
Not the same data when using `pkg audit --raw=json` with `-q` and without #2254

Closed ddurieux closed 4 months ago

ddurieux commented 8 months ago

Hi,

I have a script that fetches the pkg audit output in JSON format for my monitoring tool and then creates tickets from it.

pkg version 1.20.9 under FreeBSD 13.2

It uses -F to force a fetch of the vulnerability data, to be sure it is up to date:

/usr/local/sbin/pkg audit -F --raw=json-compact -q

With -q, I get only the JSON data, no other text.

But I don't get the same JSON data (not the same list of CVEs) when I run the same command without -q.

Here are the two outputs (I use --raw=json to make them more readable); you can see the problem for gitlab-ce: with -q only the first issue is listed (issue_count 1 instead of 6, and likewise 1 instead of 3 for rubygem-rack16), so the remaining CVEs are silently missed by the monitoring:

# /usr/local/sbin/pkg audit --raw=json -q
{
    "pkg_count": 6,
    "packages": {
        "c-ares": {
            "version": "1.21.0",
            "issue_count": 1,
            "issues": [
                {
                    "Affected versions": [
                        "< 1.27.0"
                    ],
                    "description": "dns/c-ares -- malformatted file causes application crash",
                    "cve": [
                        "CVE-2024-25629"
                    ],
                    "url": "https://vuxml.FreeBSD.org/freebsd/255bf44c-d298-11ee-9c27-40b034429ecf.html"
                }
            ],
            "reverse dependencies": [
                "node20",
                "rubygem-execjs",
                "rubygem-autoprefixer-rails1025",
                "gitlab-ce",
                "rubygem-terser",
                "rubygem-uglifier",
                "yarn-node20",
                "yarn",
                "rubygem-grpc",
                "rubygem-gapic-common",
                "rubygem-google-cloud-profiler-v2",
                "rubygem-gitlab-labkit",
                "rubygem-kas-grpc",
                "rubygem-gitaly",
                "rubygem-spamcheck",
                "rubygem-googleapis-common-protos",
                "grpc"
            ]
        },
        "libgit2": {
            "version": "1.6.4",
            "issue_count": 1,
            "issues": [
                {
                    "Affected versions": [
                        "< 1.6.5",
                        ">= 1.7.0 : < 1.7.2"
                    ],
                    "description": "Libgit2 -- multiple vulnerabilities",
                    "cve": [
                        "CVE-2024-24577"
                    ],
                    "url": "https://vuxml.FreeBSD.org/freebsd/43768ff3-c683-11ee-97d0-001b217b3468.html"
                }
            ],
            "reverse dependencies": [
                "rubygem-rugged",
                "gitlab-ce",
                "rubygem-licensee"
            ]
        },
        "gitlab-ce": {
            "version": "16.5.1_2",
            "issue_count": 1,
            "issues": [
                {
                    "Affected versions": [
                        ">= 8.13.0 : < 16.4.3",
                        ">= 16.5.0 : < 16.5.3",
                        ">= 16.6.0 : < 16.6.1"
                    ],
                    "description": "Gitlab -- Vulnerabilities",
                    "cve": [
                        "CVE-2023-3443",
                        "CVE-2023-4658",
                        "CVE-2023-3964",
                        "CVE-2023-4317",
                        "CVE-2023-4912",
                        "CVE-2023-5995",
                        "CVE-2023-5226",
                        "CVE-2023-3949",
                        "CVE-2023-6396",
                        "CVE-2023-6033"
                    ],
                    "url": "https://vuxml.FreeBSD.org/freebsd/3b14b2b4-9014-11ee-98b3-001b217b3468.html"
                }
            ],
            "reverse dependencies": [

            ]
        },
        "openexr": {
            "version": "3.2.1",
            "issue_count": 1,
            "issues": [
                {
                    "Affected versions": [
                        ">= 3.2.0 : < 3.2.2",
                        "< 3.1.12"
                    ],
                    "description": "openexr -- Heap Overflow in Scanline Deep Data Parsing",
                    "cve": [
                        "CVE-2023-5841"
                    ],
                    "url": "https://vuxml.FreeBSD.org/freebsd/f161a5ad-c9bd-11ee-b7a7-353f1e043d9a.html"
                }
            ],
            "reverse dependencies": [
                "vips",
                "rubygem-ruby-vips",
                "rubygem-image_processing",
                "rubygem-rails70",
                "gitlab-ce",
                "rubygem-gettext_i18n_rails_js-rails70",
                "rubygem-invisible_captcha",
                "ImageMagick7",
                "rubygem-mini_magick410",
                "rubygem-mini_magick",
                "libjxl",
                "ffmpeg",
                "libheif",
                "aom"
            ]
        },
        "rubygem-rack16": {
            "version": "1.6.13",
            "issue_count": 1,
            "issues": [
                {
                    "Affected versions": [
                        "< 1.6.14"
                    ],
                    "description": "rack -- Multiple vulnerabilities",
                    "cve": [
                        "CVE-2022-44572",
                        "CVE-2022-44571",
                        "CVE-2022-44570"
                    ],
                    "url": "https://vuxml.FreeBSD.org/freebsd/95176ba5-9796-11ed-bfbf-080027f5fec9.html"
                }
            ],
            "reverse dependencies": [
                "rubygem-request_store",
                "gitlab-ce",
                "rubygem-gon-rails70",
                "rubygem-lograge-rails70",
                "rubygem-gitlab-experiment",
                "rubygem-rack-test",
                "rubygem-actionpack70",
                "rubygem-redis-actionpack-rails70",
                "rubygem-gitlab-labkit",
                "rubygem-apollo_upload_server",
                "rubygem-marginalia",
                "rubygem-rails70",
                "rubygem-gettext_i18n_rails_js-rails70",
                "rubygem-invisible_captcha",
                "rubygem-turbo-rails-rails70",
                "rubygem-propshaft-rails70",
                "rubygem-responders-rails70",
                "rubygem-devise48-rails70",
                "rubygem-devise-rails70",
                "rubygem-devise-two-factor41-rails70",
                "rubygem-actiontext70",
                "rubygem-actionmailbox70",
                "rubygem-importmap-rails-rails70",
                "rubygem-actioncable70",
                "rubygem-actionmailer70",
                "rubygem-premailer-rails110-rails70",
                "rubygem-sprockets-rails-rails70",
                "rubygem-sassc-rails-rails70",
                "rubygem-graphiql-rails",
                "rubygem-activestorage70",
                "rubygem-railties70",
                "rubygem-peek-rails70",
                "rubygem-rails-i18n-rails70",
                "rubygem-vite_rails-rails70",
                "rubygem-health_check-rails70",
                "rubygem-sentry-rails",
                "rubygem-doorkeeper-rails70",
                "rubygem-doorkeeper-openid_connect",
                "rubygem-jsbundling-rails-rails70",
                "rubygem-cssbundling-rails-rails70",
                "rubygem-tailwindcss-rails-rails70",
                "rubygem-stimulus-rails-rails70",
                "rubygem-capybara"
            ]
        },
        "curl": {
            "version": "8.4.0",
            "issue_count": 1,
            "issues": [
                {
                    "Affected versions": [
                        "< 8.6.0"
                    ],
                    "description": "curl -- OCSP verification bypass with TLS session reuse",
                    "cve": [
                        "CVE-2024-0853"
                    ],
                    "url": "https://vuxml.FreeBSD.org/freebsd/02e33cd1-c655-11ee-8613-08002784c58d.html"
                }
            ],
            "reverse dependencies": [
                "rust",
                "zabbix6-agent",
                "git",
                "gitlab-ce",
                "gitaly",
                "rubygem-git",
                "rubygem-danger",
                "rubygem-gitlab-dangerfiles",
                "rubygem-danger-gitlab",
                "cfitsio",
                "vips",
                "rubygem-ruby-vips",
                "rubygem-image_processing",
                "rubygem-rails70",
                "rubygem-gettext_i18n_rails_js-rails70",
                "rubygem-invisible_captcha",
                "rubygem-ethon",
                "rubygem-typhoeus"
            ]
        }
    }
}
 # /usr/local/sbin/pkg audit --raw=json 
{
    "pkg_count": 6,
    "packages": {
        "c-ares": {
            "version": "1.21.0",
            "issue_count": 1,
            "issues": [
                {
                    "Affected versions": [
                        "< 1.27.0"
                    ],
                    "description": "dns/c-ares -- malformatted file causes application crash",
                    "cve": [
                        "CVE-2024-25629"
                    ],
                    "url": "https://vuxml.FreeBSD.org/freebsd/255bf44c-d298-11ee-9c27-40b034429ecf.html"
                }
            ],
            "reverse dependencies": [
                "node20",
                "rubygem-execjs",
                "rubygem-autoprefixer-rails1025",
                "gitlab-ce",
                "rubygem-terser",
                "rubygem-uglifier",
                "yarn-node20",
                "yarn",
                "rubygem-grpc",
                "rubygem-gapic-common",
                "rubygem-google-cloud-profiler-v2",
                "rubygem-gitlab-labkit",
                "rubygem-kas-grpc",
                "rubygem-gitaly",
                "rubygem-spamcheck",
                "rubygem-googleapis-common-protos",
                "grpc"
            ]
        },
        "libgit2": {
            "version": "1.6.4",
            "issue_count": 1,
            "issues": [
                {
                    "Affected versions": [
                        "< 1.6.5",
                        ">= 1.7.0 : < 1.7.2"
                    ],
                    "description": "Libgit2 -- multiple vulnerabilities",
                    "cve": [
                        "CVE-2024-24577"
                    ],
                    "url": "https://vuxml.FreeBSD.org/freebsd/43768ff3-c683-11ee-97d0-001b217b3468.html"
                }
            ],
            "reverse dependencies": [
                "rubygem-rugged",
                "gitlab-ce",
                "rubygem-licensee"
            ]
        },
        "gitlab-ce": {
            "version": "16.5.1_2",
            "issue_count": 6,
            "issues": [
                {
                    "Affected versions": [
                        ">= 8.13.0 : < 16.4.3",
                        ">= 16.5.0 : < 16.5.3",
                        ">= 16.6.0 : < 16.6.1"
                    ],
                    "description": "Gitlab -- Vulnerabilities",
                    "cve": [
                        "CVE-2023-3443",
                        "CVE-2023-4658",
                        "CVE-2023-3964",
                        "CVE-2023-4317",
                        "CVE-2023-4912",
                        "CVE-2023-5995",
                        "CVE-2023-5226",
                        "CVE-2023-3949",
                        "CVE-2023-6396",
                        "CVE-2023-6033"
                    ],
                    "url": "https://vuxml.FreeBSD.org/freebsd/3b14b2b4-9014-11ee-98b3-001b217b3468.html"
                },
                {
                    "Affected versions": [
                        ">= 8.17.0 : < 16.4.4",
                        ">= 16.5.0 : < 16.5.4",
                        ">= 16.6.0 : < 16.6.2"
                    ],
                    "description": "Gitlab -- vulnerabilities",
                    "cve": [
                        "CVE-2023-3511",
                        "CVE-2023-5061",
                        "CVE-2023-3904",
                        "CVE-2023-5512",
                        "CVE-2023-3907",
                        "CVE-2023-6051",
                        "CVE-2023-6564",
                        "CVE-2023-6680"
                    ],
                    "url": "https://vuxml.FreeBSD.org/freebsd/e2fb85ce-9a3c-11ee-af26-001b217b3468.html"
                },
                {
                    "Affected versions": [
                        ">= 8.13.0 : < 16.5.6",
                        ">= 16.6.0 : < 16.6.4",
                        ">= 16.7.0 : < 16.7.2"
                    ],
                    "description": "Gitlab -- vulnerabilities",
                    "cve": [
                        "CVE-2023-2030",
                        "CVE-2023-6955",
                        "CVE-2023-4812",
                        "CVE-2023-5356",
                        "CVE-2023-7028"
                    ],
                    "url": "https://vuxml.FreeBSD.org/freebsd/4c8c2218-b120-11ee-90ec-001b217b3468.html"
                },
                {
                    "Affected versions": [
                        ">= 11.3.0 : < 16.7.6",
                        ">= 16.8.0 : < 16.8.3",
                        ">= 16.9.0 : < 16.9.1"
                    ],
                    "description": "Gitlab -- Vulnerabilities",
                    "cve": [
                        "CVE-2024-0410",
                        "CVE-2023-3509",
                        "CVE-2024-0861",
                        "CVE-2023-4895",
                        "CVE-2024-1525",
                        "CVE-2023-6736",
                        "CVE-2023-6477",
                        "CVE-2024-1451"
                    ],
                    "url": "https://vuxml.FreeBSD.org/freebsd/03bf5157-d145-11ee-acee-001b217b3468.html"
                },
                {
                    "Affected versions": [
                        ">= 12.7.0 : < 16.5.8",
                        ">= 16.6.0 : < 16.6.6",
                        ">= 16.7.0 : < 16.7.4",
                        ">= 16.8.0 : < 16.8.1"
                    ],
                    "description": "Gitlab -- vulnerabilities",
                    "cve": [
                        "CVE-2024-0456",
                        "CVE-2023-5612",
                        "CVE-2023-5933",
                        "CVE-2023-6159",
                        "CVE-2024-0402"
                    ],
                    "url": "https://vuxml.FreeBSD.org/freebsd/61fe903b-bc2e-11ee-b06e-001b217b3468.html"
                },
                {
                    "Affected versions": [
                        ">= 13.3.0 : < 16.6.7",
                        ">= 16.7.0 : < 16.7.5",
                        ">= 16.8.0 : < 16.8.2"
                    ],
                    "description": "Gitlab -- vulnerabilities",
                    "cve": [
                        "CVE-2024-1066",
                        "CVE-2023-6386",
                        "CVE-2023-6840",
                        "CVE-2024-1250"
                    ],
                    "url": "https://vuxml.FreeBSD.org/freebsd/6b2cba6a-c6a5-11ee-97d0-001b217b3468.html"
                }
            ],
            "reverse dependencies": [

            ]
        },
        "openexr": {
            "version": "3.2.1",
            "issue_count": 1,
            "issues": [
                {
                    "Affected versions": [
                        ">= 3.2.0 : < 3.2.2",
                        "< 3.1.12"
                    ],
                    "description": "openexr -- Heap Overflow in Scanline Deep Data Parsing",
                    "cve": [
                        "CVE-2023-5841"
                    ],
                    "url": "https://vuxml.FreeBSD.org/freebsd/f161a5ad-c9bd-11ee-b7a7-353f1e043d9a.html"
                }
            ],
            "reverse dependencies": [
                "vips",
                "rubygem-ruby-vips",
                "rubygem-image_processing",
                "rubygem-rails70",
                "gitlab-ce",
                "rubygem-gettext_i18n_rails_js-rails70",
                "rubygem-invisible_captcha",
                "ImageMagick7",
                "rubygem-mini_magick410",
                "rubygem-mini_magick",
                "libjxl",
                "ffmpeg",
                "libheif",
                "aom"
            ]
        },
        "rubygem-rack16": {
            "version": "1.6.13",
            "issue_count": 3,
            "issues": [
                {
                    "Affected versions": [
                        "< 1.6.14"
                    ],
                    "description": "rack -- Multiple vulnerabilities",
                    "cve": [
                        "CVE-2022-44572",
                        "CVE-2022-44571",
                        "CVE-2022-44570"
                    ],
                    "url": "https://vuxml.FreeBSD.org/freebsd/95176ba5-9796-11ed-bfbf-080027f5fec9.html"
                },
                {
                    "Affected versions": [
                        "< 1.6.14"
                    ],
                    "description": "rack -- possible DoS vulnerability in multipart MIME parsing",
                    "cve": [
                        "CVE-2023-27530"
                    ],
                    "url": "https://vuxml.FreeBSD.org/freebsd/f0798a6a-bbdb-11ed-ba99-080027f5fec9.html"
                },
                {
                    "Affected versions": [
                        "< 1.6.14"
                    ],
                    "description": "rack -- possible denial of service vulnerability in header parsing",
                    "cve": [
                        "CVE-2023-27539"
                    ],
                    "url": "https://vuxml.FreeBSD.org/freebsd/2fdb053c-ca25-11ed-9d7e-080027f5fec9.html"
                }
            ],
            "reverse dependencies": [
                "rubygem-request_store",
                "gitlab-ce",
                "rubygem-gon-rails70",
                "rubygem-lograge-rails70",
                "rubygem-gitlab-experiment",
                "rubygem-rack-test",
                "rubygem-actionpack70",
                "rubygem-redis-actionpack-rails70",
                "rubygem-gitlab-labkit",
                "rubygem-apollo_upload_server",
                "rubygem-marginalia",
                "rubygem-rails70",
                "rubygem-gettext_i18n_rails_js-rails70",
                "rubygem-invisible_captcha",
                "rubygem-turbo-rails-rails70",
                "rubygem-propshaft-rails70",
                "rubygem-responders-rails70",
                "rubygem-devise48-rails70",
                "rubygem-devise-rails70",
                "rubygem-devise-two-factor41-rails70",
                "rubygem-actiontext70",
                "rubygem-actionmailbox70",
                "rubygem-importmap-rails-rails70",
                "rubygem-actioncable70",
                "rubygem-actionmailer70",
                "rubygem-premailer-rails110-rails70",
                "rubygem-sprockets-rails-rails70",
                "rubygem-sassc-rails-rails70",
                "rubygem-graphiql-rails",
                "rubygem-activestorage70",
                "rubygem-railties70",
                "rubygem-peek-rails70",
                "rubygem-rails-i18n-rails70",
                "rubygem-vite_rails-rails70",
                "rubygem-health_check-rails70",
                "rubygem-sentry-rails",
                "rubygem-doorkeeper-rails70",
                "rubygem-doorkeeper-openid_connect",
                "rubygem-jsbundling-rails-rails70",
                "rubygem-cssbundling-rails-rails70",
                "rubygem-tailwindcss-rails-rails70",
                "rubygem-stimulus-rails-rails70",
                "rubygem-capybara"
            ]
        },
        "curl": {
            "version": "8.4.0",
            "issue_count": 1,
            "issues": [
                {
                    "Affected versions": [
                        "< 8.6.0"
                    ],
                    "description": "curl -- OCSP verification bypass with TLS session reuse",
                    "cve": [
                        "CVE-2024-0853"
                    ],
                    "url": "https://vuxml.FreeBSD.org/freebsd/02e33cd1-c655-11ee-8613-08002784c58d.html"
                }
            ],
            "reverse dependencies": [
                "rust",
                "zabbix6-agent",
                "git",
                "gitlab-ce",
                "gitaly",
                "rubygem-git",
                "rubygem-danger",
                "rubygem-gitlab-dangerfiles",
                "rubygem-danger-gitlab",
                "cfitsio",
                "vips",
                "rubygem-ruby-vips",
                "rubygem-image_processing",
                "rubygem-rails70",
                "rubygem-gettext_i18n_rails_js-rails70",
                "rubygem-invisible_captcha",
                "rubygem-ethon",
                "rubygem-typhoeus"
            ]
        }
    }
}
rilysh commented 8 months ago

Without the -q option, pkg audit can print significantly more information; -q is generally there to suppress additional hints. See: 1 and 2

But I'm not entirely sure (as I haven't tried to reproduce this with GitLab or with packages that have many vulnerabilities listed...)

bapt commented 4 months ago

It has been fixed in the meantime.