45 vulnerable ports unreported in VuXML

From: Hubert Tournier <hubert.tournier_at_gmail.com>
Date: Sun, 26 Mar 2023 10:16:53 UTC
Hello,

While working on pipinfo <https://github.com/HubTou/pipinfo>, an
alternative Python packages management tool, I noticed that some Python
packages installed as FreeBSD ports were marked as vulnerable by the Python
Packaging Authority
<https://warehouse.pypa.io/api-reference/json.html#known-vulnerabilities>
but not in FreeBSD VuXML <https://www.vuxml.org/freebsd/index.html> ports
security database.

So I made a pysec2vuxml <https://github.com/HubTou/pysec2vuxml> tool to
check the 4.000+ FreeBSD ports for Python packages and found 45 of them
vulnerable and unreported
<https://github.com/HubTou/pysec2vuxml/blob/main/results.txt>.

I started producing new VuXML entries
<https://github.com/HubTou/pysec2vuxml/blob/main/vuxml_newentries.txt> for
these vulnerable ports. *Please tell me if it's worth pursuing this effort?*

In order to verify if these vulnerable ports were also marked as
vulnerable in FreeBSD VuXML, I made a Python VuXML handling library and got
carried away writing a whole utility, vuxml
<https://github.com/HubTou/vuxml>, to demonstrate its use. This could be of
general interest to some of you?

Best regards,

PS: this approach could be extended to Rust crates, Ruby gems and so on
with the vulnerabilities described in the OSV <https://osv.dev/>...
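The cross-check described in the message, in miniature, as an added example (this is not code from pysec2vuxml or the vuxml library). It assumes the shape of the PyPI JSON API "vulnerabilities" array (`id`, `aliases`, `fixed_in`, `withdrawn`) and of a VuXML `<vuln>` entry (`<affects>/<package>/<name>`, `<references>/<cvename>`); the advisory identifiers, port name and versions are constructed placeholders. Version comparison is deliberately reduced to dotted integers, which is enough for the sample but not for the full PEP 440 grammar:

```python
import json
import re
import xml.etree.ElementTree as ET

# VuXML documents live in this namespace (vuln.xml in the FreeBSD ports tree).
VUXML_NS = {"v": "http://www.vuxml.org/apps/vuxml-1"}


def parse_version(v):
    """Simplified version parser: plain dotted integers only (assumption)."""
    return tuple(int(p) for p in v.split("."))


def base_name(port):
    """Strip the Python flavor prefix (py38-, py39-, ...) so that every
    flavored port name maps to the same PyPI package (assumption)."""
    return re.sub(r"^py\d+-", "", port)


def pypi_vulns_affecting(version, vulns):
    """Return the PyPI vulnerability records that still apply to `version`.

    A record is treated as applying when the installed version is below every
    `fixed_in` version (or no fix is listed). Withdrawn records are ignored.
    """
    installed = parse_version(version)
    affecting = []
    for vuln in vulns:
        if vuln.get("withdrawn"):
            continue
        fixed = [parse_version(f) for f in vuln.get("fixed_in", [])]
        if not fixed or all(installed < f for f in fixed):
            affecting.append(vuln)
    return affecting


def vuxml_cves_for_port(vuxml_xml, port_name):
    """Collect the CVE names that VuXML associates with the given port,
    matching across Python flavors."""
    root = ET.fromstring(vuxml_xml)
    wanted = base_name(port_name)
    cves = set()
    for vuln in root.findall("v:vuln", VUXML_NS):
        names = {base_name(n.text) for n in
                 vuln.findall("v:affects/v:package/v:name", VUXML_NS)}
        if wanted in names:
            cves.update(c.text for c in
                        vuln.findall("v:references/v:cvename", VUXML_NS))
    return cves


def unreported(port_name, version, pypi_vulns, vuxml_xml):
    """IDs of PyPI advisories affecting the installed port whose id or CVE
    alias is not referenced by any VuXML entry for that port."""
    known = vuxml_cves_for_port(vuxml_xml, port_name)
    missing = []
    for vuln in pypi_vulns_affecting(version, pypi_vulns):
        identifiers = {vuln["id"], *vuln.get("aliases", [])}
        if not identifiers & known:
            missing.append(vuln["id"])
    return missing


# Constructed sample in the shape of the PyPI JSON API "vulnerabilities" array.
# The PYSEC and CVE identifiers are placeholders, not real advisories.
SAMPLE_PYPI = json.loads("""
[
  {"id": "PYSEC-0000-0001", "aliases": ["CVE-0000-00001"], "fixed_in": ["2.0.1"],
   "details": "constructed: fixed in 2.0.1", "source": "osv", "withdrawn": null},
  {"id": "PYSEC-0000-0002", "aliases": ["CVE-0000-00002"], "fixed_in": ["2.1.0"],
   "details": "constructed: fixed in 2.1.0", "source": "osv", "withdrawn": null},
  {"id": "PYSEC-0000-0003", "aliases": [], "fixed_in": ["1.9.0"],
   "details": "constructed: already fixed before 2.0.0", "source": "osv", "withdrawn": null}
]
""")

# Constructed VuXML fragment covering only the first advisory (placeholder vid).
SAMPLE_VUXML = """<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="00000000-0000-0000-0000-000000000001">
    <topic>py-example -- constructed example entry</topic>
    <affects>
      <package>
        <name>py38-example</name>
        <name>py39-example</name>
        <range><lt>2.0.1</lt></range>
      </package>
    </affects>
    <references>
      <cvename>CVE-0000-00001</cvename>
    </references>
  </vuln>
</vuxml>"""


if __name__ == "__main__":
    # py39-example 2.0.0 is hit by two PyPI advisories; VuXML knows one of them.
    print(unreported("py39-example", "2.0.0", SAMPLE_PYPI, SAMPLE_VUXML))
```

Against a real tree the same logic would read `security/vuxml/vuln.xml` and fetch `https://pypi.org/pypi/<package>/json` per port; the flavor normalisation matters because VuXML lists each `pyXY-` name separately while PyPI knows only the package.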