Skip to content

Show apps with known vulnerabilities in the updates tab.

Installed apks with "known vuln" anti features are displayed in the "Updates" tab with a prompt to either upgrade/uninstall, and also the option to ignore.

I can optionally break this down into some smaller MRs if desired:

  • AntiFeature and ApkAntiFeatureJoin tables.
  • ignoreVulnerabilities preference.
  • Changes to Updates tab to support the main feature.

Things which are not yet done, and which can either be added to this MR, or postponed until afterward:

  • Feedback about known vulnerabilities in AppDetails.
    • Right now all the UI revolves around the Updates tab.
    • AppDetails is probably required so that before someone installs an app, they are alerted.
    • We can also show specific versions in the version list as vulnerable.
  • Any sort of discussion around "how did we decide it was vulnerable?"
    • Without this, if people contact upstream and file a bug then they can't provide any info at all as to the nature of the bug, and upstream will not be able to easily figure out either.
    • See some of the discussion on #1070 (closed) for more info.
  • Ignoring only a specific version of an apk.
    • Right now you can just ignore all vulnerabilities for a specific app.
  • Can't un-ignore apps with vulnerabilities.
    • This really should work like the "ignore updates" feature.
    • The toolbar in AppDetails should have a menu checkbox for "Ignore vulnerable versions".
  • Doesn't suggest a newer version which is non-vulnerable (and correctly signed) if the known vuln apk is from a repo without the highest priority (and thus preferredMetadata is from the repo with the non-vuln version).

Feel free to move any of these "not done yet" thigns into the "WIP for the following reasons" section, and I can add them to this MR.

Closes #1070 (closed).

Edited by Peter Serwylo

Merge request reports