Checking for known vulnerabilities #2204
Comments
Related to this: #872 (in which I commented the functionality could be used for this purpose)
There's also a chance a newer version than you have installed has new (compared to ones existing in the old version) known vulnerabilities. Shouldn't it similarly (not sure if doing so by default would slow things down) warn before installing an update? The question is where it would get this info. Also, would it list vulnerabilities introduced by dependencies?
I think there should be a (possibly configurable) warning before installing applications with known vulnerabilities.
As specified in the issue, I think the GitHub advisory database would fit well, but I left this purposefully vague as I am not a security expert.
Possibly. However, depending on how (what features of) the dependencies are used, a vulnerable dependency does not necessarily lead to a vulnerable downstream application.
@denelon - is this also
We've also looked at https://cve.mitre.org/ as another possible source for some of this data, but the mapping to WinGet package identifiers isn't straightforward.
I tried using nvd.nist.gov because it goes by CPE name over CVE and (seemingly) aggregates with GitHub advisories and MITRE, so with NVD going by CPE it makes it arguably the better option. However, I ran into way too many issues trying to correlate the winget package names with CPE names to flag 0 or 1 for whether your current app version that winget detects has a known vulnerability or not, so denelon is right: it's difficult to match up with the package names, regardless of the source. You also have to space out the API calls carefully in your script to avoid rate limits unless you're especially skilled at grouping them together in a single API call. Maybe someone more skilled than me with scripting can do it, but I couldn't figure out a universal way to correlate the package names with the CPE names from NVD; there are so many special characters and truncations needed per app name.
We've recently added a link to Repology over at the main README.md for the WinGet Community Repository. We're currently looking into better ways to handle correlation between WinGet package identifiers and reported CVE data.
Description of the new feature / enhancement
winget should be able to check if there are known vulnerabilities for installed applications.
Proposed technical implementation details
Similar to `npm audit`, which uses the GitHub advisory database, winget could list installed applications with known vulnerabilities with the command `winget audit`. It should then list:
It should also show if there is a newer version available which fixes the vulnerability.
The main technical difficulty would be choosing and maintaining the database backend. Maybe the GitHub advisory database could be expanded.
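As an added illustration of the `winget audit` behaviour proposed above (example code, not winget's or any advisory database's), a small Python audit over constructed data: the advisory feed, the installed list and the identifier-to-CPE heuristic are all assumptions, and the third package shows why a package the feed does not cover has to be reported as unknown rather than clean.

```python
# Constructed advisory records (OSV-style fields; NOT real advisories).
# Each record covers versions in the half-open range [introduced, fixed).
ADVISORIES = [
    {"id": "EXAMPLE-0001", "cpe_product": "contoso:editor",
     "introduced": "1.0.0", "fixed": "1.4.2"},
    {"id": "EXAMPLE-0002", "cpe_product": "contoso:editor",
     "introduced": "1.3.0", "fixed": None},  # no fixed release yet
    {"id": "EXAMPLE-0003", "cpe_product": "fabrikam:viewer",
     "introduced": "0", "fixed": "2.0.0"},
]

# Constructed sample of what `winget list` might report (Id -> Version).
INSTALLED = {
    "Contoso.Editor": "1.3.5",               # inside -0001 and -0002
    "Fabrikam.Viewer": "2.0.0",              # exactly the fixed version: clean
    "Microsoft.VisualStudioCode": "1.80.0",  # absent from feed: unknown, not clean
}

def parse_version(v: str) -> tuple:
    """'1.4.2' -> (1, 4, 2); non-numeric segments count as 0 so comparing
    odd vendor tags never raises."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

def winget_id_to_cpe(winget_id: str) -> str:
    """Assumed heuristic: 'Publisher.Product' -> lowercased 'publisher:product'.
    Real CPE names differ in spelling and truncation (the thread's problem)."""
    publisher, _, product = winget_id.partition(".")
    return f"{publisher}:{product}".lower()

def audit(installed: dict, advisories=ADVISORIES) -> list:
    """One finding per (package, advisory) whose range contains the installed
    version; 'fixed_in' is the upgrade target, or None if no release fixes it."""
    findings = []
    for pkg, version in installed.items():
        v = parse_version(version)
        for adv in advisories:
            if winget_id_to_cpe(pkg) != adv["cpe_product"]:
                continue
            fixed = adv["fixed"]
            if v >= parse_version(adv["introduced"]) and (
                    fixed is None or v < parse_version(fixed)):
                findings.append({"id": pkg, "installed": version,
                                 "advisory": adv["id"], "fixed_in": fixed})
    return findings

def uncovered(installed: dict, advisories=ADVISORIES) -> set:
    """Packages the feed says nothing about: report as unknown, never as safe."""
    known = {adv["cpe_product"] for adv in advisories}
    return {pkg for pkg in installed if winget_id_to_cpe(pkg) not in known}
```

Running `audit(INSTALLED)` flags Contoso.Editor twice, once with an upgrade target of 1.4.2 and once with no fix available, while `uncovered(INSTALLED)` returns the package the feed cannot speak to.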