From owner-freebsd-ports@freebsd.org Fri Oct 13 10:04:55 2017 Return-Path: Delivered-To: freebsd-ports@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id C74A2E43554 for ; Fri, 13 Oct 2017 10:04:55 +0000 (UTC) (envelope-from se@freebsd.org) Received: from mailout07.t-online.de (mailout07.t-online.de [194.25.134.83]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mailout00.t-online.de", Issuer "TeleSec ServerPass DE-2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 84259819AD for ; Fri, 13 Oct 2017 10:04:55 +0000 (UTC) (envelope-from se@freebsd.org) Received: from fwd12.aul.t-online.de (fwd12.aul.t-online.de [172.20.26.241]) by mailout07.t-online.de (Postfix) with SMTP id 4D7F04279149 for ; Fri, 13 Oct 2017 12:04:47 +0200 (CEST) Received: from Stefans-MBP-2.fritz.box (XRjpjYZlghrpSLWpb2aIpgTVGWZUSGlhUXaETmFrzedbxMXd04+orkdoc4LcCXmwWU@[87.151.210.245]) by fwd12.t-online.de with (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384 encrypted) esmtp id 1e2wpi-2WKqw40; Fri, 13 Oct 2017 12:04:46 +0200 Subject: new port security/cvechecker To: freebsd-ports@freebsd.org References: <55596295-86d7-0068-4fff-e2c4f79366a1@FreeBSD.org> From: Stefan Esser Message-ID: <31d9d296-dc03-b7e7-d1f8-deeedf813ce1@freebsd.org> Date: Fri, 13 Oct 2017 12:04:45 +0200 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:52.0) Gecko/20100101 Thunderbird/52.4.0 MIME-Version: 1.0 In-Reply-To: <55596295-86d7-0068-4fff-e2c4f79366a1@FreeBSD.org> Content-Type: text/plain; charset=windows-1252 Content-Language: en-GB Content-Transfer-Encoding: 7bit X-ID: XRjpjYZlghrpSLWpb2aIpgTVGWZUSGlhUXaETmFrzedbxMXd04+orkdoc4LcCXmwWU X-TOI-MSGID: bee9cc51-0c00-4af0-96df-8b27226dc495 X-BeenThere: freebsd-ports@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: Porting software to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 13 Oct 2017 10:04:55 -0000 Am 13.10.17 um 09:25 schrieb Torsten Zuehlsdorff: > Aloha, > >>> Why not >>> teach pkg-audit(8) to query NVD based on CPE annotations in *binary* >>> packages? >>> Doing so would also provide a workaround for VuXML entries cancelled >>> to reduce bloat. >> >> I agree, pkg-audit needs to be taught to do that. Along those lines, >> we could create a port for cvechecker: >> >> https://github.com/sjvermeu/cvechecker >> >> But both solutions only handle installed packages. >> >> We would still need something to alert us to CVEs in non-installed >> software, I think. >> >> Also, I've just looked and it seems only a little over 1000 ports have >> CPE strings. Adding something to portlint that warned ports developers >> to add any needed CPE info would be helpful. I think that type of >> warning has helped us improve LICENSE entries. > > One more thought on this topic: a cvececker isn't enough. Looking at > security updates of piwik, gitlab, phpmailer and many more: most of the > security issues fixed never got an CVE entry. But of course any of the > issues could be exploited in one or another way. > > But i think cvechecker is a step in the right direction. pkg audit is > incredible helpful even with its current restrictions! Well, and now cvechecker is in ports :) Please let me know about any problems with the port. Regards, STefan