Re: 45 vulnerable ports unreported in VuXML
- In reply to: Hubert Tournier : "45 vulnerable ports unreported in VuXML"
Date: Sun, 26 Mar 2023 10:21:51 UTC
On Sun, Mar 26, 2023, 12:17 Hubert Tournier wrote:

> Hello,
>
> While working on pipinfo <https://github.com/HubTou/pipinfo>, an
> alternative Python packages management tool, I noticed that some Python
> packages installed as FreeBSD ports were marked as vulnerable by the Python
> Packaging Authority
> <https://warehouse.pypa.io/api-reference/json.html#known-vulnerabilities>
> but not in FreeBSD VuXML <https://www.vuxml.org/freebsd/index.html> ports
> security database.
>
> So I made a pysec2vuxml <https://github.com/HubTou/pysec2vuxml> tool to
> check the 4.000+ FreeBSD ports for Python packages and found 45 of them
> vulnerable and unreported
> <https://github.com/HubTou/pysec2vuxml/blob/main/results.txt>.
>
> I started producing new VuXML entries
> <https://github.com/HubTou/pysec2vuxml/blob/main/vuxml_newentries.txt>
> for these vulnerable ports. *Please tell me if it's worth pursuing this
> effort?*
>
> In order to verify if these vulnerable ports were also marked as
> vulnerable in FreeBSD VuXML, I made a Python VuXML handling library and got
> carried away writing a whole utility, vuxml
> <https://github.com/HubTou/vuxml>, to demonstrate its use. This could be
> of general interest to some of you?
>
> Best regards,
>
> PS: this approach could be extended to Rust crates, Ruby gems and so on
> with the vulnerabilities described in the OSV <https://osv.dev/>...

Sounds great and worth adding to the infra..? :-)

-- 
CeDeROM, SQ7MHZ, http://www.tomek.cedro.info
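As an added illustration of the comparison described in the quoted mail (this is example code written for this page, not Hubert's pysec2vuxml or vuxml tools): it parses the `vulnerabilities` array of the PyPI JSON API response and a VuXML fragment, then reports advisories whose CVE aliases no VuXML entry references. The package name, advisory IDs and the `vid` are constructed placeholders; the JSON field names and the VuXML element layout are the real ones.

```python
import json
import xml.etree.ElementTree as ET

# Constructed sample of the PyPI JSON API's "vulnerabilities" array
# (https://pypi.org/pypi/<project>/<version>/json). Field names follow the
# real API; the package name and advisory IDs are placeholders.
PYPI_JSON = json.dumps({
    "info": {"name": "examplepkg", "version": "1.2.0"},
    "vulnerabilities": [
        {"id": "PYSEC-0000-00001", "aliases": ["CVE-0000-00001"],
         "fixed_in": ["1.2.1"], "withdrawn": None},
        {"id": "PYSEC-0000-00002", "aliases": ["CVE-0000-00002"],
         "fixed_in": ["1.3.0"], "withdrawn": None},
    ],
})

# Constructed VuXML fragment in the vuln.xml layout (placeholder vid):
# one entry already covers the second advisory's CVE.
VUXML = """<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="00000000-0000-0000-0000-000000000000">
    <topic>py-examplepkg -- constructed example entry</topic>
    <affects><package><name>py39-examplepkg</name>
      <range><lt>1.3.0</lt></range></package></affects>
    <references><cvename>CVE-0000-00002</cvename></references>
  </vuln>
</vuxml>"""

NS = {"v": "http://www.vuxml.org/apps/vuxml-1"}

def vuxml_cves(vuxml_text):
    """Set of CVE names referenced by any <cvename> in a VuXML document."""
    root = ET.fromstring(vuxml_text)
    return {e.text.strip() for e in root.iterfind(".//v:cvename", NS)}

def unreported(pypi_json_text, vuxml_text):
    """Advisories from the PyPI response whose CVE aliases VuXML never cites.
    Returns (advisory id, CVE aliases, fixed_in) tuples; withdrawn advisories
    are skipped, and advisories with no CVE alias are flagged because they
    cannot be matched by name at all."""
    known = vuxml_cves(vuxml_text)
    missing = []
    for adv in json.loads(pypi_json_text).get("vulnerabilities", []):
        if adv.get("withdrawn"):
            continue
        cves = [a for a in adv.get("aliases", []) if a.startswith("CVE-")]
        if not any(c in known for c in cves):
            missing.append((adv["id"], cves, adv.get("fixed_in", [])))
    return missing
```

Matching on CVE names alone is deliberately conservative: an entry that cites only a GHSA or vendor URL would still be flagged, which errs toward a human looking at the port rather than silently assuming coverage.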