# pkg audit / vuln.xml / no more updates for base system and kernel ??



## simplerezo (Jun 25, 2019)

Hi!

I'm using pkg audit to get a report about current "vulnerabilities" for ports and also for the FreeBSD base/kernel, using this special syntax:

```
pkg audit FreeBSD-11.2_2 && pkg audit FreeBSD-kernel-11.2_2
```

But it looks like vuln.xml has not been updated with FreeBSD SAs since 12.0p3/11.2p9:
https://www.vuxml.org/freebsd/pkg-FreeBSD.html
https://www.vuxml.org/freebsd/pkg-FreeBSD-kernel.html

Is it normal?


----------



## Quip (Sep 30, 2019)

No, this is not normal from my point of view and I am really pi**ed off about it.
I tried many times to discuss it on the freebsd-security@ mailing list - why SAs are not added automatically to the vuln.xml - without any reply.
Entries were mainly added by Mark Felder, who invented this https://blog.feld.me/posts/2016/08/monitoring-freebsd-base-system-vulnerabilities-with-pkg-audit/ but he is not Security Officer.
Then I created security/base-audit to ease the monitoring of vulnerabilities for users (it is a simple periodic script running daily). Now it is useless because there are no SA entries.
It seems like nobody from the FreeBSD officials cares about reporting vulnerabilities to users. I really don't know why. Are we really in 2019 without a tool and entries to automatically check and report vulnerabilities in the base system, if we have it for ports / packages?

Even though I created a patch for the latest missing SA entries and submitted a PR, nobody can commit it for a month https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=240322
It can be so simple to just commit it that I can't get why it was not done yet.


----------
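
Added example, not part of the thread and not the code of security/base-audit: a sketch of the daily base-system check discussed above, building the `FreeBSD-11.2_2`-style names for `pkg audit` from `freebsd-version` output. The function names, the `--run` switch and the version mapping (`-RELEASE-pN` becomes `_N`, plain `-RELEASE` gets no suffix, other branches are rejected) are assumptions.

```shell
#!/bin/sh
# Added example: build the pseudo-package names the thread passes to
# `pkg audit` (e.g. FreeBSD-11.2_2) from `freebsd-version` output.

# vuxml_name PREFIX VERSION
# Prints PREFIX-<release>[_<patchlevel>]. Returns 1 for anything that is not
# a RELEASE string (STABLE, CURRENT, malformed); that rule is an assumption.
vuxml_name() {
    prefix=$1
    version=$2
    case $version in
        *-RELEASE-p[0-9]*)
            rel=${version%%-RELEASE-p*}
            patch=${version##*-RELEASE-p}
            # Reject patch levels with non-digit characters.
            case $patch in *[!0-9]*) return 1 ;; esac
            printf '%s-%s_%s\n' "$prefix" "$rel" "$patch" ;;
        *-RELEASE)
            printf '%s-%s\n' "$prefix" "${version%-RELEASE}" ;;
        *)
            return 1 ;;
    esac
}

# audit_base [USERLAND_VERSION [KERNEL_VERSION]]
# Audits userland and kernel separately. Returns 0 if both are clean,
# 1 if pkg audit flags either one, 2 if a version cannot be mapped.
audit_base() {
    user_ver=${1:-$(freebsd-version -u)} || return 2
    kern_ver=${2:-$(freebsd-version -k)} || return 2
    user_pkg=$(vuxml_name FreeBSD "$user_ver") ||
        { echo "cannot map userland version: $user_ver" >&2; return 2; }
    kern_pkg=$(vuxml_name FreeBSD-kernel "$kern_ver") ||
        { echo "cannot map kernel version: $kern_ver" >&2; return 2; }
    rc=0
    # -F refreshes the local copy of vuln.xml before the first check.
    pkg audit -F "$user_pkg" || rc=1
    pkg audit "$kern_pkg" || rc=1
    return "$rc"
}

# Run the audit only when asked to, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then
    audit_base
fi
```

A clean result only means vuln.xml has no entry matching that patch level, so the check is only as good as the SA entries this thread is about.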



## dvl@ (Mar 6, 2020)

simplerezo said:

> Hi!
> 
> I'm using pkg audit to get a report about current "vulnerabilities" for ports and also for the FreeBSD base/kernel, using this special syntax:
> 
> ...

I see an update for 2020 at those URLs.


----------



## Quip (Mar 7, 2020)

The January entries were submitted by me.
The current NTP entry was added with the entries for the port version of ntp.


----------



## dvl@ (Mar 7, 2020)

Thank you. Please continue. Your work is helpful.


----------

