Date: Mon, 9 Oct 2017 18:03:09 -0400
From: Steve Wills <swills@FreeBSD.org>
To: Jan Beich <jbeich@FreeBSD.org>
Cc: Matthew Seaman <matthew@FreeBSD.org>, freebsd-ports@freebsd.org, ale@Freebsd.org
Subject: Re: New pkg audit FNs
Message-ID: <c75df693-11a2-e583-d0ba-713df1351623@FreeBSD.org>
In-Reply-To: <o9pg-ouk5-wny@FreeBSD.org>
References: <nycvar.OFS.7.76.1710090833020.60492@eboyr.pbz> <b63f2936-e922-4a90-f256-6d7870dbd55b@FreeBSD.org> <tvz8-rrf3-wny@FreeBSD.org> <d56ddf99-a1fc-e813-67ed-ea6d65c8211f@FreeBSD.org> <o9pg-ouk5-wny@FreeBSD.org>
Hi,

On 10/09/2017 17:55, Jan Beich wrote:
> Steve Wills <swills@FreeBSD.org> writes:
>
>> Hi,
>>
>> On 10/09/2017 16:34, Jan Beich wrote:
>>> Matthew Seaman <matthew@FreeBSD.org> writes:
>>>
>>>> On 09/10/2017 16:57, Roger Marquis wrote:
>>>>
>>>>> Can anyone say what mechanisms the ports-security team might have in
>>>>> place to monitor CVEs and port software versions?
>>
>> I've been hacking at a prototype for scanning what I can find:
>>
>> https://github.com/swills/nvd_to_new_vuxml
>
> Wouldn't that encourage copypasta, exacerbating filesize issue?

The VuXML data does need to be split up and all tools that process it need
to be taught to deal with multiple files.

> Why not
> teach pkg-audit(8) to query NVD based on CPE annotations in *binary* packages?
> Doing so would also provide a workaround for VuXML entries cancelled
> to reduce bloat.

I agree, pkg-audit needs to be taught to do that. Along those lines, we
could create a port for cvechecker:

https://github.com/sjvermeu/cvechecker

But both solutions only handle installed packages. We would still need
something to alert us to CVEs in non-installed software, I think.

Also, I've just looked and it seems only a little over 1000 ports have CPE
strings. Adding something to portlint that warned ports developers to add
any needed CPE info would be helpful. I think that type of warning has
helped us improve LICENSE entries.

Steve
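To make concrete what "pkg-audit querying NVD based on CPE annotations" would involve, here is an added prototype that is not part of the thread, pkg, or cvechecker: it reads the `cpe` package annotation from constructed `pkg query '%n-%v %At=%Av'` output and matches it against constructed entries shaped like NVD's `cpe_match` objects (the `CVE-EXAMPLE-*` ids are placeholders, and the version comparison is a simplified tuple compare, not pkg's own).

```python
"""Match installed packages' CPE annotations against NVD-style CPE match data.
Added example; sample data below is constructed, not real NVD or pkg output."""
import re

# Constructed lines in the shape of `pkg query '%n-%v %At=%Av'`; only the
# 'cpe' annotation (set by USES=cpe in the ports tree) is used here.
PKG_QUERY_OUTPUT = """\
curl-7.55.1 cpe=cpe:2.3:a:haxx:curl:7.55.1:::::freebsd11:x64
openssl-1.0.2l_1,1 cpe=cpe:2.3:a:openssl:openssl:1.0.2l:::::freebsd11:x64
pkg-1.10.1 repository=FreeBSD
"""

# Constructed entries in the shape of NVD JSON feed cpe_match objects.
NVD_MATCHES = [
    {"cve": "CVE-EXAMPLE-0001", "cpe23Uri": "cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:*",
     "versionStartIncluding": "7.20.0", "versionEndExcluding": "7.56.0"},
    {"cve": "CVE-EXAMPLE-0002", "cpe23Uri": "cpe:2.3:a:openssl:openssl:1.0.2m:*:*:*:*:*:*:*"},
]

def vkey(v):
    # "1.0.2l" -> [(0,1),(0,0),(0,2),(1,'l')]: numbers sort before letters,
    # and mixed tokens never raise a TypeError when compared.
    return [(0, int(t)) if t.isdigit() else (1, t) for t in re.findall(r"\d+|[A-Za-z]+", v)]

def cpe_fields(cpe):
    # cpe:2.3:part:vendor:product:version:...  (escaped colons not handled)
    f = cpe.split(":")
    return f[2], f[3], f[4], (f[5] if len(f) > 5 else "*")

def version_in_range(ver, m):
    v = vkey(ver)
    if m.get("versionStartIncluding") and v < vkey(m["versionStartIncluding"]): return False
    if m.get("versionStartExcluding") and v <= vkey(m["versionStartExcluding"]): return False
    if m.get("versionEndIncluding") and v > vkey(m["versionEndIncluding"]): return False
    if m.get("versionEndExcluding") and v >= vkey(m["versionEndExcluding"]): return False
    return True

def matches(pkg_cpe, m):
    p_part, p_vendor, p_product, p_ver = cpe_fields(pkg_cpe)
    m_part, m_vendor, m_product, m_ver = cpe_fields(m["cpe23Uri"])
    if (p_part, p_vendor, p_product) != (m_part, m_vendor, m_product):
        return False
    if m_ver in ("*", ""):           # wildcard version: apply the range bounds
        return version_in_range(p_ver, m)
    return vkey(p_ver) == vkey(m_ver)  # exact version match

def audit(pkg_query_output, nvd_matches):
    """Return (package, cve) pairs for every annotated package that matches."""
    findings = []
    for line in pkg_query_output.splitlines():
        name, _, annot = line.partition(" ")
        tag, _, value = annot.partition("=")
        if tag != "cpe":
            continue                   # packages without a CPE string are invisible here
        findings.extend((name, m["cve"]) for m in nvd_matches if matches(value, m))
    return findings
```

The `pkg-1.10.1` line never produces a finding, which is exactly the gap the message raises about ports lacking CPE strings.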