Recently it came to my attention that a port/package (*) is not listed as vulnerable on the freshports.org vulnerability information page, which uses VuXML:
The same vuxml file [ 1 ] [ 2 ] is used by pkg audit. That would mean pkg audit won't always display known vulnerable ports/packages. How can the detection against known vulnerabilities be improved? In ports there is security/cvechecker. Does someone use it? If yes, can you tell about your experience with it? Or can you suggest other ports or methods to audit vulnerabilities of installed packages?

[ 1 ] https://www.vuxml.org/freebsd/
[ 2 ] https://vuxml.freebsd.org/freebsd/

(*) The port/package in question is security/vault from Thread 76557 , version 1.4.1. Vault is not listed in the VuXML file, but it has two vulnerabilities in version 1.4.1 ( see 1.4.2 for CVE ). At the time of this writing a package of version 1.4.1 is available in the quarterly repository ( it has been upgraded by swills@ to 1.5.0, already built as a package for the next quarterly repository update ).
The severity of one of the vulnerabilities is marked by NIST NVD as "HIGH", the other as "CRITICAL".
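The following is an added example, not code from the post above and not part of pkg(8) or the FreeBSD VuXML project. It is a minimal VuXML matcher that makes the mechanism behind the observation concrete: pkg audit can only flag packages that have an entry in the VuXML file, so an installed vault-1.4.1 stays silent as long as no entry exists, and is reported as soon as one with a `<lt>1.4.2</lt>` range appears. Both VuXML fragments, the vid values, the topics and the vault range are constructed placeholders; the version comparison is a simplified form of the pkg(8) ordering (epoch, dotted numeric components, PORTREVISION) and is an assumption, not the real implementation.

```python
"""Minimal VuXML matcher (added illustration; not from the post, pkg(8) or VuXML).

Shows why pkg audit stays silent for a package with no VuXML entry and how
the same package is flagged once an entry exists. All XML below is constructed.
"""
import xml.etree.ElementTree as ET

NS = {"v": "http://www.vuxml.org/apps/vuxml-1"}

# Constructed: a VuXML file with no vault entry at all (the situation in the post).
VUXML_WITHOUT_VAULT = """<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="00000000-0000-4000-8000-000000000001">
    <topic>someport -- constructed placeholder entry</topic>
    <affects>
      <package>
        <name>someport</name>
        <range><lt>2.0</lt></range>
      </package>
    </affects>
  </vuln>
</vuxml>
"""

# Constructed: the same file plus a hypothetical vault entry for versions below 1.4.2.
VUXML_WITH_VAULT = VUXML_WITHOUT_VAULT.replace("</vuxml>", """  <vuln vid="00000000-0000-4000-8000-000000000002">
    <topic>vault -- constructed placeholder entry, fixed in 1.4.2</topic>
    <affects>
      <package>
        <name>vault</name>
        <range><lt>1.4.2</lt></range>
      </package>
    </affects>
  </vuln>
</vuxml>""")


def parse_version(v):
    """Simplified FreeBSD package version key: VERSION[_REVISION][,EPOCH].

    Assumption: compares epoch first, then dotted numeric components, then
    PORTREVISION. Real pkg(8) also handles letters, 'pl', alpha/beta suffixes.
    """
    epoch = 0
    if "," in v:
        v, e = v.split(",", 1)
        epoch = int(e)
    revision = 0
    if "_" in v:
        v, r = v.split("_", 1)
        revision = int(r)
    parts = tuple(int(p) if p.isdigit() else 0 for p in v.split("."))
    return (epoch, parts, revision)


# VuXML range bounds; all bounds inside one <range> must hold (AND),
# separate <range> elements on a package are alternatives (OR).
OPS = {
    "lt": lambda a, b: a < b,
    "le": lambda a, b: a <= b,
    "gt": lambda a, b: a > b,
    "ge": lambda a, b: a >= b,
    "eq": lambda a, b: a == b,
}


def version_in_range(version, range_el):
    """True if `version` satisfies every bound of one <range> element."""
    v = parse_version(version)
    for bound in range_el:
        tag = bound.tag.split("}", 1)[-1]  # strip the namespace
        if tag in OPS and not OPS[tag](v, parse_version(bound.text.strip())):
            return False
    return True


def audit(vuxml_text, installed):
    """Match installed {name: version} against VuXML; return (name, version, vid, topic)."""
    root = ET.fromstring(vuxml_text)
    findings = []
    for vuln in root.findall("v:vuln", NS):
        vid = vuln.get("vid")
        topic = vuln.findtext("v:topic", default="", namespaces=NS)
        for pkg in vuln.findall("v:affects/v:package", NS):
            for name_el in pkg.findall("v:name", NS):
                name = name_el.text.strip()
                if name not in installed:
                    continue  # no entry for this package: nothing to report
                ranges = pkg.findall("v:range", NS)
                if any(version_in_range(installed[name], r) for r in ranges):
                    findings.append((name, installed[name], vid, topic))
    return findings


if __name__ == "__main__":
    installed = {"vault": "1.4.1", "someport": "1.9"}
    print("without vault entry:", audit(VUXML_WITHOUT_VAULT, installed))
    print("with vault entry:   ", audit(VUXML_WITH_VAULT, installed))
```

The first call returns nothing for vault even though 1.4.1 is the vulnerable version named in the post; only the second, with the constructed entry present, reports it. For the real database, `pkg audit -F` fetches the current file and `pkg audit vault-1.4.1` queries a single name-version without it being installed, but both stay silent until an entry is committed to VuXML.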