better automatic KnownVuln workflow
There are a couple cases where `fdroid update` will automatically mark APKs with the KnownVuln Anti-Feature:

- If OpenSSL version strings are found that match releases that have known vulns.
- If an APK is signed with MD5 or SHA1.
- If the APK was built to exploit the Janus vuln.
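As an added illustration of the first two triggers (this is example code written for this issue, not fdroidserver's own implementation), the scan below opens an APK as a zip, greps every entry for the `OpenSSL x.y.zl` banner that libcrypto/libssl embed, and looks in the v1 signature files under `META-INF/` for `MD5-Digest`/`SHA1-Digest` attributes. The "vulnerable version" rule and the in-memory sample APK are constructed assumptions used only to exercise the logic; the Janus check is not covered here.

```python
import io
import re
import zipfile

# Version banner OpenSSL embeds in its libraries, e.g. "OpenSSL 1.0.1e 11 Feb 2013".
OPENSSL_RE = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]?)")
# JAR v1 signing writes per-entry digest attributes such as "SHA1-Digest:" and
# "SHA-256-Digest:" into META-INF/MANIFEST.MF and the *.SF files.
WEAK_DIGEST_RE = re.compile(r"^(MD5|SHA1)-Digest", re.MULTILINE)


def openssl_version_is_vulnerable(version):
    """Constructed rule for this illustration (an assumption, not fdroidserver's
    list): treat every 1.0.1 release before 1.0.1g as known-vulnerable."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]?)", version)
    if not m:
        return False
    major, minor, patch, letter = int(m[1]), int(m[2]), int(m[3]), m[4]
    return (major, minor, patch) == (1, 0, 1) and letter < "g"


def scan_apk(apk_bytes):
    """Return which KnownVuln triggers fire for an APK given as bytes."""
    versions, weak = [], set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            data = z.read(name)
            # OpenSSL banners can sit in any native library, so scan every entry.
            for v in OPENSSL_RE.findall(data):
                versions.append(v.decode())
            # Digest algorithm names only appear in the v1 signature files.
            if name.startswith("META-INF/") and name.upper().endswith((".MF", ".SF")):
                weak.update(WEAK_DIGEST_RE.findall(data.decode("utf-8", "replace")))
    versions = sorted(set(versions))
    vulnerable = [v for v in versions if openssl_version_is_vulnerable(v)]
    return {
        "openssl_versions": versions,
        "vulnerable_openssl": vulnerable,
        "weak_digests": sorted(weak),
        "known_vuln": bool(vulnerable or weak),
    }


def build_sample_apk(openssl_version, digest_name):
    """Constructed in-memory stand-in for an APK: a zip with v1 signature files
    using `digest_name` and a fake native library carrying an OpenSSL banner."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF",
                   f"Manifest-Version: 1.0\n\nName: classes.dex\n{digest_name}-Digest: AAAA\n")
        z.writestr("META-INF/CERT.SF",
                   f"Signature-Version: 1.0\n{digest_name}-Digest-Manifest: BBBB\n")
        z.writestr("lib/armeabi-v7a/libcrypto.so",
                   b"\x7fELF\x00OpenSSL " + openssl_version.encode() + b" 11 Feb 2013\x00")
    return buf.getvalue()


if __name__ == "__main__":
    for ver, digest in (("1.0.1e", "SHA1"), ("1.1.1k", "SHA-256")):
        print(ver, digest, scan_apk(build_sample_apk(ver, digest)))
```

Returning the matched versions and digest names rather than a bare boolean is what makes a manual override workable: a reviewer can see exactly which string tripped the check, which is the information a false-positive report needs.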
We've seen that this can be brittle, with some false positives. I've been trying to figure out the best way to provide manual control over these. The current implementation does not provide any manual override. Here are some ideas off the top of my head:

- CI job for fdroiddata that checks this; it would have to build the APK first.
- Make `fdroid lint` or `fdroid scanner` add them to the metadata file, similar to how `checkupdates` adds entries.
- Make a new subcommand, like `fdroid knownvuln`, to scan APKs and add entries.
- Something else?
@licaon-kter @linsui @IzzySoft ping since you've certainly encountered these cases.