Date:      Tue, 4 Apr 2023 10:58:42 +0100
From:      void <void@f-m.fm>
To:        Hubert Tournier <hubert.tournier@gmail.com>
Cc:        FreeBSD-security@freebsd.org
Subject:   Re: 45 vulnerable ports unreported in VuXML
Message-ID:  <ZCv00k-jL__tYYWG@int21h>
In-Reply-To: <CADr%2Bmw8KzSyoVFKkFG7REAA8c9yC27cmdTt7P%2BnEN5Gg7Yeo_A@mail.gmail.com>
References:  <CADr%2Bmw-oh0txuXXoMptYOXBj1uwWNdeAESX6aE_iZxheFgY8gw@mail.gmail.com> <CADr%2Bmw8KzSyoVFKkFG7REAA8c9yC27cmdTt7P%2BnEN5Gg7Yeo_A@mail.gmail.com>

On Sun, Mar 26, 2023 at 12:16:53PM +0200, Hubert Tournier wrote:
>Hello,
>
>While working on pipinfo <https://github.com/HubTou/pipinfo>, an
>alternative Python packages management tool, I noticed that some Python
>packages installed as FreeBSD ports were marked as vulnerable by the Python
>Packaging Authority
><https://warehouse.pypa.io/api-reference/json.html#known-vulnerabilities>,
>but not in FreeBSD VuXML <https://www.vuxml.org/freebsd/index.html>, the ports
>security database.
>
>So I made a pysec2vuxml <https://github.com/HubTou/pysec2vuxml> tool to
>check the 4.000+ FreeBSD ports for Python packages and found 45 of them
>vulnerable and unreported
><https://github.com/HubTou/pysec2vuxml/blob/main/results.txt>.
>
>I started producing new VuXML entries
><https://github.com/HubTou/pysec2vuxml/blob/main/vuxml_newentries.txt> for
>these vulnerable ports. *Please tell me if it's worth pursuing this effort?*
>
>In order to verify if these vulnerable ports were also marked as
>vulnerable in FreeBSD VuXML, I made a Python VuXML handling library and got
>carried away writing a whole utility, vuxml
><https://github.com/HubTou/vuxml>, to demonstrate its use. This could be of
>general interest to some of you?
>
>Best regards,
>
>PS: this approach could be extended to Rust crates, Ruby gems and so on
>with the vulnerabilities described in the OSV <https://osv.dev/>...

+1 ^^^ really good idea

Probably best to ask in freebsd-hackers@ as devs are likely to 
read this there
-- 
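The cross-check Hubert describes (PyPI's per-release "vulnerabilities" list versus the ports' VuXML database) can be reproduced offline in a few dozen lines. The script below is an added example, not code from pipinfo, pysec2vuxml or the vuxml library; the VuXML excerpt, the PyPI-style JSON responses, the port names (py39-examplepkg and friends) and the CVE/PYSEC identifiers are all constructed placeholders, and the version ordering is a simplification of pkg_version(8) rules. It indexes VuXML entries by port name, treats an advisory as already reported when one of its CVE aliases appears under that port or the installed version falls below an existing `<lt>` bound, and emits a skeleton `<vuln>` element for anything left over, which is the part a submitter would then have to complete by hand.

```python
"""Cross-check PyPI advisories against a VuXML database (offline, constructed data).

The live sources would be https://pypi.org/pypi/<project>/<version>/json
("vulnerabilities" key) and the ports tree's vuln.xml; samples stand in here.
Ports carry a pyNN- prefix in front of the PyPI project name.
"""
import json
import re
import xml.etree.ElementTree as ET

VUXML_NS = {"v": "http://www.vuxml.org/apps/vuxml-1"}

# Constructed VuXML excerpt: one entry, hypothetical package and CVE id.
SAMPLE_VUXML = """<?xml version="1.0"?>
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="00000000-0000-0000-0000-000000000001">
    <topic>py-examplepkg -- hypothetical flaw</topic>
    <affects>
      <package>
        <name>py38-examplepkg</name>
        <name>py39-examplepkg</name>
        <range><lt>2.0.1</lt></range>
      </package>
    </affects>
    <references>
      <cvename>CVE-0000-00001</cvename>
    </references>
  </vuln>
</vuxml>
"""

# Constructed stand-ins for PyPI JSON API responses, keyed by installed port.
SAMPLE_PYPI = {
    ("py39-examplepkg", "2.0.0"): json.loads('''{"vulnerabilities": [
        {"id": "PYSEC-0000-00001", "aliases": ["CVE-0000-00001"],
         "fixed_in": ["2.0.1"], "withdrawn": null}]}'''),
    ("py39-otherpkg", "1.4.2"): json.loads('''{"vulnerabilities": [
        {"id": "PYSEC-0000-00002", "aliases": ["CVE-0000-00002"],
         "fixed_in": ["1.4.3"], "withdrawn": null}]}'''),
    ("py39-cleanpkg", "3.1.0"): json.loads('{"vulnerabilities": []}'),
}


def version_key(version):
    """Simplified ordering on numeric dotted components; real port versions
    follow pkg_version(8), which also handles suffixes this ignores."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def parse_vuxml(xml_text):
    """Index VuXML: port name -> list of (vid, upper bounds, set of CVE names)."""
    index = {}
    root = ET.fromstring(xml_text)
    for vuln in root.findall("v:vuln", VUXML_NS):
        vid = vuln.get("vid")
        cves = {c.text for c in vuln.findall("v:references/v:cvename", VUXML_NS)}
        for pkg in vuln.findall("v:affects/v:package", VUXML_NS):
            bounds = [lt.text for lt in pkg.findall("v:range/v:lt", VUXML_NS)]
            for name in pkg.findall("v:name", VUXML_NS):
                index.setdefault(name.text, []).append((vid, bounds, cves))
    return index


def vuxml_covers(index, port, version, cve_aliases):
    """True when VuXML already reports this advisory (CVE alias match) or
    already flags the installed version of the port as vulnerable."""
    for _vid, bounds, cves in index.get(port, []):
        if cves & set(cve_aliases):
            return True
        if any(version_key(version) < version_key(b) for b in bounds):
            return True
    return False


def find_unreported(pypi_responses, vuxml_index):
    """[(port, version, advisory id)] for live PyPI advisories VuXML lacks."""
    missing = []
    for (port, version), response in pypi_responses.items():
        for adv in response.get("vulnerabilities", []):
            if adv.get("withdrawn"):
                continue  # PyPI keeps withdrawn advisories; they are not findings
            if not vuxml_covers(vuxml_index, port, version, adv.get("aliases", [])):
                missing.append((port, version, adv["id"]))
    return missing


def draft_vuxml_entry(port, adv, vid="VID-PLACEHOLDER"):
    """Skeleton <vuln> for an unreported advisory; the submitter still has to
    supply a uuidgen(1) vid, the <dates> block and a proper <description>."""
    vuln = ET.Element("vuln", vid=vid)
    ET.SubElement(vuln, "topic").text = f"{port} -- {adv['id']}"
    package = ET.SubElement(ET.SubElement(vuln, "affects"), "package")
    ET.SubElement(package, "name").text = port
    rng = ET.SubElement(package, "range")
    for fixed in adv.get("fixed_in") or []:
        ET.SubElement(rng, "lt").text = fixed
    refs = ET.SubElement(vuln, "references")
    for alias in adv.get("aliases", []):
        if alias.startswith("CVE-"):
            ET.SubElement(refs, "cvename").text = alias
    return ET.tostring(vuln, encoding="unicode")


if __name__ == "__main__":
    index = parse_vuxml(SAMPLE_VUXML)
    for port, version, adv_id in find_unreported(SAMPLE_PYPI, index):
        print(f"{port}-{version}: {adv_id} not in VuXML")
```

Matching on CVE aliases rather than only on port name and version is what keeps the comparison honest: a port may already be flagged in VuXML for a different issue, and an advisory can cover several flavors (py38-, py39-) that VuXML lists as separate `<name>` elements, which the index handles by recording each name.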