Patch Android Vulnerabilities With Google's Vanir
Written by Nikos Vaggalis   
Tuesday, 04 February 2025

Vanir is a new security patch validation tool made available for Android by the Google Open Source Security Team.

In a sentence:

Vanir gives Android platform developers the power to quickly and efficiently scan their custom platform code for missing security patches and identify applicable available patches.

This matters for Android device manufacturers, who must keep their devices current with each new patch release given how frequently exploitable Android bugs emerge. Vanir grew out of the pain points manufacturers face when assessing which vulnerabilities affect their custom platform code and incorporating the corresponding fixes, a slow and error-prone process. Vanir streamlines it so that everyone can get up to date as soon as possible.

Using novel techniques and algorithms that minimize false positives, Vanir statically scans large code bases against known vulnerable code patterns. To do that it checks signatures for CVEs published through the Open Source Vulnerabilities (OSV) database, which we have looked at before. In Track Open Source Vulnerabilities With Google's OSV Database, I explained:

CVE tracking at the end of the pipeline is still not a panacea since it comes with its own bag of problems; mainly that for consumers it is often difficult to map a vulnerability entry to the package versions they are using, plus for the package maintainers it is time consuming to determine an accurate list of affected versions or commits across all their branches for downstream consumers after a vulnerability is fixed, in addition to the process required for publication.

So to address those shortcomings, Google introduced OSV to provide precise data on where a vulnerability was introduced and where it was fixed. OSV complements CVEs by extending them with precise vulnerability metadata, making it easier to query using either package versions or commits.

Vanir builds on that infrastructure, which is what lets it scan an entire Android source tree against known signatures very quickly.
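To make concrete what the OSV "introduced/fixed" metadata buys a consumer, here is an added illustration, not code from the Vanir project or from the original article. It evaluates a constructed OSV-style advisory against a package version and lists the fixed versions a consumer would need to pick up. The advisory IDs, package names and version numbers are invented; the field layout (affected, package, ranges, events, introduced, fixed, last_affected) follows the OSV schema. Version comparison is deliberately simplified to dotted numeric versions, an assumption made here; real SEMVER ranges need a semver comparator for pre-release tags, and GIT ranges hold commit hashes that require repository ancestry checks, which this example skips.

```python
import json

# Constructed OSV-style advisory for illustration only: the ID, package and
# versions are invented, but the field layout follows the OSV schema.
SAMPLE_ADVISORY = json.loads("""
{
  "id": "EXAMPLE-2025-0001",
  "summary": "Constructed example advisory",
  "affected": [{
    "package": {"ecosystem": "PyPI", "name": "examplepkg"},
    "ranges": [{
      "type": "SEMVER",
      "events": [{"introduced": "1.2.0"}, {"fixed": "1.2.5"},
                 {"introduced": "2.0.0"}, {"fixed": "2.0.3"}]
    }]
  }]
}
""")

# Second constructed advisory: one branch closes with last_affected (an
# inclusive upper bound) and the other has no fix yet, so it is open-ended.
UNPATCHED_ADVISORY = json.loads("""
{
  "id": "EXAMPLE-2025-0002",
  "affected": [{
    "package": {"ecosystem": "PyPI", "name": "otherpkg"},
    "ranges": [{
      "type": "ECOSYSTEM",
      "events": [{"introduced": "0"}, {"last_affected": "0.9.4"},
                 {"introduced": "3.1.0"}]
    }]
  }]
}
""")


def parse_version(v):
    """Simplified comparator for dotted numeric versions (an assumption of
    this example; real SEMVER needs a semver library for pre-release tags)."""
    return tuple(int(part) for part in v.split("."))


def affected_intervals(osv_range):
    """Collapse an OSV events list into (start, end, end_inclusive) triples.

    Events are listed in order: "fixed" closes an interval exclusively,
    "last_affected" closes it inclusively, and an "introduced" with no closing
    event stays open-ended (the branch is still unpatched).
    """
    intervals, start = [], None
    for event in osv_range["events"]:
        if "introduced" in event:
            start = event["introduced"]
        elif "fixed" in event and start is not None:
            intervals.append((start, event["fixed"], False))
            start = None
        elif "last_affected" in event and start is not None:
            intervals.append((start, event["last_affected"], True))
            start = None
    if start is not None:
        intervals.append((start, None, False))
    return intervals


def _in_interval(v, start, end, inclusive):
    if v < parse_version(start):
        return False
    if end is None:
        return True
    hi = parse_version(end)
    return v <= hi if inclusive else v < hi


def _matching_ranges(advisory, ecosystem, name):
    for affected in advisory.get("affected", []):
        pkg = affected.get("package", {})
        if pkg.get("ecosystem") == ecosystem and pkg.get("name") == name:
            for rng in affected.get("ranges", []):
                # GIT ranges carry commit hashes and need ancestry checks
                # against the repository, so only version ranges are handled.
                if rng.get("type") in ("SEMVER", "ECOSYSTEM"):
                    yield rng


def is_affected(advisory, ecosystem, name, version):
    """True if the given package version falls inside any affected interval."""
    v = parse_version(version)
    return any(_in_interval(v, *interval)
               for rng in _matching_ranges(advisory, ecosystem, name)
               for interval in affected_intervals(rng))


def fixed_versions(advisory, ecosystem, name):
    """Fixed versions listed for a package: the upgrade targets a consumer or
    a downstream fork has to pick up. Open-ended branches contribute nothing."""
    return [end for rng in _matching_ranges(advisory, ecosystem, name)
            for _start, end, inclusive in affected_intervals(rng)
            if end is not None and not inclusive]


if __name__ == "__main__":
    for ver in ("1.1.9", "1.2.3", "1.2.5", "2.0.1"):
        state = "affected" if is_affected(SAMPLE_ADVISORY, "PyPI", "examplepkg", ver) else "clean"
        print(f"examplepkg {ver}: {state}")
    print("fixes:", fixed_versions(SAMPLE_ADVISORY, "PyPI", "examplepkg"))
```

The point of the exercise is the one the earlier article made: once an advisory records the exact introduced and fixed points, deciding whether a given version (or, with GIT ranges, a given commit) is exposed becomes a mechanical range check, and the fixed points double as the list of patches to apply. That is the same shape of question Vanir answers for Android forks, except that it matches code signatures rather than version strings.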

Vanir supports C/C++ and Java targets and can be used either as a standalone desktop application or as a Python library, which can be integrated into automated pipelines to verify missing patches in a systematic way. It runs on Linux systems, and the open source nature and modularity of Vanir's codebase allow it to be applied to use cases and platforms beyond Android.

Download and install the latest version from its GitHub repo.


More Information

Vanir on GitHub

Related Articles

Track Open Source Vulnerabilities With Google's OSV Database 

 


Last Updated ( Tuesday, 04 February 2025 )