New pkg audit FNs

Steve Wills swills at
Mon Oct 9 22:03:22 UTC 2017


On 10/09/2017 17:55, Jan Beich wrote:
> Steve Wills <swills at> writes:
>> Hi,
>> On 10/09/2017 16:34, Jan Beich wrote:
>>> Matthew Seaman <matthew at> writes:
>>>> On 09/10/2017 16:57, Roger Marquis wrote:
>>>>> Can anyone say what mechanisms the ports-security team might have in
>>>>> place to monitor CVEs and port software versions?
>> I've been hacking at a prototype for scanning what I can find:
> Wouldn't that encourage copypasta, exacerbating filesize issue? 

The VuXML data does need to be split up and all tools that process it 
need to be taught to deal with multiple files.

> Why not
> teach pkg-audit(8) to query NVD based on CPE annotations in *binary* packages?
> Doing so would also provide a workaround for VuXML entries cancelled
> to reduce bloat.

I agree, pkg-audit needs to be taught to do that. Along those lines, we 
could create a port for cvechecker:

But both solutions only handle installed packages.

We would still need something to alert us to CVEs in non-installed 
software, I think.

Also, I've just looked and it seems only a little over 1000 ports have 
CPE strings. Adding something to portlint that warned ports developers 
to add any needed CPE info would be helpful. I think that type of 
warning has helped us improve LICENSE entries.


More information about the freebsd-ports mailing list