On 13.10.17 at 09:25, Torsten Zuehlsdorff wrote:
> Aloha,
>
>>> Why not teach pkg-audit(8) to query NVD based on CPE annotations in
>>> *binary* packages? Doing so would also provide a workaround for VuXML
>>> entries cancelled to reduce bloat.
>>
>> I agree, pkg-audit needs to be taught to do that. Along those lines,
>> we could create a port for cvechecker:
>>
>> https://github.com/sjvermeu/cvechecker
>>
>> But both solutions only handle installed packages.
>>
>> We would still need something to alert us to CVEs in non-installed
>> software, I think.
>>
>> Also, I've just looked and it seems only a little over 1000 ports have
>> CPE strings. Adding something to portlint that warned ports developers
>> to add any needed CPE info would be helpful. I think that type of
>> warning has helped us improve LICENSE entries.
>
> One more thought on this topic: a cvechecker isn't enough. Looking at
> security updates of piwik, gitlab, phpmailer and many more: most of the
> security issues fixed never got a CVE entry. But of course any of the
> issues could be exploited in one way or another.
>
> But I think cvechecker is a step in the right direction. pkg audit is
> incredibly helpful even with its current restrictions!
Well, and now cvechecker is in ports :) Please let me know about any
problems with the port.

Regards,
Stefan
_______________________________________________
freebsd-ports@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-ports
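The kind of CPE-based lookup the thread proposes (match each installed package's CPE annotation against an NVD-style vulnerable-version range, and flag packages that carry no CPE at all), as an added illustration that is not code from cvechecker, pkg-audit or the ports tree. The package listing, the product names, the vulnerability IDs and the feed layout are all constructed here; the feed keys are only loosely modelled on NVD's versionStartIncluding / versionEndExcluding fields, and real NVD data would have to be fetched and converted separately. It also shows the two gaps raised in the thread: a package with no CPE annotation is invisible to the check, and a fix that never received a CVE never appears in the feed.

```python
"""CPE-based package audit (added example; constructed data, assumed layouts)."""
import re

# CPE 2.3 formatted-string components after "cpe:2.3:", in order (NISTIR 7695).
CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other")


def split_cpe(cpe):
    """Split a CPE 2.3 formatted string on unescaped colons ("\\:" is literal)."""
    out, cur, i = [], [], 0
    while i < len(cpe):
        c = cpe[i]
        if c == "\\" and i + 1 < len(cpe):
            cur.append(cpe[i + 1])
            i += 2
            continue
        if c == ":":
            out.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    out.append("".join(cur))
    return out


def parse_cpe(cpe):
    """Return the 11 CPE components as a dict; reject anything that is not CPE 2.3."""
    fields = split_cpe(cpe)
    if len(fields) != 13 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    return dict(zip(CPE_FIELDS, fields[2:]))


def version_key(v):
    """Sort key for dotted versions: numeric parts as ints, the rest as strings."""
    return tuple((0, int(p)) if p.isdigit() else (1, p)
                 for p in re.split(r"[.\-_]", v))


def matches(pkg, rule):
    """True if the installed package CPE falls inside one vulnerable-range rule."""
    crit = rule["cpe"]
    for f in ("part", "vendor", "product"):
        if crit[f] != "*" and crit[f] != pkg[f]:
            return False
    v = pkg["version"]
    if crit["version"] not in ("*", v):      # criterion pins a single version
        return False
    vk = version_key(v)
    lo = rule.get("start_including")
    if lo and vk < version_key(lo):
        return False
    hi_ex = rule.get("end_excluding")
    if hi_ex and vk >= version_key(hi_ex):
        return False
    hi_in = rule.get("end_including")
    if hi_in and vk > version_key(hi_in):
        return False
    return True


def audit(annotations, feed):
    """Return (findings, unannotated): matched (package, id) pairs and packages
    that carry no CPE annotation and therefore cannot be checked at all."""
    findings, unannotated = [], []
    for pkg_name, cpe in annotations.items():
        if cpe is None:
            unannotated.append(pkg_name)
            continue
        p = parse_cpe(cpe)
        for entry in feed:
            if any(matches(p, rule) for rule in entry["rules"]):
                findings.append((pkg_name, entry["id"]))
    return findings, unannotated


# Constructed input: assumed to be what a `pkg query` listing of the "cpe"
# annotation would reduce to. Names and CPE strings are made up.
ANNOTATIONS = {
    "widget-1.2.3": "cpe:2.3:a:example:widget:1.2.3:*:*:*:*:*:*:*",
    "gadget-4.0.1": "cpe:2.3:a:example:gadget:4.0.1:*:*:*:*:*:*:*",
    "oldtool-0.9": None,   # port ships no CPE_* info: invisible to this check
}

# Constructed feed with placeholder IDs (not real CVEs), NVD-like ranges.
FEED = [
    {"id": "EXAMPLE-0001", "rules": [
        {"cpe": parse_cpe("cpe:2.3:a:example:widget:*:*:*:*:*:*:*:*"),
         "end_excluding": "1.2.4"}]},
    {"id": "EXAMPLE-0002", "rules": [
        {"cpe": parse_cpe("cpe:2.3:a:example:gadget:*:*:*:*:*:*:*:*"),
         "start_including": "4.1.0", "end_excluding": "4.2.0"}]},
]

if __name__ == "__main__":
    found, missing = audit(ANNOTATIONS, FEED)
    for pkg, vid in found:
        print(f"{pkg} is vulnerable: {vid}")
    for pkg in missing:
        print(f"{pkg}: no CPE annotation, not checked (add CPE_* to the port)")
```

The version comparison is deliberately simple (split on dots, dashes and underscores); real package versions with epochs, PORTREVISION suffixes or letter releases need the comparison rules of pkg(8) itself, which this example does not attempt to reproduce.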