Date:      Sat, 10 Dec 2022 11:44:41 +0000
From:      bugzilla-noreply@freebsd.org
To:        pkg@FreeBSD.org
Subject:   maintainer-feedback requested: [Bug 268296] ports-mgmt/pkg: pip-audit regularly shows vulnerabilities not reported by pkg audit
Message-ID:  <bug-268296-32340-27CJv5btP8@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-268296-32340@https.bugs.freebsd.org/bugzilla/>
References:  <bug-268296-32340@https.bugs.freebsd.org/bugzilla/>

Bugzilla Automation <bugzilla@FreeBSD.org> has asked freebsd-pkg (Nobody)
<pkg@FreeBSD.org> for maintainer-feedback:
Bug 268296: ports-mgmt/pkg: pip-audit regularly shows vulnerabilities not
reported by pkg audit
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=268296



--- Description ---
Not exactly a bug in "pkg" itself, and not a base system security issue:
I installed pip-audit from PyPI, at first inside a virtual env so that
I would be notified when issues were found, then I decided to try it
outside the venv.

Also: It would be a feature if pkg audit could report whether or not a
pkg upgrade is available that fixes a reported vulnerability.


mail% pkg audit
python39-3.9.15_1 is vulnerable:
  Python -- multiple vulnerabilities
  WWW: https://vuxml.FreeBSD.org/freebsd/050eba46-7638-11ed-820d-080027d3a315.html

1 problem(s) in 1 installed package(s) found.

mail% pip-audit
Found 5 known vulnerabilities in 3 packages
Name	Version   ID		      Fix Versions
------- --------- ------------------- ------------
certifi 2022.9.24 GHSA-43fp-rhv2-5gv8 2022.12.7
pillow	9.2.0	  PYSEC-2022-42980    9.3.0
pillow	9.2.0	  OSV-2022-715
pillow	9.2.0	  OSV-2022-1074
py	1.11.0	  PYSEC-2022-42969
Name	Skip Reason
------- ----------------------------------------------------------------------
sqlite3 Dependency not found on PyPI and could not be audited: sqlite3 (0.0.0)
tkinter Dependency not found on PyPI and could not be audited: tkinter (0.0.0)
mail% pkg vers | egrep 'py39-(certifi|pillow|py)-'
py39-certifi-2022.9.24		   =
py39-pillow-9.2.0		   =
py39-py-1.11.0			   =
mail% pkg vers | grep pkg
pkg-1.18.4			   =
mail% pkg vers | grep -v =
mail% uname -a
FreeBSD x.y.z 13.1-RELEASE-p3 FreeBSD 13.1-RELEASE-p3 GENERIC amd64
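The gap the report describes (pip-audit flags certifi, pillow and py, while `pkg audit` only flags python39) and the requested feature (knowing whether an upgrade would fix a finding) can both be checked with a small reconciliation script. The following is an added example, not code from the bug report, from pip-audit or from pkg. It assumes pip-audit's JSON output (`pip-audit -f json`) has the `dependencies` / `name` / `version` / `vulns` / `id` / `fix_versions` shape used below, that installed packages are listed one `name-version` per line (as `pkg query '%n-%v'` prints them), and that a PyPI distribution maps to the FreeBSD package `<flavor>-<lowercased name>`; all inputs are constructed inline from the values shown in the report.

```python
"""Reconcile pip-audit findings against pkg(8)'s view of the same packages.

Added example built around the bug report's numbers; field names of the
pip-audit JSON and the py39 package-name mapping are assumptions.
"""
import json
import re
from typing import Optional

# Constructed sample of `pip-audit -f json` output, from the table in the report.
PIP_AUDIT_JSON = json.dumps({
    "dependencies": [
        {"name": "certifi", "version": "2022.9.24",
         "vulns": [{"id": "GHSA-43fp-rhv2-5gv8", "fix_versions": ["2022.12.7"]}]},
        {"name": "pillow", "version": "9.2.0",
         "vulns": [{"id": "PYSEC-2022-42980", "fix_versions": ["9.3.0"]},
                   {"id": "OSV-2022-715", "fix_versions": []},
                   {"id": "OSV-2022-1074", "fix_versions": []}]},
        {"name": "py", "version": "1.11.0",
         "vulns": [{"id": "PYSEC-2022-42969", "fix_versions": []}]},
    ]
})

# Constructed sample of installed packages, one "name-version" per line.
PKG_INSTALLED = """\
py39-certifi-2022.9.24
py39-pillow-9.2.0
py39-py-1.11.0
python39-3.9.15_1
pkg-1.18.4
"""

# Constructed sample of `pkg audit` output, as shown in the report.
PKG_AUDIT_OUTPUT = """\
python39-3.9.15_1 is vulnerable:
  Python -- multiple vulnerabilities
  WWW: https://vuxml.FreeBSD.org/freebsd/050eba46-7638-11ed-820d-080027d3a315.html

1 problem(s) in 1 installed package(s) found.
"""


def parse_installed(text: str) -> dict:
    """Map installed package name -> version; the version follows the last '-'."""
    installed = {}
    for line in text.splitlines():
        if line.strip():
            name, _, version = line.strip().rpartition("-")
            installed[name] = version
    return installed


def parse_pkg_audit(text: str) -> set:
    """Package names (without version) that `pkg audit` reported as vulnerable."""
    flagged = re.findall(r"^(\S+) is vulnerable:", text, flags=re.MULTILINE)
    return {pkgver.rpartition("-")[0] for pkgver in flagged}


def version_key(version: str) -> tuple:
    """Comparable key for dotted versions; drops a port revision (_N) or epoch (,N)."""
    base = re.sub(r"[_,].*$", "", version)
    return tuple(int(p) if p.isdigit() else 0 for p in base.split("."))


def port_package_name(pypi_name: str, flavor: str = "py39") -> str:
    """Assumed PyPI -> FreeBSD package mapping; real ports occasionally differ,
    so a missing key means 'unknown', not 'not installed'."""
    return f"{flavor}-{pypi_name.lower()}"


def reconcile(pip_audit_json: str, installed_text: str, audit_text: str,
              flavor: str = "py39") -> list:
    """One record per pip-audit vulnerability, annotated with what pkg knows."""
    installed = parse_installed(installed_text)
    flagged = parse_pkg_audit(audit_text)
    findings = []
    for dep in json.loads(pip_audit_json)["dependencies"]:
        pkgname = port_package_name(dep["name"], flavor)
        pkg_version: Optional[str] = installed.get(pkgname)
        for vuln in dep.get("vulns", []):
            fixes = sorted(vuln.get("fix_versions", []), key=version_key)
            first_fix = fixes[0] if fixes else None
            findings.append({
                "pypi": dep["name"],
                "pkg": pkgname,
                "pkg_installed": pkg_version,
                "vuln_id": vuln["id"],
                "reported_by_pkg_audit": pkgname in flagged,
                "fix_version": first_fix,
                # An upgrade only helps if a fixed release exists and is newer
                # than the version pkg has installed.
                "upgrade_fixes": bool(first_fix and pkg_version and
                                      version_key(first_fix) > version_key(pkg_version)),
            })
    return findings


def gaps(findings: list) -> list:
    """Findings on packages pkg knows about that `pkg audit` did not report."""
    return [f for f in findings if f["pkg_installed"] and not f["reported_by_pkg_audit"]]


if __name__ == "__main__":
    for f in gaps(reconcile(PIP_AUDIT_JSON, PKG_INSTALLED, PKG_AUDIT_OUTPUT)):
        fix = f"upgrade to {f['fix_version']}" if f["upgrade_fixes"] else "no fixed release yet"
        print(f"{f['pkg']}-{f['pkg_installed']}: {f['vuln_id']} not in pkg audit; {fix}")
```

Run against live data by substituting `pip-audit -f json`, `pkg query '%n-%v'` and `pkg audit` output for the three constants; a non-empty `gaps()` list is the set of findings that a pkg-only workflow would miss, and `upgrade_fixes` answers the feature request for the packages where a fixed PyPI release exists.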


