Bug 281269 - pkg-audit ignores VuXML reports if installed package has PORTEPOCH appended
Summary: pkg-audit ignores VuXML reports if installed package has PORTEPOCH appended
Status: New
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Many People
Assignee: Ports Security Team
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2024-09-04 15:12 UTC by Piotr Smyrak
Modified: 2024-09-14 08:49 UTC (History)

See Also:
bugzilla: maintainer-feedback? (joneum)


Description Piotr Smyrak 2024-09-04 15:12:13 UTC
Steps to reproduce:
1. pick a vulnerable port / package whose Makefile includes a PORTEPOCH and install it.
2. run pkg audit

Note, I spotted this on firefox, yet it might as well be reproduced on www/nginx, which is cheaper to build. Thus I believe that bug #281250 is a duplicate, or actually a symptom, of this description.

% uname -v
FreeBSD 13.4-STABLE stable/13-n258228-3a9010c98b3d GENERIC

% pkg --version
1.21.3

% pkg info firefox | head -1
firefox-128.0.3,2

% grep -A1 'name.firefox' /usr/ports/security/vuxml/vuln/2024.xml
        <name>firefox</name>
        <range><lt>129.0</lt></range>
--
        <name>firefox</name>
        <range><lt>129.0</lt></range>

% doas pkg audit -F
vulnxml file up-to-date
0 problem(s) in 0 installed package(s) found.
Comment 1 Baptiste Daroussin freebsd_committer freebsd_triage 2024-09-04 15:17:34 UTC
This is not a pkg bug; pkg does what is expected. The VuXML report should contain the PORTEPOCH.
Comment 2 Piotr Smyrak 2024-09-04 15:21:13 UTC
(In reply to Baptiste Daroussin from comment #1)
I am not sure how this should be treated. Yet from a practical point of view, it is kind of natural that VuXML reports might not have PORTEPOCHs, since CVEs are filed against upstream versions, not against versions from ports.
Comment 3 Baptiste Daroussin freebsd_committer freebsd_triage 2024-09-04 15:29:12 UTC
Note I have fixed the report. No, it is not natural to not report EPOCH or PORTREVISION, because VuXML is supposed to report CVEs that affect a given version of a port, and in ports land that means upstreamversion_portrevision,epoch.

Often the security patch ends up bumping the PORTREVISION, for example.
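The version rule described in comment 3, as an added Python example that is not pkg's or VuXML's own code: it assumes a simplified reimplementation of the pkg version comparison (epoch first, then upstream version, then PORTREVISION) and runs it over a constructed VuXML fragment with placeholder vids and the namespace omitted, so that an entry filed as `<lt>129.0</lt>` can be checked against the installed `firefox-128.0.3,2`.

```python
import re
from xml.etree import ElementTree as ET

# Simplified reimplementation of the FreeBSD package version rule
# "upstreamversion[_portrevision][,portepoch]" (an assumption of this example,
# not pkg's own comparison code): epoch is compared first, then the upstream
# version component by component, then the port revision.
_VERSION_RE = re.compile(r"^(?P<ver>[^_,]+)(?:_(?P<rev>\d+))?(?:,(?P<epoch>\d+))?$")

def parse_version(pkgver):
    """Turn '128.0.3,2' into a comparable (epoch, version tokens, revision) tuple."""
    m = _VERSION_RE.match(pkgver)
    if not m:
        raise ValueError(f"not a pkg version: {pkgver!r}")
    tokens = []
    for part in m.group("ver").split("."):
        # numeric pieces compare as integers, alphabetic suffixes as text
        for tok in re.findall(r"\d+|[A-Za-z]+", part):
            tokens.append((0, int(tok)) if tok.isdigit() else (1, tok))
    return (int(m.group("epoch") or 0), tuple(tokens), int(m.group("rev") or 0))

def is_affected(installed, lt_bound):
    """True when the installed version sorts below a VuXML <lt> bound."""
    return parse_version(installed) < parse_version(lt_bound)

def vulnerable_entries(vuxml_text, pkgname, installed):
    """Return the vids of entries whose <lt> range covers the installed version."""
    hits = []
    for vuln in ET.fromstring(vuxml_text).iter("vuln"):
        for pkg in vuln.iter("package"):
            if pkgname not in [n.text for n in pkg.findall("name")]:
                continue
            if any(is_affected(installed, lt.text) for lt in pkg.iter("lt")):
                hits.append(vuln.get("vid"))
    return hits

# Constructed VuXML fragment (placeholder vids, namespace omitted): the first
# entry is filed without the epoch, as in the report; the second carries it.
SAMPLE_VUXML = """<vuxml>
  <vuln vid="EXAMPLE-VID-NO-EPOCH"><affects><package>
    <name>firefox</name><range><lt>129.0</lt></range>
  </package></affects></vuln>
  <vuln vid="EXAMPLE-VID-WITH-EPOCH"><affects><package>
    <name>firefox</name><range><lt>129.0,2</lt></range>
  </package></affects></vuln>
</vuxml>"""

if __name__ == "__main__":
    # firefox-128.0.3,2 is only matched by the entry that states the epoch
    print(vulnerable_entries(SAMPLE_VUXML, "firefox", "128.0.3,2"))
```

Because the epoch is compared before the upstream version, `128.0.3,2` sorts above `129.0` (epoch 0), which is why the report without the epoch produces no audit hit.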
Comment 4 Piotr Smyrak 2024-09-07 09:37:51 UTC
So I now consider this report invalid, having reread the Handbook section on VuXML (12.3.2. A Short Introduction to VuXML). It clearly states that the epoch should be part of the version stated in the report.

Nevertheless, I do believe we still have an edge problem here, as in the 2023.xml listing alone I could identify a number of entries filed without port epochs for other ports. Note, I skipped removed ports in the list below.

addc71b8-6024-11ef-86a1-8c164567ca3c nginx
ERROR: Port: 3, VuXML report without EPOCH
--
7467c611-b490-11ee-b903-001fc69cd6dc mozilla
No such port.
--
c742dbe8-3704-11ef-9e6e-b42e991fc52e netatalk3
ERROR: Port: 1, VuXML report without EPOCH
--
320a19f7-1ddd-11ef-a2ae-8c164567ca3c nginx
ERROR: Port: 3, VuXML report without EPOCH
--
9bcff2c4-1779-11ef-b489-b42e991fc52e openfire
ERROR: Port: 1, VuXML report without EPOCH
--
57561cfc-f24b-11ee-9730-001fc69cd6dc xwayland
ERROR: Port: 1, VuXML report without EPOCH
--
0a48e552-e470-11ee-99b3-589cfc0f81b0 amavisd-new
ERROR: Port: 1, VuXML report without EPOCH
21a854cc-cac1-11ee-b7a7-353f1e043d9a dnsmasq
ERROR: Port: 1, VuXML report without EPOCH
21a854cc-cac1-11ee-b7a7-353f1e043d9a dnsmasq-devel
ERROR: Port: 5, VuXML report without EPOCH
cb22a9a6-c907-11ee-8d1c-40b034429ecf p5-Spreadsheet-ParseExcel
ERROR: Port: 1, VuXML report without EPOCH
--
7467c611-b490-11ee-b903-001fc69cd6dc xwayland
ERROR: Port: 1, VuXML report without EPOCH
Comment 5 Piotr Smyrak 2024-09-09 08:36:43 UTC
Actually the misnomer "mozilla" instead of "firefox" is in 5d7939f6-5989-11ef-9793-b42e991fc52e.
Comment 6 Piotr Smyrak 2024-09-14 08:49:48 UTC
So I find this ticket Invalid.