Snap publishers will periodically receive emails from the store listing stage-packages that their snap revisions were built with which are now out of date and can be updated to resolve Ubuntu Security Notices (USNs), which are associated with CVEs.
However, anyone can perform this same check and see which packages a snap was built with that have USNs associated with them, provided two things:
- They have access to the snap file (either through `snap download` from the store or possibly from their own machine).
- The snap file was built with a manifest.yaml. Snapcraft produces this by default when the snap is built in Launchpad or on snapcraft.io/build, or via the GitHub Action for snapcraft; it is also produced if the snapcraft option `--enable-manifest` is specified, or if the environment variable `SNAPCRAFT_BUILD_INFO=1` is defined when snapcraft is run to build the snap.
To check the USNs for a snap, install the `review-tools` snap, which provides a command, `check-notices`, for this purpose; it produces JSON output. For example:
$ review-tools.check-notices somesnap_80.snap
The referenced numbers are USN numbers, information about which can be found at http://ubuntu.com/security/notices/ (or directly with the USN number at http://ubuntu.com/security/notices/USN-4759-1 for the `libglib2.0-0` package in the example above).
If you are doing this at the same time for multiple snaps, you can pre-fetch and cache the USN database that is used for this:
$ cd $HOME/snap/review-tools/common
$ review-tools.fetch-usn-db database.json.bz2
And then use `check-notices` with the `--no-fetch` option:
$ review-tools.check-notices --no-fetch somesnap_80.snap
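As an added example (not part of the original post, nor of review-tools itself), the following script runs `check-notices --no-fetch` over several snaps against the cached USN database and flattens the JSON into rows with a USN URL for each affected package. It assumes the output has the shape `{"<snap>": {"<revision>": {"<package>": ["<usn-id>", ...]}}}`; the sample JSON embedded below is constructed, not real tool output.

```python
import json
import shutil
import subprocess
from pathlib import Path

USN_BASE = "http://ubuntu.com/security/notices/USN-"
# Location of the pre-fetched USN database described above.
USN_DB = Path.home() / "snap" / "review-tools" / "common" / "database.json.bz2"

# Constructed sample in the assumed check-notices output shape (not real output).
SAMPLE_OUTPUT = (
    '{"somesnap": {"80": {"libglib2.0-0": ["4759-1"], '
    '"libssl1.1": ["USN-5000-1", "5001-1"]}}}'
)


def summarize_notices(json_text):
    """Flatten check-notices JSON into (snap, revision, package, usn_url) rows."""
    rows = []
    for snap, revisions in json.loads(json_text).items():
        for rev, packages in revisions.items():
            for pkg, usns in packages.items():
                for usn in usns:
                    # Accept both "4759-1" and "USN-4759-1" spellings of the id.
                    usn_id = usn[4:] if usn.startswith("USN-") else usn
                    rows.append((snap, rev, pkg, USN_BASE + usn_id))
    return rows


def usn_db_cached():
    """True if fetch-usn-db has already populated the cache used by --no-fetch."""
    return USN_DB.is_file()


def check_snaps(snap_paths):
    """Run review-tools.check-notices on each snap using the cached USN database."""
    tool = shutil.which("review-tools.check-notices")
    if tool is None:
        raise RuntimeError("the review-tools snap is not installed")
    if not usn_db_cached():
        raise RuntimeError("run review-tools.fetch-usn-db first (see above)")
    rows = []
    for path in snap_paths:
        out = subprocess.run([tool, "--no-fetch", str(path)],
                             capture_output=True, text=True, check=True).stdout
        rows.extend(summarize_notices(out))
    return rows


if __name__ == "__main__":
    import sys
    for snap, rev, pkg, url in check_snaps(sys.argv[1:]):
        print(f"{snap} r{rev}: {pkg} -> {url}")
```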
The fact that a snap was built with, or includes, a package that had a USN issued for it does not automatically mean that the snap is vulnerable. The vulnerable part of the package may not actually be used by the snap, or snap confinement may prevent an attacker from exploiting the vulnerability in the way they could against a traditional, unconfined Linux package.