[Buildroot] [External] Re: [PATCH] package/lightning: stop spam!

Weber, Matthew L Collins Matthew.Weber at collins.com
Mon Oct 18 18:13:49 UTC 2021


Yann,

> From: Yann E. MORIN <yann.morin.1998 at free.fr>
> Sent: Monday, October 18, 2021 10:33 AM
> To: Weber, Matthew L Collins <Matthew.Weber at collins.com>
> Cc: Paul Cercueil <paul at crapouillou.net>; buildroot at buildroot.org <buildroot at buildroot.org>
> Subject: Re: [External] Re: [Buildroot] [PATCH] package/lightning: stop spam!
>  
> Matthew, All,
>
> On 2021-10-18 13:21 +0000, Weber, Matthew L Collins spake thusly:

[snip]

>
> > So in this case, I think we need to submit an entry for the GNU
> > lightning package (cpe:2.3:a:gnu:lightning:2.1.3:*:*:*:*:*:*:*) as
> > there isn't a CPE. [...] I've emailed the XML [1] to NIST to make
> > this update.
>
> So if I follow correctly, GNU lightning did not exist in the NIST CPE.
> I tried to look for it yesterday, and it turned up nothing.
>
> But now, in addition to the one version you submitted (as per your XML,
> below), there are a bunch of results, from version 1.0 up to and
> including 2.1.3:

Correct, they add all entries so that the package now can be tagged with CVEs when they come up. They needed the latest example XML and then created the rest.

> > Once that's added, then this .mk can set "LIGHTNING_CPE_ID_VENDOR =
> > gnu" so the CVE filter is clear for this package (right now it is
> > free txt based and that's why you've picked up the server CVE).
>
> Patch pending to be sent; pkg-stats still reports "CPE version unknown
> in CPE database", although the website does include 2.1.3...

The CPE isn't yet set as valid in Buildroot so it can't find it. (guessing that script has some delay as well for updates?)

Regards,
Matt
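
As an added example (not part of the original message and not Buildroot's pkg-stats code), the sketch below models the difference discussed in this thread between matching CVEs on product name alone and matching on a full CPE ID with the vendor set. The CVE identifiers, the `example_vendor` entry and the name-only wildcard form are constructed assumptions.

```python
from typing import NamedTuple

class Cpe(NamedTuple):
    part: str
    vendor: str
    product: str
    version: str

def parse_cpe23(text):
    """Split a CPE 2.3 formatted string into its first four attributes."""
    fields = text.split(":")  # simplification: no escaped ':' inside values
    if len(fields) != 13 or fields[:2] != ["cpe", "2.3"]:
        raise ValueError("not a CPE 2.3 formatted string: %r" % text)
    return Cpe(*fields[2:6])

def field_matches(a, b):
    """'*' means ANY on either side; otherwise compare case-insensitively."""
    return a == "*" or b == "*" or a.lower() == b.lower()

def affected(pkg_cpe, cve_cpes):
    """True if any CPE listed by a CVE matches the package's CPE."""
    pkg = parse_cpe23(pkg_cpe)
    return any(all(field_matches(p, c) for p, c in zip(pkg, parse_cpe23(e)))
               for e in cve_cpes)

def matching_cves(pkg_cpe, feed):
    """Sorted ids of the CVEs in the feed that match the package's CPE."""
    return sorted(cve for cve, cpes in feed.items() if affected(pkg_cpe, cpes))

# Constructed feed: placeholder CVE ids, one unrelated "lightning" product.
FEED = {
    "CVE-PLACEHOLDER-SERVER": ["cpe:2.3:a:example_vendor:lightning:*:*:*:*:*:*:*:*"],
    "CVE-PLACEHOLDER-GNU": ["cpe:2.3:a:gnu:lightning:2.1.3:*:*:*:*:*:*:*"],
}

# Assumption: with no vendor set, the package is matched by product name only.
NAME_ONLY = "cpe:2.3:*:*:lightning:2.1.3:*:*:*:*:*:*:*"
# CPE ID quoted in the thread, i.e. the result of setting the vendor to "gnu".
WITH_VENDOR = "cpe:2.3:a:gnu:lightning:2.1.3:*:*:*:*:*:*:*"

if __name__ == "__main__":
    print("name only  :", matching_cves(NAME_ONLY, FEED))
    print("with vendor:", matching_cves(WITH_VENDOR, FEED))
```

With the vendor left as a wildcard, the unrelated product's CVE is reported as a false positive; with the vendor set, only the GNU entry remains.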

