# pkg audit



## fernandel (Jul 27, 2021)

Hi!

After switching from ports to packages, `pkg audit` doesn't show anything:

```
pkg audit
0 problem(s) in 0 installed package(s) found
```

Thank you.


----------



## hardworkingnewbie (Jul 27, 2021)

Well congrats to you, so you have no problems which should be the norm.


----------



## fernandel (Jul 27, 2021)

hardworkingnewbie said:


> Well congrats to you, so you have no problems which should be the norm.


I think that should be 0 problems in the number of installed packages.


----------



## SirDice (Jul 27, 2021)

What does `pkg version -vR` show? Does it still show a list of packages?


----------



## BjarneB (Jul 27, 2021)

fernandel said:


> I think that should be 0 problems in the number of installed packages.


Nah, on one of my systems I get:

```
root@ntp1:/var/log/chrony # pkg audit
libxml2-2.9.10_3 is vulnerable:
  libxml2 -- Possible denial of service
  CVE: CVE-2021-3541
  WWW: https://vuxml.FreeBSD.org/freebsd/524bd03a-bb75-11eb-bf35-080027f515ea.html

1 problem(s) in 1 installed package(s) found.
```

So it does not tell you how many packages you have installed, but how many packages have issues.


----------



## mer (Jul 27, 2021)

The final message is a summary, basically the sum of the number of problems found and the sum of the number of packages that were found to have problems.
Any single package can have more than one vulnerability.
But there could be a bug. I just ran it (I'm following quarterly): chromium and curl are both showing more than one CVE, both say "multiple vulnerabilities", but the summary says

```
2 problem(s) in 2 installed package(s) found.
```

For me, honestly, the number of packages, what packages and the list of CVEs is more important than having the summary line correct.

If yours say "0" then don't worry about it.
Don't forget that the daily security script runs `pkg audit`, so check root's email or the log file if you have periodic set to push to log files.


----------
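
A way to recount the findings yourself rather than relying on the summary line discussed above, as an added example that is not part of any post in this thread. It assumes the output layout quoted earlier (a `<pkg> is vulnerable:` header, then `CVE:` and `WWW:` lines); the function names, the `examplepkg` entry and its CVE ids are constructed placeholders.

```shell
#!/bin/sh
# Constructed sample. The libxml2 entry is the one quoted in the thread;
# "examplepkg", its CVE ids and its WWW link are placeholders.
sample_audit() {
cat <<'EOF'
libxml2-2.9.10_3 is vulnerable:
  libxml2 -- Possible denial of service
  CVE: CVE-2021-3541
  WWW: https://vuxml.FreeBSD.org/freebsd/524bd03a-bb75-11eb-bf35-080027f515ea.html

examplepkg-1.0 is vulnerable:
  examplepkg -- multiple vulnerabilities
  CVE: CVE-0000-0001
  CVE: CVE-0000-0002
  WWW: https://vuxml.FreeBSD.org/freebsd/00000000-0000-0000-0000-000000000000.html

2 problem(s) in 2 installed package(s) found.
EOF
}

# Reads `pkg audit` text on stdin and prints independent counts next to
# the numbers taken from the summary line, so a mismatch is visible.
audit_recount() {
  awk '
    $2 == "is" && $3 == "vulnerable:" { pkgs++; next }
    $1 == "CVE:"                      { cves++; next }
    $1 == "WWW:"                      { advisories++; next }
    $2 == "problem(s)" && $3 == "in"  { sp = $1; spk = $4 }
    END {
      printf "packages=%d advisories=%d cves=%d summary_problems=%d summary_packages=%d\n",
             pkgs, advisories, cves, sp, spk
    }'
}

# Prints "<package> <number of CVE ids>" per vulnerable package, in input order.
audit_cves_per_package() {
  awk '
    $2 == "is" && $3 == "vulnerable:" { pkg = $1; order[++n] = pkg; count[pkg] = 0; next }
    $1 == "CVE:" && pkg != ""         { count[pkg]++ }
    END { for (i = 1; i <= n; i++) print order[i], count[order[i]] }'
}

# On a FreeBSD host: pkg audit -F | audit_recount
sample_audit | audit_recount
sample_audit | audit_cves_per_package
```

On the constructed sample the summary reports 2 problems while three CVE ids are listed, which mirrors the chromium and curl case described above.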



## fernandel (Jul 27, 2021)

SirDice said:


> What does `pkg version -vR` show? Does it still show a list of packages?


Thank you, yes it shows and I understand now how it works.


----------



## sidetone (Jul 28, 2021)

I use `pkg audit -F` for it to check for updates. Then, it will show if there's a vulnerability, if one wasn't shown before with `pkg audit`.


----------

