new port security/cvechecker
Stefan Esser
se at freebsd.org
Fri Oct 13 10:04:55 UTC 2017
Am 13.10.17 um 09:25 schrieb Torsten Zuehlsdorff:
> Aloha,
>
>>> Why not
>>> teach pkg-audit(8) to query NVD based on CPE annotations in *binary*
>>> packages?
>>> Doing so would also provide a workaround for VuXML entries cancelled
>>> to reduce bloat.
>>
>> I agree, pkg-audit needs to be taught to do that. Along those lines,
>> we could create a port for cvechecker:
>>
>> https://github.com/sjvermeu/cvechecker
>>
>> But both solutions only handle installed packages.
>>
>> We would still need something to alert us to CVEs in non-installed
>> software, I think.
>>
>> Also, I've just looked and it seems only a little over 1000 ports have
>> CPE strings. Adding something to portlint that warned ports developers
>> to add any needed CPE info would be helpful. I think that type of
>> warning has helped us improve LICENSE entries.
>
> One more thought on this topic: a cvececker isn't enough. Looking at
> security updates of piwik, gitlab, phpmailer and many more: most of the
> security issues fixed never got an CVE entry. But of course any of the
> issues could be exploited in one or another way.
>
> But i think cvechecker is a step in the right direction. pkg audit is
> incredible helpful even with its current restrictions!
Well, and now cvechecker is in ports :)
Please let me know about any problems with the port.
Regards, STefan
More information about the freebsd-ports
mailing list