new port security/cvechecker

Stefan Esser se at
Fri Oct 13 10:04:55 UTC 2017

Am 13.10.17 um 09:25 schrieb Torsten Zuehlsdorff:
> Aloha,
>>> Why not
>>> teach pkg-audit(8) to query NVD based on CPE annotations in *binary*
>>> packages?
>>> Doing so would also provide a workaround for VuXML entries cancelled
>>> to reduce bloat.
>> I agree, pkg-audit needs to be taught to do that. Along those lines,
>> we could create a port for cvechecker:
>> But both solutions only handle installed packages.
>> We would still need something to alert us to CVEs in non-installed
>> software, I think.
>> Also, I've just looked and it seems only a little over 1000 ports have
>> CPE strings. Adding something to portlint that warned ports developers
>> to add any needed CPE info would be helpful. I think that type of
>> warning has helped us improve LICENSE entries.
> One more thought on this topic: a cvececker isn't enough. Looking at
> security updates of piwik, gitlab, phpmailer and many more: most of the
> security issues fixed never got an CVE entry. But of course any of the
> issues could be exploited in one or another way.
> But i think cvechecker is a step in the right direction. pkg audit is
> incredible helpful even with its current restrictions!

Well, and now cvechecker is in ports :)

Please let me know about any problems with the port.

Regards, STefan

More information about the freebsd-ports mailing list