Open Deadlyelder opened 2 months ago
What are you going to use for vulnerability information on the packages provided by flatpak and snap? I don't think NVD is enough.
I agree with the idea of collecting packages handled by snap/flatpak as a way of organizing asset information.
You are correct that relying solely on the NVD is not enough, but it is a good starting point since it provides information about installed Flatpak and Snap packages. While the accuracy (or rather the confidence level) in the vulnerability is limited, this is mainly due to the lack of security advisories from Flatpak and Snap. However, by notifying users through vuls, we might encourage the developers there to consider publishing such advisories.
In other words, since vuls already provides a switch to show/hide results, we try to leverage this by alerting users of the package presence. Accurate identification of vulnerabilities will only be possible once Flatpak and Snap offer security advisories.
Another consideration is that if Snap or Flatpak maintainers were to map their package names to existing CPE or WDF identifiers, it would greatly simplify the task at hand.
In the meantime, we try to make the best of the available resources, including modifying the go-cve-dictionary (PR 400 submitted) to support the queries we use in vuls for covering Snap and Flatpak.
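The flow the reply above describes (collect the installed Snap/Flatpak packages as asset information, look them up in NVD by name and version, and flag each hit as low confidence so users can show or hide it), as an added Go example that is neither vuls's code nor part of this thread; the `Package` struct, the vendor-wildcard CPE query and the fixed "low" label are assumptions, and the sample command output is constructed.

```go
package main
import (
	"fmt"
	"strings"
)

// Package is one app found via a sandboxed package manager (assumed struct, not vuls's own type).
type Package struct{ Manager, Name, Version string }
// Constructed sample output, laid out like `snap list` and the tab-separated
// `flatpak list --app --columns=application,version`.
const sampleSnap = `Name     Version   Rev   Tracking       Publisher   Notes
firefox  120.0-1   1234  latest/stable  mozilla✓    -
core22   20231123  864   latest/stable  canonical✓  base`
const sampleFlatpak = "org.videolan.VLC\t3.0.20\norg.gnome.Calculator\t"
// ParseSnapList skips the header row and keeps the Name and Version columns.
func ParseSnapList(out string) []Package {
	var pkgs []Package
	for i, line := range strings.Split(strings.TrimSpace(out), "\n") {
		if f := strings.Fields(line); i > 0 && len(f) >= 2 {
			pkgs = append(pkgs, Package{"snap", f[0], f[1]})
		}
	}
	return pkgs
}
// ParseFlatpakList drops rows without a version: there is nothing to match against NVD.
func ParseFlatpakList(out string) []Package {
	var pkgs []Package
	for _, line := range strings.Split(out, "\n") {
		if f := strings.Split(line, "\t"); len(f) >= 2 && f[1] != "" {
			pkgs = append(pkgs, Package{"flatpak", f[0], f[1]})
		}
	}
	return pkgs
}

// CPEQuery builds a vendor-wildcard CPE 2.3 string for an NVD lookup. The product is
// only guessed from the package id (org.videolan.VLC -> vlc), so every match is
// labelled low confidence until Snap/Flatpak publish an official name-to-CPE mapping.
func CPEQuery(p Package) (cpe, confidence string) {
	product := strings.ToLower(p.Name[strings.LastIndex(p.Name, ".")+1:])
	return fmt.Sprintf("cpe:2.3:a:*:%s:%s:*:*:*:*:*:*:*", product, p.Version), "low"
}

func main() {
	for _, p := range append(ParseSnapList(sampleSnap), ParseFlatpakList(sampleFlatpak)...) {
		cpe, conf := CPEQuery(p)
		fmt.Printf("%-7s %-20s %s (confidence: %s)\n", p.Manager, p.Name, cpe, conf)
	}
}
```

A scanner would feed the resulting CPE strings to the NVD lookup and carry the confidence label through to the show/hide switch.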
Support for finding vulnerabilities for packages installed via flatpak and snap package managers due to their widespread use.