# How to audit installed packages against known vulnerabilities in the most effective way possible?



## T-Daemon (Aug 16, 2020)

Recently it came to my attention that a port/package (*) is not listed as vulnerable on the freshports.org vulnerability information page, which uses VuXML:


The same VuXML file [ 1 ] [ 2 ] is used by `pkg audit`. That would mean `pkg audit` won't always display known vulnerable ports/packages. How can the detection of known vulnerabilities be improved? security/cvechecker is in ports. Does anyone use it? If yes, can you tell me about your experience with it? Or can you suggest other ports or methods to audit installed packages for vulnerabilities?

[ 1 ] https://www.vuxml.org/freebsd/
[ 2 ] https://vuxml.freebsd.org/freebsd/

(*) The port/package in question is security/vault from Thread 76557, version 1.4.1. Vault is not listed in the VuXML file, but it has two vulnerabilities in version 1.4.1 (see 1.4.2 for the CVEs). At the time of this writing a package of version 1.4.1 is available in the quarterly repository (it has been upgraded by *swills@* to 1.5.0, already built as a package for the next quarterly repository update).

The severity of one of the vulnerabilities is marked by NIST NVD as "HIGH", the other as "CRITICAL".
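To make the point of the post concrete, here is an added example (not code from the thread, and not `pkg audit` itself) that does a simplified version of what `pkg audit` does with the VuXML file: parse the `<vuln>`/`<affects>`/`<range>` entries and compare installed versions against them. It also consults a second, constructed advisory source so that a package absent from VuXML (here vault 1.4.1) is still flagged. The VuXML excerpt, the second source, the CVE reference and the package inventory are all constructed placeholders, and the version comparison is a simplified dotted-numeric compare rather than pkg's own version algorithm.

```python
# Added example: simplified `pkg audit`-style check against VuXML plus a second
# advisory source, so a package missing from VuXML (vault) is still reported.
import xml.etree.ElementTree as ET

NS = {"v": "http://www.vuxml.org/apps/vuxml-1"}

# Constructed VuXML excerpt; 'vault' is deliberately missing from it.
VUXML = """<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
 <vuln vid="00000000-0000-0000-0000-000000000001">
  <topic>exampled -- constructed entry</topic>
  <affects><package><name>exampled</name>
   <range><ge>2.0</ge><lt>2.3.1</lt></range></package></affects>
 </vuln>
</vuxml>"""

# Constructed second source (e.g. a CVE-dictionary lookup): (op, bound, reference).
OTHER_SOURCE = {"vault": [("lt", "1.4.2", "CVE-YYYY-PLACEHOLDER")]}
OPS = {"lt": lambda a, b: a < b, "le": lambda a, b: a <= b, "eq": lambda a, b: a == b,
       "gt": lambda a, b: a > b, "ge": lambda a, b: a >= b}

def vkey(version):
    """'1.4.1_2,1' -> (1, 4, 1): drop PORTREVISION/PORTEPOCH, compare numerically (simplified)."""
    main = version.split(",")[0].split("_")[0]
    return tuple(int(p) if p.isdigit() else 0 for p in main.split("."))

def in_range(version, bounds):
    """VuXML <range> semantics: every bound element inside one <range> must hold."""
    return all(OPS[op](vkey(version), vkey(bound)) for op, bound in bounds)

def vuxml_matches(xml_text, installed):
    """Return {pkg: [vid, ...]} for installed packages hit by a VuXML entry."""
    hits = {}
    for vuln in ET.fromstring(xml_text).findall("v:vuln", NS):
        for pkg in vuln.findall("v:affects/v:package", NS):
            name = pkg.findtext("v:name", namespaces=NS)
            if name not in installed:
                continue
            for rng in pkg.findall("v:range", NS):
                bounds = [(b.tag.split("}")[-1], b.text) for b in rng]
                if in_range(installed[name], bounds):
                    hits.setdefault(name, []).append(vuln.get("vid"))
    return hits

def audit(installed, xml_text=VUXML, other=OTHER_SOURCE):
    """Merge VuXML hits with the second source, recording which source flagged what."""
    report = {n: {"vuxml": v, "other": []} for n, v in vuxml_matches(xml_text, installed).items()}
    for name, entries in other.items():
        for op, bound, ref in entries:
            if name in installed and in_range(installed[name], [(op, bound)]):
                report.setdefault(name, {"vuxml": [], "other": []})["other"].append(ref)
    return report
```

Feed `audit()` a dict built from `pkg query '%n %v'` output; any entry whose `vuxml` list is empty but whose `other` list is not is exactly the gap the post describes, and a candidate to report to ports-secteam.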


----------



## suntzu00 (Aug 16, 2020)

security/vuls, security/go-cve-dictionary: have a look at these ports.


----------



## T-Daemon (Aug 16, 2020)

suntzu00 said:


> security/vuls, security/go-cve-dictionary: have a look at these ports.



Thanks. I'll check them out.


----------



## SirDice (Aug 16, 2020)

If you find something that's not in VuXML yet, please let ports-secteam@FreeBSD.org know so it can be updated.


----------



## T-Daemon (Aug 16, 2020)

SirDice said:


> If you find something that's not in VuXML yet, please let ports-secteam@FreeBSD.org know so it can be updated.



Thanks for the hint. I will if I discover one again. On this one, security/vault (version 1.4.1), I stumbled by accident because of Thread 76557; *swills@* joined that thread and, after a request, upgraded it on quarterly the same day.

But the question here is which sources can be queried to audit installed packages, and all ports in general. *suntzu00* mentioned some ports I will check on later, and there is security/cvechecker. It's obvious that trusting a single source (VuXML) is not enough.

That question should be interesting for port maintainers as well. *swills@*, for example, maintains 225 ports, if the numbers are correct. How can someone keep track of known security vulnerabilities in that many maintained ports?

Here are some numbers for other port maintainers with a high number of maintained ports (I'm not sure whether sunpoet@ or some of the others listed are one person or multiple persons, but I recognise most of the names as individual persons).

```
3390     sunpoet@FreeBSD.org
1335     yuri@FreeBSD.org
867     miwi@FreeBSD.org
571     bofh@FreeBSD.org
444     kuriyama@FreeBSD.org
380     amdmi3@FreeBSD.org
360     horde@FreeBSD.org
269     hrs@FreeBSD.org
265     ehaupt@FreeBSD.org
260     tota@FreeBSD.org
256     koobs@FreeBSD.org
250     dbaio@FreeBSD.org
247     acm@FreeBSD.org
244     wen@FreeBSD.org
225     swills@FreeBSD.org
207     tz@FreeBSD.org
207     danfe@FreeBSD.org
171     kai@FreeBSD.org
169     tobik@FreeBSD.org
164     jbeich@FreeBSD.org
164     antoine@FreeBSD.org
158     madpilot@FreeBSD.org
146     erlang@FreeBSD.org
143     mfechner@FreeBSD.org
141     culot@FreeBSD.org
139     skreuzer@FreeBSD.org
138     nivit@FreeBSD.org
129     danilo@FreeBSD.org
121     joneum@FreeBSD.org
115     rm@FreeBSD.org
115     olgeni@FreeBSD.org
106     zope@FreeBSD.org
106     thierry@FreeBSD.org
103     wg@FreeBSD.org
102     demon@FreeBSD.org
101     stephen@FreeBSD.org
101     0mp@FreeBSD.org
```


----------



## eternal_noob (Aug 16, 2020)

Hi,


T-Daemon said:


> How can someone keep track of known security vulnerabilities in that many maintained ports?


this is a very good question. I think a single person should only be allowed to maintain 10 ports maximum (number can be discussed) because it's really hard to keep up with security updates otherwise.


----------



## Emrion (Aug 16, 2020)

freebsd_noob said:


> Hi,
> 
> this is a very good question. I think a single person should only be allowed to maintain 10 ports maximum (number can be discussed) because it's really hard to keep up with security updates otherwise.


Good idea! Then, you have to find several hundred new maintainers.
Or leave more ports without maintainers...


----------



## eternal_noob (Aug 16, 2020)

I prefer unmaintained ports to "maintained ports" which don't receive security updates because the maintainer is overstrained.
This is basically the same, with the exception that you know you won't get security updates.


----------



## sidetone (Aug 16, 2020)

I wish they had groups for maintainers, rather than requiring no more than a single maintainer account for every port.

Perhaps allow a group of maintainers for each category, plus an additional maintainer or another group for each port.


----------



## Emrion (Aug 16, 2020)

freebsd_noob said:


> I prefer unmaintained ports to "maintained ports" which don't receive security updates because the maintainer is overstrained.
> This is basically the same, with the exception that you know you won't get security updates.


Are you serious?


----------



## eternal_noob (Aug 16, 2020)

Well, perhaps it's better to have a maintainer because in the worst case you can contact him and ask for an update.
I wasn't thinking when writing my previous post. I apologize.


----------



## r00ty (Jan 28, 2021)

Hey T-Daemon, so what did you end up going with?


----------

