[Work in progress] Hide bundled applications

Anselm · 8 Dec 2018, 16:28

I would like to now about those applications. Experts like me often update those packages as a workaround, if the "main" application does not do it (e.g. the main application is eol).

Tom · 8 Dec 2018, 17:40

We will not hide them completely, but they will be reported more subtle and in a way where only experts would want to spend that extra click or two to get the details.

While this is work in progress, then it is not something you should expect very soon.

Tom · 14 Mar 2019, 16:45

Finally, we are getting ready to launch this new feature. We have run the first tests in the test environment and are ready to update the backend either tomorrow or Monday.

The first iteration will hide (disregard) the bundled apps.

However, we expect to make an update for the UI very soon, that will allow you to view the hidden bundled applications.

Please, do start to report bundled applications, in most cases, all we need is a copy of the path of e.g. Java, Flash, curl or whatever program that is part of another parent installation.

Tom · 6 Apr 2019, 14:07

The UI has been updated two days ago, to support bundled applications. This means that most bundled applications can be viewed in the UI.

Any feedback on bundling is welcome.

When you see detections of e.g. 7-Zip, curl, Java and so on, that are actually part of other programs, please post it, send it via email or in the chat and we will create both the parent product and create the bundling specification that relates the two pieces of software.

OLLI_S · 4 Jun 2019, 14:17

Cool, @Tom that VulnDetect now supports Bundled Apps.

Anselm · 8 Apr 2019, 12:03

@Tom do you talk about exe or dll? I think you have a lot of programs bundled together e.g. with 7zip.dll or unrar.dll.

Tom · 8 Apr 2019, 13:06

@Anselm Currently, we will limit it to the products that we already detect.

The detection of libraries / DLLs is not within our current scope. Though we may create a few exceptions, when there is major issues like with "unacev2.dll".

Anselm · 10 Apr 2019, 09:37

@Tom ok, but: if you have a vulnerability in the exe file, you also have it in the dll. And often applications bundles the dll and not the exe.

Tom · 14 Apr 2019, 17:07

@Anselm
That is true.
However, it is still the responsibility of the parent program to report this and fix it. You are likely to break many programs if you just replace the DLL.
We will keep an eye out for this and add detection for DLLs when we become aware of programs that bundle vulnerable versions and "provide" a vector to exploit it (very often Java and AIR vulnerabilities can't be exploited, because there is no feasible vector, the same is the case for many DLLs).

OLLI_S · 28 Dec 2021, 22:16

@Tom VulnDetect (Personal) offers bundling and as far as I can see this topic here can be closed.
Or is there any specific reason, why you want to leave it opened?

Tom · 30 Dec 2021, 20:13

@olli_s We can close it, I see you opened something similar for the corporate edition

OLLI_S · 30 Dec 2021, 21:26

@tom said in [Work in progress] Hide bundled applications:

I see you opened something similar for the corporate edition

Wich topic to you mean?