45 vulnerable ports unreported in VuXML
Date: Sun, 26 Mar 2023 10:16:53 UTC
Hello,

While working on pipinfo <https://github.com/HubTou/pipinfo>, an alternative Python packages management tool, I noticed that some Python packages installed as FreeBSD ports were marked as vulnerable by the Python Packaging Authority <https://warehouse.pypa.io/api-reference/json.html#known-vulnerabilities> but not in the FreeBSD VuXML <https://www.vuxml.org/freebsd/index.html> ports security database.

So I made a pysec2vuxml <https://github.com/HubTou/pysec2vuxml> tool to check the 4.000+ FreeBSD ports for Python packages and found 45 of them vulnerable and unreported <https://github.com/HubTou/pysec2vuxml/blob/main/results.txt>.

I started producing new VuXML entries <https://github.com/HubTou/pysec2vuxml/blob/main/vuxml_newentries.txt> for these vulnerable ports. *Please tell me if it's worth pursuing this effort?*

In order to verify if these vulnerable ports were also marked as vulnerable in FreeBSD VuXML, I made a Python VuXML handling library and got carried away writing a whole utility, vuxml <https://github.com/HubTou/vuxml>, to demonstrate its use. This could be of general interest to some of you?

Best regards,

PS: this approach could be extended to Rust crates, Ruby gems and so on with the vulnerabilities described in the OSV <https://osv.dev/>...
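The cross-check the post describes, as an added example that is not pipinfo, pysec2vuxml or vuxml code: take the `vulnerabilities` list that the PyPI JSON API returns for a package (the `id`, `aliases`, `fixed_in` and `withdrawn` fields are the real API's), keep the entries that still affect the installed version, and subtract the CVE ids that VuXML already lists for the matching port. The PyPI response and the VuXML fragment are constructed inline with placeholder identifiers, the version comparison handles release-only versions, and "fixed once the version is at least one of the `fixed_in` versions" is an assumption about how to read that field; in practice the JSON would come from `https://pypi.org/pypi/<name>/<version>/json` and the XML from the ports tree.

```python
"""Find PyPI-reported vulnerabilities of a Python port that VuXML does not list.

Added example, not code from pipinfo/pysec2vuxml/vuxml. All inputs below are
constructed; CVE and PYSEC ids are placeholders, not real advisories.
"""
import json
import re
import xml.etree.ElementTree as ET

# Constructed PyPI JSON API response: only "info" and "vulnerabilities" are used.
PYPI_JSON = json.dumps({
    "info": {"name": "examplepkg", "version": "1.9.5"},
    "vulnerabilities": [
        {"id": "PYSEC-EXAMPLE-1", "aliases": ["CVE-EXAMPLE-0001"],
         "fixed_in": ["2.0.1"], "summary": "placeholder", "withdrawn": None},
        {"id": "PYSEC-EXAMPLE-2", "aliases": ["CVE-EXAMPLE-0002"],
         "fixed_in": ["1.9.0"], "summary": "placeholder", "withdrawn": None},
        {"id": "PYSEC-EXAMPLE-3", "aliases": ["CVE-EXAMPLE-0003"],
         "fixed_in": ["1.9.6", "2.0.0"], "summary": "placeholder", "withdrawn": None},
    ],
})

# Constructed VuXML fragment: one entry, covering only CVE-EXAMPLE-0003 for the port.
VUXML_XML = """<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="00000000-0000-0000-0000-000000000000">
    <topic>py-examplepkg -- placeholder issue</topic>
    <affects>
      <package>
        <name>py39-examplepkg</name>
        <name>py310-examplepkg</name>
        <range><lt>1.9.6</lt></range>
      </package>
    </affects>
    <references>
      <cvename>CVE-EXAMPLE-0003</cvename>
    </references>
  </vuln>
</vuxml>
"""


def version_key(version):
    """Turn a release-only version like '1.9.5' into a comparable tuple.
    Simplification: pre-/post-release suffixes are ignored (digits only)."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_lt(a, b):
    """True if version a < version b, padding so '1.9' equals '1.9.0'."""
    ka, kb = version_key(a), version_key(b)
    width = max(len(ka), len(kb))
    return ka + (0,) * (width - len(ka)) < kb + (0,) * (width - len(kb))


def is_affected(version, fixed_in):
    """Assumed reading of PyPI's fixed_in: the package is fixed once the installed
    version is >= any listed fix version; with no fix published, every version is affected."""
    if not fixed_in:
        return True
    return all(version_lt(version, fix) for fix in fixed_in)


def pypi_cves_affecting(pypi_json_text, version):
    """CVE aliases of non-withdrawn PyPI vulnerabilities that affect `version`."""
    data = json.loads(pypi_json_text)
    cves = set()
    for vuln in data.get("vulnerabilities", []):
        if vuln.get("withdrawn"):
            continue
        if is_affected(version, vuln.get("fixed_in", [])):
            cves.update(a for a in vuln.get("aliases", []) if a.startswith("CVE-"))
    return cves


def _local(tag):
    """Strip the XML namespace from an ElementTree tag."""
    return tag.rsplit("}", 1)[-1]


def vuxml_cves_for_package(vuxml_text, pypi_name):
    """CVE ids VuXML lists for a port named <pypi_name> or py<NN>-<pypi_name>
    (assumed naming for flavored Python ports)."""
    pattern = re.compile(r"(py\d+-)?" + re.escape(pypi_name.lower()))
    cves = set()
    for vuln in ET.fromstring(vuxml_text).iter():
        if _local(vuln.tag) != "vuln":
            continue
        names = [e.text or "" for e in vuln.iter() if _local(e.tag) == "name"]
        if not any(pattern.fullmatch(n.lower()) for n in names):
            continue
        cves.update(e.text for e in vuln.iter() if _local(e.tag) == "cvename" and e.text)
    return cves


def unreported_cves(pypi_json_text, vuxml_text):
    """CVEs that PyPI says affect the installed version but VuXML does not list."""
    info = json.loads(pypi_json_text)["info"]
    affecting = pypi_cves_affecting(pypi_json_text, info["version"])
    return sorted(affecting - vuxml_cves_for_package(vuxml_text, info["name"]))


if __name__ == "__main__":
    for cve in unreported_cves(PYPI_JSON, VUXML_XML):
        print("unreported in VuXML:", cve)
```

With the constructed data, version 1.9.5 is affected by the first and third entries; the third is already covered by VuXML, so only `CVE-EXAMPLE-0001` comes out as unreported. Running this over a real ports tree means looping over every Python port, fetching the PyPI document for the exact installed version, and parsing the full `vuln.xml`, where the `<name>` matching and version comparison are the two places false positives and negatives creep in.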