{"id":22837383,"url":"https://github.com/hubtou/pysec2vuxml","last_synced_at":"2026-07-12T21:31:03.577Z","repository":{"id":151645802,"uuid":"618994704","full_name":"HubTou/pysec2vuxml","owner":"HubTou","description":"Mass checking FreeBSD Python packages ports for PYSEC vulnerabilities and reporting in FreeBSD VuXML","archived":false,"fork":false,"pushed_at":"2023-04-21T17:07:12.000Z","size":593,"stargazers_count":2,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-10-22T12:51:27.727Z","etag":null,"topics":["freebsd","freebsd-ports","package-management","python","python-script","security","security-automation"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"bsd-3-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/HubTou.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"License","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2023-03-26T00:07:30.000Z","updated_at":"2023-05-09T08:57:14.000Z","dependencies_parsed_at":"2023-05-25T22:00:36.297Z","dependency_job_id":null,"html_url":"https://github.com/HubTou/pysec2vuxml","commit_stats":null,"previous_names":[],"tags_count":3,"template":false,"template_full_name":null,"purl":"pkg:github/HubTou/pysec2vuxml","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/HubTou%2Fpysec2vuxml","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/HubTou%2Fpysec2vuxml/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/HubTou%2Fpysec2vuxml/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/HubTou%2Fpysec2vuxml/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/HubTou","download_url":"https://codeload.github.com/HubTou/pysec2vuxml/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/HubTou%2Fpysec2vuxml/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":35403794,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-07-12T02:00:06.386Z","response_time":87,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["freebsd","freebsd-ports","package-management","python","python-script","security","security-automation"],"created_at":"2024-12-12T23:16:37.458Z","updated_at":"2026-07-12T21:31:03.569Z","avatar_url":"https://github.com/HubTou.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# pysec2vuxml\n## What is it?\nIt's a Python script (not a package for once) written for mass checking Python packages [FreeBSD ports](https://www.freshports.org/) for PYSEC vulnerabilities and reporting in [FreeBSD VuXML](https://www.vuxml.org/freebsd/index.html) port vulnerabilities database.\n\nIt uses my [pipinfo](https://github.com/HubTou/pipinfo) and [vuxml](https://github.com/HubTou/vuxml) Python packages.\n\n## How to install and use?\nInstall pre-requisites once:\n```\nportsnap fetch extract # You need superuser rights to install the ports tree\npip install pnu-pipinfo\npip install pnu-vuxml\nchmod a+x pysec2vuxml.py\n```\n\nThen launch the script:\n```\nportsnap fetch update # You need superuser rights to update the ports index and the port tree\npysec2vuxml.py | tee results.txt\n```\n\nThe execution will take some time in order to call the [Python Packaging Authority's web service for checking vulnerabilities](https://warehouse.pypa.io/api-reference/json.html#known-vulnerabilities) for each of the 4.000+ FreeBSD Python packages ports.\nThe web service results are cached and reused for 1 day.\n\n## Results\nOn the first run, out of the current versions of 4.075 Python packages FreeBSD ports, 364 weren't found in the [PyPA](https://www.pypa.io/en/latest/)'s web service, and 45 vulnerable ports were identified.\nNone of those 45 vulnerable ports were already reported in FreeBSD VuXML port vulnerabilities database.\n\nThe file [results.txt](https://github.com/HubTou/pysec2vuxml/blob/main/results.txt) contains the script output of a recent run as an example.\n\nThe files [vuxml_new_entries.xml](https://github.com/HubTou/pysec2vuxml/blob/main/vuxml_new_entries.xml) and [vuxml_modified_entries.xml](https://github.com/HubTou/pysec2vuxml/blob/main/vuxml_modified_entries.xml) respectively contain new and modified VuXML entries for the vulnerable ports identified.\n\n## Reporting new vulnerabilities to the security team\nYou can get a [quick introduction to the VuXML format](https://docs.freebsd.org/en/books/porters-handbook/security/#security-notify-vuxml-intro) in the [FreeBSD Porter's Handbook](https://docs.freebsd.org/en/books/porters-handbook/).\n\nThe structure that needs to be filled for each vulnerability is:\n```xml\n  \u003cvuln vid=\"INSERT UUID HERE\"\u003e\n    \u003ctopic\u003epy-PACKAGE_NAME -- INSERT VULNERABILITY SUMMARY HERE\u003c/topic\u003e\n    \u003caffects\u003e\n      \u003cpackage\u003e\n    \u003cname\u003epy37-PORT_NAME\u003c/name\u003e\n    \u003cname\u003epy38-PORT_NAME\u003c/name\u003e\n    \u003cname\u003epy39-PORT_NAME\u003c/name\u003e\n    \u003cname\u003epy310-PORT_NAME\u003c/name\u003e\n    \u003cname\u003epy311-PORT_NAME\u003c/name\u003e\n    \u003crange\u003e\u003clt\u003eINSERT VULNERABLE VERSION HERE\u003c/lt\u003e\u003c/range\u003e\n      \u003c/package\u003e\n    \u003c/affects\u003e\n    \u003cdescription\u003e\n      \u003cbody xmlns=\"http://www.w3.org/1999/xhtml\"\u003e\n    \u003cp\u003eINSERT SOURCE NAME HERE reports:\u003c/p\u003e\n    \u003cblockquote cite=\"INSERT SOURCE URL HERE\"\u003e\n      \u003cp\u003eINSERT DESCRIPTION HERE\u003c/p\u003e\n    \u003c/blockquote\u003e\n      \u003c/body\u003e\n    \u003c/description\u003e\n    \u003creferences\u003e\n      \u003ccvename\u003eINSERT CVE RECORD IF AVAILABLE\u003c/cvename\u003e\n      \u003curl\u003eINSERT BLOCKQUOTE URL HERE\u003c/url\u003e\n    \u003c/references\u003e\n    \u003cdates\u003e\n      \u003cdiscovery\u003eYEAR-MONTH-DAY\u003c/discovery\u003e\n      \u003centry\u003eYEAR-MONTH-DAY\u003c/entry\u003e\n    \u003c/dates\u003e\n  \u003c/vuln\u003e\n```\n\n**pysec2vuxml** will automatically generate most of this structure for each vulnerability that is not withdrawn, ignored (if its ID is present in the [ignore.txt](https://github.com/HubTou/pysec2vuxml/blob/main/ignore.txt) file) or already reported in FreeBSD VuXML.\n\n**You**'ll have to complete a few remaining fields (vuln summary, vuln discoverer), check some of them (affected versions and port name) and verify all the vulnerabilities for a given port to see if they can be factored (check vuln vid \"e4181981-ccf1-11ed-956f-7054d21a9e2a\" in [vuxml_new_entries.xml](https://github.com/HubTou/pysec2vuxml/blob/main/vuxml_new_entries.xml) for a good example).\n\nThen, if you have superuser access, put your new or modified entries into **/usr/ports/security/vuxml/vuln** and use the [vuxml](https://www.freshports.org/security/vuxml/) FreeBSD port to [verify if everything is correct](https://docs.freebsd.org/en/books/porters-handbook/security/#security-notify-vuxml-testing):\n```Shell\ncd /usr/ports/security/vuxml\nmake validate\n```\n\nIf it's the case, please clone this repository and [submit pull requests](https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/creating-a-pull-request) to the [vuxml_new_entries.xml](https://github.com/HubTou/pysec2vuxml/blob/main/vuxml_new_entries.xml) and [vuxml_modified_entries.xml](https://github.com/HubTou/pysec2vuxml/blob/main/vuxml_modified_entries.xml) files, and/or directly create [FreeBSD bug reports](https://bugs.freebsd.org/bugzilla/enter_bug.cgi?product=Ports%20%26%20Packages\u0026component=Individual%20Port%28s%29) with your entries, using a title starting with **security/vuxml:** and adding the **security** keyword.\n\nIf you don't want to see VuXML entries proposals for vulnerabilities that have been reported but are not yet committed to the FreeBSD files, you can add their IDs in the [reported.txt](https://github.com/HubTou/pysec2vuxml/blob/main/reported.txt) file.\n\n## House cleaning\nThe tool downloads and caches files in the following directories, which you can remove if you want:\n```\n$HOME/.cache/cve\n$HOME/.cache/pipinfo\n$HOME/.cache/vuxml\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhubtou%2Fpysec2vuxml","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fhubtou%2Fpysec2vuxml","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhubtou%2Fpysec2vuxml/lists"}