maintainer-feedback requested: [Bug 268296] ports-mgmt/pkg: pip-audit regularly shows vulnerabilities not reported by pkg audit
Date: Sat, 10 Dec 2022 11:44:41 UTC
Bugzilla Automation <bugzilla@FreeBSD.org> has asked freebsd-pkg (Nobody) <pkg@FreeBSD.org> for maintainer-feedback: Bug 268296: ports-mgmt/pkg: pip-audit regularly shows vulnerabilities not reported by pkg audit https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=268296 --- Description --- Not exactly a bug in "pkg" itself, and not a base system security issue: I installed pip-audit from PyPI, at first inside a virtual env so that I would be notified when issues were found, then I decided to try it outside the venv. Also: It would be a feature if pkg audit could report whether or not a pkg upgrade is available that fixes a reported vulnerability. mail% pkg audit python39-3.9.15_1 is vulnerable: Python -- multiple vulnerabilities WWW: https://vuxml.FreeBSD.org/freebsd/050eba46-7638-11ed-820d-080027d3a315.html 1 problem(s) in 1 installed package(s) found. mail% pip-audit Found 5 known vulnerabilities in 3 packages Name Version ID Fix Versions ------- --------- ------------------- ------------ certifi 2022.9.24 GHSA-43fp-rhv2-5gv8 2022.12.7 pillow 9.2.0 PYSEC-2022-42980 9.3.0 pillow 9.2.0 OSV-2022-715 pillow 9.2.0 OSV-2022-1074 py 1.11.0 PYSEC-2022-42969 Name Skip Reason ------- ---------------------------------------------------------------------- sqlite3 Dependency not found on PyPI and could not be audited: sqlite3 (0.0.0) tkinter Dependency not found on PyPI and could not be audited: tkinter (0.0.0) mail% pkg vers | egrep 'py39-(certifi|pillow|py)-' py39-certifi-2022.9.24 = py39-pillow-9.2.0 = py39-py-1.11.0 = mail% pkg vers | grep pkg pkg-1.18.4 = mail% pkg vers | grep -v = mail% uname -a FreeBSD x.y.z 13.1-RELEASE-p3 FreeBSD 13.1-RELEASE-p3 GENERIC amd64