Specification: CVE Detection in Validation and Client Reporting #6292
denelon wants to merge 1 commit into
Conversation
…#2204) Specification for integrating vulnerability detection into the WinGet ecosystem — validation pipeline flagging, client reporting via 'winget security' command, and Group Policy controls for enterprise. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Trenly
left a comment
My main concern is mostly about using the severity instead of the actual CVSS. I'd prefer to use the actual CVSS if possible, since it provides a greater level of fidelity. If the severity is important for user facing features, that mapping could be internal to the CLI
2. **Known CVE flagging** — If the submitted version has known CVEs:
   - Add a `Security-CVE` label to the PR
   - Post a bot comment listing CVEs with severity ratings (CVSS score)
   - Do NOT auto-reject — moderators approve with acknowledgment
Distinguish between community moderator vs MSFT moderated with waiver
3. **Severity-based workflow:**
   - Critical/High (CVSS ≥ 7.0): Require explicit moderator approval
   - Medium (CVSS 4.0–6.9): Warning, auto-approve still possible
There currently is no auto-approve, everything is either community moderated or MSFT moderated. Auto-approve would only happen for verified publisher
| Command | CVE Behavior |
|---------|-------------|
| `winget list` | `--include-security` flag adds CVE column |
| `winget upgrade` | Security-relevant upgrades highlighted with ⚠️ |
| `winget install --version` | Non-blocking warning when version has known CVEs |
Blocking if GPO disallows installs with CVEs?
| Command | CVE Behavior |
|---------|-------------|
| `winget show` | `--security` flag shows CVE details |
Why add a new flag? winget show is already a single package level, no need to require additional user action just to see CVE data
Security:
  Advisories:
    - Id: CVE-2024-32002
      Severity: Critical
Should users be specifying severity, or should it be determined automatically based on CVSS? What is the risk if a user marks a CVSS 8.0 as Medium severity?
| Argument | Commands | Description |
|----------|----------|-------------|
| `--ignore-security-warnings` | install, upgrade | Proceed despite CVE warnings |
| `--include-security` | list, show | Show CVE information |
See comments above regarding this parameter
| Argument | Commands | Description |
|----------|----------|-------------|
| `--severity` | security scan | Minimum severity to report |
Is this strictly an enum, or would users be able to do --severity 7.0 ?
Some orgs specify that anything with a CVSS 8.0 or above is not allowed, others allow 7.0 CVSS; more granular control will be needed than just Critical/High/Med/Low in my opinion.
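To illustrate the two questions raised in this thread (whether `--severity` takes a band name or a numeric CVSS floor, and what happens when a manifest's declared severity disagrees with the CVSS score), here is an added example; it is not part of the PR, the spec, or the winget client. It assumes the CVSS v3.x qualitative bands (Low ≥ 0.1, Medium ≥ 4.0, High ≥ 7.0, Critical ≥ 9.0) and uses constructed, hypothetical advisory ids and scores.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# CVSS v3.x qualitative rating scale (floor of each band). The spec's bands,
# Critical/High at >= 7.0 and Medium at 4.0-6.9, line up with these.
SEVERITY_FLOOR = {"low": 0.1, "medium": 4.0, "high": 7.0, "critical": 9.0}

@dataclass(frozen=True)
class Advisory:
    cve_id: str
    cvss: float                              # base score from the vulnerability database
    declared_severity: Optional[str] = None  # optional label written by a manifest author

def severity_from_cvss(score: float) -> str:
    """Derive the band from the score, never from a hand-written label."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    for name in ("critical", "high", "medium", "low"):
        if score >= SEVERITY_FLOOR[name]:
            return name.capitalize()
    return "None"

def parse_severity_threshold(arg: str) -> float:
    """Accept a band name (High) or a numeric CVSS floor (7.0 / 8.0)."""
    key = arg.strip().lower()
    if key in SEVERITY_FLOOR:
        return SEVERITY_FLOOR[key]
    try:
        score = float(key)
    except ValueError:
        raise ValueError(f"--severity expects Low/Medium/High/Critical or a CVSS score, got {arg!r}") from None
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"--severity score must be within 0.0-10.0, got {arg!r}")
    return score

def filter_advisories(advisories: List[Advisory], threshold: float) -> List[Tuple[str, float, str, bool]]:
    """Advisories at or above the threshold, highest CVSS first; the last
    field is True when the manifest label disagrees with the derived band."""
    reported = []
    for adv in advisories:
        if adv.cvss < threshold:
            continue
        derived = severity_from_cvss(adv.cvss)
        mislabelled = adv.declared_severity is not None and adv.declared_severity.lower() != derived.lower()
        reported.append((adv.cve_id, adv.cvss, derived, mislabelled))
    return sorted(reported, key=lambda r: r[1], reverse=True)

# Constructed sample advisories: hypothetical ids and scores, not real CVE data.
SAMPLE_ADVISORIES = [
    Advisory("CVE-2099-0001", 9.8, "Critical"),
    Advisory("CVE-2099-0002", 8.0, "Medium"),  # author understated an 8.0 as Medium
    Advisory("CVE-2099-0003", 5.3),
    Advisory("CVE-2099-0004", 2.1, "Low"),
]
```

Running `filter_advisories(SAMPLE_ADVISORIES, parse_severity_threshold("7.0"))` reports the first two advisories and flags the second as mislabelled, which is the case a validation bot would want to surface rather than silently trust.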
### Schema Version

This feature requires manifest schema version 1.29.0 for the optional `Security` field. The CVE detection itself works without manifest changes (uses external database lookups).
Remove specific version information
Node.js OpenJS.NodeJS 18.12.0 18.20.3 winget ⚠️ High
VS Code Microsoft.VS.. 1.90.0 1.91.0 winget

⚠️ 2 packages have security updates. Run 'winget upgrade --all' to apply.
What if users want to only upgrade packages with security updates? winget upgrade --all --security ?
📖 Description
Specification for integrating CVE detection into the WinGet ecosystem. Covers validation pipeline flagging (winget-pkgs), client reporting via a new `winget security` command, Group Policy controls for enterprise blocking/reporting, and a package-to-vulnerability mapping system. Authored with GitHub Copilot assistance.
🔗 References
Related Issues:
🔍 Validation
Spec document — no code changes to validate.