[Bug 268296] ports-mgmt/pkg: pip-audit regularly shows vulnerabilities not reported by pkg audit

From: <bugzilla-noreply_at_freebsd.org>
Date: Mon, 30 Sep 2024 02:33:07 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=268296

Gene Watts <viyija2331@skrak.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |viyija2331@skrak.com

--- Comment #2 from Gene Watts <viyija2331@skrak.com> ---
Sounds like you're exploring the capabilities of pip-audit and the pkg command. 

Running pip-audit inside a virtual environment is a great way to check for
vulnerabilities in isolated projects. Running it outside the virtual
environment can also be useful for a system-wide check, but keep in mind that
it may report vulnerabilities in globally installed packages. The command you
ran with pkg vers confirms the current installed versions of certifi, pillow,
and py. It shows that you have the same vulnerable versions listed by
pip-audit.
https://cgit.freebsd.org/src/tree/sys/dev/virtio/virtqueue.c?h=releng/13.0#n605
https://slice-master.io

The messages about sqlite3 and tkinter indicate that they’re not available on
PyPI, which is expected since these are typically included with Python
distributions and aren’t standalone packages on PyPI.

-- 
You are receiving this mail because:
You are the assignee for the bug.
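The comment above contrasts a pip-audit run against what `pkg` knows is installed. The script below is an added example, not code from this bug report, from pip-audit or from ports-mgmt/pkg: it parses a constructed sample of `pip-audit -f json` output (the `dependencies`/`vulns` field names follow pip-audit's JSON format as I understand it and are an assumption) together with a constructed list of `pkg info`-style `name-version` lines, and sorts each finding into three buckets: packages pkg manages at the same version (where a gap points at VuXML coverage), packages pkg manages at a different version (a pip-installed copy shadowing the port), and packages pkg has never heard of (pip-only, which `pkg audit` cannot report). The `pyXY-` port prefix convention and the vulnerability ids are placeholders I constructed for the example.

```python
import json
import re

# Constructed sample of `pip-audit -f json` output. Schema (dependencies -> vulns
# with id / fix_versions / aliases) is an assumption about pip-audit's JSON
# format; the PYSEC-EXAMPLE-* ids are placeholders, not real advisories.
PIP_AUDIT_JSON = """
{
  "dependencies": [
    {"name": "certifi", "version": "2022.9.24",
     "vulns": [{"id": "PYSEC-EXAMPLE-1", "fix_versions": ["2022.12.7"],
                "aliases": [], "description": "constructed"}]},
    {"name": "Pillow", "version": "9.2.0",
     "vulns": [{"id": "PYSEC-EXAMPLE-2", "fix_versions": ["9.3.0"],
                "aliases": [], "description": "constructed"}]},
    {"name": "py", "version": "1.11.0",
     "vulns": [{"id": "PYSEC-EXAMPLE-3", "fix_versions": [],
                "aliases": [], "description": "constructed"}]},
    {"name": "requests", "version": "2.28.1", "vulns": []}
  ]
}
"""

# Constructed sample of `pkg info`-style lines (name-version). pkg has pillow at
# 9.3.0 here, so the 9.2.0 that pip-audit saw must be a pip-installed copy.
PKG_INFO_LINES = """
py39-certifi-2022.9.24
py39-pillow-9.3.0
py39-requests-2.28.1
python39-3.9.15
"""

# `pkg info` prints name-version; the version is the part after the last dash.
PKG_LINE_RE = re.compile(r"^(?P<name>.+)-(?P<version>[^-]+)$")
# Assumed port naming convention for Python modules: pyXY-<distribution>.
PY_PREFIX_RE = re.compile(r"^py\d+-")


def normalize(dist_name):
    """PyPI names are case-insensitive and treat '_' and '-' alike."""
    return dist_name.lower().replace("_", "-")


def parse_pkg_info(text):
    """Map normalized Python distribution name -> (pkg name, pkg version)."""
    installed = {}
    for line in text.strip().splitlines():
        m = PKG_LINE_RE.match(line.strip())
        if not m or not PY_PREFIX_RE.match(m.group("name")):
            continue  # skip non-Python ports and malformed lines
        dist = normalize(PY_PREFIX_RE.sub("", m.group("name")))
        installed[dist] = (m.group("name"), m.group("version"))
    return installed


def parse_pip_audit(text):
    """Flatten pip-audit JSON into one record per (package, vulnerability)."""
    findings = []
    for dep in json.loads(text).get("dependencies", []):
        for vuln in dep.get("vulns", []):
            findings.append({
                "name": normalize(dep["name"]),
                "version": dep["version"],
                "id": vuln["id"],
                "fix_versions": vuln.get("fix_versions", []),
            })
    return findings


def classify(findings, installed):
    """Bucket findings by whether pkg manages the package pip-audit examined."""
    result = {"pkg_managed": [], "version_mismatch": [], "pip_only": []}
    for f in findings:
        pkg = installed.get(f["name"])
        if pkg is None:
            result["pip_only"].append(f)  # pkg audit can never see this one
        elif pkg[1] != f["version"]:
            result["version_mismatch"].append(
                {**f, "pkg_name": pkg[0], "pkg_version": pkg[1]})
        else:
            result["pkg_managed"].append({**f, "pkg_name": pkg[0]})
    return result


def triage(pip_audit_json, pkg_info_text):
    return classify(parse_pip_audit(pip_audit_json), parse_pkg_info(pkg_info_text))


if __name__ == "__main__":
    report = triage(PIP_AUDIT_JSON, PKG_INFO_LINES)
    for bucket, items in report.items():
        print(f"== {bucket} ==")
        for f in items:
            extra = f" (pkg has {f['pkg_version']})" if "pkg_version" in f else ""
            print(f"  {f['name']} {f['version']} {f['id']}{extra}")
```

In real use, feed the script the output of `pip-audit -f json` and `pkg info` from the same host; the `pkg_managed` bucket is the one to compare against `pkg audit`, since anything in `pip_only` or `version_mismatch` is outside what pkg tracks and no VuXML entry will ever cover it.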