Show apps with known vulnerabilities in the updates tab.
Installed apks with "known vuln" anti features are displayed in the "Updates" tab with a prompt to either upgrade/uninstall, and also the option to ignore.
I can optionally break this down into some smaller MRs if desired:
- AntiFeature and ApkAntiFeatureJoin tables.
- ignoreVulnerabilities preference.
- Changes to Updates tab to support the main feature.
Things which are not yet done, and which can either be added to this MR, or postponed until afterward:
- Feedback about known vulnerabilities in AppDetails.
  - Right now all the UI revolves around the Updates tab.
  - AppDetails is probably required so that before someone installs an app, they are alerted.
  - We can also show specific versions in the version list as vulnerable.
- Any sort of discussion around "how did we decide it was vulnerable?"
  - Without this, if people contact upstream and file a bug then they can't provide any info at all as to the nature of the bug, and upstream will not be able to easily figure out either.
  - See some of the discussion on #1070 (closed) for more info.
- Ignoring only a specific version of an apk.
  - Right now you can just ignore all vulnerabilities for a specific app.
- Can't un-ignore apps with vulnerabilities.
  - This really should work like the "ignore updates" feature.
  - The toolbar in AppDetails should have a menu checkbox for "Ignore vulnerable versions".
- Doesn't suggest a newer version which is non-vulnerable (and correctly signed) if the known vuln apk is from a repo without the highest priority (and thus preferredMetadata is from the repo with the non-vuln version).
Feel free to move any of these "not done yet" things into the "WIP for the following reasons" section, and I can add them to this MR.
Closes #1070 (closed).
Edited by Peter Serwylo