Reporting on vulnerable packages (SmartOS)
pkgsrc has native support for reporting on vulnerable packages.
Joyent has a pkgsrc security team who maintain a file containing all known vulnerabilities. These known vulnerabilities are matched against the packages you have installed.
To use it, run:
$ pkg_admin fetch-pkg-vulnerabilities
$ pkg_admin audit
Especially given the OpenSSL-patch-du-jour days of late, this tool is essential and a truly valuable service to have at one's disposal.
See pkg_admin(1) for all the relevant info.
A friend informed me that pkg_admin fetch-pkg-vulnerabilities is run from the root crontab in each OS VM (zone) by default, which I wasn't aware of.