pkg audit reports many vulnerabilities which are configuration-dependent. It would be nice to have a local override file to silence warnings about vulnerabilities that the administrator has determined to be inapplicable or has applied a workaround for.

Fix: Probably add a new data file to read with a list of vuln IDs to acknowledge, and an option flag to pkg audit to show all vulns including those that were silenced.

How-To-Repeat: Run pkg audit on a 9.x system with openssh-portable-6.2.p2_5,1 installed. The vulnerability only applies when AES-GCM is in use, which the OpenSSL on 9.x does not support.
Responsible Changed From-To: freebsd-ports-bugs->portmgr Over to maintainer.
Sorry for the delay. I do like this idea, and if someone contributes it I'll be happy; unfortunately, for now I have no time to work on it.
Created attachment 174064: Patch to allow sysadmin to list vuxml entries to ignore. Attached is a simple patch to add back this functionality.
Thanks, I will look into it as soon as I find enough free time. I would prefer not to use the old portaudit.conf configuration file, but have this within the pkg config file through something like:

audit_ignore: [
  { name: "ruby" },                      # ignore all ruby vulns
  { name: "ruby", version: "1.2.4_7" }   # ignore ruby 1.2.4_7
]

That would allow some magical override like:

.include(glob=true) "/usr/local/etc/audit/*.conf"

where each ignore can be a single file (very helpful to populate via automation tools).
(In reply to Baptiste Daroussin from comment #4) However, it's really necessary to be able to ignore specific vulnids, not just all vulns for a package. If I've examined a disclosure and determined it doesn't present an issue (e.g., the current set of zone-transfer "vulns" issued against all authoritative nameserver implementations but which only affect the tiny fraction of operators who provide slave service for untrusted zones), I still need to find out about *other* vulns against the same package.
Yup, I forgot to mention we could do audit_ignore: [ { uuid: XXXXX } ] the same way.
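To make the three rule shapes discussed in this thread concrete (name only, name plus version, and uuid only), here is an added example, written for this page and not code from pkg or from the patch attached above. It parses an ignore list in the proposed shape from JSON (UCL, which pkg.conf uses, accepts JSON, so the same document would be valid there), applies it to a constructed set of findings, and keeps the silenced entries separate so a "show all" flag like the one requested in the original report can still print them. The package names, versions and uuid values below are constructed placeholders, not real VuXML ids.

```python
"""Filter pkg-audit-style findings through an audit_ignore list.

Added example; not pkg's own code. Rule semantics assumed from the thread:
  { name: X }              ignore every vulnerability for package X
  { name: X, version: V }  ignore vulnerabilities for X only at version V
  { uuid: U }              ignore VuXML entry U for every package
"""
import json
from dataclasses import dataclass

# Constructed ignore list in the proposed shape (JSON is valid UCL).
AUDIT_IGNORE_JSON = """
{ "audit_ignore": [
    { "uuid": "placeholder-uuid-ssh-gcm" },
    { "name": "ruby", "version": "1.2.4_7" },
    { "name": "bind99" }
] }
"""


@dataclass(frozen=True)
class Finding:
    pkg: str       # package name, e.g. "openssh-portable"
    version: str   # installed version, e.g. "6.2.p2_5,1"
    uuid: str      # VuXML entry id (placeholders in this example)
    summary: str


# Constructed sample findings; uuids are placeholders, not real VuXML ids.
FINDINGS = [
    Finding("openssh-portable", "6.2.p2_5,1", "placeholder-uuid-ssh-gcm", "AES-GCM issue"),
    Finding("openssh-portable", "6.2.p2_5,1", "placeholder-uuid-ssh-other", "other issue"),
    Finding("bind99", "9.9.4", "placeholder-uuid-bind-axfr", "zone transfer"),
    Finding("ruby", "1.2.4_7", "placeholder-uuid-ruby-a", "ruby issue A"),
    Finding("ruby", "2.0.0", "placeholder-uuid-ruby-b", "ruby issue B"),
]

ALLOWED_KEYS = {"name", "version", "uuid"}


def load_rules(text: str) -> list:
    """Parse the audit_ignore array and reject rules that would be unsafe:
    an empty rule matches everything, and a version without a name is
    ambiguous. Unknown keys are rejected rather than silently ignored."""
    rules = json.loads(text).get("audit_ignore", [])
    for rule in rules:
        keys = set(rule)
        if not keys:
            raise ValueError("empty audit_ignore rule would silence every vulnerability")
        if keys - ALLOWED_KEYS:
            raise ValueError(f"unknown keys in audit_ignore rule: {sorted(keys - ALLOWED_KEYS)}")
        if "version" in keys and "name" not in keys:
            raise ValueError("audit_ignore rule gives a version without a package name")
    return rules


def matches(rule: dict, f: Finding) -> bool:
    """A rule matches when every field it names equals the finding's field."""
    return all(
        rule[key] == getattr(f, attr)
        for key, attr in (("uuid", "uuid"), ("name", "pkg"), ("version", "version"))
        if key in rule
    )


def audit(findings, rules):
    """Split findings into (reported, silenced). Silenced entries are kept,
    not dropped, so a show-all mode can still display them."""
    reported, silenced = [], []
    for f in findings:
        (silenced if any(matches(r, f) for r in rules) else reported).append(f)
    return reported, silenced


def render(findings, rules, show_all=False) -> list:
    """Lines pkg audit might print; silenced entries appear only with show_all."""
    reported, silenced = audit(findings, rules)
    lines = [f"{f.pkg}-{f.version} is vulnerable: {f.summary} ({f.uuid})" for f in reported]
    if show_all:
        lines += [f"{f.pkg}-{f.version} [IGNORED]: {f.summary} ({f.uuid})" for f in silenced]
    return lines


if __name__ == "__main__":
    for line in render(FINDINGS, load_rules(AUDIT_IGNORE_JSON), show_all=True):
        print(line)
```

The uuid rule is what the comment above asks for: it silences exactly one VuXML entry for openssh-portable while the second finding against the same package is still reported, and the name-only rule for bind99 silences everything for that package.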
Is this still relevant?
Yes, it is still relevant.