Recently it came to my attention that a port/package (*) is not listed as vulnerable in the freshports.org vulnerability information page (FreshPorts - VuXML, www.freshports.org), which uses VuXML.
The same vuxml file [1] [2] is used by pkg audit. That would mean pkg audit won't always display known vulnerable ports/packages. How can the detection against known vulnerabilities be improved? In ports there is security/cvechecker. Does someone use it? If yes, can you tell about your experience with it? Or can you suggest other ports or methods to audit vulnerabilities of installed packages?

[1] https://www.vuxml.org/freebsd/
[2] https://vuxml.freebsd.org/freebsd/

(*) The port/package in question is security/vault from Thread 76557, version 1.4.1. Vault is not listed in the VuXML file, but it has two vulnerabilities in version 1.4.1 (see 1.4.2 for CVE). At the time of this writing, a package of version 1.4.1 is available in the quarterly repository (it has been upgraded by swills@ to 1.5.0, already built as a package for the next quarterly repository update).
The severity of one of the vulnerabilities is marked by NIST NVD as "HIGH", the other as "CRITICAL".
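To make the point of the post concrete: pkg audit can only flag what has a VuXML entry, so a package with no entry is not "clean", it is simply unchecked. The following is an added example written for this page (not code from the post, from FreeBSD pkg or from the vuxml project). It parses a VuXML document, matches an installed-package list against the `<affects>` ranges the way pkg audit does, and separately lists installed packages that have no entry at all. The VuXML snippet and the installed-package list are constructed: `examplepkg`, `examplepkg-devel`, the all-zero `vid` and the ranges are placeholders, not a real advisory, and the version comparison is a simplified approximation of pkg's rules (dotted numeric versions, `_N` port revision, `,N` epoch).

```python
"""Toy VuXML matcher in the spirit of `pkg audit` (added example; not code
from the forum post, FreeBSD pkg or the vuxml project).

Reports (a) installed packages whose version falls in an affected range and
(b) installed packages with no VuXML entry at all, the silent case from the post.
"""
import xml.etree.ElementTree as ET

NS = {"v": "http://www.vuxml.org/apps/vuxml-1"}

# Constructed sample document: placeholder package names and an all-zero vid,
# not a real advisory. There is deliberately no entry for "vault".
SAMPLE_VUXML = """<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="00000000-0000-0000-0000-000000000000">
    <topic>examplepkg -- placeholder issue (constructed for this example)</topic>
    <affects>
      <package>
        <name>examplepkg</name>
        <name>examplepkg-devel</name>
        <range><lt>1.4.2</lt></range>
        <range><ge>2.0.0</ge><lt>2.0.3</lt></range>
      </package>
    </affects>
    <description><body xmlns="http://www.w3.org/1999/xhtml"><p>constructed</p></body></description>
    <references><url>https://example.invalid/advisory</url></references>
    <dates><discovery>2020-01-01</discovery><entry>2020-01-02</entry></dates>
  </vuln>
</vuxml>
"""


def version_key(version):
    """Sortable key for 'A.B.C[_rev][,epoch]'. Simplified approximation of
    pkg's version rules (assumption: non-numeric parts compare as strings)."""
    epoch = revision = 0
    if "," in version:
        version, e = version.rsplit(",", 1)
        epoch = int(e)
    if "_" in version:
        version, r = version.rsplit("_", 1)
        revision = int(r)
    parts = tuple((0, int(p)) if p.isdigit() else (1, p) for p in version.split("."))
    return (epoch, parts, revision)


def compare_versions(a, b):
    """Return -1, 0 or 1 (a < b, a == b, a > b)."""
    ka, kb = version_key(a), version_key(b)
    return (ka > kb) - (ka < kb)


_OPS = {"lt": lambda c: c < 0, "le": lambda c: c <= 0, "gt": lambda c: c > 0,
        "ge": lambda c: c >= 0, "eq": lambda c: c == 0}


def range_matches(range_el, version):
    """A <range> matches when every bound in it (lt/le/gt/ge/eq) holds."""
    for bound in range_el:
        tag = bound.tag.rsplit("}", 1)[-1]  # strip the XML namespace
        if tag not in _OPS:
            raise ValueError(f"unknown range bound <{tag}>")
        if not _OPS[tag](compare_versions(version, bound.text.strip())):
            return False
    return True


def _active_vulns(vuxml_text):
    root = ET.fromstring(vuxml_text)
    for vuln in root.findall("v:vuln", NS):
        if vuln.find("v:cancelled", NS) is None:  # skip withdrawn entries
            yield vuln


def audit(vuxml_text, installed):
    """{name: [vid, ...]} for installed packages (name -> version) in an affected range."""
    findings = {}
    for vuln in _active_vulns(vuxml_text):
        for pkg in vuln.findall("v:affects/v:package", NS):
            ranges = pkg.findall("v:range", NS)
            for name_el in pkg.findall("v:name", NS):
                name = name_el.text.strip()
                version = installed.get(name)
                if version is not None and any(range_matches(r, version) for r in ranges):
                    findings.setdefault(name, []).append(vuln.get("vid"))
    return findings


def unaudited(vuxml_text, installed):
    """Installed packages with no VuXML entry: pkg audit says nothing about them."""
    covered = {n.text.strip() for v in _active_vulns(vuxml_text)
               for n in v.findall("v:affects/v:package/v:name", NS)}
    return sorted(set(installed) - covered)


if __name__ == "__main__":
    # Constructed installed list, the shape `pkg query '%n %v'` would give.
    installed = {"examplepkg": "1.4.1", "examplepkg-devel": "2.0.2_1", "vault": "1.4.1"}
    for name, vids in sorted(audit(SAMPLE_VUXML, installed).items()):
        print(f"{name}-{installed[name]} is vulnerable: {', '.join(vids)}")
    for name in unaudited(SAMPLE_VUXML, installed):
        print(f"{name}-{installed[name]}: no VuXML entry, unchecked rather than clean")
```

Run against the constructed data, `vault-1.4.1` produces no finding even though the post says it is vulnerable, because nothing in the file mentions it; the `unaudited` list is the check that makes that gap visible instead of silent. Any real tool (cvechecker, a CPE/NVD lookup) has the same structural limit: it can only report what its data source knows about.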