Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion Resources/CVE/2023-08.json
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,6 @@
"severity": "medium",
"summary": "ssl.SSLSocket may bypass TLS handshake verification on aborted connections, allowing pre-handshake data to be read by callers",
"affectedVersionRange": "< 3.8.18, < 3.9.18, < 3.10.13, < 3.11.5",
"recordedAt": "2023-08-25"
"recordedAt": "2026-07-15"
}
]
2 changes: 1 addition & 1 deletion Resources/CVE/2023-11.json
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,6 @@
"severity": "high",
"summary": "Integer overflow in Qt Network HTTP/2 implementation allows remote servers to cause heap corruption or denial of service via a crafted HTTP/2 response",
"affectedVersionRange": "< 5.15.17, < 6.5.4, < 6.6.2",
"recordedAt": "2023-11-10"
"recordedAt": "2026-07-15"
}
]
2 changes: 1 addition & 1 deletion Resources/CVE/2024-03.json
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,6 @@
"severity": "medium",
"summary": "zipfile module vulnerable to zip-bomb via quoted-overlap attack; extracting crafted archives may consume excessive disk space or memory",
"affectedVersionRange": "< 3.9.19, < 3.10.14, < 3.11.8, < 3.12.2",
"recordedAt": "2024-03-19"
"recordedAt": "2026-07-15"
}
]
2 changes: 1 addition & 1 deletion Resources/CVE/2024-07.json
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,6 @@
"severity": "high",
"summary": "Qt Network HTTP/2 server push handling allows man-in-the-middle attackers to inject responses or read cleartext data due to missing validation of push promise headers",
"affectedVersionRange": "< 6.7.2",
"recordedAt": "2024-07-04"
"recordedAt": "2026-07-15"
}
]
8 changes: 4 additions & 4 deletions Resources/CVE/2024-09.json
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@
"severity": "high",
"summary": "ASAR Integrity bypass via content modification (Windows only, requires embeddedAsarIntegrityValidation + onlyLoadAppFromAsar fuses)",
"affectedVersionRange": "< 30.0.5",
"recordedAt": "2024-09-26"
"recordedAt": "2026-07-15"
},
{
"id": "CVE-2024-46993",
Expand All @@ -15,7 +15,7 @@
"severity": "medium",
"summary": "Heap buffer overflow in NativeImage::CreateFromPath / CreateFromBuffer",
"affectedVersionRange": "< 28.3.2, < 29.3.3, < 30.0.3",
"recordedAt": "2024-09-26"
"recordedAt": "2026-07-15"
},
{
"id": "CVE-2024-6232",
Expand All @@ -24,7 +24,7 @@
"severity": "high",
"summary": "tarfile module Regular Expression Denial of Service (ReDoS) via crafted PAX header strings, causing excessive CPU usage",
"affectedVersionRange": "< 3.9.20, < 3.10.15, < 3.11.10, < 3.12.7",
"recordedAt": "2024-09-03"
"recordedAt": "2026-07-15"
},
{
"id": "CVE-2024-8088",
Expand All @@ -33,6 +33,6 @@
"severity": "medium",
"summary": "zipimport module infinite loop when processing ZIP files containing entries with excessive null bytes in the name field",
"affectedVersionRange": "< 3.9.20, < 3.10.15, < 3.11.10, < 3.12.5",
"recordedAt": "2024-09-03"
"recordedAt": "2026-07-15"
}
]
2 changes: 1 addition & 1 deletion Resources/CVE/2025-09.json
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,6 @@
"severity": "medium",
"summary": "ASAR Integrity bypass via resource modification (requires embeddedAsarIntegrityValidation + onlyLoadAppFromAsar fuses)",
"affectedVersionRange": "< 35.7.5, < 36.8.1, < 37.3.1",
"recordedAt": "2025-09-04"
"recordedAt": "2026-07-15"
}
]
14 changes: 7 additions & 7 deletions Resources/CVE/2026-03.json
Original file line number Diff line number Diff line change
Expand Up @@ -5,54 +5,54 @@
"severity": "high",
"summary": "Context Isolation bypass via window.open",
"affectedVersionRange": "< 27.1.0, < 26.6.0, < 25.9.7",
"recordedAt": "2026-03-13"
"recordedAt": "2026-07-15"
},
{
"id": "CVE-2023-39956",
"cveId": "CVE-2023-39956",
"severity": "high",
"summary": "Renderer process sandbox escape",
"affectedVersionRange": "< 26.2.1, < 25.8.1, < 24.8.3",
"recordedAt": "2026-03-13"
"recordedAt": "2026-07-15"
},
{
"id": "CVE-2023-29198",
"cveId": "CVE-2023-29198",
"severity": "critical",
"summary": "Out-of-bounds write in V8 (Chromium)",
"affectedVersionRange": "< 25.0.0",
"recordedAt": "2026-03-13"
"recordedAt": "2026-07-15"
},
{
"id": "CVE-2022-29247",
"cveId": "CVE-2022-29247",
"severity": "high",
"summary": "Protocol handler allows loading arbitrary code",
"affectedVersionRange": "< 19.0.0, < 18.3.1, < 17.4.1",
"recordedAt": "2026-03-13"
"recordedAt": "2026-07-15"
},
{
"id": "CVE-2022-21718",
"cveId": "CVE-2022-21718",
"severity": "medium",
"summary": "Arbitrary file read via custom protocol handler",
"affectedVersionRange": "< 17.0.0, < 16.0.6, < 15.3.5",
"recordedAt": "2026-03-13"
"recordedAt": "2026-07-15"
},
{
"id": "CVE-2021-39184",
"cveId": "CVE-2021-39184",
"severity": "high",
"summary": "Context Isolation bypass via window.open",
"affectedVersionRange": "< 15.0.0, < 14.1.0, < 13.3.0",
"recordedAt": "2026-03-13"
"recordedAt": "2026-07-15"
},
{
"id": "CVE-2020-15215",
"cveId": "CVE-2020-15215",
"severity": "critical",
"summary": "Remote code execution via nativeWindowOpen",
"affectedVersionRange": "< 11.0.0, < 10.1.2, < 9.3.3",
"recordedAt": "2026-03-13"
"recordedAt": "2026-07-15"
}
]
4 changes: 2 additions & 2 deletions Sources/Services/SecurityAnalyzer.swift
Original file line number Diff line number Diff line change
Expand Up @@ -64,8 +64,8 @@ struct SecurityDataStatus: Equatable {

struct SecurityAnalyzer {
// SECURITY_RULES_METADATA_START
private static let securityRulesVersion = "2026.03.27"
private static let securityRulesLastReviewedAt = "2026-03-27"
private static let securityRulesVersion = "2026.07.15"
private static let securityRulesLastReviewedAt = "2026-07-15"
private static let securityRulesReminderThresholdDays = 30
// SECURITY_RULES_METADATA_END

Expand Down
93 changes: 93 additions & 0 deletions scripts/test_compute_min_safe.sh
Original file line number Diff line number Diff line change
@@ -0,0 +1,93 @@
#!/usr/bin/env bash
#
# Unit tests for compute_min_safe_electron_major in update_security_rules.sh.
#

set -euo pipefail

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
# shellcheck source=update_security_rules.sh
source "${SCRIPT_DIR}/update_security_rules.sh"

TMP_DIR=""
PASS=0
FAIL=0

cleanup() {
if [[ -n "${TMP_DIR}" && -d "${TMP_DIR}" ]]; then
rm -rf "${TMP_DIR}"
fi
}
trap cleanup EXIT

TMP_DIR="$(mktemp -d)"

make_cve_json() {
local ranges="$1"
cat > "${TMP_DIR}/electron.json" <<EOF
[
{
"id": "TEST-001",
"cveId": "TEST-001",
"framework": "electron",
"severity": "high",
"summary": "Test entry",
"affectedVersionRange": "${ranges}",
"recordedAt": "2026-07-15"
}
]
EOF
}

assert_eq() {
local name="$1"
local expected="$2"
local actual="$3"
if [[ "${expected}" == "${actual}" ]]; then
echo "PASS: ${name} (expected=${expected}, actual=${actual})"
PASS=$((PASS + 1))
else
echo "FAIL: ${name} (expected=${expected}, actual=${actual})" >&2
FAIL=$((FAIL + 1))
fi
}

# Test 1: pre-release suffix is parsed and major=41 is returned.
make_cve_json "< 41.0.0-beta.8"
assert_eq "pre-release suffix < 41.0.0-beta.8" "41" "$(compute_min_safe_electron_major "${TMP_DIR}/electron.json")"

# Test 2: plain 3-segment version returns major=38.
make_cve_json "< 38.8.6"
assert_eq "plain version < 38.8.6" "38" "$(compute_min_safe_electron_major "${TMP_DIR}/electron.json")"

# Test 3: mixed ranges and suffixes return the maximum major.
make_cve_json "< 38.8.6, < 41.0.0-beta.8, < 39.8.0"
assert_eq "mixed ranges max major" "41" "$(compute_min_safe_electron_major "${TMP_DIR}/electron.json")"

# Test 4: multiple entries across different objects are merged.
cat > "${TMP_DIR}/electron.json" <<'EOF'
[
{
"id": "TEST-001",
"affectedVersionRange": "< 37.5.0, < 38.8.6",
"recordedAt": "2026-07-15"
},
{
"id": "TEST-002",
"affectedVersionRange": "< 39.8.0, < 40.7.0, < 41.0.0-beta.8",
"recordedAt": "2026-07-15"
}
]
EOF
assert_eq "multiple entries merged" "41" "$(compute_min_safe_electron_major "${TMP_DIR}/electron.json")"

# Test 5: missing file falls back to 39.
rm -f "${TMP_DIR}/electron.json"
assert_eq "missing file fallback" "39" "$(compute_min_safe_electron_major "${TMP_DIR}/electron.json")"

echo "---"
echo "Results: ${PASS} passed, ${FAIL} failed"

if [[ "${FAIL}" -gt 0 ]]; then
exit 1
fi
Loading