanding that
your submission triggered some (automated/manual) scanning of the
upstream repo to generate all those entries?

> Once that's added, then this .mk can set "LIGHTNING_CPE_ID_VENDOR =
> gnu" so the CVE filter is clear for this package (right now it is
> free txt based and that's why you've picked up the server CVE).

Patch pending to be sent; pkg-stats still reports "CPE version unknown
in CPE database", although the website does include 2.1.3...

Thanks ! :-)

Regards,
Yann E. MORIN.

> Regards,
> Matt
> 
> 
> 
> [1]
> <?xml version="1.0" encoding="utf-8"?>
> <cpe-list xmlns="http://cpe.mitre.org/dictionary/2.0" xmlns:config="http://scap.nist.gov/schema/configuration/0.1" xmlns:cpe-23="http://scap.nist.gov/schema/cpe-extension/2.3" xmlns:meta="http://scap.nist.gov/schema/cpe-dictionary-metadata/0.2" xmlns:ns6="http://scap.nist.gov/schema/scap-core/0.1" xmlns:scap-core="http://scap.nist.gov/schema/scap-core/0.3" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://scap.nist.gov/schema/cpe-extension/2.3 https://scap.nist.gov/schema/cpe/2.3/cpe-dictionary-extension_2.3.xsd http://cpe.mitre.org/dictionary/2.0 https://scap.nist.gov/schema/cpe/2.3/cpe-dictionary_2.3.xsd http://scap.nist.gov/schema/cpe-dictionary-metadata/0.2 https://scap.nist.gov/schema/cpe/2.1/cpe-dictionary-metadata_0.2.xsd http://scap.nist.gov/schema/scap-core/0.3 https://scap.nist.gov/schema/nvd/scap-core_0.3.xsd http://scap.nist.gov/schema/configuration/0.1 https://scap.nist.gov/schema/nvd/configuration_0.1.xsd http://scap.nist.gov/schema/scap-core/0.1 https://scap.nist.gov/schema/nvd/scap-core_0.1.xsd">
>         <cpe-item name="cpe:/a:gnu:lightning:2.1.3">
>                 <title xml:lang="en-US">GNU Lightning Project 2.1.3</title>
>                 <references>
>                         <reference href="http://git.savannah.gnu.org/cgit/lightning.git">VERSION</reference>
>                         <reference href="https://www.gnu.org/software/lightning/">PRODUCT</reference>
>                 </references>
>                 <cpe-23:cpe23-item name="cpe:2.3:a:gnu:lightning:2.1.3:*:*:*:*:*:*:*"/>
>         </cpe-item>
> </cpe-list>

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
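As an added illustration, not code from this thread, from Buildroot's pkg-stats or from NIST, the check below does what the "CPE version unknown in CPE database" report boils down to: it builds the cpe:2.3 string that a package's vendor/product/version would give (the LIGHTNING_CPE_ID_VENDOR = gnu case above) and looks it up in a dictionary file in the format of the XML Matt submitted. The sample dictionary is constructed here from the thread's 2.1.3 entry; the 2.1.2 entry is an assumption added to show the "product known, version unknown" case.

```python
"""Look up a package's CPE 2.3 name in a CPE dictionary (cpe-list) XML file."""
import xml.etree.ElementTree as ET

CPE23_NS = "http://scap.nist.gov/schema/cpe-extension/2.3"

# Constructed sample dictionary in the cpe-list format from the thread.
# The 2.1.3 item is the one submitted to NIST; 2.1.2 is an assumed extra entry.
SAMPLE_DICT = """<cpe-list xmlns="http://cpe.mitre.org/dictionary/2.0"
          xmlns:cpe-23="http://scap.nist.gov/schema/cpe-extension/2.3">
  <cpe-item name="cpe:/a:gnu:lightning:2.1.3">
    <title xml:lang="en-US">GNU Lightning Project 2.1.3</title>
    <cpe-23:cpe23-item name="cpe:2.3:a:gnu:lightning:2.1.3:*:*:*:*:*:*:*"/>
  </cpe-item>
  <cpe-item name="cpe:/a:gnu:lightning:2.1.2">
    <title xml:lang="en-US">GNU Lightning Project 2.1.2</title>
    <cpe-23:cpe23-item name="cpe:2.3:a:gnu:lightning:2.1.2:*:*:*:*:*:*:*"/>
  </cpe-item>
</cpe-list>
"""


def cpe23_id(vendor, product, version, part="a"):
    """Build the formatted string a package's vendor/product/version maps to."""
    return f"cpe:2.3:{part}:{vendor}:{product}:{version}:*:*:*:*:*:*:*"


def load_cpe23_names(xml_text):
    """Collect every cpe23-item name in a cpe-list document (namespace-aware)."""
    root = ET.fromstring(xml_text)
    return {item.get("name") for item in root.iter(f"{{{CPE23_NS}}}cpe23-item")}


def known_versions(names, vendor, product, part="a"):
    """All versions the dictionary lists for this exact vendor:product pair."""
    prefix = f"cpe:2.3:{part}:{vendor}:{product}:"
    return sorted(n.split(":")[5] for n in names if n.startswith(prefix))


def check_package(names, vendor, product, version):
    """Classify a package as 'ok', 'version-unknown' or 'product-unknown'.

    Matching is on the exact vendor:product prefix, not on free text, which is
    why a correct CPE_ID_VENDOR keeps unrelated products with the same name out.
    """
    if cpe23_id(vendor, product, version) in names:
        return "ok"
    if known_versions(names, vendor, product):
        return "version-unknown"
    return "product-unknown"


if __name__ == "__main__":
    names = load_cpe23_names(SAMPLE_DICT)
    for ver in ("2.1.3", "2.1.4"):
        print("gnu:lightning", ver, "->", check_package(names, "gnu", "lightning", ver))
```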


Thread overview: 5+ messages
2021-10-15 21:50 [Buildroot] [PATCH] package/lightning: stop spam! Paul Cercueil
2021-10-16  8:02 ` Yann E. MORIN
2021-10-18 13:21   ` [Buildroot] [External] " Weber, Matthew L Collins via buildroot
2021-10-18 15:33     ` Yann E. MORIN [this message]
2021-10-18 18:13       ` Weber, Matthew L Collins via buildroot