Skip to content
master
Go to file
Code

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
 
 
 
 
 
 

README.md

Flatpak CVE Checker

This is a simple tool that parses Flatpaks for CVEs and updates.

Dependencies

  • cve-check-tool
  • pygobject
  • libflatpak
  • appstream-glib
  • python-gitlab (optional)

Usage

Basic usage is simply ./flatpak-cve-check --id org.freedesktop.Platform//1.6.

What this does is find that Flatpak installed in the system, extracts package information from its manifest, and tries to match it with CVEs from the NIST NVD.

You will need to manually call cve-check-update to update the database. Note that this downloads and stores over 1GB of data.

This alone is actually usually not enough to get great results because in order to find a match your module names and versions must match the ones in the database which can be found in the CPE Dictionary. So this uses a custom property to allow setting this information to ensure accurate results:

{
    "modules": [
        {
            /* This would be a typical human readable module name */
            "name": "faad",
            "sources": [
                {
                    /* Many modules don't have a useful version for us */
                    "type": "git",
                    "url": "..."
                }
            ],
            "x-cpe": {
                /* But this is the CPE product name */
                "product": "freeware_advanced_audio_decoder_2",
                "version": "2.8.8",
                /* We may have used a newer commit that fixed a CVE */
                "patches": ["CVE-2018-9999"],
                /* In case you need to ignore a CVE */
                "ignored": ["CVE-2017-9999"]
            }
        }
    ]
}

To truely get accurate and reliable results you will need to do this for every module. This is currently a work in progress for the runtimes.

Automation

You can also create a configuration file to automatically check multiple packages and open issues for newly detected CVEs and updates. See config.json.example for a pretty comprehensive example.

You then run flatpak-cve-check --config config.json. The options --no-report and --no-release-check are also very helpful for debugging your configuration without spamming issue trackers or the release-monitoring site.

To effectively use the release-monitoring feature your module names must match the names of packages from a supported distro: https://release-monitoring.org/distros.

About

No description, website, or topics provided.

Resources

License

Releases

No releases published

Packages

No packages published

Languages

You can’t perform that action at this time.