
Add CVEChecker which guesses the pkg name and version of an archive

Open ahayzen opened this issue 7 years ago • 6 comments

This is an initial implementation of a CVEChecker, for now it only guesses the pkg_name and version - which it then adds to the debug output.

Let me know if you want this behind a flag for now? e.g. --experimental-cve-checker, or if it is fine as is.

$ ./src/flatpak-external-data-checker --json --verbose ~/Downloads/com.skype.Client.json 
DEBUG:root:CVEChecker: Found libsecret of the version 0.18.5
DEBUG:root:libsecret-0.18.5.tar.xz is not a debian-repo type ext data
DEBUG:root:libsecret-0.18.5.tar.xz is not a rotating-url type ext data
DEBUG:root:CVEChecker: Found v4l-utils of the version 1.12.5
DEBUG:root:v4l-utils-1.12.5.tar.bz2 is not a debian-repo type ext data
DEBUG:root:v4l-utils-1.12.5.tar.bz2 is not a rotating-url type ext data
DEBUG:root:CVEChecker: Found nss of the version 3.36.1
DEBUG:root:nss-3.36.1.tar.gz is not a debian-repo type ext data
DEBUG:root:nss-3.36.1.tar.gz is not a rotating-url type ext data
DEBUG:root:CVEChecker: Unknown type Type.EXTRA_DATA
DEBUG:root:skypeforlinux-64.deb is not a debian-repo type ext data
DEBUG:root:skypeforlinux-64.deb is not a rotating-url type ext data

ahayzen, May 09 '18 23:05

Hey @ahayzen! I realize now I completely dropped the ball on this one! I will dedicate some time to review it later today, sorry for such a delay. I will make sure I move faster now. Thanks for your patience and stay tuned.

joaquimrocha, Jun 05 '18 09:06

One extra comment: it'd be great if you could add a test for this, similar to what we have for the other checkers.

joaquimrocha, Jun 05 '18 23:06

@joaquimrocha I have done the changes, now CVEChecker uses package-name from checker_data. I would like the package name to be auto determined in the future from the URL for archive type (optionally without x-checker-data) so that we can run across flathub easily.

Sure I'll write some tests next :-)

ahayzen, Jul 24 '18 01:07
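Added example, not code from this PR or from flatpak-external-data-checker itself: a small Python sketch of the two behaviours discussed above, the "name-version" guess from an archive filename or URL (the proof of concept in the PR description, which skips non-archive sources such as the .deb) and the explicit `package-name` from `x-checker-data` taking precedence over the guess (the change described in the later comment). The function names, the regex, the `https://example.invalid/...` URL and the sample inputs are constructed for this example and are not the project's API.

```python
import posixpath
import re
from typing import Optional, Tuple
from urllib.parse import urlparse

# Archive suffixes we treat as "source archives" whose stem is name-version.
# Anything else (e.g. skypeforlinux-64.deb, an extra-data .deb) yields no guess,
# mirroring the "Unknown type" line in the PR's debug output.
ARCHIVE_SUFFIXES = (".tar.xz", ".tar.bz2", ".tar.gz", ".tar.zst", ".tgz", ".tar", ".zip")

# Lazy name, one '-' or '_' separator, then a dotted numeric version with an
# optional alphanumeric tail (e.g. 3.36.1, 1.2.3rc1). Constructed for this example.
VERSION_RE = re.compile(
    r"^(?P<name>[A-Za-z][A-Za-z0-9+_.-]*?)[-_](?P<version>\d+(?:\.\d+)+[A-Za-z0-9.]*)$"
)


def guess_name_and_version(source: str) -> Optional[Tuple[str, str]]:
    """Guess (package_name, version) from an archive filename or download URL.

    Returns None when the source is not a recognised archive or the stem does
    not look like name-version; callers must treat a hit as a hint, not a fact.
    """
    # Accept a bare filename or a URL; a URL's query string is dropped by urlparse.
    path = urlparse(source).path if "://" in source else source
    filename = posixpath.basename(path)

    for suffix in ARCHIVE_SUFFIXES:
        if filename.endswith(suffix):
            stem = filename[: -len(suffix)]
            break
    else:
        return None

    match = VERSION_RE.match(stem)
    if match is None:
        return None
    return match.group("name"), match.group("version")


def resolve_package(source: str, checker_data: Optional[dict] = None) -> Optional[Tuple[str, str]]:
    """Prefer an explicit package-name from x-checker-data; fall back to the guess.

    The explicit name fixes cases where the archive stem and the name a CVE feed
    uses differ, while the version is still taken from the filename.
    """
    guess = guess_name_and_version(source)
    explicit = (checker_data or {}).get("package-name")
    if explicit:
        # Only the version can be recovered from the filename in this case.
        return (explicit, guess[1]) if guess else None
    return guess


# Constructed sample inputs modelled on the archive names in the PR's debug output.
SAMPLE_SOURCES = [
    "libsecret-0.18.5.tar.xz",
    "v4l-utils-1.12.5.tar.bz2",
    "https://example.invalid/releases/nss-3.36.1.tar.gz?download=1",
    "skypeforlinux-64.deb",
]


if __name__ == "__main__":
    for src in SAMPLE_SOURCES:
        found = guess_name_and_version(src)
        if found:
            print(f"CVEChecker: Found {found[0]} of the version {found[1]}")
        else:
            print(f"CVEChecker: no guess for {src}")
```

Running the module prints one line per sample source in the same shape as the PR's debug output; the .deb gets no guess. Keeping the explicit name separate from the guessed one matters downstream because a lookup keyed on the wrong name silently reports "no CVEs" rather than failing.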

@joaquimrocha Hey, I've added a basic test case to this now (as we add more functionality to the CVEChecker itself the tests can be expanded). Please re-review when you have a moment :-)

ahayzen, Aug 01 '18 00:08

@joaquimrocha yeah, this pull was just a proof of concept of extracting the version numbers etc. using TingPing's original script and integrating it into your tool :-) Not submitting them to an external service (yet).

It looks like TingPing has something already working with bst and yocto recipes (and maybe flatpak manifests?) for the runtimes; we should check with him before going any further as it sounds much more developed and would be duplicated work.

ahayzen, Aug 18 '18 21:08

Possibly worth it to also use https://gitlab.com/BuildStream/bst-external/blob/master/bst_external/elements/collect_manifest.py for inspiration. It's being used to generate CVE reports for freedesktop-sdk and Gnome runtimes.

nanonyme, Jan 06 '20 15:01