Re: 45 vulnerable ports unreported in VuXML
- Reply: Hubert Tournier : "Re: 45 vulnerable ports unreported in VuXML"
- In reply to: void : "Re: 45 vulnerable ports unreported in VuXML"
Date: Tue, 04 Apr 2023 10:31:25 UTC
I’m OK to do the OSV tool.

Best regards,

On Tue, 4 Apr 2023 at 11:58, void <void@f-m.fm> wrote:

> On Sun, Mar 26, 2023 at 12:16:53PM +0200, Hubert Tournier wrote:
> >Hello,
> >
> >While working on pipinfo <https://github.com/HubTou/pipinfo>, an
> >alternative Python packages management tool, I noticed that some Python
> >packages installed as FreeBSD ports were marked as vulnerable by the Python
> >Packaging Authority
> ><https://warehouse.pypa.io/api-reference/json.html#known-vulnerabilities>
> >but not in FreeBSD VuXML <https://www.vuxml.org/freebsd/index.html> ports
> >security database.
> >
> >So I made a pysec2vuxml <https://github.com/HubTou/pysec2vuxml> tool to
> >check the 4.000+ FreeBSD ports for Python packages and found 45 of them
> >vulnerable and unreported
> ><https://github.com/HubTou/pysec2vuxml/blob/main/results.txt>.
> >
> >I started producing new VuXML entries
> ><https://github.com/HubTou/pysec2vuxml/blob/main/vuxml_newentries.txt> for
> >these vulnerable ports. *Please tell me if it's worth pursuing this effort?*
> >
> >In order to verify if these vulnerable ports were also marked as
> >vulnerable in FreeBSD VuXML, I made a Python VuXML handling library and got
> >carried away writing a whole utility, vuxml
> ><https://github.com/HubTou/vuxml>, to demonstrate its use. This could be of
> >general interest to some of you?
> >
> >Best regards,
> >
> >PS: this approach could be extended to Rust crates, Ruby gems and so on
> >with the vulnerabilities described in the OSV <https://osv.dev/>...
>
> +1 ^^^ really good idea
>
> Probably best to ask in freebsd-hackers@ as devs are likely to
> read this there
> --
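The cross-check described in the quoted message (PyPI's per-version advisory list versus what VuXML already cites, then drafting a VuXML entry for whatever is missing) can be illustrated in a few dozen lines. The block below is an added example written for this archive page; it is not code from pysec2vuxml, vuxml or the FreeBSD ports tree. It assumes the `vulnerabilities` field names documented for the Warehouse JSON API (`id`, `aliases`, `summary`, `details`, `fixed_in`, `withdrawn`, `link`, `source`), a VuXML layout of `<vuln>`/`<topic>`/`<affects>`/`<references>`/`<dates>` elements, and uses constructed sample data throughout (package name, identifiers, dates and vid are all made up). The reporting rule generalises slightly beyond the message: an advisory counts as "already in VuXML" if its own id or any alias is cited, and withdrawn advisories are ignored.

```python
"""Added example: find PyPI advisories for one port that VuXML does not cite,
and draft a VuXML <vuln> element for each.  All sample data is constructed."""
import json
import xml.etree.ElementTree as ET

# Constructed stand-in for GET https://pypi.org/pypi/<name>/<version>/json
# (field names follow the Warehouse JSON API docs; every value is invented).
SAMPLE_PYPI_JSON = json.loads("""{
  "info": {"name": "examplepkg", "version": "1.2.0"},
  "vulnerabilities": [
    {"id": "PYSEC-0000-0001", "aliases": ["CVE-0000-00001"],
     "summary": "constructed: unsafe archive extraction", "details": "constructed",
     "fixed_in": ["1.2.1"], "withdrawn": null,
     "link": "https://example.invalid/adv/1", "source": "osv"},
    {"id": "PYSEC-0000-0002", "aliases": ["CVE-0000-00002", "GHSA-0000-0000-0000"],
     "summary": "constructed: already covered by VuXML", "details": "constructed",
     "fixed_in": ["1.1.0"], "withdrawn": null,
     "link": "https://example.invalid/adv/2", "source": "osv"},
    {"id": "PYSEC-0000-0003", "aliases": ["CVE-0000-00003"],
     "summary": "constructed: withdrawn advisory", "details": "constructed",
     "fixed_in": [], "withdrawn": "2023-01-01T00:00:00Z",
     "link": "https://example.invalid/adv/3", "source": "osv"}
  ]
}""")

# Constructed VuXML fragment with one existing entry that cites CVE-0000-00002.
SAMPLE_VUXML = """<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="00000000-0000-0000-0000-000000000002">
    <topic>py39-examplepkg -- constructed issue</topic>
    <affects><package><name>py39-examplepkg</name><range><lt>1.1.0</lt></range></package></affects>
    <description><body xmlns="http://www.w3.org/1999/xhtml"><p>constructed</p></body></description>
    <references><cvename>CVE-0000-00002</cvename></references>
    <dates><discovery>2023-01-01</discovery><entry>2023-01-02</entry></dates>
  </vuln>
</vuxml>"""


def _local(tag):
    """Strip the XML namespace prefix from an element tag."""
    return tag.rsplit("}", 1)[-1]


def vuxml_reference_ids(vuxml_text):
    """Collect every CVE name that the VuXML document already cites."""
    root = ET.fromstring(vuxml_text)
    return {el.text.strip() for el in root.iter()
            if _local(el.tag) == "cvename" and el.text}


def unreported(pypi_json, known_ids):
    """Return the advisories for this package version that VuXML does not cite.
    Withdrawn advisories are skipped; an advisory is 'reported' when its id or
    any alias (CVE, GHSA, ...) is already present in known_ids."""
    found = []
    for vuln in pypi_json.get("vulnerabilities", []):
        if vuln.get("withdrawn"):
            continue
        names = {vuln["id"], *vuln.get("aliases", [])}
        if names.isdisjoint(known_ids):
            found.append(vuln)
    return found


def vuxml_entry(port_name, vuln, vid, discovery, entry):
    """Draft a VuXML <vuln> element for one unreported advisory.  The affected
    range uses the first listed fixed_in version; with none it is left open."""
    v = ET.Element("vuln", vid=vid)
    ET.SubElement(v, "topic").text = f"{port_name} -- {vuln['summary']}"
    pkg = ET.SubElement(ET.SubElement(v, "affects"), "package")
    ET.SubElement(pkg, "name").text = port_name
    rng = ET.SubElement(pkg, "range")
    if vuln.get("fixed_in"):
        ET.SubElement(rng, "lt").text = vuln["fixed_in"][0]
    else:
        ET.SubElement(rng, "ge").text = "0"
    body = ET.SubElement(ET.SubElement(v, "description"), "body",
                         xmlns="http://www.w3.org/1999/xhtml")
    ET.SubElement(body, "p").text = vuln.get("details") or vuln["summary"]
    refs = ET.SubElement(v, "references")
    for alias in vuln.get("aliases", []):
        if alias.startswith("CVE-"):
            ET.SubElement(refs, "cvename").text = alias
    ET.SubElement(refs, "url").text = vuln["link"]
    dates = ET.SubElement(v, "dates")
    ET.SubElement(dates, "discovery").text = discovery
    ET.SubElement(dates, "entry").text = entry
    return ET.tostring(v, encoding="unicode")


if __name__ == "__main__":
    known = vuxml_reference_ids(SAMPLE_VUXML)
    for vuln in unreported(SAMPLE_PYPI_JSON, known):
        # vid and dates are placeholders; a real entry gets a fresh UUID.
        print(vuxml_entry("py39-examplepkg", vuln,
                          "00000000-0000-0000-0000-000000000001",
                          "2023-01-01", "2023-04-04"))
```

Only the first constructed advisory comes out as unreported: the second is matched through its CVE alias and the third is withdrawn. The same intersection-on-aliases logic carries over to the OSV idea in the postscript, since OSV records also carry `id`, `aliases` and `withdrawn` fields; only the fetch step and the affected-version handling differ per ecosystem.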