
audit: Remove VuXML from audit and add OSV code #2558

Open

illuusio wants to merge 8 commits into freebsd:main from illuusio:osvf-audit

Conversation

illuusio (Contributor) commented Nov 12, 2025

Remove VuXML from the code and add OSV JSON code. The code makes sure that there is drop-in replacement compatibility.

Before merging, the following should be ready:

  • VuXML code removed
  • OSVf reading and checking
  • Update pkg config keys (OSVF_SITE and VUXML_SITE)
  • Update test cases for pkg audit
  • Remove the no longer needed external/yxml, as it is not used anywhere other than pkg_audit.c
  • Update OSV schema validation to have the correct released osv-schema
  • OSV FreeBSD vulnerability database released
  • Change the testing OSVF_SITE URL to the correct one

The testing OSV database can be found at: freebsd-osv.json

As the FreeBSD OSV database ain't yet released, this commit is WIP and should not be merged.

illuusio force-pushed the osvf-audit branch 5 times, most recently from 7d2aaf5 to 1abc347 on November 19, 2025 12:45
illuusio force-pushed the osvf-audit branch 5 times, most recently from bdcab12 to bb6e5b9 on December 15, 2025 10:36
illuusio added 8 commits May 7, 2026 12:43
Remove VuXML from the code and add OSV JSON code. The code makes sure that there is drop-in replacement compatibility.

    Update OSV-schema to the official one

    As the FreeBSD OSV database ain't yet released, this commit is WIP and should not be merged.

Fix test cases to work with OSV, and some changes that had to be made to come along with the real world.

Remove yxml as it is currently not used anywhere. VuXML, which was the only user of yxml, is replaced with OSVf, which uses libucl.

Update completion so that it does not contain vuln.xml anymore but the correct freebsd-osv.json

Remove vuln.xml and replace with the correct freebsd-osv.json

Remove vuln.xml and replace with the correct freebsd-osv.json

Update manpages that contain vuln.xml with freebsd-osv.json

Replace VULNXML_SITE with OSVF_SITE in pkg.conf.sample
illuusio (Contributor, Author) commented May 7, 2026

Rebased to the latest version. Ported the old VuXML tests as they were, so they are converted from XML to JSON, and they all pass.

decke commented Jun 1, 2026

I couldn't figure out which data the code uses to find a match. When looking at the freebsd-osv.json feed it seems to be the package name. Is that correct?

I am currently working on improving CPE data in the ports tree and I am not sure how that might fit into the picture. The basic idea behind CPE was to allow matching CVEs to software products, and my naive understanding was that CPE will help us get rid of manually crafting VuXML entries. What do you think about CPE_STR?

(sorry this is not an actual review but just me trying to understand the chosen solution and the consequences)

illuusio (Contributor, Author) commented Jun 1, 2026

> I couldn't figure out which data the code uses to find a match. When looking at the freebsd-osv.json feed it seems to be the package name. Is that correct?
>
> I am currently working on improving CPE data in the ports tree and I am not sure how that might fit into the picture. The basic idea behind CPE was to allow matching CVEs to software products, and my naive understanding was that CPE will help us get rid of manually crafting VuXML entries. What do you think about CPE_STR?
>
> (sorry this is not an actual review but just me trying to understand the chosen solution and the consequences)

There is actually basic CPE string creation and parsing in pkg, which I committed last year (libpkg/pkg_cpe.c), so I would like CPE strings to rule things. If I understood correctly, the question was whether CPE_STR should be used to determine the bug? I don't have a strong opinion, but it would be better than the current uuid (yes, they are good as unique strings, but for humans they are just bad). I don't know if this is the place to have this conversation? If you ask me, VuXML should be dropped and JSON OSV should be favored.

As for matching: pkg uses the package name for matching, which makes it a bit difficult to have CPE -> vulnerability report conversion, as they can be very different from CPE strings. WARNING, THIS IS MY OPINION! If CPE is wanted to be used, there should be a CPE name in the package for matching (better would be to have the CPE string for seeking), but I'm just a man from the bus station without any needed knowledge about this.
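To make the package-name matching discussed in this thread concrete, here is an added example that is not code from pkg, from this PR, or from freebsd-osv.json. It reads a small constructed feed in the shape of the public OSV schema (an `affected` array with `package.name` and `ECOSYSTEM` ranges made of `introduced`/`fixed` events), matches installed packages by name as the thread describes, and then checks whether the installed version falls inside an affected range. The advisory ids, package names and versions are constructed placeholders, and the version ordering is a deliberately simplified numeric comparison that stands in for pkg's own version comparison rules.

```python
"""Added example, not pkg's own code: OSV-style vulnerability matching
by package name plus ECOSYSTEM version ranges.  The feed below is
constructed for illustration; real data would come from freebsd-osv.json.
Version ordering is a simplified assumption (numeric components only),
not pkg's real version comparison (no PORTREVISION/PORTEPOCH handling)."""
import json
import re
from typing import Iterable, List, Tuple

# Constructed sample feed in the shape of the OSV schema.
SAMPLE_OSV_FEED = json.dumps([
    {
        "id": "EXAMPLE-2025-0001",  # placeholder id, not a real advisory
        "summary": "constructed example entry, single range",
        "affected": [{
            "package": {"ecosystem": "FreeBSD:ports", "name": "examplepkg"},
            "ranges": [{"type": "ECOSYSTEM",
                        "events": [{"introduced": "0"}, {"fixed": "1.4.2"}]}],
        }],
    },
    {
        "id": "EXAMPLE-2025-0002",  # placeholder id, not a real advisory
        "summary": "constructed example entry, two affected intervals",
        "affected": [{
            "package": {"ecosystem": "FreeBSD:ports", "name": "otherpkg"},
            "ranges": [{"type": "ECOSYSTEM",
                        "events": [{"introduced": "2.0"}, {"fixed": "2.0.5"},
                                   {"introduced": "3.0"}, {"fixed": "3.1"}]}],
        }],
    },
])


def version_key(v: str) -> Tuple[int, ...]:
    """Simplified ordering assumption: compare numeric components left to right."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


def version_in_range(version: str, events: List[dict]) -> bool:
    """OSV ECOSYSTEM events form half-open intervals [introduced, fixed).
    'introduced': '0' means affected from the first version; an
    'introduced' with no later 'fixed' means still affected."""
    vk = version_key(version)
    start = None
    for ev in events:
        if "introduced" in ev:
            start = ev["introduced"]
        elif "fixed" in ev and start is not None:
            lower_ok = start == "0" or version_key(start) <= vk
            if lower_ok and vk < version_key(ev["fixed"]):
                return True
            start = None
    return start is not None and (start == "0" or version_key(start) <= vk)


def audit(installed: Iterable[Tuple[str, str]], feed_json: str) -> List[Tuple[str, str]]:
    """Return (name-version, advisory id) pairs: match on package name first,
    then confirm the installed version lies in an affected range."""
    entries = json.loads(feed_json)
    hits = []
    for name, version in installed:
        for entry in entries:
            for aff in entry.get("affected", []):
                if aff.get("package", {}).get("name") != name:
                    continue
                for rng in aff.get("ranges", []):
                    if rng.get("type") == "ECOSYSTEM" and version_in_range(version, rng["events"]):
                        hits.append((f"{name}-{version}", entry["id"]))
                        break
    return hits


if __name__ == "__main__":
    # Constructed installed-package list (name, version).
    installed = [("examplepkg", "1.4.1"), ("examplepkg", "1.4.2"),
                 ("otherpkg", "2.0.3"), ("otherpkg", "2.5"), ("otherpkg", "3.0.9")]
    for pkg, advisory in audit(installed, SAMPLE_OSV_FEED):
        print(f"{pkg} is vulnerable: {advisory}")
```

Note that name-based matching is only as good as the agreement between the feed's `package.name` and the installed package name, which is exactly the gap the CPE discussion above is about: a CPE-based match would need a CPE identifier stored on the package side to compare against.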
