vuxml - FreeBSD VuXML query tool
vuxml [--desc|-D] [--id|-i VID] [--topic|-t RE] [--keyword|-k RE] [--package|-p PID] [--re-names|-R] [--sources|-s] [--ref|-r RID] [--discovery|-d DATE] [--entry|-e DATE] [--modified|-m DATE] [--debug] [--help|-?] [--version] [--]
The vuxml utility provides easy and flexible ways to query the FreeBSD VuXML database of security issues in FreeBSD and its ports collection.
You can search or explore the database:
- by vulnerability ID (with the --id|-i option),
- by regular expression in topics (with the --topic|-t option),
- by regular expression in topics and descriptions (with the --keyword|-k option),
- by package name or package name and version (with the --package|-p option),
- the package name can be treated as a regular expression (with the --re-names|-R option),
- by reference source, reference source and ID, or ID (with the --ref|-r option),
- existing sources can be listed (with the --sources|-s option),
- by discovery, entry or modification dates (with the --discovery|-d, --entry|-e or --modified|-m options),
- these dates can be a specific day, month or year.
For all these queries the detailed description is not printed, unless you use the --desc|-d option to render the HTML description as text.
For the package and reference queries, the package and version, or reference source and ID, are separated using the '~' character.
All the options can be used several times and their results are cumulative (ie. treated as logical OR).
| Options | Use |
|---|---|
| --desc|-D | Print description |
| --id|-i VID | Search for the specified Vulnerability ID |
| --topic|-t RE | Search for the specified regex in topics |
| --keyword|-k RE | Search for the specified regex in topics and desc. |
| --package|-p PID | Search for the specified name in affected packages. PID can also be name~version |
| --re-names|-R | The name part of a PID is a regex |
| --sources|-s | List references sources |
| --ref|-r RID | Search for the specified ID in references. RID can also be source~, source~ID |
| --discovery|-d DATE | Search for the specified date in discovery dates |
| --entry|-e DATE | Search for the specified date in entry dates |
| --modified|-m DATE | Search for the specified date in modified dates. DATE can be YYYY-MM-DD, YYYY-MM or YYYY |
| --debug | Enable debug mode |
| --help|-? | Print usage and a short help message and exit |
| --version | Print version and exit |
| -- | Options processing terminator |
The VUXML_DEBUG environment variable can be set to any value to enable debug mode.
The LOCALAPPDATA and TMP environment variables under Windows, and HOME, TMPDIR and TMP environment variables under other operating systems can influence the caching directory used.
The vuxml utility will attempt to maintain a caching directory for the web service it uses, where the downloaded database will be re-used within the next 24 hours.
This directory will be located in one of the following places:
Windows:
%LOCALAPPDATA%\cache\vuxml
%TMP%\cache\vuxml
Unix:
${HOME}/.cache/vuxml
${TMPDIR}/.cache/vuxml
${TMP}/.cache/vuxmlThe vuxml utility exits 0 on success, and >0 if an error occurs.
Use the following command to search for vulnerabilities affecting the "gnutls" package:
vuxml -p gnutlsAnd the following one to search for vulnerabilities affecting packages whose name starts with "gnutls" ("gnutls", "gnutls-devel", "gnutls3" will match, while "linux-f10-gnutls" won't):
vuxml -Rp "^gnutls"vuxml(3), VuXML website, FreeBSD VuXML website, VuXML database explanation in the Porter's handbook, VuXML database as a FreeBSD port, pkg-audit(8), vxquery
The vuxml utility is not a standard UNIX command.
It tries to follow the PEP 8 style guide for Python code.
Tested OK under Windows.
Packaged for FreeBSD as pyXX-pnu-vuxml.
This implementation was made for the PNU project.
While working on the pipinfo(1) tool, I noticed that some Python packages installed as FreeBSD ports where marked as vulnerable in Python advisories but not in FreeBSD ports advisories.
I made a tool called pysec2vuxml to check the 4000+ FreeBSD ports of Python packages, and found around 1% of them vulnerable.
So I made a library in order to verify if these vulnerable ports where also marked as vulnerable in FreeBSD VuXML, and got carried away writing this utility to demonstrate the use of the library!
This utility is available under the 3-clause BSD license.
PORTEPOCH (ie. software versions ending with ",number") is not taken into account when checking if a vulnerable Python package is also a vulnerable FreeBSD port.
Exotic version numbers (ie. with letters for example) are also not taken into account.