doyensec / electronegativity

Electronegativity is a tool to identify misconfigurations and security anti-patterns in Electron applications.
Apache License 2.0
971 stars 66 forks

AVAILABLE_SECURITY_FIXES_GLOBAL_CHECK false positives #104

Open goosewobbler opened 1 year ago

goosewobbler commented 1 year ago

AVAILABLE_SECURITY_FIXES_GLOBAL_CHECK is giving false positives due to its use of https://github.com/electron/releases, which has been deprecated and will no longer be updated.

The new way to get electron release data is via:

https://releases.electronjs.org/releases.json

However the data structure is completely different so this is not a drop-in replacement.

phosphore commented 1 year ago

Thanks for reporting this @goosewobbler. I agree that the current releases.json file does not contain any details regarding the new version changes, so we can't look for security fixes with that. It may be possible to get them from the RSS feed at https://github.com/electron/electron/releases.atom, even if I'm not sure how the pagination works in that; I'm only getting the last release returned. @MarshallOfSound, as far as you know, is there a more complete output besides the existing releases.json file hosted on releases.electronjs.org?
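Worked example for the two points above (the release index carrying no changelog, and the Atom feed being a possible source of "security" markers). This is an added illustration, not Electronegativity's own code nor anything from the Electron project: it takes the text of an Atom feed as input, extracts the version from each entry title (assumed here to be of the form "electron vX.Y.Z", which is an assumption about the feed's title format), and lists the stable releases newer than a given app version on the same major line whose notes mention "security". The feed text embedded below is constructed sample data, not real Electron release notes, and the code does nothing about feed pagination, which is exactly the open question in the comment above: if the feed only returns the most recent entries, older fixes are invisible to this check.

```python
import re
import xml.etree.ElementTree as ET

ATOM_NS = {"atom": "http://www.w3.org/2005/Atom"}
# "v25.3.1" or "25.3.1", with an optional prerelease suffix such as "-beta.2".
VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?")
# Marker we look for in release notes; a coarse heuristic, not a vulnerability database.
SECURITY_RE = re.compile(r"\bsecurity\b", re.IGNORECASE)

# Constructed sample in the shape of a GitHub releases.atom feed.
# Versions and notes are invented for this example only.
SAMPLE_ATOM = """<?xml version="1.0" encoding="UTF-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
  <entry>
    <title>electron v26.0.0-beta.2</title>
    <content type="html">&lt;p&gt;Security: hardening in the beta line.&lt;/p&gt;</content>
  </entry>
  <entry>
    <title>electron v25.3.1</title>
    <content type="html">&lt;p&gt;Fixes: Security: backported a security fix.&lt;/p&gt;</content>
  </entry>
  <entry>
    <title>electron v25.3.0</title>
    <content type="html">&lt;p&gt;Fixes: crash on window close.&lt;/p&gt;</content>
  </entry>
  <entry>
    <title>electron v25.2.1</title>
    <content type="html">&lt;p&gt;Security: backported a security fix.&lt;/p&gt;</content>
  </entry>
  <entry>
    <title>electron v24.8.0</title>
    <content type="html">&lt;p&gt;Security: fix on the 24.x line.&lt;/p&gt;</content>
  </entry>
</feed>
"""


def parse_version(text):
    """Return ((major, minor, patch), prerelease_suffix_or_None), or None if absent."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))), m.group(4)


def parse_atom_releases(xml_text):
    """Extract (version, prerelease flag, notes) from every <entry> in the feed."""
    root = ET.fromstring(xml_text)
    releases = []
    for entry in root.findall("atom:entry", ATOM_NS):
        title = entry.findtext("atom:title", default="", namespaces=ATOM_NS)
        # ElementTree unescapes the HTML-in-XML content, so the regex sees plain text.
        notes = entry.findtext("atom:content", default="", namespaces=ATOM_NS)
        parsed = parse_version(title)
        if parsed is None:
            continue  # entry title carries no version; skip rather than guess
        version, prerelease = parsed
        releases.append({"version": version, "prerelease": prerelease, "notes": notes})
    return releases


def security_fixes_after(xml_text, app_version):
    """Stable releases on the app's major line, newer than app_version, whose
    notes mention 'security'. Returned as 'X.Y.Z' strings, oldest first."""
    base = parse_version(app_version)
    if base is None:
        raise ValueError(f"unrecognised Electron version: {app_version!r}")
    current, _ = base
    hits = []
    for rel in parse_atom_releases(xml_text):
        if rel["prerelease"]:
            continue  # betas/nightlies are not upgrade targets for a stable app
        if rel["version"][0] != current[0] or rel["version"] <= current:
            continue  # different major line, or not newer than what the app ships
        if SECURITY_RE.search(rel["notes"]):
            hits.append(".".join(str(n) for n in rel["version"]))
    return sorted(hits, key=lambda v: parse_version(v)[0])


if __name__ == "__main__":
    # An app pinned to Electron 25.2.0 would, on this sample feed, be told about
    # 25.2.1 and 25.3.1 only; 25.3.0 carries no security marker and 24.8.0 is
    # another major line.
    print(security_fixes_after(SAMPLE_ATOM, "v25.2.0"))
```

The output is only as good as the feed window: if the feed returns a single page, an app several minor versions behind will miss earlier security releases, so a check built this way should treat "no hits" as "nothing found in the visible window" rather than "no fixes available".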