Scanning Snaps for Vulnerabilities

Hello, friends! I made something that might be useful for Ubuntu users who rely on snaps. It scans snaps for vulnerabilities. It’s called SnapScope, and you can see it at

https://snapscope.popey.com/

It scans any snap package you specify that is publicly available on the Snap Store. Each snap has a page where you can view the previously scanned revisions and results.

I made a 5-minute video to show you around:

https://www.youtube.com/watch?v=-hB2Z2xI5vY

Feedback and suggestions welcome!

11 Likes

I personally hate SNAPs, but love the concept and intent!

If this kind of tool wasn’t already out there (which blows my mind, given the push and resources promoting/implementing SNAP-based solutions), I thank you for taking this initiative and commend you for stepping forward in your attempts to serve the Community.

I hope it turns out very well … enough to garner some official support, and maybe some funding, that could turn it into a cornerstone of the SNAP-based eco-system.

Well-done!

🙂

1 Like

I might like to try this out.

I have some older snaps that I am not sure what to do with. They might be old for a reason, or maybe not. I took a quick pic of them here:

Is there any way to take an inventory of installed snaps, and then compare to current, to make sure nothing is missing or broken?

Thank you!

1 Like

That’s cool. I maintain a snap but have never gotten those (monthly?) warnings about potential vulnerabilities. So at least this tells me there are no known issues.

1 Like

To see currently-installed snaps:

snap list

To ensure that they’re all up to date:

sudo snap refresh
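As an added example (not part of this thread, and not SnapScope code), the script below answers the inventory question above by comparing two `snap list` captures: a baseline taken earlier and the current one. It reports snaps that are missing, newly installed or at a different revision, and flags any whose Notes column says `held` or `disabled`, since those are the ones that will not pick up fixes automatically. The two captures are constructed sample outputs in the `snap list` column layout, not real captures.

```shell
#!/bin/sh
# Compare two `snap list` inventories and report what differs.
# Columns in `snap list` output: Name Version Rev Tracking Publisher Notes

# Constructed sample captures standing in for:
#   snap list > baseline.txt   (taken earlier)
#   snap list > current.txt    (taken now)
BASELINE='Name     Version   Rev    Tracking       Publisher   Notes
core22   20240111  1122   latest/stable  canonical✓  base
firefox  121.0-2   3626   latest/stable  mozilla✓    -
vlc      3.0.20    3777   latest/stable  videolan✓   -
snapd    2.61.2    20671  latest/stable  canonical✓  snapd'

CURRENT='Name         Version   Rev    Tracking       Publisher   Notes
core22       20240227  1380   latest/stable  canonical✓  base
firefox      121.0-2   3626   latest/stable  mozilla✓    held
snapd        2.61.2    20671  latest/stable  canonical✓  snapd
thunderbird  115.8     450    latest/stable  mozilla✓    -'

# inventory_diff BASELINE_TEXT CURRENT_TEXT
# Prints one finding per line, sorted:
#   MISSING  <name> <baseline-rev>      installed before, gone now
#   NEW      <name> <current-rev>       installed since the baseline
#   CHANGED  <name> <old-rev> <new-rev> revision moved (a refresh happened)
#   HELD     <name>                     refresh is paused for this snap
#   DISABLED <name>                     snap is present but not active
inventory_diff() {
  {
    # Tag each record with its origin (B = baseline, C = current); skip header.
    printf '%s\n' "$1" | awk 'NR > 1 && NF >= 6 { print "B", $1, $3, $6 }'
    printf '%s\n' "$2" | awk 'NR > 1 && NF >= 6 { print "C", $1, $3, $6 }'
  } | awk '
    $1 == "B" { brev[$2] = $3 }
    $1 == "C" { crev[$2] = $3; note[$2] = $4 }
    END {
      for (n in brev) if (!(n in crev)) print "MISSING", n, brev[n]
      for (n in crev) {
        if (!(n in brev))            print "NEW", n, crev[n]
        else if (brev[n] != crev[n]) print "CHANGED", n, brev[n], crev[n]
        # Notes is a comma-separated list, e.g. "classic,held"
        if (note[n] ~ /(^|,)held(,|$)/)     print "HELD", n
        if (note[n] ~ /(^|,)disabled(,|$)/) print "DISABLED", n
      }
    }' | LC_ALL=C sort
}

inventory_diff "$BASELINE" "$CURRENT"
```

In practice you would save `snap list` output to a file after a known-good `sudo snap refresh` and feed that file plus a fresh capture to the function.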

@popey — Alan, that’s marvellous, thank you! I second the hope that this becomes an official addition to the Ubuntu family.

By the way, maybe add the video link to the SnapScope home page?

Great idea @paddylandau - I added an About page.

2 Likes

Snaps do quietly refresh themselves in the background if there is anything new published by the maintainer. They check 4 times per day for updates and install any new revision automatically; there is nothing you need to do unless you turned off these automatic checks …

See:

https://snapcraft.io/docs/managing-updates

3 Likes

Yeah, I’ve done that. Some of the ones I have just looked old in pic above, so I thought maybe they got missed or skipped over. Thank you.

Yeah, I don’t recall ever “putting a snap on hold”. But this is a good and useful link.

Thanks for the feedback.

I plan to move this to a separate repo, and take issues and pull requests on it. It’s already open source, but the version in “production” (such as it is) is ahead of the repo.

Once I have a little time (likely over the Christmas break), I’ll put it in a repo and follow up here.

In the meantime, if anyone has suggestions for improving it, let me know.

Some things I have been noodling:

  • Scan multiple architectures, not just amd64
  • Add more metadata to package pages, like their donation, support, issues, and other links that are already in the store metadata
  • Include the date of the vuln database build in the summary
  • Provide a “Queue view” to show which packages are currently awaiting scanning
  • Have a malware detection feature to identify potentially dodgy packages
    • This would enable having a possible malware badge, like the KEV or critical count
    • Would also open myself up to being held accountable for “false positive” type reports
  • Add a “claim account” to “own” the publisher page (e.g. I might “claim” https://snapscope.popey.com/publisher/popey - which shows all the snaps I published). That could lead to:
    • Publishers having a “notify me on critical/high/malware in my packages” via some means
    • Publishers being able to click an “Acknowledged” button, to indicate they’re looking into the issue, so people don’t need to nag them
  • Improved user interface on mobile
  • API access for external developers
  • Potential command line version for displaying the leaderboards and submitting packages.

Further suggestions would be most welcome!

2 Likes

That’s great and UI is simple and efficient.

Wishes:

  • You inserted links to the snap store, but I would find it useful to have your work integrated in the snap store itself.
  • I would love to be able to request scan for all versions of a snap (I mean channels, e.g. Firefox, Thunderbird and their ESR versions). Maybe it’s already available but I did not read/find it.
  • There are many requests for the same version. Maybe that’s wanted but I do not see it as useful (at least in a short delay…).

Thanks for the feedback and wishlist.

I can’t do much about that. This was a personal project I have been wanting to create for some time. The opportunity came up to make something.

Canonical are welcome to take code/inspiration from this to make something public or private. But I can’t do that, because it requires things on the Canonical side that I don’t have access to.

That’s certainly something I’d like to be able to do, but at the moment it’s blocked on the tools I’m using. They have an open issue, and there’s an open pull request to add support for specifying revisions. Once that lands, I’ll certainly look at adding support for it.

I suspect that’s a result of two things. People discovering the site and trying it out is wonderful. Anyone can trigger an extra scan.

Separately, the vulnerability database that this uses is updated frequently, so actually it is useful to scan multiple times. Scanning today and scanning tomorrow may well yield different results for the same revision of the same application.

2 Likes

There’s now a suspected malware list. That’s great.
Or maybe that’s old but I did not notice!!

Question: if a snap is revoked in Snap store but already installed, is it auto-removed?

1 Like

Part of the process the store team does to take down a snap or quarantine it is to create an empty snap that replaces the released one on people’s installs … (in case the snap is un-quarantined because there was no actual issue found during review, the last good release gets pushed out again afterwards)

4 Likes

And I see that now all channels are scanned.

2 Likes