Bug 256789

Summary: security/vuxml: vuxml.org/freebsd entries not up to date / synchronised
Product: Ports & Packages Reporter: Dani I. <i.dani>
Component: Individual Port(s)    Assignee: Ports Security Team <ports-secteam>
Status: Closed FIXED    
Severity: Affects Many People CC: brnrd, clusteradm, herbert, lwhsu, michael.glaus, mike.walker, riggs
Priority: --- Flags: riggs: maintainer-feedback+
Version: Latest   
Hardware: Any   
OS: Any   

Description Dani I. 2021-06-23 12:55:13 UTC
The latest entries to security/vuxml aren't synchronised with https://www.vuxml.org/freebsd/index.html anymore. The latest entry is from 2021-06-10. We fetch the bz2 provided there once internally and then use that as source for "pkg audit". Would be cool if this could be looked at :)
Comment 1 commit-hook freebsd_committer freebsd_triage 2021-06-24 10:31:13 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=46119dd553f18833b20a76623029a24dd4948c58

commit 46119dd553f18833b20a76623029a24dd4948c58
Author:     Li-Wen Hsu <lwhsu@FreeBSD.org>
AuthorDate: 2021-06-24 10:30:56 +0000
Commit:     Li-Wen Hsu <lwhsu@FreeBSD.org>
CommitDate: 2021-06-24 10:30:56 +0000

    security/vuxml: Fix CVE name for vid e4cd0b38-c9f9-11eb-87e1-08002750c711

    This should fix vuxml.org build.

    PR:             256789

 security/vuxml/vuln-2021.xml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
Comment 2 Li-Wen Hsu freebsd_committer freebsd_triage 2021-06-24 11:11:31 UTC
https://www.vuxml.org/freebsd/ is being updated again. It would be good if we could check the cvename entry format in the `make validate` target.
Comment 3 Herbert J. Skuhra 2021-09-26 09:27:02 UTC
Are you sure?

-r--r--r--  1 root  wheel  6806644 17 Sep 03:39 /var/db/pkg/vuln.xml

# pkg audit -F
vulnxml file up-to-date

This is a serious issue, isn't it? Some entries were added during the past few days.
Comment 4 Michael Glaus 2021-09-28 06:49:16 UTC
Got the same problem.

I did see that the CVE names for the apache vulnerability (882a38f9-17dd-11ec-b335-d4c9ef517024) are formatted wrong. They have "CVE-" twice in them.
Comment 5 Bernard Spil freebsd_committer freebsd_triage 2021-09-28 08:05:10 UTC
(In reply to michael.glaus from comment #4)

Fixed the double CVE- in vuxml in 21298e34e651
Comment 6 Thomas Zander freebsd_committer freebsd_triage 2021-10-22 14:42:55 UTC
Mentioned issues have been fixed. Closing.

Please reopen in case something was overlooked.
Comment 7 Li-Wen Hsu freebsd_committer freebsd_triage 2021-10-22 20:50:29 UTC
(In reply to Thomas Zander from comment #6)
I kept this open as a reminder to improve `make validate` to prevent a broken vuxml file from stopping the vuxml.org update. Would it be better to create a new ticket for it?
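The check suggested in comments 2 and 7, as an added example that is not the ports tree's own `make validate` target: it walks every `<cvename>` in a VuXML document and reports the ones that do not match the `CVE-YYYY-NNNN` shape, which would have caught the doubled "CVE-" prefix from comment 4. The sample document below is constructed (the vids and CVE numbers are placeholders), and the checker ignores XML namespaces so it does not depend on the exact namespace URI.

```python
"""Report malformed <cvename> entries in a VuXML document (added example)."""
import re
import xml.etree.ElementTree as ET

# A CVE identifier: "CVE-", a four-digit year, "-", four or more digits.
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")

def _local(tag):
    """Strip any XML namespace prefix ("{uri}name") from an element tag."""
    return tag.rsplit("}", 1)[-1]

def check_cvenames(xml_text):
    """Return a list of (vid, cvename) pairs whose cvename is malformed."""
    root = ET.fromstring(xml_text)
    bad = []
    for vuln in root.iter():
        if _local(vuln.tag) != "vuln":
            continue
        vid = vuln.get("vid", "<no vid>")
        for el in vuln.iter():
            if _local(el.tag) == "cvename":
                name = (el.text or "").strip()
                if not CVE_RE.match(name):
                    bad.append((vid, name))
    return bad

# Constructed sample: one well-formed entry, one with the doubled prefix
# and a lower-case variant. The namespace URI is assumed, not verified.
SAMPLE = """<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="00000000-0000-0000-0000-000000000001">
    <topic>good entry (constructed)</topic>
    <references><cvename>CVE-2021-12345</cvename></references>
  </vuln>
  <vuln vid="00000000-0000-0000-0000-000000000002">
    <topic>bad entry (constructed)</topic>
    <references>
      <cvename>CVE-CVE-2021-99999</cvename>
      <cvename>cve-2021-99998</cvename>
    </references>
  </vuln>
</vuxml>
"""

if __name__ == "__main__":
    problems = check_cvenames(SAMPLE)
    for vid, name in problems:
        print(f"{vid}: malformed cvename {name!r}")
    # Non-zero exit lets a validate target fail before the file is published.
    raise SystemExit(1 if problems else 0)
```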
Comment 8 Thomas Zander freebsd_committer freebsd_triage 2021-10-23 09:48:17 UTC
(In reply to Li-Wen Hsu from comment #7)

I think it would be better to have a dedicated tracking bug for improving make validate.

This bug 256789 was quite specific for an instance of the problem which has been resolved.