Patch Android Vulnerabilities With Google's Vanir
Written by Nikos Vaggalis
Tuesday, 04 February 2025
Vanir is a new security patch validation tool made available for Android by the Google Open Source Security Team. In a sentence: Vanir gives Android platform developers the power to quickly and efficiently scan their custom platform code for missing security patches and identify applicable available patches. This matters to Android device manufacturers, who need to keep their devices up to date with new patch releases given how frequently new exploitable Android bugs emerge.

Vanir came about because of the pain points device manufacturers face when trying to assess vulnerabilities and incorporate the necessary updates to fix them, a challenging process. Vanir streamlines this process so that everyone can get up to speed as soon as possible. Using novel techniques and algorithms that minimize false positives, Vanir can statically scan large code bases against known vulnerable code patterns. To do that it checks signatures for CVEs published through the Open Source Vulnerabilities (OSV) database, a database we've looked at in the past. In Track Open Source Vulnerabilities With Google's OSV Database, I explained that CVE tracking at the end of the pipeline is still not a panacea, since it comes with its own bag of problems: for consumers it is often difficult to map a vulnerability entry to the package versions they are using, while for package maintainers it is time consuming to determine an accurate list of affected versions or commits across all their branches for downstream consumers after a vulnerability is fixed, on top of the process required for publication. To address those shortcomings, Google introduced OSV to provide precise data on where a vulnerability was introduced and where it got fixed. OSV complements CVEs by extending them with precise vulnerability metadata, making it easier to query (using either package versions or commits).
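To make the introduced/fixed metadata concrete, here is an added example (not Vanir's or OSV's own code) that evaluates a constructed OSV-format record against a package version and against a commit. The record id, repo, hashes, versions and the linear commit history standing in for `git log` are all made-up placeholders.

```python
"""Check whether a version or a commit falls inside an OSV-style affected range.

Added example, not Vanir's or OSV's own code. OSV expresses each affected
range as events: a vulnerability is present from `introduced` (inclusive)
up to `fixed` (exclusive). Everything below is constructed so it runs offline.
"""

# Constructed OSV-format record with placeholder values (not a real advisory).
RECORD = {
    "id": "EXAMPLE-0000-0001",
    "affected": [{
        "package": {"ecosystem": "Android", "name": "platform/example"},
        "ranges": [
            {"type": "GIT", "repo": "https://example.invalid/platform/example",
             "events": [{"introduced": "aaa111"}, {"fixed": "ccc333"}]},
            {"type": "SEMVER",
             "events": [{"introduced": "13.0.0"}, {"fixed": "14.0.2"}]},
        ],
    }],
}

# Constructed linear history, oldest first, standing in for `git log`.
HISTORY = ["000000", "aaa111", "bbb222", "ccc333", "ddd444"]


def _semver(version: str) -> tuple:
    """Turn '14.0.2' into (14, 0, 2) so tuple comparison orders versions."""
    return tuple(int(part) for part in version.split("."))


def _in_ranges(record: dict, rtype: str, target, key) -> bool:
    """True if `target` lies in some [introduced, fixed) range of type `rtype`."""
    for affected in record["affected"]:
        for rng in affected["ranges"]:
            if rng["type"] != rtype:
                continue
            intro = fixed = None
            for event in rng["events"]:
                if "introduced" in event:
                    intro = key(event["introduced"])
                if "fixed" in event:
                    fixed = key(event["fixed"])
            if intro is not None and target >= intro and (fixed is None or target < fixed):
                return True
    return False


def version_affected(record: dict, version: str) -> bool:
    return _in_ranges(record, "SEMVER", _semver(version), _semver)


def commit_affected(record: dict, commit: str, history: list) -> bool:
    # Commits are ordered by their position in the (linear) history.
    return _in_ranges(record, "GIT", history.index(commit), history.index)
```

A real repository history is a graph rather than a list, which is exactly the part Vanir and OSV handle for you; the example keeps a linear history only to show the range semantics.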
Vanir, then, builds on that infrastructure, which enables it to scan an entire Android source tree against known signatures very quickly. Vanir supports C/C++ and Java targets and can be used either as a standalone desktop application or as a Python library that integrates into automated pipelines to verify any missing patches in a highly automated and systematic way. It runs on Linux systems, and the open source nature and modularity of Vanir's codebase allow it to be applied to use cases and platforms other than Android. Download and install the latest version from its GitHub repo.

Related Articles
Track Open Source Vulnerabilities With Google's OSV Database