base vulnerabilities

From: <fatty.merchandise677_at_aceecat.org>
Date: Fri, 27 Jun 2025 22:48:21 UTC
I'm trying to keep track of unfixed known security bugs in all of my
systems, and I'm having a hellish time doing that.

It's bad enough just for all the penguin systems -- even though they
are all ultimately derived from Debian, they are subtly different with
their own bugtracking sites, their own patch level package versions,
etc. I.e.

- debian proper
- devuan
- raspberrypi
- pop-os via ubuntu 

Yes, in fact I have all of these 8-O

But now throw FreeBSD into the mix. It's still doable with the bugs in
packages: when a fresh CVE is announced, even if it comes via a
different channel, like the oss-security mailing list, because there's
an associated package name, comparing the announced vulnerable version
range with the package version suffices to determine the status.

But what about base? First of all, I'm still not familiar enough with
daemonic realms to immediately know if base imports code from a
vulnerable upstream package.  Without further help, it seems the only
way would be grepping /usr/src. I think VuXML is *intended* to be that
help, but on the occasion which prompted me to write this, it has no
mention of the CVEs in question, even though I now know the package is
in fact included in base, and seems to be a vulnerable version in all
released base versions:

- https://www.cve.org/CVERecord?id=CVE-2025-1632
- https://www.cve.org/CVERecord?id=CVE-2024-57970

So my questions are:

- does anyone even try to do this?
- how?

-- 
Ian
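The package-side workflow the post describes (a CVE arrives, look it up in VuXML, compare the installed version against the announced range) can be scripted. The following is an added example, not code from the post or from FreeBSD's own tooling: it parses a VuXML-layout feed and reports a CVE's status against a table of installed package versions. The feed below is constructed for this example; the two CVE ids are the ones quoted in the post, but the package name `examplepkg`, the version range, the vid and the dates are all made up. The version ordering is a simplified model of pkg's `X.Y.Z_portrevision,epoch` scheme, assumed here rather than taken from the pkg source.

```python
"""Check installed package versions against a VuXML-style vulnerability feed (example, not FreeBSD code)."""
import re
import xml.etree.ElementTree as ET

NS = {"v": "http://www.vuxml.org/apps/vuxml-1"}

# Constructed sample in VuXML layout. The package name, version range, vid and
# dates are invented for this example; only the CVE ids come from the post.
SAMPLE_VUXML = """<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="00000000-0000-0000-0000-000000000001">
    <topic>examplepkg -- multiple vulnerabilities (constructed entry)</topic>
    <affects>
      <package>
        <name>examplepkg</name>
        <range><ge>3.0.0</ge><lt>3.7.9</lt></range>
      </package>
    </affects>
    <references>
      <cvename>CVE-2025-1632</cvename>
      <cvename>CVE-2024-57970</cvename>
    </references>
    <dates><discovery>2025-01-01</discovery><entry>2025-06-27</entry></dates>
  </vuln>
</vuxml>
"""

_TOKEN = re.compile(r"\d+|[A-Za-z]+")


def parse_version(v: str):
    """Turn 'X.Y.Z_rev,epoch' into a tuple that sorts like pkg versions (simplified model).

    Epoch dominates, then the dotted components, then the port revision. Numeric
    tokens sort before alphabetic ones and compare as integers, so 3.7.9 < 3.7.10.
    """
    epoch = 0
    if "," in v:
        v, e = v.rsplit(",", 1)
        epoch = int(e)
    rev = 0
    if "_" in v:
        v, r = v.rsplit("_", 1)
        rev = int(r)
    parts = []
    for comp in v.split("."):
        for tok in _TOKEN.findall(comp):
            parts.append((0, int(tok), "") if tok.isdigit() else (1, 0, tok.lower()))
    return (epoch, parts, rev)


# VuXML range operators: every child of <range> must hold for the version to match.
OPS = {
    "lt": lambda a, b: a < b,
    "le": lambda a, b: a <= b,
    "gt": lambda a, b: a > b,
    "ge": lambda a, b: a >= b,
    "eq": lambda a, b: a == b,
}


def in_range(version: str, range_el) -> bool:
    pv = parse_version(version)
    return all(
        OPS[child.tag.rsplit("}", 1)[-1]](pv, parse_version(child.text.strip()))
        for child in range_el
    )


def cve_status(vuxml_text: str, cve: str, installed: dict) -> str:
    """Return 'vulnerable', 'not affected' or 'not in vuxml' for one CVE.

    'not in vuxml' is not evidence of safety: as the post notes, code vendored
    into the base system has no package name and may never get a VuXML entry.
    """
    root = ET.fromstring(vuxml_text)
    mentioned = False
    for vuln in root.findall("v:vuln", NS):
        cves = {c.text.strip() for c in vuln.findall("v:references/v:cvename", NS)}
        if cve not in cves:
            continue
        mentioned = True
        for pkg in vuln.findall("v:affects/v:package", NS):
            ranges = pkg.findall("v:range", NS)
            for name_el in pkg.findall("v:name", NS):
                name = name_el.text.strip()
                if name in installed and any(in_range(installed[name], r) for r in ranges):
                    return "vulnerable"
    return "not affected" if mentioned else "not in vuxml"


def find_vulns(vuxml_text: str, installed: dict):
    """List (cve, package, version, vid) for every installed package inside a vulnerable range."""
    root = ET.fromstring(vuxml_text)
    hits = []
    for vuln in root.findall("v:vuln", NS):
        vid = vuln.get("vid")
        cves = [c.text.strip() for c in vuln.findall("v:references/v:cvename", NS)]
        for pkg in vuln.findall("v:affects/v:package", NS):
            ranges = pkg.findall("v:range", NS)
            for name_el in pkg.findall("v:name", NS):
                name = name_el.text.strip()
                if name in installed and any(in_range(installed[name], r) for r in ranges):
                    hits.extend((cve, name, installed[name], vid) for cve in cves)
    return hits


if __name__ == "__main__":
    # Constructed inventory; on a real host this would come from `pkg query "%n %v"`.
    installed = {"examplepkg": "3.7.8_1", "othertool": "1.0"}
    for cve in ("CVE-2025-1632", "CVE-2024-57970", "CVE-0000-0000"):
        print(cve, cve_status(SAMPLE_VUXML, cve, installed))
```

The script only answers the question for software that has a package name; the base-system half of the post's problem (is a vulnerable upstream vendored into /usr/src?) is exactly what a package-keyed feed cannot tell you, which is why `cve_status` distinguishes "not in vuxml" from "not affected" instead of folding them together.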