Re: 45 vulnerable ports unreported in VuXML
- Reply: Hubert Tournier : "Re: 45 vulnerable ports unreported in VuXML"
- In reply to: Hubert Tournier : "45 vulnerable ports unreported in VuXML"
Date: Tue, 04 Apr 2023 09:58:42 UTC
On Sun, Mar 26, 2023 at 12:16:53PM +0200, Hubert Tournier wrote:
> Hello,
>
> While working on pipinfo <https://github.com/HubTou/pipinfo>, an
> alternative Python package management tool, I noticed that some Python
> packages installed as FreeBSD ports were marked as vulnerable by the Python
> Packaging Authority
> <https://warehouse.pypa.io/api-reference/json.html#known-vulnerabilities>
> but not in the FreeBSD VuXML <https://www.vuxml.org/freebsd/index.html> ports
> security database.
>
> So I made a pysec2vuxml <https://github.com/HubTou/pysec2vuxml> tool to
> check the 4,000+ FreeBSD ports for Python packages and found 45 of them
> vulnerable and unreported
> <https://github.com/HubTou/pysec2vuxml/blob/main/results.txt>.
>
> I started producing new VuXML entries
> <https://github.com/HubTou/pysec2vuxml/blob/main/vuxml_newentries.txt> for
> these vulnerable ports. *Please tell me if it's worth pursuing this effort?*
>
> In order to verify if these vulnerable ports were also marked as
> vulnerable in FreeBSD VuXML, I made a Python VuXML handling library and got
> carried away writing a whole utility, vuxml
> <https://github.com/HubTou/vuxml>, to demonstrate its use. This could be of
> general interest to some of you?
>
> Best regards,
>
> PS: this approach could be extended to Rust crates, Ruby gems and so on
> with the vulnerabilities described in the OSV <https://osv.dev/>...

+1 ^^^ really good idea

Probably best to ask in freebsd-hackers@ as devs are likely to read this there

--
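The cross-check the quoted message describes, written out as an added example that is not part of this thread and not code from pysec2vuxml or vuxml: take the `vulnerabilities` list that the PyPI JSON API returns for one project version, take a VuXML document, and list the PyPI advisory identifiers that no VuXML entry naming that port (with a version range covering the installed version) references through a `<cvename>` or an osv.dev `<url>`. Both inputs below are constructed samples: the project, the `py39-`/`py311-` port names, the `vid` and the `PYSEC-0000-EXAMPLE*` / `CVE-0000-EXAMPLE*` identifiers are placeholders, not real advisories. Version comparison is a simplified dotted-numeric compare, an assumption made here, not FreeBSD's full pkg version rules.

```python
import json
import re
import xml.etree.ElementTree as ET

VUXML_NS = "{http://www.vuxml.org/apps/vuxml-1}"

# Constructed stand-in for https://pypi.org/pypi/<project>/<version>/json,
# reduced to the fields used here. Project and advisory ids are placeholders.
PYPI_JSON = json.dumps({
    "info": {"name": "examplepkg", "version": "1.1.0"},
    "vulnerabilities": [
        {"id": "PYSEC-0000-EXAMPLE1", "aliases": ["CVE-0000-EXAMPLE1"],
         "fixed_in": ["1.2.0"], "source": "osv", "withdrawn": None,
         "link": "https://osv.dev/vulnerability/PYSEC-0000-EXAMPLE1"},
        {"id": "PYSEC-0000-EXAMPLE2", "aliases": ["CVE-0000-EXAMPLE2"],
         "fixed_in": ["1.1.5"], "source": "osv", "withdrawn": None,
         "link": "https://osv.dev/vulnerability/PYSEC-0000-EXAMPLE2"},
    ],
})

# Constructed VuXML document with one entry; vid and port names are placeholders.
VUXML = """<?xml version="1.0" encoding="utf-8"?>
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="00000000-0000-0000-0000-000000000001">
    <topic>py-examplepkg -- placeholder issue</topic>
    <affects>
      <package>
        <name>py39-examplepkg</name>
        <name>py311-examplepkg</name>
        <range><lt>1.2.0</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml"><p>Placeholder text.</p></body>
    </description>
    <references>
      <cvename>CVE-0000-EXAMPLE1</cvename>
      <url>https://osv.dev/vulnerability/PYSEC-0000-EXAMPLE1</url>
    </references>
    <dates><discovery>2023-01-01</discovery><entry>2023-01-02</entry></dates>
  </vuln>
</vuxml>
"""

def _vkey(version):
    """Simplified ordering key: numeric components only (assumption; not pkg(8) rules)."""
    return tuple(int(p) for p in re.findall(r"\d+", version))

# VuXML <range> bound elements and the comparison each one expresses.
OPS = {"lt": lambda a, b: a < b, "le": lambda a, b: a <= b,
       "gt": lambda a, b: a > b, "ge": lambda a, b: a >= b,
       "eq": lambda a, b: a == b}

def range_covers(rng, version):
    """True when every bound inside one <range> holds for `version`."""
    vk = _vkey(version)
    return all(OPS[b.tag.replace(VUXML_NS, "")](vk, _vkey(b.text.strip())) for b in rng)

def vuxml_entries_for(vuxml_text, port, version):
    """Yield (vid, set of reference strings) for each entry covering port/version."""
    root = ET.fromstring(vuxml_text)
    for vuln in root.iter(VUXML_NS + "vuln"):
        hit = False
        for pkg in vuln.iter(VUXML_NS + "package"):
            names = {n.text.strip() for n in pkg.findall(VUXML_NS + "name")}
            if port in names and any(range_covers(r, version)
                                     for r in pkg.findall(VUXML_NS + "range")):
                hit = True
        if hit:
            refs_el = vuln.find(VUXML_NS + "references")
            refs = {r.text.strip() for r in (refs_el if refs_el is not None else [])}
            yield vuln.get("vid"), refs

def unreported_vulns(pypi_json_text, vuxml_text, port, version):
    """PyPI advisory ids for this version that no covering VuXML entry references."""
    data = json.loads(pypi_json_text)
    covered = set()
    for _vid, refs in vuxml_entries_for(vuxml_text, port, version):
        covered |= refs
    missing = []
    for v in data.get("vulnerabilities", []):
        if v.get("withdrawn"):          # withdrawn advisories are not findings
            continue
        idents = {v["id"], *v.get("aliases", [])}
        # Match a <cvename> exactly, or an osv.dev style <url> ending in the id.
        if not any(i == r or r.endswith("/" + i) for i in idents for r in covered):
            missing.append(v["id"])
    return missing

if __name__ == "__main__":
    print(unreported_vulns(PYPI_JSON, VUXML, "py39-examplepkg", "1.1.0"))
```

Running the sample reports only the second placeholder advisory: the first is covered by the VuXML entry's `<cvename>` and the `<lt>1.2.0</lt>` range. Asking about version 1.2.0 instead reports both, because the range no longer covers it, which is the kind of case that needs a human look before a new entry is filed: the cross-check only sees identifiers that an entry cites, so an existing entry that describes the same issue without a CVE name or osv.dev link shows up as a false positive.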