tech-pkg archive
Security numbers in pkgsrc
Hi tech-pkg@,
I would like to share with you the first run of a very simple tool I
just wrote, whose name is currently simply "pkgquery" [1]. In essence,
all this shell script does at the moment is browse through every package
available and either:
- lists all the packages for a given maintainer, e.g.
  $ pkgquery -M pkgsrc-users@netbsd.org
- lists the known security issues for every package available, e.g.
  $ pkgquery -S
Of course I have plans to generate different output formats and extend
the functionalities. I have just generated a basic security report [2]
on the "trunk" branch from the Git conversion for pkgsrc [3] (commit [4]).
It should be relatively easy - and hopefully interesting - to create
more elaborate reports out of this, like graphing the amount and type of
vulnerabilities over time, for successive releases.
Disclaimer: it will *not* be indicative of how "secure" any release is,
was or will be (e.g. in case of 0days) but it could provide interesting
metrics.
First few numbers:
- 1964 active vulnerability entries
- among which 102 different types of vulnerabilities reported, with
  the most active entries being Denial of Service (DoS):
     43 cross-site-scripting
     75 remote-system-access
     83 buffer-overflow
     84 heap-overflow
    156 arbitrary-code-execution
    181 multiple-vulnerabilities
    224 end-of-life
    549 denial-of-service
- affecting a total of 491 packages, with:
  * one vulnerability reported (230), or
  * more than one vulnerability reported (261)
- up to 44 known vulnerabilities for one package:
    25 suse32_libtiff-10.0nb4
    25 suse_libtiff-10.0nb4
    35 suse32_base-12.1nb7
    35 suse_base-12.1nb7
    40 suse32_openssl-10.0nb5
    40 suse_openssl-10.0nb5
    44 suse32_base-10.0nb8
    44 suse_base-10.0nb8
  (there is a pattern here)
Do not hesitate to follow up for more details.
[1] https://git.edgebsd.org/gitweb/?p=infrastructure.git;a=blob;f=pkgsrc/pkgquery;hb=HEAD
[2] http://lists.edgebsd.org/edgebsd-developers/2017/05/msg00000.html
[3] https://github.com/NetBSD/pkgsrc
[4] https://github.com/NetBSD/pkgsrc/commit/3945eca4f5821e76bc2046c8678259644ea677a1
--
khorben
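The kind of tally the report above produces (active entries, counts per vulnerability type, affected packages and how many issues each carries), as an added example that is not the pkgquery script itself. It assumes the pkgsrc pkg-vulnerabilities line format (package pattern, vulnerability type, URL), uses a constructed sample file and package list, and implements only a simplified subset of pkgsrc's package pattern and version matching.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the pkg-vulnerabilities line format: pattern, type, URL.
VULNS = """\
# PKGSRC_VULNERABILITIES file (constructed sample, not real entries)
libtiff<4.0.8 buffer-overflow http://example.invalid/1
libtiff<4.0.7 denial-of-service http://example.invalid/2
openssl<1.0.2k denial-of-service http://example.invalid/3
php56-[0-9]* end-of-life http://example.invalid/4
nginx-1.12.0 arbitrary-code-execution http://example.invalid/5
"""
# Constructed list of available packages (PKGNAME-PKGVERSION).
PACKAGES = ["libtiff-4.0.6", "openssl-1.0.2k", "php56-5.6.30", "nginx-1.12.0", "curl-7.54.0"]

def split_pkg(pkg):
    """'libtiff-4.0.6nb1' -> ('libtiff', '4.0.6nb1'): the last '-' starts the version."""
    name, _, ver = pkg.rpartition("-")
    return name, ver

def version_key(ver):
    """Crude dewey ordering: numeric dotted components, then the nbN revision (letter suffixes ignored)."""
    base, _, nb = ver.partition("nb")
    return [int(p) for p in re.findall(r"\d+", base)], int(nb or 0)

def matches(pattern, pkg):
    """Simplified pkg pattern match: name<ver / <= / > / >=, name-[0-9]* (any version), or exact name."""
    name, ver = split_pkg(pkg)
    m = re.fullmatch(r"([^<>=]+)(<=|<|>=|>)(.+)", pattern)
    if m:
        pname, op, pver = m.groups()
        if pname != name:
            return False
        have, want = version_key(ver), version_key(pver)
        return {"<": have < want, "<=": have <= want,
                ">": have > want, ">=": have >= want}[op]
    if pattern.endswith("-[0-9]*"):
        return name == pattern[: -len("-[0-9]*")]
    return pattern == pkg

def security_report(vuln_text, packages):
    """Return (active entries, Counter of vulnerability types, {package: [types]})."""
    entries = [line.split() for line in vuln_text.splitlines() if line.strip() and not line.startswith("#")]
    by_type = Counter(vtype for _pat, vtype, _url in entries)
    affected = defaultdict(list)
    for pattern, vtype, _url in entries:
        for pkg in packages:
            if matches(pattern, pkg):
                affected[pkg].append(vtype)
    return len(entries), by_type, dict(affected)
```

The "one vulnerability" versus "more than one" split and the per-package maximum from the post follow directly from the returned mapping.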