# FreeBSD vulnerability scan



## French Fries (Aug 24, 2017)

Dear friends,

I switched only recently to FreeBSD from Debian GNU/Linux.

Is there an equivalent of debsecan for FreeBSD?

debsecan scans all installed packages and looks for vulnerabilities in the 
CVE database: http://www.cvedetails.com

Example:
```
debsecan --suite=sid
CVE-2017-11333 libvorbisfile3 (remotely exploitable, low urgency)
CVE-2017-11735 libvorbisfile3 (remotely exploitable, low urgency)
CVE-2016-10317 libgs9-common (remotely exploitable, medium urgency)
CVE-2017-11714 libgs9-common (remotely exploitable, medium urgency)
CVE-2017-9611 libgs9-common (remotely exploitable, medium urgency)
CVE-2017-9612 libgs9-common (remotely exploitable, medium urgency)
CVE-2017-9726 libgs9-common (remotely exploitable, medium urgency)
CVE-2017-9727 libgs9-common (remotely exploitable, medium urgency)
CVE-2017-9739 libgs9-common (remotely exploitable, medium urgency)
CVE-2017-9835 libgs9-common (remotely exploitable, medium urgency)
```

Any equivalent?

Kind regards,


----------



## SirDice (Aug 24, 2017)

pkg-audit(8).


----------



## French Fries (Aug 24, 2017)

Nice to see this is integrated into FreeBSD.

I love this option:

```
-r, --recursive
        Prints packages that depend on vulnerable packages and are thus
        potentially vulnerable as well.
```


----------



## SirDice (Aug 24, 2017)

It uses "our" own VuXML though, not exactly the same but the reported vulnerabilities are confirmed to be a problem on FreeBSD by the Security Team. So it's the best way to check for issues. One of the weekly security checks from periodic(8) also uses it. The only caveat is that this only checks ports/packages, not the base OS. This might change when pkgbase (using pkg(8) to update/upgrade the base OS) is finished though.

https://www.freebsd.org/doc/en/books/porters-handbook/security-notify.html
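To make the two points in this thread concrete (pkg-audit(8) matching installed packages against VuXML version ranges, and `-r` flagging packages that depend on a vulnerable one), here is an added Python model of that matching. It is not pkg's own code: the VuXML fragment, the installed-package list (the shape of `pkg query '%n %v'`) and the reverse-dependency map (the shape of `pkg query %rn`) are all constructed, the `vid` and CVE values are placeholders, and the version ordering is a simplified stand-in for pkg's real version-comparison rules.

```python
"""Toy model of pkg-audit(8): match installed packages against VuXML entries,
then (like `pkg audit -r`) flag packages that depend on a vulnerable package.
Added example, not pkg's code; all data below is constructed."""
import re
import xml.etree.ElementTree as ET

VUXML_NS = "{http://www.vuxml.org/apps/vuxml-1}"

# Constructed VuXML fragment; vid and CVE values are placeholders, not real entries.
SAMPLE_VUXML = """<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="00000000-0000-0000-0000-000000000001">
    <topic>libvorbis -- constructed example entry</topic>
    <affects><package><name>libvorbis</name>
      <range><lt>1.3.6,3</lt></range></package></affects>
    <references><cvename>CVE-XXXX-00001</cvename></references>
  </vuln>
  <vuln vid="00000000-0000-0000-0000-000000000002">
    <topic>ghostscript -- constructed example entry</topic>
    <affects><package><name>ghostscript9-agpl-base</name>
      <range><ge>9.0</ge><lt>9.22</lt></range></package></affects>
    <references><cvename>CVE-XXXX-00002</cvename></references>
  </vuln>
</vuxml>"""

# Constructed installed set (name -> version) and reverse dependencies
# (name -> packages that require it), i.e. what pkg query would report.
INSTALLED = {"libvorbis": "1.3.5_1,3", "ghostscript9-agpl-base": "9.21_4",
             "ffmpeg": "3.3.3,1", "mpv": "0.26.0_1", "cups-filters": "1.16.0"}
REVERSE_DEPS = {"libvorbis": {"ffmpeg"}, "ffmpeg": {"mpv"},
                "ghostscript9-agpl-base": {"cups-filters"}}


def _version_key(v):
    """Simplified stand-in for pkg's ordering: epoch (',N') first, then dotted
    components compared numerically, then port revision ('_N')."""
    epoch = rev = 0
    if "," in v:
        v, e = v.split(",", 1)
        epoch = int(e)
    if "_" in v:
        v, r = v.split("_", 1)
        rev = int(r)
    parts = []
    for p in v.split("."):
        m = re.match(r"(\d*)(.*)", p)
        parts.append((int(m.group(1)) if m.group(1) else -1, m.group(2)))
    return (epoch, parts, rev)


_OPS = {"lt": lambda a, b: a < b, "le": lambda a, b: a <= b, "eq": lambda a, b: a == b,
        "gt": lambda a, b: a > b, "ge": lambda a, b: a >= b}


def version_in_range(version, ranges):
    """ranges: list of <range> elements, each a list of (op, bound) pairs.
    Bounds inside one <range> are ANDed; separate <range>s are ORed."""
    key = _version_key(version)
    return any(all(_OPS[op](key, _version_key(b)) for op, b in rng) for rng in ranges)


def load_vuxml(text):
    """Parse VuXML into [{vid, topic, affects: {name: ranges}, cves}]."""
    entries = []
    for vuln in ET.fromstring(text).iter(VUXML_NS + "vuln"):
        affects = {}
        for pkg in vuln.iter(VUXML_NS + "package"):
            ranges = [[(c.tag[len(VUXML_NS):], c.text) for c in rng]
                      for rng in pkg.findall(VUXML_NS + "range")]
            for n in pkg.findall(VUXML_NS + "name"):
                affects.setdefault(n.text, []).extend(ranges)
        entries.append({"vid": vuln.get("vid"), "topic": vuln.findtext(VUXML_NS + "topic"),
                        "affects": affects,
                        "cves": [c.text for c in vuln.iter(VUXML_NS + "cvename")]})
    return entries


def audit(installed, entries):
    """Direct matches, like plain `pkg audit`: {pkgname: [vid, ...]}."""
    hits = {}
    for e in entries:
        for name, ranges in e["affects"].items():
            if name in installed and version_in_range(installed[name], ranges):
                hits.setdefault(name, []).append(e["vid"])
    return hits


def audit_recursive(installed, entries, reverse_deps):
    """Like `pkg audit -r`: also walk reverse dependencies transitively and
    return (direct hits, set of potentially vulnerable dependents)."""
    direct = audit(installed, entries)
    potential, stack = set(), list(direct)
    while stack:
        for dep in reverse_deps.get(stack.pop(), ()):
            if dep in installed and dep not in direct and dep not in potential:
                potential.add(dep)
                stack.append(dep)
    return direct, potential


if __name__ == "__main__":
    direct, potential = audit_recursive(INSTALLED, load_vuxml(SAMPLE_VUXML), REVERSE_DEPS)
    for name, vids in direct.items():
        print(f"{name}-{INSTALLED[name]} is vulnerable: {', '.join(vids)}")
    for name in sorted(potential):
        print(f"{name}-{INSTALLED[name]} depends on a vulnerable package")
```

Note the epoch in `1.3.5_1,3`: FreeBSD versions carry `_revision` and `,epoch` suffixes, and an audit tool that compares the raw strings instead of parsing them will mis-order such packages, which is exactly why the real pkg version rules (and this stand-in) treat epoch, version and revision as separate fields.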


----------

