Aloha,

Why not
teach pkg-audit(8) to query NVD based on CPE annotations in *binary* packages?
Doing so would also provide a workaround for VuXML entries cancelled
to reduce bloat.

I agree, pkg-audit needs to be taught to do that. Along those lines, we could create a port for cvechecker:

https://github.com/sjvermeu/cvechecker

But both solutions only handle installed packages.

We would still need something to alert us to CVEs in non-installed software, I think.

Also, I've just looked and it seems only a little over 1000 ports have CPE strings. Adding something to portlint that warned ports developers to add any needed CPE info would be helpful. I think that type of warning has helped us improve LICENSE entries.

One more thought on this topic: a cvechecker isn't enough. Looking at security updates of piwik, gitlab, phpmailer and many more: most of the security issues fixed never got a CVE entry. But of course any of the issues could be exploited in one way or another.

But I think cvechecker is a step in the right direction. pkg audit is incredibly helpful even with its current restrictions!

Greetings,
Torsten
_______________________________________________
freebsd-ports@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to "freebsd-ports-unsubscr...@freebsd.org"
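The matching step the thread is asking pkg-audit(8) to learn (take the CPE annotation of an installed package and check it against NVD's CPE match strings and version bounds) is small enough to sketch. The following is an added example written for this page; it is not code from pkg(8), cvechecker or the FreeBSD ports tree. The installed packages, the CPE strings and the feed entries (including the CVE-0000-* identifiers) are constructed sample data, and the feed layout is a simplified stand-in for the versionStartIncluding/versionEndExcluding fields of the NVD JSON feed rather than a faithful copy of it.

```python
"""Match CPE 2.3 annotations on installed packages against an NVD-style feed.

Added illustration, not pkg-audit or cvechecker code. All package data,
CPE strings and vulnerability entries below are constructed samples.
"""
import re

# Constructed sample: one CPE 2.3 string per installed package, as a port's
# CPE_* variables would annotate the binary package (illustrative versions).
INSTALLED = {
    "phpmailer-6.0.0": "cpe:2.3:a:phpmailer_project:phpmailer:6.0.0:*:*:*:*:*:*:*",
    "gitlab-ce-10.0.1": "cpe:2.3:a:gitlab:gitlab:10.0.1:*:*:*:*:*:*:*",
    "piwik-3.2.0": "cpe:2.3:a:piwik:piwik:3.2.0:*:*:*:*:*:*:*",
}

# Constructed NVD-style entries: a CPE match string plus optional version
# bounds. The CVE-0000-* identifiers are placeholders, not real CVEs.
FEED = [
    {"id": "CVE-0000-0001",
     "cpe": "cpe:2.3:a:phpmailer_project:phpmailer:*:*:*:*:*:*:*:*",
     "versionEndExcluding": "6.0.2"},
    {"id": "CVE-0000-0002",
     "cpe": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*",
     "versionStartIncluding": "10.1.0", "versionEndExcluding": "10.1.3"},
    {"id": "CVE-0000-0003",
     "cpe": "cpe:2.3:a:piwik:piwik:3.2.0:*:*:*:*:*:*:*"},
]

CPE_FIELDS = ("cpe", "cpe_version", "part", "vendor", "product", "version",
              "update", "edition", "language", "sw_edition", "target_sw",
              "target_hw", "other")


def parse_cpe(s):
    """Split a CPE 2.3 formatted string into its 13 fields.

    Colons inside a component are escaped as '\\:' in CPE 2.3, so we split
    only on unescaped colons.
    """
    parts = re.split(r"(?<!\\):", s)
    if len(parts) != len(CPE_FIELDS) or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 string: {s!r}")
    return dict(zip(CPE_FIELDS, parts))


def version_key(v):
    """Sortable key for dotted versions: numeric parts compare as integers,
    anything else as text, so 1.10 sorts after 1.9. Package-specific schemes
    (epochs, PORTREVISION suffixes) are deliberately not modelled here."""
    return tuple((0, int(tok)) if tok.isdigit() else (1, tok)
                 for tok in re.split(r"[.\-_]", v))


def matches(entry, cpe):
    """Does a feed entry apply to the parsed CPE of an installed package?"""
    want = parse_cpe(entry["cpe"])
    # '*' in the feed's CPE means ANY; everything else must match exactly.
    for field in ("part", "vendor", "product"):
        if want[field] != "*" and want[field].lower() != cpe[field].lower():
            return False
    # An explicit version in the match string is an exact match; a wildcard
    # defers to the range fields beside it.
    if want["version"] != "*":
        return want["version"] == cpe["version"]
    v = version_key(cpe["version"])
    lo_inc = entry.get("versionStartIncluding")
    lo_exc = entry.get("versionStartExcluding")
    hi_inc = entry.get("versionEndIncluding")
    hi_exc = entry.get("versionEndExcluding")
    if lo_inc and v < version_key(lo_inc):
        return False
    if lo_exc and v <= version_key(lo_exc):
        return False
    if hi_inc and v > version_key(hi_inc):
        return False
    if hi_exc and v >= version_key(hi_exc):
        return False
    return True


def audit(installed, feed):
    """Map each package name to the feed IDs that apply to its CPE."""
    report = {}
    for pkg, cpe_str in installed.items():
        cpe = parse_cpe(cpe_str)
        report[pkg] = [e["id"] for e in feed if matches(e, cpe)]
    return report


if __name__ == "__main__":
    for pkg, ids in audit(INSTALLED, FEED).items():
        print(f"{pkg}: {', '.join(ids) if ids else 'no matching entries'}")
```

Note that this only covers the part of the problem cvechecker also covers: a package whose fix never received a CVE (the piwik/gitlab/phpmailer cases mentioned above) produces no feed entry and is therefore never reported, and a package without a CPE annotation is skipped entirely, which is why the portlint warning suggested in the thread matters.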