Reporting on vulnerable packages (SmartOS)

pkgsrc has native support for reporting on vulnerable packages.
Joyent has a pkgsrc security team who maintain a file containing all known vulnerabilities. These known vulnerabilities are matched against the packages you have installed.

To use it, run:

$ pkg_admin fetch-pkg-vulnerabilities

$ pkg_admin audit

Given the OpenSSL-patch-du-jour days of late, this tool is essential and a truly valuable service to have at one's disposal.

See pkg_admin(1) for all the relevant info.

UPDATE: A friend informed me that pkg_admin fetch-pkg-vulnerabilities is run from the root crontab in each OS VM (zone) by default, which I wasn't aware of.
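With the vulnerability file already fetched from cron, the audit step can be scripted the same way so that only findings not seen in the previous run are reported. The following is an added example, not part of the original post or of pkgsrc. It assumes audit lines of the form "Package <name-version> has a <type> vulnerability, see <url>"; the function names, the sample lines and the state-file path are made up for illustration.

```shell
#!/bin/sh
# Added example: summarise `pkg_admin audit` output and report only new findings.
# Assumed line format (check against your own pkg_admin output):
#   Package <name-version> has a <type> vulnerability, see <url>

# Constructed sample standing in for `pkg_admin audit` output (not real data).
sample_audit() {
cat <<'EOF'
Package examplelib-1.0.1 has a denial-of-service vulnerability, see https://example.invalid/adv/1
Package examplelib-1.0.1 has a privilege-escalation vulnerability, see https://example.invalid/adv/2
Package exampled-2.4nb1 has a remote-code-execution vulnerability, see https://example.invalid/adv/3
EOF
}

# Read audit output on stdin; print "<count> <package>" per affected package,
# most findings first.
audit_summary() {
    awk '$1 == "Package" && / vulnerability, see / { n[$2]++ }
         END { for (p in n) print n[p], p }' | sort -k1,1nr -k2,2
}

# Read audit output on stdin; print the lines that are absent from the state
# file given as $1, then replace the state file with the current findings.
audit_new() {
    state=$1
    cur=$(mktemp) || return 1
    sort -u > "$cur"
    [ -f "$state" ] || : > "$state"
    comm -23 "$cur" "$state"      # lines only in the current run
    mv "$cur" "$state"
}

# Demo on the constructed sample. On a real zone, replace sample_audit with
# `pkg_admin audit`, for example (hypothetical state path):
#   pkg_admin audit | audit_new /var/db/pkg-audit.seen
sample_audit | audit_summary
```

Run from cron, audit_new prints nothing when the set of findings is unchanged, so mail is generated only when a new advisory matches an installed package.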