Flatpak CVE Checker

This is a simple tool that parses the manifests of installed Flatpaks and checks their modules for known CVEs.

Dependencies

  • cve-check-tool
  • pygobject
  • libflatpak
  • python-gitlab (optional)

TODO

This is still a work in progress, so configuration isn't well exposed yet.

Usage

Basic usage is simply ./flatpak-cve-check org.freedesktop.Platform 1.6.

This finds that Flatpak installed on the system, extracts package information from its manifest, and tries to match it against CVEs from the NIST NVD.

You will need to manually call cve-check-update to update the database. Note that this downloads and stores over 1GB of data.

On its own this is usually not enough to get good results: to find a match, your module names and versions must match the ones in the database, which can be found in the CPE Dictionary. The tool therefore reads a custom property that lets you set this information explicitly so that results are accurate:

{
    "modules": [
        {
            /* This would be a typical human readable module name */
            "name": "faad",
            "sources": [
                {
                    /* Many modules don't have a useful version for us */
                    "type": "git",
                    "url": "..."
                }
            ],
            "x-cpe": {
                /* But this is the CPE product name */
                "product": "freeware_advanced_audio_decoder_2",
                "version": "2.8.8",
                /* We may have used a newer commit that fixed a CVE */
                "patches": ["CVE-2018-9999"],
                /* In case you need to ignore a CVE */
                "ignored": ["CVE-2017-9999"]
            }
        }
    ]
}

To truly get accurate and reliable results you will need to do this for every module. This is currently a work in progress for the runtimes.
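As an added illustration (not the project's own code), the following Python sketch shows how a checker can read the x-cpe property from a manifest, fall back to the module name when it is absent, and apply the patches and ignored lists when matching modules against NVD records. The manifest, the NVD records, the URLs and the CVE ids are constructed placeholders, and the exact product-plus-version match is an assumption for the example, not cve-check-tool's actual matching logic.

```python
import json
import re
# Constructed manifest fragment (not the project's); /* */ comments are legal in flatpak-builder manifests.
MANIFEST = r"""{
    "modules": [
        {
            "name": "faad",
            "sources": [{"type": "git", "url": "https://example.invalid/faad2.git"}],
            "x-cpe": {
                /* CPE product name, not the human-readable module name */
                "product": "freeware_advanced_audio_decoder_2",
                "version": "2.8.8",
                "patches": ["CVE-2018-9999"],
                "ignored": ["CVE-2017-9999"]
            }
        },
        /* No x-cpe: fall back to the module name and an unknown version */
        {"name": "zlib", "sources": [{"type": "archive", "url": "https://example.invalid/zlib.tar.xz"}]}
    ]
}"""

# Constructed NVD-style records (cve_id, cpe_product, vulnerable_version); the ids are placeholders.
NVD_RECORDS = [
    ("CVE-2016-9999", "freeware_advanced_audio_decoder_2", "2.8.8"),
    ("CVE-2018-9999", "freeware_advanced_audio_decoder_2", "2.8.8"),
    ("CVE-2017-9999", "freeware_advanced_audio_decoder_2", "2.8.8"),
    ("CVE-2015-9999", "freeware_advanced_audio_decoder_2", "2.7.0"),
    ("CVE-2014-9999", "zlib", "1.2.8"),
]

def load_manifest(text):
    """Parse a flatpak-builder manifest after removing its C-style comments."""
    return json.loads(re.sub(r"/\*.*?\*/", "", text, flags=re.S))

def module_cpe(module):
    """Return (product, version, patched, ignored), preferring x-cpe over the module name."""
    cpe = module.get("x-cpe", {})
    return (cpe.get("product", module["name"]), cpe.get("version"),
            set(cpe.get("patches", [])), set(cpe.get("ignored", [])))

def check_manifest(text, records):
    """Map each module name to the CVE ids still open after x-cpe patches and ignores."""
    report = {}
    for module in load_manifest(text)["modules"]:
        product, version, patched, ignored = module_cpe(module)
        # Without a known version every record for the product is reported, so it gets reviewed.
        hits = {cve for cve, prod, ver in records
                if prod == product and (version is None or ver == version)}
        report[module["name"]] = sorted(hits - patched - ignored)
    return report
```

Running check_manifest(MANIFEST, NVD_RECORDS) leaves one open CVE for faad (the patched and ignored ids are dropped, and the 2.7.0 record does not match) and reports the zlib record because no version could be determined.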