Not exactly a bug in "pkg" itself, and not a base system security issue: I installed pip-audit from PyPI, at first inside a virtual env so that I would be notified when issues were found, then I decided to try it outside the venv. Also: It would be a feature if pkg audit could report whether or not a pkg upgrade is available that fixes a reported vulnerability. mail% pkg audit python39-3.9.15_1 is vulnerable: Python -- multiple vulnerabilities WWW: https://vuxml.FreeBSD.org/freebsd/050eba46-7638-11ed-820d-080027d3a315.html 1 problem(s) in 1 installed package(s) found. mail% pip-audit Found 5 known vulnerabilities in 3 packages Name Version ID Fix Versions ------- --------- ------------------- ------------ certifi 2022.9.24 GHSA-43fp-rhv2-5gv8 2022.12.7 pillow 9.2.0 PYSEC-2022-42980 9.3.0 pillow 9.2.0 OSV-2022-715 pillow 9.2.0 OSV-2022-1074 py 1.11.0 PYSEC-2022-42969 Name Skip Reason ------- ---------------------------------------------------------------------- sqlite3 Dependency not found on PyPI and could not be audited: sqlite3 (0.0.0) tkinter Dependency not found on PyPI and could not be audited: tkinter (0.0.0) mail% pkg vers | egrep 'py39-(certifi|pillow|py)-' py39-certifi-2022.9.24 = py39-pillow-9.2.0 = py39-py-1.11.0 = mail% pkg vers | grep pkg pkg-1.18.4 = mail% pkg vers | grep -v = mail% uname -a FreeBSD x.y.z 13.1-RELEASE-p3 FreeBSD 13.1-RELEASE-p3 GENERIC amd64
Brief ramble … <https://www.freshports.org/vuxml.php?package=python39> leads to various details, including a 2022-12-07 entry. Rewind to <https://www.freshports.org/lang/python39/>, the skull icon – not greyed out – indicates a vulnerability. <https://www.freshports.org/faq.php#vuxml> (In reply to Phil Budne from comment #0) > … if pkg audit could report whether or not a pkg upgrade is available > that fixes a reported vulnerability. … With FreshPorts able to distinguish between current and past vulnerabilities … yes, I wonder whether pkg-audit(8) can signal that a (reported) vulnerability is without a (ported) fix.