New pkg audit FNs
Steve Wills
swills at FreeBSD.org
Mon Oct 9 22:03:22 UTC 2017
Hi,
On 10/09/2017 17:55, Jan Beich wrote:
> Steve Wills <swills at FreeBSD.org> writes:
>
>> Hi,
>>
>> On 10/09/2017 16:34, Jan Beich wrote:
>>> Matthew Seaman <matthew at FreeBSD.org> writes:
>>>
>>>> On 09/10/2017 16:57, Roger Marquis wrote:
>>>>
>>>>> Can anyone say what mechanisms the ports-security team might have in
>>>>> place to monitor CVEs and port software versions?
>>
>> I've been hacking at a prototype for scanning what I can find:
>>
>> https://github.com/swills/nvd_to_new_vuxml
>
> Wouldn't that encourage copypasta, exacerbating filesize issue?
The VuXML data does need to be split up and all tools that process it
need to be taught to deal with multiple files.
> Why not
> teach pkg-audit(8) to query NVD based on CPE annotations in *binary* packages?
> Doing so would also provide a workaround for VuXML entries cancelled
> to reduce bloat.
I agree, pkg-audit needs to be taught to do that. Along those lines, we
could create a port for cvechecker:
https://github.com/sjvermeu/cvechecker
But both solutions only handle installed packages.
We would still need something to alert us to CVEs in non-installed
software, I think.
Also, I've just looked and it seems only a little over 1000 ports have
CPE strings. Adding something to portlint that warned ports developers
to add any needed CPE info would be helpful. I think that type of
warning has helped us improve LICENSE entries.
Steve
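As an added example (not code from this thread, from pkg(8) or from the ports tree), here is a Python script that does for installed packages what the thread discusses: it reads the output of two `pkg query` invocations, reports packages whose port did not set `USES=cpe` (the gap a portlint warning would catch upstream), and turns each annotated package's CPE 2.3 string into a lookup against the NVD CVE API 2.0. The `pkg query` format strings and the `cpe` annotation tag are as I know them from pkg(8) and the `cpe` USES; the sample package and annotation lines are constructed, and the NVD endpoint is one that postdates the 2017 thread (a data-feed based tool such as the linked prototype would substitute its own lookup).

```python
"""Audit which installed FreeBSD packages carry a CPE annotation and turn
the annotated ones into NVD lookups.

Added example, not code from the thread. It consumes the text output of two
pkg(8) queries (constructed samples are embedded so it runs offline):

  pkg query -a '%n-%v'           -> one installed package per line
  pkg query -a '%n-%v|%At|%Av'   -> one line per package annotation
"""
import re
from urllib.parse import quote

# CPE 2.3 formatted-string components, in order, after the "cpe:2.3" prefix.
CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other")

# NVD CVE API 2.0 endpoint (assumption: this API postdates the 2017 thread).
NVD_CVE_API = "https://services.nvd.nist.gov/rest/json/cves/2.0"

# Constructed sample of `pkg query -a '%n-%v'` output (not a real host).
ALL_PKGS = """\
curl-7.55.1
pkg-1.10.1
vim-8.0.1169
zsh-5.4.2_1
"""

# Constructed sample of `pkg query -a '%n-%v|%At|%Av'` output. A port that
# sets USES=cpe gives its package a 'cpe' annotation; the others here do not.
ANNOTATIONS = """\
curl-7.55.1|FreeBSD_version|1101001
curl-7.55.1|cpe|cpe:2.3:a:haxx:curl:7.55.1:::::freebsd:x64:
curl-7.55.1|repository|FreeBSD
pkg-1.10.1|FreeBSD_version|1101001
pkg-1.10.1|repository|FreeBSD
vim-8.0.1169|FreeBSD_version|1101001
vim-8.0.1169|cpe|cpe:2.3:a:vim:vim:8.0.1169:::::freebsd:x64:
vim-8.0.1169|repository|FreeBSD
zsh-5.4.2_1|FreeBSD_version|1101001
zsh-5.4.2_1|repository|FreeBSD
"""


def parse_pkg_list(text):
    """Return the non-empty lines of a `pkg query -a '%n-%v'` listing."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def parse_annotations(text):
    """Map package -> {tag: value} from '%n-%v|%At|%Av' lines."""
    result = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        pkg, tag, value = line.split("|", 2)  # value may contain no '|'
        result.setdefault(pkg, {})[tag] = value
    return result


def split_cpe(cpe):
    """Split a CPE 2.3 formatted string into its named components.

    A colon escaped as '\\:' inside a component is not a separator. Empty
    components (as the ports framework emits them) become '*', the CPE 2.3
    wildcard for ANY.
    """
    tokens = re.split(r"(?<!\\):", cpe)
    if len(tokens) != 2 + len(CPE_FIELDS) or tokens[:2] != ["cpe", "2.3"]:
        raise ValueError("not a CPE 2.3 formatted string: %r" % cpe)
    return {name: (tok or "*") for name, tok in zip(CPE_FIELDS, tokens[2:])}


def packages_without_cpe(all_pkgs, annotations):
    """Installed packages whose port did not set USES=cpe (no 'cpe' tag)."""
    return [p for p in all_pkgs if "cpe" not in annotations.get(p, {})]


def nvd_query_url(cpe):
    """Build the NVD CVE API request for a package's CPE.

    Only part/vendor/product/version are kept: the FreeBSD-specific
    target_sw/target_hw values would not match NVD's CPE names, so the
    remaining seven components are queried as '*'.
    """
    c = split_cpe(cpe)
    name = "cpe:2.3:" + ":".join(
        [c["part"], c["vendor"], c["product"], c["version"]] + ["*"] * 7)
    return NVD_CVE_API + "?cpeName=" + quote(name, safe=":*")


def audit(all_text=ALL_PKGS, ann_text=ANNOTATIONS):
    """Return (packages lacking a CPE, {package: NVD URL} for the rest)."""
    pkgs = parse_pkg_list(all_text)
    ann = parse_annotations(ann_text)
    missing = packages_without_cpe(pkgs, ann)
    urls = {p: nvd_query_url(ann[p]["cpe"]) for p in pkgs if p not in missing}
    return missing, urls


if __name__ == "__main__":
    missing, urls = audit()
    print("%d of %d installed packages carry a CPE annotation"
          % (len(urls), len(urls) + len(missing)))
    for p in missing:
        print("no CPE:", p)
    for p, url in urls.items():
        print(p, "->", url)
```

On a real host the two samples are replaced by the output of the two `pkg query` commands named in the module docstring; the "no CPE" list is what a portlint check would push port maintainers to fix, and the URLs are what a pkg-audit(8) extension of the kind Jan proposes would fetch. Wildcarding everything after the version is a deliberate choice: it over-matches rather than silently missing CVEs whose NVD CPE names carry no FreeBSD target fields.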