Skip to content
Go to file

Latest commit


Git stats


Failed to load latest commit information.
Latest commit message
Commit time

Flatpak CVE Checker

This is a simple tool that parses Flatpaks for CVEs and updates.


  • cve-check-tool
  • pygobject
  • libflatpak
  • appstream-glib
  • python-gitlab (optional)


Basic usage is simply ./flatpak-cve-check --id org.freedesktop.Platform//1.6.

What this does is find that Flatpak installed in the system, extracts package information from its manifest, and tries to match it with CVEs from the NIST NVD.

You will need to manually call cve-check-update to update the database. Note that this downloads and stores over 1GB of data.

This alone is actually usually not enough to get great results because in order to find a match your module names and versions must match the ones in the database which can be found in the CPE Dictionary. So this uses a custom property to allow setting this information to ensure accurate results:

    "modules": [
            /* This would be a typical human readable module name */
            "name": "faad",
            "sources": [
                    /* Many modules don't have a useful version for us */
                    "type": "git",
                    "url": "..."
            "x-cpe": {
                /* But this is the CPE product name */
                "product": "freeware_advanced_audio_decoder_2",
                "version": "2.8.8",
                /* We may have used a newer commit that fixed a CVE */
                "patches": ["CVE-2018-9999"],
                /* In case you need to ignore a CVE */
                "ignored": ["CVE-2017-9999"]

To truely get accurate and reliable results you will need to do this for every module. This is currently a work in progress for the runtimes.


You can also create a configuration file to automatically check multiple packages and open issues for newly detected CVEs and updates. See config.json.example for a pretty comprehensive example.

You then run flatpak-cve-check --config config.json. The options --no-report and --no-release-check are also very helpful for debugging your configuration without spamming issue trackers or the release-monitoring site.

To effectively use the release-monitoring feature your module names must match the names of packages from a supported distro:


No description, website, or topics provided.




No releases published


No packages published


You can’t perform that action at this time.