The latest entries to security/vuxml aren't synchronised with https://www.vuxml.org/freebsd/index.html anymore. The latest entry is from 2021-06-10. We fetch the bz2 provided there once internally and then use that as source for "pkg audit". Would be cool if this could be looked at :)
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=46119dd553f18833b20a76623029a24dd4948c58

commit 46119dd553f18833b20a76623029a24dd4948c58
Author:     Li-Wen Hsu <lwhsu@FreeBSD.org>
AuthorDate: 2021-06-24 10:30:56 +0000
Commit:     Li-Wen Hsu <lwhsu@FreeBSD.org>
CommitDate: 2021-06-24 10:30:56 +0000

    security/vuxml: Fix CVS name for vid e4cd0b38-c9f9-11eb-87e1-08002750c711

    This should fix vuxml.org build.

    PR: 256789

 security/vuxml/vuln-2021.xml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
https://www.vuxml.org/freebsd/ gets updated again. It would be good if we can check cvename entry format in `make validate` target.
Are you sure?

-r--r--r-- 1 root wheel 6806644 17 Sep 03:39 /var/db/pkg/vuln.xml

# pkg audit -F
vulnxml file up-to-date

This is a serious issue, isn't it? Some entries were added during the past few days.
Got the same problem. I did see that the CVE names for the apache vulnerability (882a38f9-17dd-11ec-b335-d4c9ef517024) are formatted wrong. They have "CVE-" twice in them.
(In reply to michael.glaus from comment #4) Fixed the double CVE- in vuxml in 21298e34e651
Mentioned issues have been fixed. Closing. Please reopen in case something was overlooked.
(In reply to Thomas Zander from comment #6) I kept this open as a reminder to improve `make validate` to prevent a broken vuxml file from stopping the vuxml.org update. Would it be better to create a new ticket for it?
(In reply to Li-Wen Hsu from comment #7) I think it would be better to have a dedicated tracking bug for improving make validate. This bug 256789 was quite specific for an instance of the problem which has been resolved.
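
The cvename format check suggested in the comments above, sketched as an added example; it is not the ports tree's `make validate` code. The sample document, its vids and CVE numbers are constructed placeholders, and `check_cvenames` is a hypothetical helper name.

```python
import re
import sys
import xml.etree.ElementTree as ET

# CVE ID syntax: "CVE-", four-digit year, "-", four or more digits.
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# Constructed sample (not from the real vuln-2021.xml); vids and CVE numbers are placeholders.
SAMPLE = """<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="00000000-0000-0000-0000-000000000001">
    <references><cvename>CVE-2099-0001</cvename></references>
  </vuln>
  <vuln vid="00000000-0000-0000-0000-000000000002">
    <references>
      <cvename>CVE-2099-0002</cvename>
      <cvename>CVE-CVE-2099-0003</cvename>
    </references>
  </vuln>
  <vuln vid="00000000-0000-0000-0000-000000000003">
    <references><cvename>cve-2099-0004</cvename></references>
  </vuln>
</vuxml>"""

def local(tag):
    """Strip an XML namespace prefix such as '{uri}cvename' down to 'cvename'."""
    return tag.rsplit("}", 1)[-1]

def check_cvenames(xml_text):
    """Return (vid, raw_text, reason) for every malformed <cvename> element."""
    problems = []
    for vuln in ET.fromstring(xml_text).iter():
        if local(vuln.tag) != "vuln":
            continue
        vid = vuln.get("vid", "<no vid>")
        for el in vuln.iter():
            raw = el.text or ""
            if local(el.tag) != "cvename" or CVE_RE.fullmatch(raw):
                continue
            # Name the doubled prefix explicitly: it is the defect reported in this thread.
            doubled = raw.upper().startswith("CVE-CVE-")
            problems.append((vid, raw, "doubled CVE- prefix" if doubled else "not CVE-YYYY-NNNN"))
    return problems

if __name__ == "__main__":
    found = check_cvenames(SAMPLE)
    for vid, raw, reason in found:
        print(f"{vid}: {raw!r}: {reason}")
    sys.exit(1 if found else 0)  # non-zero exit lets a validate step fail the build
```

The match is deliberately strict (no surrounding whitespace, upper-case prefix only), so anything a downstream consumer might reject is reported with the vid of the entry that contains it.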