Re: 45 vulnerable ports unreported in VuXML

From: void <void_at_f-m.fm>
Date: Tue, 04 Apr 2023 09:58:42 UTC
On Sun, Mar 26, 2023 at 12:16:53PM +0200, Hubert Tournier wrote:
>Hello,
>
>While working on pipinfo <https://github.com/HubTou/pipinfo>, an
>alternative Python packages management tool, I noticed that some Python
>packages installed as FreeBSD ports where marked as vulnerable by the Python
>Packaging Authority
><https://warehouse.pypa.io/api-reference/json.html#known-vulnerabilities>
>but not in FreeBSD VuXML <https://www.vuxml.org/freebsd/index.html> ports
>security database.
>
>So I made a pysec2vuxml <https://github.com/HubTou/pysec2vuxml> tool to
>check the 4.000+ FreeBSD ports for Python packages and found 45 of them
>vulnerable and unreported
><https://github.com/HubTou/pysec2vuxml/blob/main/results.txt>.
>
>I started producing new VuXML entries
><https://github.com/HubTou/pysec2vuxml/blob/main/vuxml_newentries.txt> for
>these vulnerable ports. *Please tell me if it's worth pursuing this effort?*
>
>In order to verify if these vulnerable ports where also marked as
>vulnerable in FreeBSD VuXML, I made a Python VuXML handling library and got
>carried away writing a whole utility, vuxml
><https://github.com/HubTou/vuxml>, to demonstrate its use. This could be of
>general interest to some of you?
>
>Best regards,
>
>PS: this approach could be extended to Rust crates, Ruby gems and so on
>with the vulnerabilities described in the OSV <https://osv.dev/>...

+1 ^^^ really good idea

Probably best to ask in freebsd-hackers@ as devs are likely to 
read this there
--