Date: Sat, 10 Dec 2022 11:44:41 +0000
From: bugzilla-noreply@freebsd.org
To: pkg@FreeBSD.org
Subject: [Bug 268296] ports-mgmt/pkg: pip-audit regularly shows vulnerabilities not reported by pkg audit
Message-ID: <bug-268296-32340@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=268296

            Bug ID: 268296
           Summary: ports-mgmt/pkg: pip-audit regularly shows vulnerabilities not reported by pkg audit
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: Individual Port(s)
          Assignee: pkg@FreeBSD.org
          Reporter: phil.budne@gmail.com
          Assignee: pkg@FreeBSD.org
             Flags: maintainer-feedback?(pkg@FreeBSD.org)

Not exactly a bug in "pkg" itself, and not a base system security issue:

I installed pip-audit from PyPI, at first inside a virtual env so that I would be notified when issues were found, then I decided to try it outside the venv.

Also: It would be a feature if pkg audit could report whether or not a pkg upgrade is available that fixes a reported vulnerability.

mail% pkg audit
python39-3.9.15_1 is vulnerable:
  Python -- multiple vulnerabilities
  WWW: https://vuxml.FreeBSD.org/freebsd/050eba46-7638-11ed-820d-080027d3a315.html

1 problem(s) in 1 installed package(s) found.
mail% pip-audit
Found 5 known vulnerabilities in 3 packages
Name    Version   ID                  Fix Versions
------- --------- ------------------- ------------
certifi 2022.9.24 GHSA-43fp-rhv2-5gv8 2022.12.7
pillow  9.2.0     PYSEC-2022-42980    9.3.0
pillow  9.2.0     OSV-2022-715
pillow  9.2.0     OSV-2022-1074
py      1.11.0    PYSEC-2022-42969
Name    Skip Reason
------- ----------------------------------------------------------------------
sqlite3 Dependency not found on PyPI and could not be audited: sqlite3 (0.0.0)
tkinter Dependency not found on PyPI and could not be audited: tkinter (0.0.0)
mail% pkg vers | egrep 'py39-(certifi|pillow|py)-'
py39-certifi-2022.9.24             =
py39-pillow-9.2.0                  =
py39-py-1.11.0                     =
mail% pkg vers | grep pkg
pkg-1.18.4                         =
mail% pkg vers | grep -v =
mail% uname -a
FreeBSD x.y.z 13.1-RELEASE-p3 FreeBSD 13.1-RELEASE-p3 GENERIC amd64

-- 
You are receiving this mail because:
You are the assignee for the bug.
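The manual cross-check the reporter does above (pip-audit findings against `pkg vers` for the matching py39- ports, plus the wish for pkg audit to say whether a fixed version exists) can be scripted. This is an added example, not code from the bug report, pkg or pip-audit; it assumes the JSON shape of `pip-audit -f json` and the output of `pkg query '%n-%v'`, and both inputs are constructed samples mirroring a subset of the findings above.

```python
"""Cross-reference pip-audit findings with pkg-installed Python ports.
Added example, not code from the bug report, pkg or pip-audit. Assumes the
shape of ``pip-audit -f json`` ("dependencies" -> name/version/vulns with
id/fix_versions) and the output of ``pkg query '%n-%v'``; inputs are constructed."""
import json
import re

# Constructed sample in the assumed pip-audit JSON shape (subset of the report's findings).
PIP_AUDIT_JSON = json.dumps({"dependencies": [
    {"name": "certifi", "version": "2022.9.24", "vulns": [
        {"id": "GHSA-43fp-rhv2-5gv8", "fix_versions": ["2022.12.7"]}]},
    {"name": "pillow", "version": "9.2.0", "vulns": [
        {"id": "PYSEC-2022-42980", "fix_versions": ["9.3.0"]},
        {"id": "OSV-2022-715", "fix_versions": []}]},
    {"name": "py", "version": "1.11.0", "vulns": [
        {"id": "PYSEC-2022-42969", "fix_versions": []}]}]})

# Constructed sample of ``pkg query '%n-%v'`` output (py39- ports only).
PKG_QUERY = "py39-certifi-2022.9.24\npy39-pillow-9.2.0\npy39-py-1.11.0\n"

def version_key(v):
    """Dotted/underscored version -> comparable tuple; non-numeric parts sort low."""
    return tuple(int(p) if p.isdigit() else -1 for p in re.split(r"[._]", v))

def parse_pkg_query(text, prefix="py39-"):
    """Map lower-cased PyPI name -> (pkg name, installed version) for prefix ports."""
    pkgs = {}
    for line in text.splitlines():
        # pkg names are NAME-VERSION; the version is everything after the last '-'
        m = re.match(rf"^({re.escape(prefix)}(.+))-([^-]+)$", line.strip())
        if m:
            pkgs[m.group(2).lower()] = (m.group(1), m.group(3))
    return pkgs

def correlate(pip_json, pkg_text, prefix="py39-"):
    """One (pkg, installed, vuln id, status) row per pip-audit finding that maps to
    an installed pkg; status is 'fix-available:<ver>' or 'no-fix' (nothing upstream yet)."""
    pkgs = parse_pkg_query(pkg_text, prefix)
    rows = []
    for dep in json.loads(pip_json)["dependencies"]:
        hit = pkgs.get(dep["name"].lower())
        if hit is None:
            continue  # not pkg-managed (e.g. installed into a venv), so outside pkg audit's scope
        pkg, installed = hit
        for vuln in dep["vulns"]:
            fixes = [f for f in vuln["fix_versions"] if version_key(f) > version_key(installed)]
            status = f"fix-available:{min(fixes, key=version_key)}" if fixes else "no-fix"
            rows.append((pkg, installed, vuln["id"], status))
    return rows

if __name__ == "__main__":
    for row in correlate(PIP_AUDIT_JSON, PKG_QUERY):
        print(*row)
```

A "fix-available" row is a port whose upstream has already shipped a fix, which is exactly the case where a VuXML entry (and hence a pkg audit hit) would be expected but is missing.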