New pkg audit FNs

Torsten Zuehlsdorff tz at
Fri Oct 13 09:47:40 UTC 2017


>> Why not
>> teach pkg-audit(8) to query NVD based on CPE annotations in *binary* 
>> packages?
>> Doing so would also provide a workaround for VuXML entries cancelled
>> to reduce bloat.
> I agree, pkg-audit needs to be taught to do that. Along those lines, we 
> could create a port for cvechecker:
> But both solutions only handle installed packages.
> We would still need something to alert us to CVEs in non-installed 
> software, I think.
> Also, I've just looked and it seems only a little over 1000 ports have 
> CPE strings. Adding something to portlint that warned ports developers 
> to add any needed CPE info would be helpful. I think that type of 
> warning has helped us improve LICENSE entries.

One more thought on this topic: a cvececker isn't enough. Looking at 
security updates of piwik, gitlab, phpmailer and many more: most of the 
security issues fixed never got an CVE entry. But of course any of the 
issues could be exploited in one or another way.

But i think cvechecker is a step in the right direction. pkg audit is 
incredible helpful even with its current restrictions!


More information about the freebsd-ports mailing list