Steps to reproduce:
1. Pick a vulnerable port / package whose Makefile includes a PORTEPOCH and install it.
2. Run pkg audit.

Note, I have spotted this thanks to firefox, yet it might as well be reproduced on www/nginx, which is cheaper to build. Thus I believe that bug #281250 is a duplicate or actually a symptom of this description.

% uname -v
FreeBSD 13.4-STABLE stable/13-n258228-3a9010c98b3d GENERIC
% pkg --version
1.21.3
% pkg info firefox | head -1
firefox-128.0.3,2
% grep -A1 'name.firefox' /usr/ports/security/vuxml/vuln/2024.xml
<name>firefox</name>
<range><lt>129.0</lt></range>
--
<name>firefox</name>
<range><lt>129.0</lt></range>
% doas pkg audit -F
vulnxml file up-to-date
0 problem(s) in 0 installed package(s) found.
This is not a pkg bug; pkg does what is expected. The vuxml report should contain the portepoch.
(In reply to Baptiste Daroussin from comment #1) I am not sure how this should be treated. Yet from a practical point of view, it is kind of natural that VuXML reports might not have PORTEPOCHs, since CVEs are filed on upstream versions, not against versions from ports.
Note: I have fixed the report. No, it is not natural to not report EPOCH or PORTREVISION, because vuxml is supposed to report CVEs that affect a given version of a port, and in portland this means upstreamversion_portrevision,epoch. Often the security patch ends up bumping the portrevision, for example.
So I now consider this report invalid, having reread the Handbook section on VuXML (12.3.2. A Short Introduction to VuXML). It does clearly state that the epoch should be part of the version stated in the report. Nevertheless I do believe we still have an edge problem here, as on the 2023.xml listing alone I could identify a number of entries filed without port epochs for other ports. Note, I skipped removed ports in the list below.

addc71b8-6024-11ef-86a1-8c164567ca3c nginx ERROR: Port: 3, VuXML report without EPOCH
--
7467c611-b490-11ee-b903-001fc69cd6dc mozilla No such port.
--
c742dbe8-3704-11ef-9e6e-b42e991fc52e netatalk3 ERROR: Port: 1, VuXML report without EPOCH
--
320a19f7-1ddd-11ef-a2ae-8c164567ca3c nginx ERROR: Port: 3, VuXML report without EPOCH
--
9bcff2c4-1779-11ef-b489-b42e991fc52e openfire ERROR: Port: 1, VuXML report without EPOCH
--
57561cfc-f24b-11ee-9730-001fc69cd6dc xwayland ERROR: Port: 1, VuXML report without EPOCH
--
0a48e552-e470-11ee-99b3-589cfc0f81b0 amavisd-new ERROR: Port: 1, VuXML report without EPOCH
21a854cc-cac1-11ee-b7a7-353f1e043d9a dnsmasq ERROR: Port: 1, VuXML report without EPOCH
21a854cc-cac1-11ee-b7a7-353f1e043d9a dnsmasq-devel ERROR: Port: 5, VuXML report without EPOCH
cb22a9a6-c907-11ee-8d1c-40b034429ecf p5-Spreadsheet-ParseExcel ERROR: Port: 1, VuXML report without EPOCH
--
7467c611-b490-11ee-b903-001fc69cd6dc xwayland ERROR: Port: 1, VuXML report without EPOCH
Actually the misnomer "mozilla" instead of "firefox" is in 5d7939f6-5989-11ef-9793-b42e991fc52e.
So I find this ticket Invalid.
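
Added example, not part of the thread and not pkg's own code: a simplified model of the upstreamversion_portrevision,epoch ordering discussed above, showing why `<lt>129.0</lt>` does not match firefox-128.0.3,2, plus a lint that flags VuXML bounds written without an epoch. Assumptions: upstream versions are purely numeric, the sample XML is constructed and omits the VuXML namespace, and `PORTEPOCHS` is a hypothetical lookup table.

```python
import re
import xml.etree.ElementTree as ET

def split_version(v):
    """Split 'upstream_portrevision,epoch' into (epoch, upstream, revision)."""
    v, _, epoch = v.partition(",")
    upstream, _, rev = v.partition("_")
    return int(epoch or 0), upstream, int(rev or 0)

def key(v):
    # Simplified ordering (assumption): epoch dominates, then the numeric
    # upstream components, then PORTREVISION. A missing epoch counts as 0.
    epoch, upstream, rev = split_version(v)
    return epoch, tuple(int(p) for p in re.findall(r"\d+", upstream)), rev

def is_lt(installed, bound):
    """True if the installed version falls below a VuXML <lt> bound."""
    return key(installed) < key(bound)

# Constructed sample: placeholder vids, no XML namespace.
SAMPLE = """<vuxml>
  <vuln vid="00000000-0000-0000-0000-000000000001">
    <affects><package><name>firefox</name>
      <range><lt>129.0</lt></range></package></affects>
  </vuln>
  <vuln vid="00000000-0000-0000-0000-000000000002">
    <affects><package><name>firefox</name>
      <range><lt>129.0,2</lt></range></package></affects>
  </vuln>
</vuxml>"""

PORTEPOCHS = {"firefox": 2}  # hypothetical table; value from firefox-128.0.3,2

def missing_epoch(xml_text, epochs):
    """Return (vid, port, bound) for bounds lacking an epoch the port has."""
    findings = []
    for vuln in ET.fromstring(xml_text).iter("vuln"):
        for pkg in vuln.iter("package"):
            names = [n.text for n in pkg.findall("name")]
            for bound in (b for r in pkg.findall("range") for b in r):
                for name in names:
                    if epochs.get(name, 0) > 0 and "," not in bound.text:
                        findings.append((vuln.get("vid"), name, bound.text))
    return findings

if __name__ == "__main__":
    print(is_lt("128.0.3,2", "129.0"))    # bound without epoch
    print(is_lt("128.0.3,2", "129.0,2"))  # bound with epoch
    print(missing_epoch(SAMPLE, PORTEPOCHS))
```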