portaudit reports: how to exclude a specific vulnerability

Daniel Pittman daniel at rimspace.net
Mon Oct 31 02:34:44 PST 2005


"Michael C. Shultz" <ringworm01 at gmail.com> writes:
> On Sunday 30 October 2005 22:45, you wrote:
G'day.

[...]

>> I can't work out how to tell portaudit to stop bothering me about 
>> [a single] particular vulnerability, though.
>>
>> Can I ask it to exclude a vulnerability, or (even better) a
>> vulnerability/package combination, from reports?
>
> I think this will do it, put it in /etc/make.conf
>
> .if ${.CURDIR:M*/security/p5-Crypt-OpenPGP}
> DISABLE_VULNERABILITIES="YES"
> .endif

Hrm.  That doesn't exclude it from the command line tool, and a quick
check of the periodic/security file tells me that it won't work in the
periodic runs either.

Unfortunately, portaudit only seems to support the 'portaudit_fixed'
system for marking a problem in the core OS fixed, not for individual
versions.

More searching also shows a comment from the author(s) to the effect
that this would be easy to extend to non-core packages, but that has not
been done yet.

Ah, well.  Either a local patch, or I just cope with the problem, I
guess.
    Daniel


More information about the freebsd-questions mailing list