@dlangille
Created May 14, 2026 00:15
Patch so you can ignore certain ports for vulns
--- scripts/periodic/410.pkg-audit.in.orig 2026-04-16 14:23:11 UTC
+++ scripts/periodic/410.pkg-audit.in
@@ -46,15 +46,43 @@ fi
: ${security_status_pkgaudit_expiry:=2}
: ${security_status_pkgaudit_expiration:=YES}
: ${security_status_pkgaudit_deprecation:=YES}
+: ${security_status_pkgaudit_ignore_warning_package_list:=""}
# Compute PKG_DBDIR from the config file.
pkgcmd=%prefix%/sbin/pkg
PKG_DBDIR=`${pkgcmd} config PKG_DBDIR`
auditfile="${PKG_DBDIR}/vuln.xml"
+grep='/usr/bin/grep'
+
+set -o pipefail
+
+filter_list() {
+ local pkgargs="$1"
+ shift
+ local fetchdb="$1"
+ # Populate $@ for "audit" command.
+ # -- Need "-q" option to generate only the affected package list in order to
+ # optionally filter it, to eventually pass it on to "pkg-audit(8)" to list
+ # affected packages.
+ set -- -q $fetchdb
+
+ if [ -n "$security_status_pkgaudit_ignore_warning_package_list" ]
+ then
+ ${pkgcmd} ${pkgargs} audit $@ \
+ | ${grep} --invert-match --file "$security_status_pkgaudit_ignore_warning_package_list"
+ else
+ ${pkgcmd} ${pkgargs} audit $@
+ fi
+
+ unset pkgargs
+ unset fetchdb
+}
+
audit_pkgs() {
local pkgargs="$1"
local basedir="$2"
+ local fetchdb=''
local rc
local then
local now
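Review bot: The ignore list in `filter_list` is applied with `grep --invert-match --file` as unanchored basic regular expressions against the `name-version` lines that `pkg audit -q` prints, so a short entry such as `python` drops every package whose string contains it, and a blank line in the list file drops every finding; nothing in the hunk documents or guards this. At minimum the new `security_status_pkgaudit_ignore_warning_package_list` default should carry a comment such as `# File of grep(1) patterns, one per line, matched unanchored against "pkg audit -q" output (name-version); an empty line suppresses everything.`, and the same wording belongs wherever the other `security_status_pkgaudit_*` knobs are documented for administrators. Note also that `set -o pipefail` is enabled at file scope rather than inside `filter_list`, so it changes the exit status of any other pipeline later in this script; if there are none that is harmless, but scoping it (or commenting why it is global) would make the intent clear. The trailing `unset pkgargs` / `unset fetchdb` lines are redundant for `local` variables and can be dropped.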
@@ -67,12 +95,20 @@ audit_pkgs() {
-le $(( ${now} - ${then} + 600 )) ]; then
# When non-interactive, sleep to reduce congestion on mirrors
anticongestion
- ${pkgcmd} ${pkgargs} audit -F $q || { rc=$?; [ $rc -lt 3 ] && rc=3; }
+ fetchdb='-F'
else
echo -n 'Database fetched: '
date -r "${then}" -Iminutes || rc=3
- ${pkgcmd} ${pkgargs} audit $q || { rc=$?; [ $rc -lt 3 ] && rc=3; }
fi
+
+ set -- $fetchdb
+ filter_list "${pkgargs}" $@ | xargs ${pkgcmd} ${pkgargs} audit $q
+ rc=$?
+ if [ $rc -ne 0 ] && [ $rc -lt 3 ]
+ then
+ rc=3
+ fi
+ unset fetchdb
return $rc
}
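Review bot: `rc=$?` after the `filter_list ... | xargs` pipeline picks up the status of `filter_list` through the `set -o pipefail` this patch turns on, so when every vulnerable package is in the ignore list the run still ends with rc=3: `grep --invert-match` exits 1 when it selects no lines, and `pkg audit -q` presumably exits non-zero whenever it finds vulnerabilities, as the removed `|| { rc=$?; [ $rc -lt 3 ] && rc=3; }` lines assumed. If fully-ignored findings are meant not to raise the periodic status, derive `rc` from the detail-printing `pkg audit` alone, e.g. replace the pipeline and `rc=$?` with `pkgs=$(filter_list "${pkgargs}" $@)` / `rc=0` / `[ -z "$pkgs" ] || { ${pkgcmd} ${pkgargs} audit $q $pkgs; rc=$?; }`. The pipeline also relies on `xargs` not invoking `pkg audit` when it reads no input — FreeBSD's xargs behaves that way, but an xargs that runs the utility once on empty input would audit every installed package and silently undo the filter; passing `xargs -r` (accepted by FreeBSD's xargs for compatibility) makes that requirement explicit. `audit_pkgs` begins before this hunk.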
[0:13 pkg01 dvl ~] % grep security_status_pkgaudit_ignore_warning_package_list /etc/periodic.conf
security_status_pkgaudit_ignore_warning_package_list="/usr/local/etc/periodic/ignore-incessant-alert-vulnerable-package.list"
[0:13 pkg01 dvl ~] % cat /usr/local/etc/periodic/ignore-incessant-alert-vulnerable-package.list
python311
python312
# this will ignore all vulns in those two ports. Why? This is why:
[23:58 besser dvl ~] % pkg audit
python312-3.12.13_2 is vulnerable:
Python -- HTTP proxy CONNECT tunnel does not sanitize CR/LF
CVE: CVE-2026-1502
WWW: https://vuxml.FreeBSD.org/freebsd/30bda1c3-369b-11f1-b51c-6dd25bec137b.html
Python -- poplib module, when passed a user-controlled command, can have additional commands injected using newlines
CVE: CVE-2025-15367
WWW: https://vuxml.FreeBSD.org/freebsd/6d3488ae-2e0f-11f1-88c7-00a098b42aeb.html
python -- more webbrowser.open() command injection vulnerabilities
CVE: CVE-2026-4786
WWW: https://vuxml.FreeBSD.org/freebsd/cf75f572-378a-11f1-a119-e36228bfe7d4.html
Python -- use-after-free vulnerability in decompressors under memory pressure
CVE: CVE-2026-6100
WWW: https://vuxml.FreeBSD.org/freebsd/b8e9f33c-375d-11f1-a119-e36228bfe7d4.html
Python -- imaplib module, when passed a user-controlled command, can have additional commands injected using newlines
CVE: CVE-2025-15366
WWW: https://vuxml.FreeBSD.org/freebsd/0be929a5-2e0f-11f1-88c7-00a098b42aeb.html
Python -- configparser vulnerable to excessive CPU use
WWW: https://vuxml.FreeBSD.org/freebsd/5ec4dcf6-3588-11f1-b51c-6dd25bec137b.html
6 problem(s) in 1 package(s) found.
@dlangille

Credit to ax6761 for their work on this: re https://bsd.network/web/@[email protected]/116470321227975843
