[Bug 268296] ports-mgmt/pkg: pip-audit regularly shows vulnerabilities not reported by pkg audit

Reply: bugzilla-noreply_a_freebsd.org: "maintainer-feedback requested: [Bug 268296] ports-mgmt/pkg: pip-audit regularly shows vulnerabilities not reported by pkg audit"
Reply: bugzilla-noreply_a_freebsd.org: "[Bug 268296] ports-mgmt/pkg: pip-audit regularly shows vulnerabilities not reported by pkg audit"
Reply: bugzilla-noreply_a_freebsd.org: "[Bug 268296] ports-mgmt/pkg: pip-audit regularly shows vulnerabilities not reported by pkg audit"
Go to: [ bottom of page ] [ top of archives ] [ this month ]

From: <bugzilla-noreply_at_freebsd.org>
Date: Sat, 10 Dec 2022 11:44:41 UTC

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=268296

            Bug ID: 268296
           Summary: ports-mgmt/pkg: pip-audit regularly shows
                    vulnerabilities not reported by pkg audit
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: Individual Port(s)
          Assignee: pkg@FreeBSD.org
          Reporter: phil.budne@gmail.com
          Assignee: pkg@FreeBSD.org
             Flags: maintainer-feedback?(pkg@FreeBSD.org)

Not exactly a bug in "pkg" itself, and not a base system security issue:
I installed pip-audit from PyPI, at first inside a virtual env so that
I would be notified when issues were found, then I decided to try it
outside the venv.

Also: It would be a feature if pkg audit could report whether or not a
pkg upgrade is available that fixes a reported vulnerability.


mail% pkg audit
python39-3.9.15_1 is vulnerable:
  Python -- multiple vulnerabilities
  WWW:
https://vuxml.FreeBSD.org/freebsd/050eba46-7638-11ed-820d-080027d3a315.html

1 problem(s) in 1 installed package(s) found.

mail% pip-audit 
Found 5 known vulnerabilities in 3 packages
Name    Version   ID                  Fix Versions
------- --------- ------------------- ------------
certifi 2022.9.24 GHSA-43fp-rhv2-5gv8 2022.12.7
pillow  9.2.0     PYSEC-2022-42980    9.3.0
pillow  9.2.0     OSV-2022-715
pillow  9.2.0     OSV-2022-1074
py      1.11.0    PYSEC-2022-42969
Name    Skip Reason
------- ----------------------------------------------------------------------
sqlite3 Dependency not found on PyPI and could not be audited: sqlite3 (0.0.0)
tkinter Dependency not found on PyPI and could not be audited: tkinter (0.0.0)
mail% pkg vers | egrep 'py39-(certifi|pillow|py)-'
py39-certifi-2022.9.24             =
py39-pillow-9.2.0                  =
py39-py-1.11.0                     =
mail% pkg vers | grep pkg
pkg-1.18.4                         =
mail% pkg vers | grep -v =
mail% uname -a
FreeBSD x.y.z 13.1-RELEASE-p3 FreeBSD 13.1-RELEASE-p3 GENERIC amd64

-- 
You are receiving this mail because:
You are the assignee for the bug.