Re: 45 vulnerable ports unreported in VuXML

From: Hubert Tournier <hubert.tournier_at_gmail.com>
Date: Sun, 23 Apr 2023 16:53:57 UTC
Hello,

Here's a little progress report on the osv2vuxml tool development.
I'm now up to the point where I can identify vulnerable (current version)
FreeBSD ports from all the OSV "ecosystems".
But I still have to check which are not yet reported in VuXML and generate
an entry skeleton for them, like I did with pysec2vuxml.
I think I'll be able to publish something in a couple of weeks...

Note that identifying a vulnerable port implies either finding a matching
name (not always reliable with port prefixes / flavours / versions in port
suffixes) or a matching source web site (better IMO, but there are 2576
ports out of 33565 that don't have that information).
I may find more vulnerable ports in the future by delving deeper into the
data, especially if I can find matches with software packaged for Linux,
Debian, Alpine and Android ecosystems...
Also, the naming of FreeBSD ports for Go gems, Rust crates and others seems to be
less consistent than for Python, Ruby and PHP packages.

So here's what's reported so far:

Ecosystem       Language    Vulnerabilities  Affected ports  Vulns for affected ports
---------------------------------------------------------------------------------------
Go              Go                     1360               6                        24
Hex             Erlang                   21               0                         0
Maven           Java                   3462               8                         8
NuGet           .Net                    267               3                         3
Packagist       PHP                    1484               0                         0
Pub             Dart                      5               0                         0
PyPI            Python                 3955              61                       166
RubyGems        Ruby                    669              45                       118
crates.io       Rust                   1133              14                        33
npm             JavaScript             2962              57                        83
---------------------------------------------------------------------------------------
GSD             -                         7               0                         0
GitHub Actions  -                         8               0                         0
OSS-Fuzz        -                      2870              21                        85
UVI             -                         1               0                         0
---------------------------------------------------------------------------------------
215 affected ports in their current version, accounting for 520
vulnerabilities

And here's a preliminary detailed list of vulnerable ports with their
associated vulnerability IDs (there might be a few false positives inside!).
Hopefully, it includes many vulnerabilities already reported in VuXML (at
least many of those listed for Python have already been reported with
pysec2vuxml):


Best regards,

On Tue, 4 Apr 2023 at 12:31, Hubert Tournier <hubert.tournier@gmail.com>
wrote:

> I’m OK to do the OSV tool.
>
> Best regards,
>
> On Tue, 4 Apr 2023 at 11:58, void <void@f-m.fm> wrote:
>
>> On Sun, Mar 26, 2023 at 12:16:53PM +0200, Hubert Tournier wrote:
>> >Hello,
>> >
>> >While working on pipinfo <https://github.com/HubTou/pipinfo>, an
>> >alternative Python packages management tool, I noticed that some Python
>> >packages installed as FreeBSD ports were marked as vulnerable by the
>> >Python Packaging Authority
>> ><https://warehouse.pypa.io/api-reference/json.html#known-vulnerabilities>
>> >but not in FreeBSD VuXML <https://www.vuxml.org/freebsd/index.html>
>> >ports security database.
>> >
>> >So I made a pysec2vuxml <https://github.com/HubTou/pysec2vuxml> tool to
>> >check the 4.000+ FreeBSD ports for Python packages and found 45 of them
>> >vulnerable and unreported
>> ><https://github.com/HubTou/pysec2vuxml/blob/main/results.txt>.
>> >
>> >I started producing new VuXML entries
>> ><https://github.com/HubTou/pysec2vuxml/blob/main/vuxml_newentries.txt>
>> >for these vulnerable ports. *Please tell me if it's worth pursuing this
>> >effort?*
>> >
>> >In order to verify if these vulnerable ports were also marked as
>> >vulnerable in FreeBSD VuXML, I made a Python VuXML handling library and
>> >got carried away writing a whole utility, vuxml
>> ><https://github.com/HubTou/vuxml>, to demonstrate its use. This could
>> >be of general interest to some of you?
>> >
>> >Best regards,
>> >
>> >PS: this approach could be extended to Rust crates, Ruby gems and so on
>> >with the vulnerabilities described in the OSV <https://osv.dev/>...
>>
>> +1 ^^^ really good idea
>>
>> Probably best to ask in freebsd-hackers@ as devs are likely to
>> read this there
>> --
>>
>
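The port-name matching Hubert describes in his progress report (flavour prefixes such as py39-, version-pinned port names such as sqlalchemy10, and the _PORTREVISION / ,PORTEPOCH suffixes) as an added Python example; this is not code from osv2vuxml, pysec2vuxml or any other project in the thread. The prefix-to-ecosystem table and the EXAMPLE-* advisories are constructed assumptions, and the version comparison is a crude numeric one rather than a full PEP 440 or RubyGems comparison.

```python
# Added example, not code from osv2vuxml or any other HubTou tool: split a FreeBSD
# package name into ecosystem hint, candidate upstream names and version, then
# match it against constructed OSV-style advisories.
import re
PKG_RE = re.compile(r"^(.+)-([^-]+?)(?:_\d+)?(?:,\d+)?$")  # name-ver[_PORTREVISION][,PORTEPOCH]
# Assumed prefix -> OSV ecosystem table; only the two ecosystems the thread discusses.
PREFIXES = [(re.compile(r"^py\d{2,3}-"), "PyPI"), (re.compile(r"^rubygem-"), "RubyGems")]

def parse_pkg(pkgname):
    """Return (ecosystem or None, candidate upstream names, upstream version)."""
    m = PKG_RE.match(pkgname.lower())
    if not m:
        raise ValueError("not a FreeBSD package name: " + pkgname)
    name, ver, eco = m.group(1), m.group(2), None
    for rx, e in PREFIXES:
        if rx.match(name):
            name, eco = rx.sub("", name), e
            break
    # sqlalchemy10 / setuptools58 pin a major version in the port name, so the bare
    # name is a candidate too; json5 or redis2 may be real names, so it comes second.
    bare = re.sub(r"\d+$", "", name)
    return eco, [name] + ([bare] if bare and bare != name else []), ver

def vkey(v):  # crude numeric version key; trailing zeros dropped so 1.3 == 1.3.0
    parts = [int(p) for p in re.findall(r"\d+", v)]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def in_range(events, ver):  # OSV ECOSYSTEM range: introduced <= ver < fixed, or open-ended
    lo = None
    for ev in events:
        if "introduced" in ev:
            lo = ev["introduced"]
        elif "fixed" in ev and lo is not None:
            if vkey(lo) <= vkey(ver) < vkey(ev["fixed"]):
                return True
            lo = None
    return lo is not None and vkey(lo) <= vkey(ver)

def find_vulns(pkgname, advisories):
    """Return sorted (advisory id, upstream name that matched) pairs."""
    eco, cands, ver = parse_pkg(pkgname)
    hits = set()
    for adv in advisories:
        for a in adv["affected"]:
            pkg = a["package"]
            if pkg["ecosystem"] != eco or pkg["name"].lower() not in cands:
                continue
            if any(r["type"] == "ECOSYSTEM" and in_range(r["events"], ver)
                   for r in a.get("ranges", [])):
                hits.add((adv["id"], pkg["name"].lower()))
    return sorted(hits)

SAMPLE_OSV = [  # constructed advisories in OSV shape; EXAMPLE-* ids are placeholders
    {"id": "EXAMPLE-0001", "affected": [{"package": {"ecosystem": "PyPI", "name": "SQLAlchemy"},
     "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "0"}, {"fixed": "1.3.0"}]}]}]},
    {"id": "EXAMPLE-0002", "affected": [{"package": {"ecosystem": "RubyGems", "name": "rails"},
     "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "5.0.0"}, {"fixed": "5.0.7.2"},
                {"introduced": "6.0.0"}]}]}]}]
```

The second element of each hit tells you whether the match came from the exact port name or from the digit-stripped fallback, which is the case to double-check by hand before writing a VuXML entry.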