vuxml — FreeBSD VuXML library

import vuxml

Dict vuxml.load_vuxml();
Dict vuxml.get_vulns_by_topics(Dict vuxml_data);
Dict vuxml.get_vulns_by_packages(Dict vuxml_data);
Dict vuxml.get_vulns_by_references(Dict vuxml_data);
Dict vuxml.get_vulns_by_discovery_dates(Dict vuxml_data);
Dict vuxml.get_vulns_by_entry_dates(Dict vuxml_data);
Dict vuxml.get_vulns_by_modified_dates(Dict vuxml_data);
List vuxml.search_vulns_by_regex(Dict vuxml_data, String regex_string, Boolean in_topics=True, Boolean in_descriptions=True);
List vuxml.search_vulns_by_reference(Dict vuxml_data, String source, String identifier);
List vuxml.search_vulns_by_package(Dict vuxml_data, String package_name, String package_version, Boolean regex_names=False);
Boolean vuxml.is_valid_date(String date_string);
List vuxml.search_vulns_by_discovery_date(Dict vuxml_data, String date_string);
List vuxml.search_vulns_by_entry_date(Dict vuxml_data, String date_string);
List vuxml.search_vulns_by_modified_date(Dict vuxml_data, String date_string);
vuxml.print_vuln(String vid, Dict vulnerability_data, Boolean show_description=False);
The load_vuxml() function downloads the FreeBSD VuXML database, or reuses a cached copy, and returns it as a Python dictionary.

The get_vulns_by_topics() function returns a dictionary of vulnerability IDs (VID) keyed by topic from a VuXML data structure.

The get_vulns_by_packages() function returns a dictionary of VID keyed by package/version from a VuXML data structure.

The get_vulns_by_references() function returns a dictionary of VID keyed by category/reference from a VuXML data structure.

The get_vulns_by_discovery_dates(), get_vulns_by_entry_dates() and get_vulns_by_modified_dates() functions return a dictionary of VID keyed by discovery, entry or modified date, respectively, from a VuXML data structure.

The search_vulns_by_regex() function returns a list of VID whose topics and/or descriptions match a regular expression.

The search_vulns_by_reference() function returns a list of VID whose references match the given source and identifier. At least one of the source and identifier parameters must be given.

The search_vulns_by_package() function returns a list of VID whose affected packages match the given name and version. package_name is mandatory, package_version is optional. regex_names indicates whether package_name is a regular expression.

The is_valid_date() function returns True if the given string is in a recognized date format (i.e. "YYYY-MM-DD", "YYYY-MM" or "YYYY").

The search_vulns_by_discovery_date() function returns a list of VID whose discovery date matches the given date.

The search_vulns_by_entry_date() function returns a list of VID whose entry date matches the given date.

The search_vulns_by_modified_date() function returns a list of VID whose modified date matches the given date.

The print_vuln() function pretty prints a vulnerability from a VID and a vulnerability data structure. The optional show_description parameter indicates whether the description field, which is stored as HTML, should also be rendered as text.
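The date functions above accept "YYYY", "YYYY-MM" or "YYYY-MM-DD" and look a date up in the discovery, entry or modified field of each entry. The following is an added example, not code from the vuxml library, that reimplements that behaviour stand-alone so the validation and prefix-matching logic can be seen and tested: the {vid: vulnerability_data} dictionary, the VIDs, topics and dates are constructed for the example, and the dates sub-dictionary layout is an assumption of this example, not the library's documented structure.

```python
import re
from datetime import date

# Constructed sample in a {vid: vulnerability_data} shape. The VIDs, topics and
# dates are made up for this example; they are not real FreeBSD advisories, and
# the "dates" sub-dictionary layout is this example's own assumption.
SAMPLE_VUXML = {
    "aaaaaaaa-0000-4000-8000-000000000001": {
        "topic": "example-pkg -- constructed entry A",
        "dates": {"discovery": "2023-11-02", "entry": "2023-11-05", "modified": "2024-01-10"},
    },
    "aaaaaaaa-0000-4000-8000-000000000002": {
        "topic": "example-pkg -- constructed entry B",
        "dates": {"discovery": "2024-01-10", "entry": "2024-01-12", "modified": "2024-01-12"},
    },
    "aaaaaaaa-0000-4000-8000-000000000003": {
        "topic": "other-pkg -- constructed entry C",
        "dates": {"discovery": "2022-06-01", "entry": "2022-06-03"},  # never modified
    },
}

# Exactly "YYYY", "YYYY-MM" or "YYYY-MM-DD", zero-padded as VuXML dates are.
_DATE_RE = re.compile(r"^(\d{4})(?:-(\d{2})(?:-(\d{2}))?)?$")
DATE_KINDS = ("discovery", "entry", "modified")


def is_valid_date(date_string):
    """Return True if date_string is a well-formed and real date prefix.

    The shape check alone is not enough: "2023-13" or "2024-02-30" have the
    right shape but are not dates, so the parts are also checked with
    datetime.date (a missing month or day defaults to 1 for that check only).
    """
    match = _DATE_RE.match(date_string)
    if match is None:
        return False
    year, month, day = (int(part) if part else None for part in match.groups())
    try:
        date(year, month or 1, day or 1)
    except ValueError:
        return False
    return True


def search_vulns_by_date(vuxml_data, kind, date_string):
    """Return the sorted VIDs whose `kind` date starts with date_string.

    kind is one of DATE_KINDS. Matching is by prefix, so "2024" selects a whole
    year and "2024-01" a whole month. Entries lacking the requested date (for
    example never modified) are skipped rather than treated as matches.
    """
    if kind not in DATE_KINDS:
        raise ValueError(f"unknown date kind: {kind!r}")
    if not is_valid_date(date_string):
        raise ValueError(f"not a YYYY[-MM[-DD]] date: {date_string!r}")
    return sorted(
        vid
        for vid, vuln in vuxml_data.items()
        if vuln.get("dates", {}).get(kind, "").startswith(date_string)
    )


def get_vulns_by_dates(vuxml_data, kind):
    """Group VIDs by their full `kind` date: {"YYYY-MM-DD": [vid, ...]}."""
    if kind not in DATE_KINDS:
        raise ValueError(f"unknown date kind: {kind!r}")
    by_date = {}
    for vid, vuln in vuxml_data.items():
        day = vuln.get("dates", {}).get(kind)
        if day is not None:
            by_date.setdefault(day, []).append(vid)
    return {day: sorted(vids) for day, vids in sorted(by_date.items())}


if __name__ == "__main__":
    for vid in search_vulns_by_date(SAMPLE_VUXML, "modified", "2024-01"):
        print(vid, SAMPLE_VUXML[vid]["topic"])
```

Rejecting a malformed date up front matters because a prefix search with an unchecked string such as "2023-1" would silently match every entry from October to December of that year.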
The VUXML_DEBUG environment variable can be set to any value to enable debug mode.

Under Windows, the LOCALAPPDATA and TMP environment variables, and under other operating systems the HOME, TMPDIR and TMP environment variables, can influence the caching directory used.
The library “vuxml” is not a standard UNIX one. It tries to follow the PEP 8 style guide for Python code.
This library was made for the PNU project.

While working on the pipinfo(1) tool, I noticed that some Python packages installed as FreeBSD ports were marked as vulnerable in Python advisories but not in FreeBSD ports advisories. I made a tool called pysec2vuxml to check the 4000+ FreeBSD ports of Python packages, and found around 1% of them vulnerable. So I made this library in order to verify if these vulnerable ports were also marked as vulnerable in FreeBSD VuXML, and got carried away writing a full utility demonstrating its use!

This library is available under the 3-clause BSD license.
PORTEPOCH (i.e. software versions ending with ",number") is not taken into account when checking if a vulnerable Python package is also a vulnerable FreeBSD port. Exotic version numbers (i.e. those containing letters, for example) are also not taken into account.
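The two limitations above both come from comparing a FreeBSD port version string directly with an upstream Python version. The following is an added example, not code from the vuxml library or from pysec2vuxml, showing one way a caller could normalize a port version before the comparison: it splits off PORTREVISION ("_N") and PORTEPOCH (",N"), compares plain numeric versions as integer tuples rather than as strings, and returns None for exotic versions so they are routed to manual review instead of being silently treated as not vulnerable. The function names and the sample version strings are constructed for this example.

```python
import re

# FreeBSD port version syntax: <upstream>[_<PORTREVISION>][,<PORTEPOCH>]
# e.g. "2.0.1_3,1" is upstream version 2.0.1, PORTREVISION 3, PORTEPOCH 1.
_PORT_VERSION_RE = re.compile(
    r"^(?P<upstream>[^_,]+)(?:_(?P<revision>\d+))?(?:,(?P<epoch>\d+))?$"
)


def split_port_version(port_version):
    """Split a FreeBSD port version into (upstream, PORTREVISION, PORTEPOCH).

    A missing PORTREVISION or PORTEPOCH is returned as 0.
    """
    match = _PORT_VERSION_RE.match(port_version)
    if match is None:
        raise ValueError(f"not a FreeBSD port version: {port_version!r}")
    return (
        match["upstream"],
        int(match["revision"] or 0),
        int(match["epoch"] or 0),
    )


def parse_numeric_version(version):
    """Return a tuple of ints for a plain dotted-numeric version, else None.

    Trailing zero components are dropped so that "1.2" and "1.2.0" compare
    equal. Anything with letters or other separators ("2.0.1rc1", "1.0a",
    "1.2.3.post1") is "exotic" in the BUGS sense and is deliberately not
    guessed at.
    """
    if not re.fullmatch(r"\d+(?:\.\d+)*", version):
        return None
    parts = [int(part) for part in version.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_port_affected(port_version, fixed_in_version):
    """Decide whether a port's upstream version is below an advisory's fixed version.

    Returns True or False when both sides are plain numeric versions, and None
    when either side is exotic, so the caller can flag it for manual review
    instead of treating an undecidable case as safe.
    """
    upstream, _revision, _epoch = split_port_version(port_version)
    port = parse_numeric_version(upstream)
    fixed = parse_numeric_version(fixed_in_version)
    if port is None or fixed is None:
        return None
    return port < fixed


if __name__ == "__main__":
    # Constructed inputs: a PORTEPOCH suffix, a PORTREVISION, and an rc version.
    for port_version in ("2.0.1,1", "2.0.10_1", "2.0.1rc1"):
        print(port_version, "->", is_port_affected(port_version, "2.0.2"))
```

Comparing tuples rather than strings also avoids the classic mistake of ranking "2.0.10" below "2.0.9"; a string comparison would mark the newer port as vulnerable.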