Repository: flatpak-cve-checker. Primary language: Python. License: GNU General Public License v3.0 (GPL-3.0).

Flatpak CVE Checker

This is a simple tool that inspects installed Flatpaks, matches the modules they were built from against known CVEs, and reports available upstream updates.

Dependencies

  • cve-check-tool
  • pygobject
  • libflatpak
  • appstream-glib
  • python-gitlab (optional)

Usage

Basic usage is simply ./flatpak-cve-check --id org.freedesktop.Platform//1.6.

This locates that Flatpak in the local installation, extracts the module (package) information from its build manifest, and tries to match each module against CVE records from the NIST NVD.

The NVD data is not fetched automatically: you have to run cve-check-update yourself to create or refresh the local database. Note that this downloads and stores over 1GB of data.

On its own this usually does not give great results. A match is only found when a module's name and version are exactly the ones the NVD uses, which are the product names and versions listed in the CPE Dictionary, and manifest module names are rarely written that way. To close that gap, the tool reads a custom x-cpe property in the manifest that lets you state the CPE product name and version explicitly, and to record CVEs that are already patched or should be ignored (the /* */ comments below are commentary; flatpak-builder accepts them in JSON manifests):

{
    "modules": [
        {
            /* This would be a typical human readable module name */
            "name": "faad",
            "sources": [
                {
                    /* Many modules don't have a useful version for us */
                    "type": "git",
                    "url": "..."
                }
            ],
            "x-cpe": {
                /* But this is the CPE product name */
                "product": "freeware_advanced_audio_decoder_2",
                "version": "2.8.8",
                /* We may have used a newer commit that fixed a CVE */
                "patches": ["CVE-2018-9999"],
                /* In case you need to ignore a CVE */
                "ignored": ["CVE-2017-9999"]
            }
        }
    ]
}

To get truly accurate and reliable results you will need to add an x-cpe block to every module. Doing this for the runtimes is currently a work in progress.
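To make the matching rules above concrete, here is an added Python illustration of how a checker could consume the x-cpe property. This is example code written for this page, not the flatpak-cve-checker implementation: the CVE records are constructed sample data standing in for the NVD/CPE data that cve-check-tool keeps locally, the fallback to a git source's "tag" for modules without x-cpe is this example's own assumption, and only the field names shown in the manifest fragment above (product, version, patches, ignored) are taken from the page.

```python
"""Added example for this page: how an "x-cpe" override changes CVE matching.

Illustration only, not the flatpak-cve-checker code. SAMPLE_CVE_DB is
constructed data, not real NVD content; the "tag" fallback is an assumption.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

CVE_ID = re.compile(r"^CVE-\d{4}-\d{4,}$")

# Constructed sample records: CPE product name, affected version, CVE id.
# The two IDs from the README's manifest fragment are reused as placeholders.
SAMPLE_CVE_DB = [
    {"product": "freeware_advanced_audio_decoder_2", "version": "2.8.8", "cve": "CVE-2018-9999"},
    {"product": "freeware_advanced_audio_decoder_2", "version": "2.8.8", "cve": "CVE-2017-9999"},
    {"product": "freeware_advanced_audio_decoder_2", "version": "2.8.8", "cve": "CVE-2018-9998"},
    {"product": "freeware_advanced_audio_decoder_2", "version": "2.7.0", "cve": "CVE-2016-9999"},
]

# Constructed manifest fragment. The first module carries the README's x-cpe
# block; the second is the same module without it, to show why the override
# matters. URLs are placeholders.
SAMPLE_MANIFEST = {
    "modules": [
        {
            "name": "faad",
            "sources": [{"type": "git", "url": "https://example.invalid/faad2.git"}],
            "x-cpe": {
                "product": "freeware_advanced_audio_decoder_2",
                "version": "2.8.8",
                "patches": ["CVE-2018-9999"],   # fixed by a newer commit we build
                "ignored": ["CVE-2017-9999"],   # not applicable to our build
            },
        },
        {
            "name": "faad",
            "sources": [{"type": "git", "url": "https://example.invalid/faad2.git", "tag": "2.8.8"}],
        },
    ]
}


@dataclass
class ModuleReport:
    name: str
    product: str
    version: Optional[str]
    open_cves: Set[str] = field(default_factory=set)
    patched: Set[str] = field(default_factory=set)
    ignored: Set[str] = field(default_factory=set)
    warnings: List[str] = field(default_factory=list)


def cpe_identity(module: dict) -> Tuple[str, Optional[str]]:
    """Product/version used for the lookup. "x-cpe" wins; otherwise fall back
    to the human-readable module name and (assumption) a source's git "tag"."""
    xcpe = module.get("x-cpe", {})
    product = xcpe.get("product", module["name"])
    version = xcpe.get("version")
    if version is None:
        for src in module.get("sources", []):
            if "tag" in src:
                version = src["tag"].lstrip("v")
                break
    return product, version


def check_module(module: dict, db: List[dict]) -> ModuleReport:
    """Match one module against the records and apply patches/ignored."""
    product, version = cpe_identity(module)
    report = ModuleReport(module["name"], product, version)
    xcpe = module.get("x-cpe", {})
    # Sanity-check the override itself: a typo here silently hides nothing.
    for key in ("patches", "ignored"):
        bad = [c for c in xcpe.get(key, []) if not CVE_ID.match(c)]
        if bad:
            report.warnings.append(f"{key}: malformed CVE id(s) {bad}")
    if version is None:
        report.warnings.append("no version available to match against the CPE dictionary")
        return report
    hits = {r["cve"] for r in db if r["product"] == product and r["version"] == version}
    if not hits and "x-cpe" not in module:
        report.warnings.append(
            f"no records for {product!r} {version}; check the CPE product name or add x-cpe")
    # Only drop CVEs that actually matched, so stale entries stay visible as no-ops.
    report.patched = hits & set(xcpe.get("patches", []))
    report.ignored = hits & set(xcpe.get("ignored", []))
    report.open_cves = hits - report.patched - report.ignored
    return report


def check_manifest(manifest: dict, db: List[dict]) -> List[ModuleReport]:
    return [check_module(m, db) for m in manifest.get("modules", [])]


if __name__ == "__main__":
    for r in check_manifest(SAMPLE_MANIFEST, SAMPLE_CVE_DB):
        print(f"{r.name} -> {r.product} {r.version}: open={sorted(r.open_cves)} "
              f"patched={sorted(r.patched)} ignored={sorted(r.ignored)} warnings={r.warnings}")
```

Run as-is, the module with the x-cpe block reports one open CVE (the constructed CVE-2018-9998), one patched and one ignored; the module without it matches nothing, because "faad" is not the CPE product name, and gets a warning pointing at the CPE Dictionary instead of a silently clean result.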

Automation

You can also write a configuration file to check multiple packages in one run and to open issues automatically for newly detected CVEs and updates. See config.json.example for a fairly comprehensive example.

You then run flatpak-cve-check --config config.json. While debugging a configuration, --no-report and --no-release-check are very helpful: they let you exercise the checks without spamming issue trackers or the release-monitoring site.

To effectively use the release-monitoring feature your module names must match the names of packages from a supported distro: https://release-monitoring.org/distros.