jedieaston
commented
2 years ago Related to this: https://github.com/microsoft/winget-cli/issues/872 (in which I commented the functionality could be used for this purpose)
Open nx10 opened 2 years ago
jedieaston
commented
2 years ago Related to this: https://github.com/microsoft/winget-cli/issues/872 (in which I commented the functionality could be used for this purpose)
birbilis
commented
2 years ago There's also a chance a newer version than you have installed has new (compared to ones existing in old version) known vulnerabilities. Shouldn't it similarly (not sure if doing by default would slow things down) warn before installing update?
Question is where would it get this info?
Also would it list vulnerabilities introduced by dependencies?
nx10
commented
2 years ago There's also a chance a newer version than you have installed has new (compared to ones existing in old version) known vulnerabilities. Shouldn't it similarly (not sure if doing by default would slow things down) warn before installing update?
I think there should be a (possibly configurable) warning before installing applications with known vulnerabilities.
Question is where would it get this info?
As specified in the issue, I think the GitHub advisory database would fit well, but I left this purposefully vague as I am non a security expert.
Also would it list vulnerabilities introduced by dependencies?
Possibly. However depending on how (what features of) the dependencies are used a vulnerable dependency does not necessarily lead to a vulnerable downstream application.
Trenly
commented
1 year ago @denelon - is this also Catalog-Health ?
denelon
commented
1 year ago We've also looked at https://cve.mitre.org/ as another possible source for some of this data, but the mapping to WinGet package identifiers isn't straight-forward.
jaytea33
commented
6 months ago I tried using nvd.nist.gov because it goes by CPE name over CVE and (seemingly) aggregates with GitHub advisories and mitre, so with NVD going by CPE it makes it arguably the better option.
However, I ran into way too many issues trying to correlate the winget package names with CPE names to flag 0 or 1 for whether your current app version that winget detects has a known vulnerability or not, so denelon is right, it's difficult to match up with the package names, regardless of the source. You also have to space out the API calls carefully in your script to avoid rate limits unless you're especially skilled at grouping them together in a single API call.
Maybe someone more skilled than me with scripting can do it but I couldn't figure out a universal way to correlate the package names with the CPE names from NVD, there's so many special characters and truncations needed per app name
denelon
commented
5 months ago We've recently added a link to Repology over at the main README.md for the WinGet Community Repository. We're currently looking into better ways to handle correlation between WinGet package identifiers and reported CVE data.
Description of the new feature / enhancement
winget should be able to check if there are known vulnerabilities for installed applications.
Proposed technical implementation details
Similar to
npm auditwhich uses the GitHub advisory database, winget could list installed applications with known vulnerabilities with the commandwinget audit.It should then list:
It should also show if there is a newer version available which fixes the vulnerability.
The main technical difficulty would be choosing and the maintaining database backend. Maybe the Github advisory database could be expanded.