Date: Fri, 13 Oct 2017 09:25:09 +0200 From: Torsten Zuehlsdorff <tz@FreeBSD.org> To: Steve Wills <swills@FreeBSD.org>, Jan Beich <jbeich@FreeBSD.org> Cc: Matthew Seaman <matthew@FreeBSD.org>, ale@Freebsd.org, freebsd-ports@freebsd.org Subject: Re: New pkg audit FNs Message-ID: <55596295-86d7-0068-4fff-e2c4f79366a1@FreeBSD.org> In-Reply-To: <c75df693-11a2-e583-d0ba-713df1351623@FreeBSD.org> References: <nycvar.OFS.7.76.1710090833020.60492@eboyr.pbz> <b63f2936-e922-4a90-f256-6d7870dbd55b@FreeBSD.org> <tvz8-rrf3-wny@FreeBSD.org> <d56ddf99-a1fc-e813-67ed-ea6d65c8211f@FreeBSD.org> <o9pg-ouk5-wny@FreeBSD.org> <c75df693-11a2-e583-d0ba-713df1351623@FreeBSD.org>
next in thread | previous in thread | raw e-mail | index | archive | help
Aloha, >> Why not >> teach pkg-audit(8) to query NVD based on CPE annotations in *binary* >> packages? >> Doing so would also provide a workaround for VuXML entries cancelled >> to reduce bloat. > > I agree, pkg-audit needs to be taught to do that. Along those lines, we > could create a port for cvechecker: > > https://github.com/sjvermeu/cvechecker > > But both solutions only handle installed packages. > > We would still need something to alert us to CVEs in non-installed > software, I think. > > Also, I've just looked and it seems only a little over 1000 ports have > CPE strings. Adding something to portlint that warned ports developers > to add any needed CPE info would be helpful. I think that type of > warning has helped us improve LICENSE entries. One more thought on this topic: a cvececker isn't enough. Looking at security updates of piwik, gitlab, phpmailer and many more: most of the security issues fixed never got an CVE entry. But of course any of the issues could be exploited in one or another way. But i think cvechecker is a step in the right direction. pkg audit is incredible helpful even with its current restrictions! Greetings, Torsten
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?55596295-86d7-0068-4fff-e2c4f79366a1>