[Buildroot] [External] Re: [PATCH] package/lightning: stop spam!

Weber, Matthew L Collins Matthew.Weber at collins.com
Mon Oct 18 13:21:39 UTC 2021


Yann,

> From: Yann E. MORIN <yann.morin.1998 at free.fr>
> Sent: Saturday, October 16, 2021 3:02 AM
> To: Paul Cercueil <paul at crapouillou.net>
> Cc: buildroot at buildroot.org <buildroot at buildroot.org>; Weber, Matthew L Collins <Matthew.Weber at collins.com>
> Subject: [External] Re: [Buildroot] [PATCH] package/lightning: stop spam!
>  
> Paul, All,
>
> +Matthew
>
> On 2021-10-15 22:50 +0100, Paul Cercueil spake thusly:
> > Every week I receive an automated email that tells me about the
> > CVE-2020-7747 vulnerability in Lightning. This vulnerability however
> > applies to the Javascript lightning-server project, and not to the
> > GNU Lightning project.
> >
> > Ignore this CVE in the Lightning package to reduce my stress levels.
> >
> > Signed-off-by: Paul Cercueil <paul at crapouillou.net>
>
> The goal of sending those automated emails is explicitly to have people
> registered in DEVELOPERS take action on those CVE reports. Such
> actions can be bumping the package to a non-affected version,
> backporting an upstream patch, or, as you did, marking them to be ignored.
>
> Bonus point if the NIST CPE DB is updated to avoid the mismatch, like
> adding an entry for GNU lightning, and thus setting the correct CPE_ID
> in Buildroot.
>
> Matt: is there a process to update the NIST CPE DB? Can we add that in the
> manual, even just as a URL?

Thomas and I had started this elinux page covering adding/updating a CVE or CPE.
https://www.elinux.org/Buildroot:Security_Vulnerability_Management

So in this case, I think we need to submit an entry for the GNU lightning package (cpe:2.3:a:gnu:lightning:2.1.3:*:*:*:*:*:*:*) as there isn't a CPE.  Once that's added, then this .mk can set "LIGHTNING_CPE_ID_VENDOR = gnu" so the CVE filter is clear for this package (right now it is free-text based and that's why you've picked up the server CVE).  I've emailed the XML [1] to NIST to make this update.

Regards,
Matt



[1]
<?xml version="1.0" encoding="utf-8"?>
<cpe-list xmlns="http://cpe.mitre.org/dictionary/2.0" xmlns:config="http://scap.nist.gov/schema/configuration/0.1" xmlns:cpe-23="http://scap.nist.gov/schema/cpe-extension/2.3" xmlns:meta="http://scap.nist.gov/schema/cpe-dictionary-metadata/0.2" xmlns:ns6="http://scap.nist.gov/schema/scap-core/0.1" xmlns:scap-core="http://scap.nist.gov/schema/scap-core/0.3" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://scap.nist.gov/schema/cpe-extension/2.3 https://scap.nist.gov/schema/cpe/2.3/cpe-dictionary-extension_2.3.xsd http://cpe.mitre.org/dictionary/2.0 https://scap.nist.gov/schema/cpe/2.3/cpe-dictionary_2.3.xsd http://scap.nist.gov/schema/cpe-dictionary-metadata/0.2 https://scap.nist.gov/schema/cpe/2.1/cpe-dictionary-metadata_0.2.xsd http://scap.nist.gov/schema/scap-core/0.3 https://scap.nist.gov/schema/nvd/scap-core_0.3.xsd http://scap.nist.gov/schema/configuration/0.1 https://scap.nist.gov/schema/nvd/configuration_0.1.xsd http://scap.nist.gov/schema/scap-core/0.1 https://scap.nist.gov/schema/nvd/scap-core_0.1.xsd">
        <cpe-item name="cpe:/a:gnu:lightning:2.1.3">
                <title xml:lang="en-US">GNU Lightning Project 2.1.3</title>
                <references>
                        <reference href="http://git.savannah.gnu.org/cgit/lightning.git">VERSION</reference>
                        <reference href="https://www.gnu.org/software/lightning/">PRODUCT</reference>
                </references>
                <cpe-23:cpe23-item name="cpe:2.3:a:gnu:lightning:2.1.3:*:*:*:*:*:*:*"/>
        </cpe-item>
</cpe-list>
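The thread's point is that a package whose CPE only carries the default vendor gets matched on the product name alone, so any unrelated project that also ships a product called "lightning" pulls its CVEs onto the Buildroot package; an explicit vendor ("gnu") plus the NVD version bounds is what makes the filter precise. The following is an added illustration, not Buildroot's own support/scripts/cve.py or pkg-stats code. It assumes the Buildroot default convention (vendor "<pkg>_project", product "<pkg>", version "<PKG>_VERSION") as I read it from the manual, and the CVE records in it are constructed sample data shaped like NVD JSON 1.1 cpe_match entries, not the real CVE-2020-7747 record.

```python
"""Minimal CPE 2.3 matcher: name-only matching vs vendor-aware matching.

Added example, not Buildroot code. The buildroot_cpe_id() defaults are an
assumption about Buildroot's convention; SAMPLE_CVES is constructed data.
"""
import re

CPE23_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
                "language", "sw_edition", "target_sw", "target_hw", "other")


def buildroot_cpe_id(pkg, version, vendor=None, product=None, update="*"):
    """CPE identifier Buildroot would derive for a package (assumed defaults).

    Setting <PKG>_CPE_ID_VENDOR in the .mk corresponds to passing vendor= here.
    """
    vendor = vendor or f"{pkg}_project"
    product = product or pkg
    return f"cpe:2.3:a:{vendor}:{product}:{version}:{update}:*:*:*:*:*:*"


def parse_cpe23(cpe):
    """Split a CPE 2.3 formatted string into its 11 attribute fields.

    Escaped colons ("\\:") inside a field are not handled; none of the
    identifiers in this thread contain them.
    """
    parts = cpe.split(":")
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    return dict(zip(CPE23_FIELDS, parts[2:]))


def version_key(v):
    """Sortable key for dotted versions: numeric parts compare numerically."""
    return [(0, int(tok)) if tok.isdigit() else (1, tok)
            for tok in re.split(r"[.\-_]", v)]


def cpe_match_affects(pkg_cpe, match, check_vendor=True):
    """True if an NVD-style cpe_match entry covers the package CPE.

    check_vendor=False mimics a name-only filter: every record whose product
    field equals the package name is reported, whatever the vendor.
    """
    if not match.get("vulnerable", True):
        return False
    crit = parse_cpe23(match["cpe23Uri"])
    pkg = parse_cpe23(pkg_cpe)
    if crit["part"] != pkg["part"] or crit["product"] != pkg["product"]:
        return False
    if check_vendor and crit["vendor"] not in ("*", pkg["vendor"]):
        return False
    # A concrete version in the criterion must match exactly; "*"/"-" defer
    # to the range attributes carried beside the cpe23Uri.
    if crit["version"] not in ("*", "-"):
        return crit["version"] == pkg["version"]
    ver = version_key(pkg["version"])
    bounds = (("versionStartIncluding", lambda b: ver >= b),
              ("versionStartExcluding", lambda b: ver > b),
              ("versionEndIncluding", lambda b: ver <= b),
              ("versionEndExcluding", lambda b: ver < b))
    return all(ok(version_key(match[k])) for k, ok in bounds if k in match)


def cves_for_package(pkg_cpe, cve_records, check_vendor=True):
    """IDs of the records whose cpe_match entries cover pkg_cpe."""
    return sorted(cve["id"] for cve in cve_records
                  if any(cpe_match_affects(pkg_cpe, m, check_vendor)
                         for m in cve["matches"]))


# Constructed sample records (placeholder IDs, not real NVD data): one CVE
# against an unrelated JavaScript project whose product is also named
# "lightning", and one range-bounded CVE filed against gnu:lightning.
SAMPLE_CVES = [
    {"id": "CVE-0000-0001",
     "matches": [{"vulnerable": True,
                  "cpe23Uri": "cpe:2.3:a:lightning-server_project:lightning:*:*:*:*:*:node.js:*:*"}]},
    {"id": "CVE-0000-0002",
     "matches": [{"vulnerable": True,
                  "cpe23Uri": "cpe:2.3:a:gnu:lightning:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "2.1.0",
                  "versionEndExcluding": "2.1.3"}]},
]

if __name__ == "__main__":
    default_id = buildroot_cpe_id("lightning", "2.1.3")  # lightning_project:lightning
    fixed_id = buildroot_cpe_id("lightning", "2.1.3", vendor="gnu")
    print(default_id, cves_for_package(default_id, SAMPLE_CVES, check_vendor=False))
    print(fixed_id, cves_for_package(fixed_id, SAMPLE_CVES))
    print(buildroot_cpe_id("lightning", "2.1.2", vendor="gnu"),
          cves_for_package(buildroot_cpe_id("lightning", "2.1.2", vendor="gnu"), SAMPLE_CVES))
```

With the name-only filter the default identifier picks up the unrelated record; with the vendor set to "gnu" that record drops out, while the genuine range-bounded record still fires for 2.1.2 and is correctly silent for the fixed 2.1.3. The vendor override is only useful once the gnu:lightning CPE exists in the NIST dictionary, which is what the XML above requests.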