Re: 45 vulnerable ports unreported in VuXML
- In reply to: Hubert Tournier : "Re: 45 vulnerable ports unreported in VuXML"
Date: Sun, 23 Apr 2023 16:53:57 UTC
Hello,

Here's a little progress report on the osv2vuxml tool development.

I'm now up to the point where I can identify vulnerable (current version) FreeBSD ports from all the OSV "ecosystems". But I still have to check which are not yet reported in VuXML and generate an entry skeleton for them, like I did with pysec2vuxml. I think I'll be able to publish something in a couple of weeks...

Note that identifying a vulnerable port implies either finding a matching name (not always reliable with port prefixes / flavours / versions in port suffixes) or a matching source web site (better IMO, but there are 2576 ports out of 33565 that don't have that information). I may find more vulnerable ports in the future by delving deeper into the data, especially if I can find matches with software packaged for Linux, Debian, Alpine and Android ecosystems... Also the naming of FreeBSD ports for Go gems, Rust crates and others seems to be less consistent than for Python, Ruby and PHP packages.

So here's what's reported so far:

Ecosystem        Language     Vulnerabilities   Affected ports   Vulns for affected ports
------------------------------------------------------------------------------------------
Go               Go                      1360                6                         24
Hex              Erlang                    21                0                          0
Maven            Java                    3462                8                          8
NuGet            .Net                     267                3                          3
Packagist        PHP                     1484                0                          0
Pub              Dart                       5                0                          0
PyPI             Python                  3955               61                        166
RubyGems         Ruby                     669               45                        118
crates.io        Rust                    1133               14                         33
npm              JavaScript              2962               57                         83
------------------------------------------------------------------------------------------
GSD              -                          7                0                          0
GitHub Actions   -                          8                0                          0
OSS-Fuzz         -                       2870               21                         85
UVI              -                          1                0                          0
------------------------------------------------------------------------------------------
215 affected ports in their current version, counting for 520 vulnerabilities

And here's a preliminary detailed list of vulnerable ports with associated vulnerability IDs (there might be a few false positives inside!). Hopefully, it includes many already reported vulnerabilities in VuXML (at least many of those listed for Python have already been reported with pysec2vuxml):

2bsd-diff-2.11.1_1: ['GHSA-h6ch-v84p-w6p9']
R-cran-ini-0.3.1: ['GHSA-qqgx-2p2h-9c37']
R-cran-mime-0.12: ['GHSA-wrvr-8mpx-r7pp']
R-cran-rio-0.5.29: ['GHSA-8rc5-mr4f-m243']
R-cran-xopen-1.0.0: ['GHSA-74wf-cwjg-9cf2']
b2-1.3.8_1: ['GHSA-8wr4-2wm6-w3pr', 'PYSEC-2022-32']
bcrypt-1.1: ['GHSA-5wg4-74h6-q47v']
blitz-1.0.2_4: ['GHSA-5888-ffcr-r425']
capstone4-4.0.2: ['OSV-2020-438']
comrak-0.15.0_3: ['GHSA-5r3x-p7xx-x6q5', 'GHSA-8hqf-xjwp-p67v', 'GHSA-xxmq-4vph-956w']
containers-0.9.0_2: ['GHSA-cv7x-6rc6-pq5v', 'RUSTSEC-2021-0010']
coreos-etcd-2.3.8_18: ['GHSA-4993-m7g5-r9hh', 'GHSA-528j-9r78-wffx', 'GHSA-9gp7-6833-wv89', 'GHSA-h8g9-6gvh-5mrc', 'GHSA-m332-53r6-2w93', 'GHSA-p4g4-wgrh-qrg2']
coreos-etcd31-3.1.20_17: ['GHSA-4993-m7g5-r9hh', 'GHSA-528j-9r78-wffx', 'GHSA-9gp7-6833-wv89', 'GHSA-h8g9-6gvh-5mrc', 'GHSA-m332-53r6-2w93', 'GHSA-p4g4-wgrh-qrg2']
coreos-etcd32-3.2.32_15: ['GHSA-4993-m7g5-r9hh', 'GHSA-528j-9r78-wffx', 'GHSA-9gp7-6833-wv89', 'GHSA-h8g9-6gvh-5mrc', 'GHSA-m332-53r6-2w93', 'GHSA-p4g4-wgrh-qrg2']
date-3.0.1: ['GHSA-qg54-694p-wgpp']
deluge-2.0.3_3,2: ['GHSA-5c8p-qhch-qhx6', 'PYSEC-2022-256']
deluge-cli-2.0.3_4: ['GHSA-5c8p-qhch-qhx6', 'PYSEC-2022-256']
dojo-1.12.2: ['GHSA-536q-8gxx-m782', 'GHSA-jxfh-8wgv-vfr2', 'GHSA-m8gw-hjpr-rjv7']
draco-3d-compression-1.5.6: ['OSV-2020-778', 'OSV-2020-800', 'OSV-2020-824', 'OSV-2020-828', 'OSV-2021-1082']
espeak-ng-1.51.1_3: ['OSV-2021-1024', 'OSV-2021-1041', 'OSV-2021-1110', 'OSV-2021-1141', 'OSV-2021-1157', 'OSV-2021-765', 'OSV-2021-787', 'OSV-2021-802', 'OSV-2022-462', 'OSV-2022-519', 'OSV-2022-530']
flatbuffers205-2.0.5: ['GHSA-3jch-9qgp-4844', 'RUSTSEC-2021-0122']
go-protobuf-1.3.2_12,1: ['GHSA-77rm-9x9h-xj3g', 'GHSA-jwvw-v7c5-m82h', 'GHSA-mh6h-f25p-98f8']
got-0.87: ['GHSA-pfrx-2q88-qq97']
gstreamer1-1.22.0_1: ['OSV-2022-1168']
gtar-1.34: ['GHSA-3jfq-g458-7qm9', 'GHSA-5955-9wpr-37jh', 'GHSA-9r2w-394v-53qc', 'GHSA-gfjr-3jmm-4g9v', 'GHSA-j44m-qm6p-hp7m', 'GHSA-qq89-hq3f-393p', 'GHSA-r628-mhmh-qjhw']
guake-3.4.0_3: ['GHSA-7x48-7466-3g33', 'PYSEC-2022-165']
harfbuzz-7.1.0: ['OSV-2023-137', 'OSV-2023-170', 'OSV-2023-222', 'OSV-2023-323']
harp-0.6.0_3: ['GHSA-46hv-7769-j7rx', 'GHSA-6fmm-47qc-p4m4']
jbig2dec-0.19: ['OSV-2020-822']
leptonica-1.82.0: ['OSV-2022-69', 'OSV-2022-91']
libnotify-0.8.2: ['GHSA-6898-wx94-8jq8']
libraw-0.21.1: ['OSV-2022-819', 'OSV-2023-184', 'OSV-2023-90']
libredwg-0.12.4: ['OSV-2021-1086', 'OSV-2021-620', 'OSV-2021-771', 'OSV-2022-129', 'OSV-2022-363']
libsass-3.6.5: ['OSV-2020-1420', 'OSV-2020-862', 'OSV-2021-508', 'OSV-2022-896']
libucl-0.8.2: ['OSV-2021-1261', 'OSV-2022-494', 'OSV-2023-321', 'OSV-2023-78']
log4net-1.2.10_3: ['GHSA-2cwj-8chv-9pp9']
lua51-bcrypt-2.3.1: ['GHSA-5wg4-74h6-q47v']
lua51-json-1.3.4_1: ['GHSA-3c6g-pvg8-gqw2']
lua52-bcrypt-2.3.1: ['GHSA-5wg4-74h6-q47v']
lua52-json-1.3.4_1: ['GHSA-3c6g-pvg8-gqw2']
lua53-bcrypt-2.3.1: ['GHSA-5wg4-74h6-q47v']
lua53-json-1.3.4_1: ['GHSA-3c6g-pvg8-gqw2']
lua54-bcrypt-2.3.1: ['GHSA-5wg4-74h6-q47v']
lua54-json-1.3.4_1: ['GHSA-3c6g-pvg8-gqw2']
mingw32-libyaml-0.1.6_2: ['GHSA-m75h-cghq-c8h5']
mitmproxy-7.0.4_2: ['GHSA-gcx2-gvj7-pxv3', 'PYSEC-2022-170']
mongoose-5.6: ['GHSA-8687-vv9j-hgph', 'GHSA-f825-f98c-gj3g']
nlohmann-json-3.11.2: ['GHSA-3c6g-pvg8-gqw2']
ocaml-mysql-1.2.4: ['GHSA-fvq6-55gv-jx9f']
opa-0.41.0_11: ['GHSA-2m4x-4q9j-w97g', 'GHSA-f524-rf33-2jjr']
open-1.4: ['GHSA-28xh-wpgr-7fm8']
opencv-4.6.0_6: ['OSV-2022-394', 'GHSA-f698-m2v9-5fh3', 'GHSA-mc7w-4cjf-c973']
opensc-0.23.0: ['OSV-2022-1175', 'OSV-2022-1188', 'OSV-2022-1201', 'OSV-2022-1232']
p5-mem-0.4.7: ['GHSA-4xcv-9jjx-gfj3']
php80-opencc-0.0.0.20201211: ['GHSA-9qh2-6fxg-9m4g']
php80-pecl-mongodb-1.15.1: ['GHSA-4rjr-3gj2-5crq', 'GHSA-mh5c-679w-hh4r']
php80-pecl-mustache-0.9.3: ['GHSA-3233-rgx3-c2wh', 'GHSA-w3w8-37jv-2c58']
php80-pecl-ssh2-1.3.1: ['GHSA-652h-xwhf-q4h6']
php81-opencc-0.0.0.20201211: ['GHSA-9qh2-6fxg-9m4g']
php81-pecl-mongodb-1.15.1: ['GHSA-4rjr-3gj2-5crq', 'GHSA-mh5c-679w-hh4r']
php81-pecl-mustache-0.9.3: ['GHSA-3233-rgx3-c2wh', 'GHSA-w3w8-37jv-2c58']
php81-pecl-ssh2-1.3.1: ['GHSA-652h-xwhf-q4h6']
php82-opencc-0.0.0.20201211: ['GHSA-9qh2-6fxg-9m4g']
php82-pecl-mongodb-1.15.1: ['GHSA-4rjr-3gj2-5crq', 'GHSA-mh5c-679w-hh4r']
php82-pecl-mustache-0.9.3: ['GHSA-3233-rgx3-c2wh', 'GHSA-w3w8-37jv-2c58']
php82-pecl-ssh2-1.3.1: ['GHSA-652h-xwhf-q4h6']
pidgin-libnotify-0.14_15: ['GHSA-6898-wx94-8jq8']
postgresql13-semver-0.31.2: ['GHSA-x6fg-f45m-jf5q']
protobuf25-2.5.0_5: ['GHSA-77rm-9x9h-xj3g', 'GHSA-jwvw-v7c5-m82h', 'GHSA-8gq9-2x98-w8hf', 'PYSEC-2017-65', 'PYSEC-2022-48', 'GHSA-mh6h-f25p-98f8', 'RUSTSEC-2019-0003']
py27-setuptools44-44.1.1: ['GHSA-r9hx-vwmv-q579']
py310-setuptools-63.1.0: ['GHSA-r9hx-vwmv-q579']
py310-setuptools58-58.5.3_2: ['GHSA-r9hx-vwmv-q579']
py311-setuptools-63.1.0: ['GHSA-r9hx-vwmv-q579']
py311-setuptools58-58.5.3_2: ['GHSA-r9hx-vwmv-q579']
py37-setuptools-63.1.0: ['GHSA-r9hx-vwmv-q579']
py37-setuptools58-58.5.3_2: ['GHSA-r9hx-vwmv-q579']
py38-setuptools-63.1.0: ['GHSA-r9hx-vwmv-q579']
py38-setuptools58-58.5.3_2: ['GHSA-r9hx-vwmv-q579']
py39-Flask-Cors-3.0.8: ['GHSA-xc3p-ff3m-f46v']
py39-WsgiDAV-3.1.0: ['GHSA-xx6g-jj35-pxjv']
py39-ansible-7.1.0: ['PYSEC-2020-220', 'PYSEC-2020-221', 'PYSEC-2021-125']
py39-arrow-1.2.3: ['GHSA-h588-76vg-prgj', 'GHSA-qgrp-8f3v-q85p', 'GHSA-r7cj-wmwv-hfw5', 'RUSTSEC-2021-0116', 'RUSTSEC-2021-0117', 'RUSTSEC-2021-0118']
py39-bcrypt-3.2.2: ['GHSA-5wg4-74h6-q47v']
py39-beaker-1.12.1: ['PYSEC-2020-216']
py39-branca-0.6.0: ['GHSA-c9rv-3jmq-527w', 'RUSTSEC-2020-0075']
py39-capstone-4.0.2: ['OSV-2020-438']
py39-celery-4.4.7: ['GHSA-q4xr-rc97-m4xx', 'PYSEC-2021-858']
py39-cinder-12.0.10_22: ['GHSA-7h75-hwxx-qpgc', 'GHSA-qhch-g8qr-p497', 'PYSEC-2020-228']
py39-codecov-2.1.12: ['GHSA-5q88-cjfq-g2mh', 'GHSA-mh2h-6j8q-x246', 'GHSA-xp63-6vf5-xf3v']
py39-configobj-5.0.8: ['GHSA-c33w-24p9-8m24']
py39-cryptography-3.4.8_1,1: ['GHSA-w7pp-m8wf-vj6r', 'GHSA-x4qr-2fvf-3mr5']
py39-django-photologue-3.15_1: ['GHSA-287q-jfcp-9vhv']
py39-django-tinymce-3.6.1: ['GHSA-r8hm-w5f7-wj39']
py39-dparse-0.5.1: ['GHSA-8fg9-p83m-x5pq', 'PYSEC-2022-301']
py39-flask-caching-1.9.0: ['GHSA-656c-6cxf-hvcv', 'PYSEC-2021-13']
py39-flask-security-3.0.0_1: ['GHSA-cg8c-gc2j-2wf7']
py39-flatbuffers-2.0: ['GHSA-3jch-9qgp-4844', 'RUSTSEC-2021-0122']
py39-gstreamer1-1.20.5: ['OSV-2022-1089', 'OSV-2022-1168']
py39-httpie-3.0.2: ['GHSA-6pc9-xqrg-wfqw', 'GHSA-9w4w-cpc8-h2fq', 'PYSEC-2022-167', 'PYSEC-2022-34']
py39-httpx013-0.13.3_3: ['GHSA-h8pj-cxx2-jfg2', 'PYSEC-2022-183']
py39-impacket-0.9.17_1: ['GHSA-mj63-64x7-57xf', 'PYSEC-2021-17']
py39-jmespath-1.0.1: ['GHSA-5c5f-7vfq-3732']
py39-joblib-1.1.0: ['GHSA-6hrg-qmvc-2xh8', 'PYSEC-2022-288']
py39-json5-0.9.11: ['GHSA-9c47-m6qq-7p4h']
py39-jsonpointer-2.0: ['GHSA-282f-qqgm-c34q']
py39-kerberos-1.3.1: ['PYSEC-2017-49']
py39-lmdb-0.97: ['PYSEC-2019-236', 'PYSEC-2019-237', 'PYSEC-2019-238', 'PYSEC-2019-239', 'PYSEC-2019-240']
py39-markdown2-2.3.6: ['GHSA-fv3h-8x5j-pvgq', 'GHSA-jr9p-r423-9m2r', 'PYSEC-2020-65', 'PYSEC-2021-20']
py39-mime-0.1.0: ['GHSA-wrvr-8mpx-r7pp']
py39-nbdime-3.1.1_1: ['GHSA-p6rw-44q7-3fw4']
py39-nicotine-plus-3.2.0_1: ['GHSA-p4v2-r99v-wjc2']
py39-parse-1.19.0: ['GHSA-wvh7-5p38-2qfc']
py39-psutil121-1.2.1_2: ['GHSA-qfc5-mcwq-26q8', 'PYSEC-2019-41']
py39-py-1.11.0: ['GHSA-w596-4wvx-j9j6', 'PYSEC-2022-42969']
py39-pycares-4.1.2: ['GHSA-c58j-88f5-h53f']
py39-pygments-25-2.5.2: ['GHSA-9w8r-397f-prfh', 'GHSA-pq64-v7f5-gqh8', 'PYSEC-2021-140', 'PYSEC-2021-141']
py39-pyinstaller-3.5_1: ['GHSA-7fcj-pq9j-wh2r', 'PYSEC-2020-175', 'PYSEC-2020-194']
py39-pymatgen-2022.7.19: ['GHSA-5jqp-885w-xj32']
py39-pysaml24-4.9.0_1: ['GHSA-5p3x-r448-pc62', 'GHSA-f4g9-h89h-jgv9', 'GHSA-qf7v-8hj3-4xw7', 'PYSEC-2020-94', 'PYSEC-2021-48', 'PYSEC-2021-49']
py39-redis2-2.10.6_2: ['GHSA-24wv-mv5m-xv4h', 'GHSA-8fww-64cx-x8p5', 'GHSA-35q2-47q7-3pc3']
py39-redis3-3.5.3: ['GHSA-24wv-mv5m-xv4h', 'GHSA-8fww-64cx-x8p5']
py39-rencode-1.0.6_1: ['GHSA-gh8j-2pgf-x458', 'PYSEC-2021-345']
py39-semver-2.13.0: ['GHSA-x6fg-f45m-jf5q']
py39-sentry-sdk-1.5.12: ['GHSA-29pr-6jr8-q5jm']
py39-setuptools-63.1.0: ['GHSA-r9hx-vwmv-q579']
py39-setuptools58-58.5.3_2: ['GHSA-r9hx-vwmv-q579']
py39-slixmpp-1.7.1: ['GHSA-q6cq-m9gm-6q2f']
py39-sqlalchemy10-1.0.14: ['GHSA-38fc-9xqv-7f7q', 'GHSA-887w-45rq-vxgf', 'PYSEC-2019-123', 'PYSEC-2019-124', 'PYSEC-2019-53', 'PYSEC-2019-54']
py39-sqlalchemy11-1.1.18: ['GHSA-38fc-9xqv-7f7q', 'GHSA-887w-45rq-vxgf', 'PYSEC-2019-123', 'PYSEC-2019-124', 'PYSEC-2019-53', 'PYSEC-2019-54']
py39-sqlalchemy12-1.2.19: ['GHSA-38fc-9xqv-7f7q', 'GHSA-887w-45rq-vxgf']
py39-suds-1.1.2: ['PYSEC-2013-32']
py39-tensorflow-2.9.1_7: ['GHSA-27rc-728f-x5w2', 'GHSA-368v-7v32-52fx', 'GHSA-49rq-hwc3-x77w', 'GHSA-54pp-c6pp-7fpx', 'GHSA-558h-mq8x-7q9g', 'GHSA-5w96-866f-6rm8', 'GHSA-647v-r7qq-24fh', 'GHSA-64jg-wjww-7c5w', 'GHSA-66vq-54fq-6jvv', 'GHSA-67pf-62xr-q35m', 'GHSA-68v3-g9cm-rmm6', 'GHSA-6hg6-5c2q-7rcr', 'GHSA-6wfh-89q8-44jq', 'GHSA-6x99-gv2v-q76v', 'GHSA-7jvm-xxmr-v5cw', 'GHSA-7x4v-9gxg-9hwj', 'GHSA-8fvv-46hw-vpg3', 'GHSA-8w5g-3wcv-9g2j', 'GHSA-93vr-9q9m-pj8p', 'GHSA-94mm-g2mv-8p7r', 'GHSA-cg88-rpvp-cjv5', 'GHSA-cqvq-fvhr-v6hc', 'GHSA-f2w8-jw48-fr7j', 'GHSA-f49c-87jh-g47q', 'GHSA-f637-vh3r-vfh2', 'GHSA-fqm2-gh8w-gr68', 'GHSA-frqp-wp83-qggv', 'GHSA-fxgc-95xx-grvq', 'GHSA-g9fm-r5mm-rf9f', 'GHSA-gf97-q72m-7579', 'GHSA-gq2j-cr96-gvqx', 'GHSA-gw97-ff7c-9v96', 'GHSA-h246-cgh4-7475', 'GHSA-h6q3-vv32-2cq5', 'GHSA-hq7g-wwwp-q46h', 'GHSA-j5w9-hmfh-4cr6', 'GHSA-jq6x-99hj-q636', 'GHSA-mgmh-g2v6-mqw5', 'GHSA-mv77-9g28-cwg3', 'GHSA-pf36-r9c6-h97j', 'GHSA-qjqc-vqcf-5qvj', 'GHSA-rcf8-g8jv-vg6p', 'GHSA-rjx6-v474-2ch9', 'GHSA-rmg2-f698-wq35', 'GHSA-xf83-q765-xm6m', 'GHSA-xvwp-h6jv-7472', 'GHSA-xxcj-rhqg-m46g']
py39-treq-20.9.0: ['GHSA-fhpf-pp6p-55qc']
py39-unicorn-1.0.2: ['OSV-2020-1373', 'OSV-2020-1409', 'OSV-2020-1410', 'OSV-2020-2180', 'OSV-2020-2305', 'OSV-2020-802', 'OSV-2020-825', 'OSV-2020-837', 'OSV-2021-1046', 'OSV-2021-1230', 'OSV-2021-307', 'OSV-2021-345', 'PYSEC-2021-868']
py39-wagtail-4.2_2: ['GHSA-33pv-vcgh-jfg9', 'GHSA-5286-f2rf-35c2']
py39-whois-0.9.13: ['GHSA-97jv-c342-5xhc']
radare2-5.8.4: ['OSV-2022-1137', 'OSV-2022-993', 'OSV-2023-35', 'OSV-2023-96']
rubygem-actionpack4-4.2.11.3: ['GHSA-7wjx-3g7j-8584', 'GHSA-8xww-x3g3-6jcv', 'GHSA-9chr-4fjh-5rgw', 'GHSA-hjg4-8q5f-x6fm', 'GHSA-p84v-45xj-wwqj']
rubygem-actionpack5-5.1.7_1: ['GHSA-7wjx-3g7j-8584', 'GHSA-8727-m6gj-mc37', 'GHSA-8xww-x3g3-6jcv', 'GHSA-9chr-4fjh-5rgw', 'GHSA-hjg4-8q5f-x6fm', 'GHSA-jp5v-5gx4-jmj9', 'GHSA-p84v-45xj-wwqj', 'GHSA-wh98-p28r-vrc9']
rubygem-actionpack50-5.0.7.2_2: ['GHSA-7wjx-3g7j-8584', 'GHSA-8727-m6gj-mc37', 'GHSA-8xww-x3g3-6jcv', 'GHSA-9chr-4fjh-5rgw', 'GHSA-hjg4-8q5f-x6fm', 'GHSA-jp5v-5gx4-jmj9', 'GHSA-p84v-45xj-wwqj', 'GHSA-wh98-p28r-vrc9']
rubygem-actionpack52-5.2.8.1_1: ['GHSA-8xww-x3g3-6jcv', 'GHSA-9chr-4fjh-5rgw', 'GHSA-p84v-45xj-wwqj']
rubygem-actionpack60-6.0.6.1: ['GHSA-8xww-x3g3-6jcv', 'GHSA-9chr-4fjh-5rgw', 'GHSA-p84v-45xj-wwqj']
rubygem-actionpack61-6.1.7.3: ['GHSA-9chr-4fjh-5rgw']
rubygem-actionview4-4.2.11.3: ['GHSA-65cv-r6x7-79hv', 'GHSA-cfjv-5498-mph5', 'GHSA-ch3h-j2vf-95pv']
rubygem-actionview5-5.1.7: ['GHSA-65cv-r6x7-79hv', 'GHSA-cfjv-5498-mph5', 'GHSA-ch3h-j2vf-95pv', 'GHSA-xq5j-gw7f-jgj8']
rubygem-actionview50-5.0.7.2: ['GHSA-65cv-r6x7-79hv', 'GHSA-cfjv-5498-mph5', 'GHSA-ch3h-j2vf-95pv', 'GHSA-xq5j-gw7f-jgj8']
rubygem-activerecord4-4.2.11.3: ['GHSA-3hhc-qp5v-9p2j', 'GHSA-579w-22j4-4749']
rubygem-activerecord5-5.1.7: ['GHSA-3hhc-qp5v-9p2j', 'GHSA-579w-22j4-4749', 'GHSA-8hc4-xxm3-5ppp']
rubygem-activerecord50-5.0.7.2: ['GHSA-3hhc-qp5v-9p2j', 'GHSA-579w-22j4-4749', 'GHSA-8hc4-xxm3-5ppp']
rubygem-activerecord52-5.2.8.1: ['GHSA-579w-22j4-4749']
rubygem-activerecord60-6.0.6.1: ['GHSA-579w-22j4-4749']
rubygem-activeresource4-4.1.0: ['GHSA-46j2-xjgp-jrfm']
rubygem-activesupport4-4.2.11.3: ['GHSA-j6gc-792m-qgm2', 'GHSA-pj73-v5mw-pm9j']
rubygem-activesupport5-5.1.7_1: ['GHSA-2p68-f74v-9wc6', 'GHSA-j6gc-792m-qgm2', 'GHSA-pj73-v5mw-pm9j']
rubygem-activesupport50-5.0.7.2_1: ['GHSA-2p68-f74v-9wc6', 'GHSA-j6gc-792m-qgm2', 'GHSA-pj73-v5mw-pm9j']
rubygem-activesupport52-5.2.8.1: ['GHSA-j6gc-792m-qgm2', 'GHSA-pj73-v5mw-pm9j']
rubygem-activesupport60-6.0.6.1: ['GHSA-j6gc-792m-qgm2', 'GHSA-pj73-v5mw-pm9j']
rubygem-async-2.5.0: ['GHSA-fwr7-v2mv-hh25']
rubygem-aws-sdk2-2.11.632: ['GHSA-rrc9-gqf8-8rwg']
rubygem-base64-0.1.1: ['GHSA-x67x-vg9m-65c3', 'RUSTSEC-2017-0004']
rubygem-bcrypt-3.1.18: ['GHSA-5wg4-74h6-q47v']
rubygem-bootstrap-sass-3.4.1: ['GHSA-9v3m-8fp8-mj99']
rubygem-cairo-1.17.8: ['OSV-2023-298']
rubygem-cookiejar-0.3.3: ['GHSA-h452-7996-h45h']
rubygem-cose-1.2.0: ['GHSA-746g-3gfp-hfhw']
rubygem-debug-1.7.2: ['GHSA-9vvw-cc9w-f27h', 'GHSA-gxpj-cx7g-858c']
rubygem-foreman-0.87.2: ['GHSA-xm28-fw2x-fqv2']
rubygem-generator-0.0.1: ['GHSA-6c65-xcf5-299x', 'GHSA-h6gg-fvf5-qgwf', 'GHSA-w3g5-2848-2v8r', 'RUSTSEC-2019-0020', 'RUSTSEC-2020-0151']
rubygem-globalid-0.4.2: ['GHSA-23c2-gwp5-pxw9']
rubygem-gon-rails5-6.2.1: ['GHSA-78vq-9j56-wrfr']
rubygem-gon-rails50-6.2.1: ['GHSA-78vq-9j56-wrfr']
rubygem-httparty-0.20.0: ['GHSA-5pq7-52mg-hr42']
rubygem-ini-0.1.1: ['GHSA-qqgx-2p2h-9c37']
rubygem-json-2.6.3: ['GHSA-3c6g-pvg8-gqw2']
rubygem-json1-1.8.6: ['GHSA-3c6g-pvg8-gqw2', 'GHSA-jphg-qwrw-7w9g']
rubygem-kramdown1-1.17.0: ['GHSA-52p9-v744-mwjj', 'GHSA-mqm2-cgpr-p4m6']
rubygem-mqtt-0.6.0: ['GHSA-hg78-c92r-hvwr']
rubygem-mustache-1.1.1: ['GHSA-3233-rgx3-c2wh', 'GHSA-w3w8-37jv-2c58']
rubygem-mustache0-0.99.8: ['GHSA-3233-rgx3-c2wh', 'GHSA-w3w8-37jv-2c58']
rubygem-mysql-2.9.1_1: ['GHSA-5f7m-mmpc-qhh4']
rubygem-netaddr-2.0.1: ['GHSA-49pj-69vf-c689']
rubygem-nokogiri111-1.11.7_2: ['GHSA-2qc6-mcvw-92cw', 'GHSA-2rr5-8q37-2w7h', 'GHSA-cgx6-hpwq-fhv5', 'GHSA-crjr-9rc5-ghw8', 'GHSA-fq42-c5rg-92c2', 'GHSA-gx8x-g87m-h5q6', 'GHSA-pxvg-2qj5-37jq', 'GHSA-v6gp-9mmm-c6p5', 'GHSA-xh29-r2w5-wx8m', 'GHSA-xxx9-3xcr-gjj3']
rubygem-omniauth1-1.9.2_1: ['GHSA-ww4x-rwq6-qpgf']
rubygem-oxidized-web-0.13.1_4: ['GHSA-8qwh-rm6c-jv96']
rubygem-pdfkit-0.8.7: ['GHSA-rhwx-hjx2-x4qr']
rubygem-pg-1.4.6: ['GHSA-wc9v-mj63-m9g5']
rubygem-pg13-1.3.5: ['GHSA-wc9v-mj63-m9g5']
rubygem-pghero-rails5-2.8.3: ['GHSA-vf99-xw26-86g5']
rubygem-pghero-rails50-2.8.3: ['GHSA-vf99-xw26-86g5']
rubygem-rack16-1.6.13: ['GHSA-3h57-hmj3-gj3p', 'GHSA-5f9h-9pjv-v6j7', 'GHSA-65f5-mfpf-vfhj', 'GHSA-hxqx-xwvh-44m2', 'GHSA-j6w9-fv6q-3q52', 'GHSA-wq4h-7r42-5hrr']
rubygem-rails4-4.2.11.3: ['GHSA-579w-22j4-4749', 'GHSA-7wjx-3g7j-8584', 'GHSA-9chr-4fjh-5rgw', 'GHSA-cfjv-5498-mph5', 'GHSA-ch3h-j2vf-95pv']
rubygem-rails5-5.1.7_2: ['GHSA-579w-22j4-4749', 'GHSA-7wjx-3g7j-8584', 'GHSA-9chr-4fjh-5rgw', 'GHSA-cfjv-5498-mph5', 'GHSA-ch3h-j2vf-95pv', 'GHSA-wh98-p28r-vrc9']
rubygem-rails50-5.0.7.2_2: ['GHSA-579w-22j4-4749', 'GHSA-7wjx-3g7j-8584', 'GHSA-9chr-4fjh-5rgw', 'GHSA-cfjv-5498-mph5', 'GHSA-ch3h-j2vf-95pv', 'GHSA-wh98-p28r-vrc9']
rubygem-rails52-5.2.8.1: ['GHSA-579w-22j4-4749', 'GHSA-9chr-4fjh-5rgw']
rubygem-sanitize-6.0.0: ['GHSA-fw3g-2h3j-qmm7']
rubygem-simple_form-4.0.0: ['GHSA-r74q-gxcg-73hx']
rubygem-sinatra1-1.4.8: ['GHSA-qp49-3pvw-x4m5']
rubygem-terser-1.0.2: ['GHSA-4wf5-vphf-c2xc']
rubygem-terser11-1.1.14: ['GHSA-4wf5-vphf-c2xc']
rubygem-time-0.2.2: ['GHSA-wcg3-cvx6-7396']
rubygem-tweetstream-2.6.1_1: ['GHSA-6hrm-jqp3-64cv']
rubygem-twitter-stream-0.1.16_2: ['GHSA-p6p8-q4pj-f74m']
rubygem-unicode-0.4.4.4: ['GHSA-qjf4-7642-c57p']
rubygem-useragent-0.16.10: ['GHSA-pjmx-9xr3-82qr']
send-0.3_4: ['GHSA-jgqf-hwc5-hh37', 'GHSA-pgv6-jrvv-75jp', 'GHSA-xwg4-93c6-3h42']
showdown-0.6_3: ['GHSA-h6mq-3cj6-h738']
svg2png-0.1.3_6: ['GHSA-mpp5-2x55-49xw']
tidy-html5-5.8.0_2: ['OSV-2020-1427', 'OSV-2020-1440']
ua_parser-core-0.5.0_1: ['GHSA-fx7m-j728-mjw3']
unicorn-1.0.2: ['OSV-2020-1373', 'OSV-2020-1409', 'OSV-2020-1410', 'OSV-2020-2180', 'OSV-2020-2305', 'OSV-2020-802', 'OSV-2020-825', 'OSV-2020-837', 'OSV-2021-1046', 'OSV-2021-1230', 'OSV-2021-307', 'OSV-2021-345', 'PYSEC-2021-868']
vmd-1.9.4: ['GHSA-pfr3-87q3-65rc']
wabt-1.0.32: ['OSV-2021-1241', 'OSV-2022-1248', 'OSV-2022-1261', 'OSV-2022-1263', 'OSV-2022-916']
wasm3-0.5.0_2: ['GHSA-77fq-4xf5-hph4', 'GHSA-crf8-h2wq-2h9x']
webbrowser-0.3: ['GHSA-m589-mv4q-p7rj']
zh-opencc-1.0.5_3: ['GHSA-9qh2-6fxg-9m4g']

Best regards,

On Tue, 4 Apr 2023 at 12:31, Hubert Tournier <hubert.tournier@gmail.com> wrote:

> I'm OK to do the OSV tool.
>
> Best regards,
>
> On Tue, 4 Apr 2023 at 11:58, void <void@f-m.fm> wrote:
>
>> On Sun, Mar 26, 2023 at 12:16:53PM +0200, Hubert Tournier wrote:
>> > Hello,
>> >
>> > While working on pipinfo <https://github.com/HubTou/pipinfo>, an
>> > alternative Python packages management tool, I noticed that some Python
>> > packages installed as FreeBSD ports were marked as vulnerable by the Python
>> > Packaging Authority
>> > <https://warehouse.pypa.io/api-reference/json.html#known-vulnerabilities>
>> > but not in the FreeBSD VuXML <https://www.vuxml.org/freebsd/index.html> ports
>> > security database.
>> >
>> > So I made a pysec2vuxml <https://github.com/HubTou/pysec2vuxml> tool to
>> > check the 4,000+ FreeBSD ports for Python packages and found 45 of them
>> > vulnerable and unreported
>> > <https://github.com/HubTou/pysec2vuxml/blob/main/results.txt>.
>> >
>> > I started producing new VuXML entries
>> > <https://github.com/HubTou/pysec2vuxml/blob/main/vuxml_newentries.txt> for
>> > these vulnerable ports. *Please tell me if it's worth pursuing this effort?*
>> >
>> > In order to verify if these vulnerable ports were also marked as
>> > vulnerable in FreeBSD VuXML, I made a Python VuXML handling library and got
>> > carried away writing a whole utility, vuxml
>> > <https://github.com/HubTou/vuxml>, to demonstrate its use. This could be of
>> > general interest to some of you?
>> >
>> > Best regards,
>> >
>> > PS: this approach could be extended to Rust crates, Ruby gems and so on
>> > with the vulnerabilities described in the OSV <https://osv.dev/>...
>>
>> +1 ^^^ really good idea
>>
>> Probably best to ask in freebsd-hackers@ as devs are likely to
>> read this there
>> --
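The name-matching caveat in the message above (port prefixes, flavours and version suffixes make a bare name match unreliable) is where the "few false positives" in the list most plausibly come from: bcrypt-1.1, lua53-bcrypt-2.3.1, rubygem-bcrypt-3.1.18 and py39-bcrypt-3.2.2 all map to the same GHSA by name alone. The block below is an added example, not code from osv2vuxml or pysec2vuxml, showing one way to normalise a FreeBSD package name ("name-version[_revision][,epoch]") into an (ecosystem, package, version) triple and match it against OSV-style `affected` records while attaching a confidence label, so that a name-only match is flagged for review rather than accepted silently. The prefix table, the `EXAMPLE-*` OSV records and their version ranges are constructed for this example; the version comparison is a plain dotted-numeric compare, which simplifies OSV's per-ecosystem version rules.

```python
import re

# Constructed mapping from FreeBSD port-name prefixes (flavours) to OSV
# ecosystems. Example table only, not the one osv2vuxml uses; the real
# ports tree has more prefixes and exceptions than listed here.
PREFIX_ECOSYSTEMS = (
    (re.compile(r"^py\d{2,3}-"), "PyPI"),
    (re.compile(r"^rubygem-"), "RubyGems"),
)


def parse_pkg(pkgname):
    """Split 'name-version[_revision][,epoch]' (FreeBSD pkg naming).

    The port version never contains '-', so the last '-' separates the
    port name from the version string. Returns the port name, the upstream
    package name (prefix stripped), the ecosystem guessed from the prefix
    ('unknown' if none matched), version, revision and epoch."""
    name, sep, ver = pkgname.rpartition("-")
    if not sep or not name or not ver:
        raise ValueError(f"not a FreeBSD package name: {pkgname!r}")
    epoch = revision = None
    if "," in ver:
        ver, epoch = ver.split(",", 1)
    if "_" in ver:
        ver, revision = ver.split("_", 1)
    ecosystem, upstream = "unknown", name
    for pattern, eco in PREFIX_ECOSYSTEMS:
        if pattern.match(name):
            ecosystem, upstream = eco, pattern.sub("", name, count=1)
            break
    return {"port": name, "package": upstream, "ecosystem": ecosystem,
            "version": ver, "revision": revision, "epoch": epoch}


def vtuple(version):
    """Dotted-numeric sort key; non-numeric parts sort as -1 (simplified)."""
    return tuple(int(p) if p.isdigit() else -1 for p in version.split("."))


def in_range(v, introduced, fixed):
    """OSV half-open interval: introduced <= v < fixed ('0' = from the start)."""
    low_ok = introduced == "0" or vtuple(introduced) <= v
    high_ok = fixed is None or v < vtuple(fixed)
    return low_ok and high_ok


def is_affected(version, ranges):
    """Walk OSV range events (introduced/fixed pairs in order)."""
    v = vtuple(version)
    for rng in ranges:
        if rng.get("type") not in ("ECOSYSTEM", "SEMVER"):
            continue  # GIT ranges need commit history; out of scope here
        introduced = None
        for event in rng["events"]:
            if "introduced" in event:
                introduced = event["introduced"]
            elif "fixed" in event and introduced is not None:
                if in_range(v, introduced, event["fixed"]):
                    return True
                introduced = None
        if introduced is not None and in_range(v, introduced, None):
            return True
    return False


def match(pkgname, osv_records):
    """Return [(osv_id, confidence)] for one FreeBSD package.

    'exact': prefix gave an ecosystem and the name matched as-is.
    'suffix-stripped': a trailing version suffix (rails52 -> rails) was
    dropped to find the name. 'name-only': no ecosystem could be inferred,
    so a same-named package in any ecosystem matched; review these by hand."""
    pkg = parse_pkg(pkgname)
    candidates = [(pkg["package"], "exact")]
    stripped = re.sub(r"\d+$", "", pkg["package"])
    if stripped and stripped != pkg["package"]:
        candidates.append((stripped, "suffix-stripped"))
    hits = []
    for rec in osv_records:
        for aff in rec["affected"]:
            eco = aff["package"]["ecosystem"]
            if pkg["ecosystem"] != "unknown" and eco != pkg["ecosystem"]:
                continue  # same name in another ecosystem is not a match
            for name, how in candidates:
                if aff["package"]["name"].lower() != name.lower():
                    continue
                if is_affected(pkg["version"], aff["ranges"]):
                    conf = how if pkg["ecosystem"] != "unknown" else "name-only"
                    hits.append((rec["id"], conf))
    return hits


# Constructed OSV-shaped records: IDs and ranges are made up for the example.
OSV_SAMPLE = [
    {"id": "EXAMPLE-2023-0001", "affected": [{
        "package": {"ecosystem": "PyPI", "name": "setuptools"},
        "ranges": [{"type": "ECOSYSTEM",
                    "events": [{"introduced": "0"}, {"fixed": "65.5.1"}]}]}]},
    {"id": "EXAMPLE-2023-0002", "affected": [{
        "package": {"ecosystem": "RubyGems", "name": "rails"},
        "ranges": [{"type": "ECOSYSTEM",
                    "events": [{"introduced": "5.0.0"}, {"fixed": "5.2.9"}]}]}]},
    {"id": "EXAMPLE-2023-0003", "affected": [{
        "package": {"ecosystem": "npm", "name": "bcrypt"},
        "ranges": [{"type": "ECOSYSTEM",
                    "events": [{"introduced": "0"}, {"fixed": "5.0.0"}]}]}]},
]

if __name__ == "__main__":
    for pkg in ("py39-setuptools58-58.5.3_2", "rubygem-rails52-5.2.8.1",
                "rubygem-rails4-4.2.11.3", "bcrypt-1.1", "py39-bcrypt-3.2.2"):
        print(pkg, match(pkg, OSV_SAMPLE))
```

With the constructed records, py39-bcrypt-3.2.2 produces no hit because the npm record is in a different ecosystem, while bare bcrypt-1.1 produces a "name-only" hit; that label is the signal to check the port's source site before writing a VuXML entry.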