Re: 45 vulnerable ports unreported in VuXML

From: Hubert Tournier <hubert.tournier_at_gmail.com>
Date: Tue, 04 Apr 2023 10:31:25 UTC
I’m OK to do the OSV tool.

Best regards,

On Tue, 4 Apr 2023 at 11:58, void <void@f-m.fm> wrote:

> On Sun, Mar 26, 2023 at 12:16:53PM +0200, Hubert Tournier wrote:
> >Hello,
> >
> >While working on pipinfo <https://github.com/HubTou/pipinfo>, an
> >alternative Python packages management tool, I noticed that some Python
> >packages installed as FreeBSD ports were marked as vulnerable by the Python
> >Packaging Authority
> ><https://warehouse.pypa.io/api-reference/json.html#known-vulnerabilities>
> >but not in FreeBSD VuXML <https://www.vuxml.org/freebsd/index.html> ports
> >security database.
> >
> >So I made a pysec2vuxml <https://github.com/HubTou/pysec2vuxml> tool to
> >check the 4.000+ FreeBSD ports for Python packages and found 45 of them
> >vulnerable and unreported
> ><https://github.com/HubTou/pysec2vuxml/blob/main/results.txt>.
> >
> >I started producing new VuXML entries
> ><https://github.com/HubTou/pysec2vuxml/blob/main/vuxml_newentries.txt> for
> >these vulnerable ports. *Please tell me if it's worth pursuing this effort?*
> >
> >In order to verify if these vulnerable ports were also marked as
> >vulnerable in FreeBSD VuXML, I made a Python VuXML handling library and got
> >carried away writing a whole utility, vuxml
> ><https://github.com/HubTou/vuxml>, to demonstrate its use. This could be of
> >general interest to some of you?
> >
> >Best regards,
> >
> >PS: this approach could be extended to Rust crates, Ruby gems and so on
> >with the vulnerabilities described in the OSV <https://osv.dev/>...
>
> +1 ^^^ really good idea
>
> Probably best to ask in freebsd-hackers@ as devs are likely to
> read this there
> --
>
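As an added illustration of the cross-check the quoted message describes (example code written for this page, not pysec2vuxml's own), the following compares the advisory list that PyPI's JSON API returns for one package version against the `<affects>` ranges VuXML records for the corresponding port. The package name, versions, CVE ids and vid are constructed placeholders, and version parsing is simplified to numeric dotted versions.

```python
import xml.etree.ElementTree as ET

NS = {"v": "http://www.vuxml.org/apps/vuxml-1"}

# Constructed sample of the "vulnerabilities" list that PyPI's JSON API
# (/pypi/<name>/<version>/json) returns for a hypothetical examplepkg 1.2.0.
PYPI_VULNS = [
    {"id": "PYSEC-0000-00001", "aliases": ["CVE-0000-00001"], "fixed_in": ["1.3.0"]},
    {"id": "PYSEC-0000-00002", "aliases": ["CVE-0000-00002"], "fixed_in": ["1.2.5"]},
]

# Constructed VuXML fragment: only the first CVE is recorded for the port.
VUXML_DOC = """<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="00000000-0000-0000-0000-000000000001">
    <topic>examplepkg -- hypothetical issue</topic>
    <affects><package><name>py39-examplepkg</name>
      <range><lt>1.3.0</lt></range></package></affects>
    <references><cvename>CVE-0000-00001</cvename></references>
  </vuln>
</vuxml>"""

def parse_version(text):
    """Numeric dotted versions only; a real tool should use packaging.version."""
    return tuple(int(p) for p in text.split("."))

def range_matches(rng, ver):
    """True if ver satisfies every bound (lt/le/gt/ge/eq) inside a VuXML <range>."""
    ops = {"lt": ver.__lt__, "le": ver.__le__, "gt": ver.__gt__,
           "ge": ver.__ge__, "eq": ver.__eq__}
    return all(ops[b.tag.split("}")[1]](parse_version(b.text)) for b in rng)

def vuxml_cves_for(doc, port, version):
    """CVE names that VuXML records as affecting `port` at `version`."""
    ver, cves = parse_version(version), set()
    for vuln in ET.fromstring(doc).findall("v:vuln", NS):
        for pkg in vuln.findall("v:affects/v:package", NS):
            if pkg.findtext("v:name", namespaces=NS) != port:
                continue
            if any(range_matches(r, ver) for r in pkg.findall("v:range", NS)):
                cves.update(c.text for c in vuln.findall("v:references/v:cvename", NS))
    return cves

def unreported(pypi_vulns, vuxml_doc, port, version):
    """PyPI advisory ids whose CVE aliases VuXML does not list for this port/version."""
    known = vuxml_cves_for(vuxml_doc, port, version)
    return [v["id"] for v in pypi_vulns if not set(v["aliases"]) & known]

if __name__ == "__main__":
    print(unreported(PYPI_VULNS, VUXML_DOC, "py39-examplepkg", "1.2.0"))
```

Matching on CVE aliases rather than PYSEC ids matters because VuXML references CVE names; an advisory without a CVE alias would need manual review.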