How to audit installed packages against known vulnerabilities the most possible effective way?

T-Daemon

Daemon

Reaction score: 726
Messages: 1,529

Recently it came to my attention that a port/package (*) is not listed as vulnerable in the freshports.org vulneribility information page, using VuXML:


The same vuxml file [ 1 ] [ 2 ] is used by pkg audit. That would mean pkg audit won't always display known vulnerable ports/packages. How can the detection against known vulnerabilities be improved? In ports is security/cvechecker. Does someone use it, if yes can you tell about your experience with it? Or can you suggest other ports, methods to audit vulnerabilities of installed packages?

[ 1 ] https://www.vuxml.org/freebsd/
[ 2 ] https://vuxml.freebsd.org/freebsd/

(*) The port/package in question is security/vault from Thread 76557 , version 1.4.1. Vault is not listed in the VuXML file, but it has two vulnerabilities in version 1.4.1 ( see 1.4.2 for CVE ). At the time of this writing in quarterly repository a package of version 1.4.1 is available ( it has been upgraded by swills@ to 1.5.0, already build as package for next quarterly repository update).

The severity of one of the vulnerabilities is marked by NIST NVD as "HIGH", the other as "CRITICAL".
 
OP
T

T-Daemon

Daemon

Reaction score: 726
Messages: 1,529

If you find something that's not in VuXML yet, please let ports-secteam@FreeBSD.org know so it can be updated.

Thanks for the hint. I will if I discover one again. On this one, security/vault (version 1.4.1), I stumbled by accident because of Thread 76557, swills@ joined that thread, and upgraded after request on quarterly on the same day .

But the question here is which sources can be queried to audit installed packages and all ports in general. suntzu00 mentioned some ports I will check on later, and security/cvechecker. It's obvious trusting a single source ( VuXML ) is not enough.

That question should be interesting for port maintainer as well. swills@ for example maintains 225 ports, if the numbers are correct. How can someone keep track of known security vulnerabilities of that much maintained ports?

Here are some numbers of other port maintainers with high maintained port numbers ( I'm not sure if sunpoet@ or some of the others listed are a person or multiple persons but I recognise most of the names as individual person ).
Code:
3390     sunpoet@FreeBSD.org
1335     yuri@FreeBSD.org
867     miwi@FreeBSD.org
571     bofh@FreeBSD.org
444     kuriyama@FreeBSD.org
380     amdmi3@FreeBSD.org
360     horde@FreeBSD.org
269     hrs@FreeBSD.org
265     ehaupt@FreeBSD.org
260     tota@FreeBSD.org
256     koobs@FreeBSD.org
250     dbaio@FreeBSD.org
247     acm@FreeBSD.org
244     wen@FreeBSD.org
225     swills@FreeBSD.org
207     tz@FreeBSD.org
207     danfe@FreeBSD.org
171     kai@FreeBSD.org
169     tobik@FreeBSD.org
164     jbeich@FreeBSD.org
164     antoine@FreeBSD.org
158     madpilot@FreeBSD.org
146     erlang@FreeBSD.org
143     mfechner@FreeBSD.org
141     culot@FreeBSD.org
139     skreuzer@FreeBSD.org
138     nivit@FreeBSD.org
129     danilo@FreeBSD.org
121     joneum@FreeBSD.org
115     rm@FreeBSD.org
115     olgeni@FreeBSD.org
106     zope@FreeBSD.org
106     thierry@FreeBSD.org
103     wg@FreeBSD.org
102     demon@FreeBSD.org
101     stephen@FreeBSD.org
101     0mp@FreeBSD.org
 

eternal_noob

Well-Known Member

Reaction score: 192
Messages: 355

Hi,
How can someone keep track of known security vulnerabilities of that much maintained ports?
this is a very good question. I think a single person should only be allowed to maintain 10 ports maximum (number can be discussed) because it's really hard to keep up with security updates otherwise.
 

Emrion

Aspiring Daemon

Reaction score: 176
Messages: 616

Hi,

this is a very good question. I think a single person should only be allowed to maintain 10 ports maximum (number can be discussed) because it's really hard to keep up with security updates otherwise.
Good idea! Then, you have to find several hundred new maintainers. :rolleyes:
Or leave more ports without maintainers...
 

eternal_noob

Well-Known Member

Reaction score: 192
Messages: 355

I prefer unmaintained ports to "maintained ports" which don't receive security updates because the maintainer is overstrained.
This is basically the same, with the exception that you know you won't get security updates.
 

sidetone

Daemon

Reaction score: 719
Messages: 1,566

I wish they had groups for maintainers, rather than requiring no more than a single maintainer account for every port.

Perhaps allow a group of maintainers for each category, plus an additional maintainer or another group for each port.
 

Emrion

Aspiring Daemon

Reaction score: 176
Messages: 616

I prefer unmaintained ports to "maintained ports" which don't receive security updates because the maintainer is overstrained.
This is basically the same, with the exception that you know you won't get security updates.
Are you serious? :oops:
 

eternal_noob

Well-Known Member

Reaction score: 192
Messages: 355

Well, perhaps it's better to have a maintainer because in the worst case you can contact him and ask for an update.
I wasn't thinking when writing my previous post. I apologize.
 
Top