Specification: CVE Detection in Validation and Client Reporting

[denelon]

📖 Description

Specification for CVE (Common Vulnerabilities and Exposures) detection and reporting in the WinGet ecosystem. Integrates at two levels: the winget-pkgs validation pipeline (flagging/blocking packages with known CVEs during submission) and the WinGet client (informing users when installed packages have known vulnerabilities).

Key architectural decisions:

• CVE metadata comes from Microsoft's private validation infrastructure — community contributions to CVE mappings are disallowed by policy
• CVE data is added to the merged manifest (same mechanism as package icons) — not present in public repository manifest files
• Periodic rescan detects new CVEs and triggers out-of-band merged manifest updates with pipeline hash reconciliation
• Critical CVEs (CVSS >= 9.0) block package submissions; lower severities are informational with a Security-CVE label
• GPO controls use numeric CVSS thresholds (e.g., 7.0) for granular enterprise policy
• winget upgrade --all --security upgrades only packages with available security fixes

Changes addressing review feedback (June 22):

• Major architectural rewrite: CVE metadata from private infra, not community-contributed manifests
• Pipeline hash reconciliation design for out-of-band merged manifest updates
• Replaced --include-security with --details (consistent with PUA spec)
• Use numeric CVSS thresholds for GPO instead of named severity enum
• Added CVSS score field to advisory schema (severity derived from score, not user-specified)
• Added winget upgrade --all --security for security-only upgrades
• Removed version-specific info from headings
• Acknowledged PURL/CPE mapping challenges (NVD version range gaps, GHSA coverage limitations)
• Added reporting endpoint examples and REST source CVE serving to Future Considerations

Authored with GitHub Copilot assistance.

🔗 References

Related Issues:

• Checking for known vulnerabilities #2204

🔍 Validation

Spec document — no code changes to validate.

✅ Checklist

• Signed the Contributor License Agreement
• Linked to an issue
• Updated Release Notes (if applicable)
• Updated documentation (if applicable)
• Updated Copilot instructions (if build, architecture, or conventions changed)

📋 Issue Type

• Bug fix
• Feature
• Task

Microsoft Reviewers: Open in CodeFlow

[Trenly]

My main concern is mostly about using the severity instead of the actual CVSS. I'd prefer to use the actual CVSS if possible, since it provides a greater level of fidelity. If the severity is important for user facing features, that mapping could be internal to the CLI

[Trenly]

Distinguish between community moderator vs MSFT moderated with waiver

[Trenly]

There currently is no auto-approve, everything is either community moderated or MSFT moderated. Auto-approve would only happen for verified publisher

[Trenly]

Why not reuse --details ?

[Trenly]

Blocking if GPO disallows installs with CVEs?

[Trenly]

Why add a new flag? winget show is already a single package level, no need to require additional user action just to see CVE data

[Trenly]

Should users be specifying severity, or should it be determined automatically based on CVSS? What is the risk if a user marks a CVSS 8.0 as Medium severity?

[Trenly]

See comments above regarding this parameter

[Trenly]

Is this strictly an enum, or would users be able to do --severity 7.0 ?

Some orgs specify that anything with a CVSS 8.0 or above is not allowed, others allow 7.0 CVSS; More granular control will be needed than just Critical/High/Med/Low in my opinion

[Trenly]

Remove specific version information

[Trenly]

What if users want to only upgrade packages with security updates? winget upgrade --all --security ?

[pl4nty]

We've found this to be pretty difficult. Manually mapping package IDs to CPEs helped, but a lot of raw NVD entries don't have accurate version ranges. Third-party dbs might have better data

afaik, GHSA's global db doesn't have a PURL format for Windows apps and doesn't ingest CPE data, eg GHSA-589r-wg5p-vwjq. CVE-2024-32002 in Git.Git is another good example, it's GHSA-8h77-4q3w-gfgv in https://github.com/git/git but is not available in the global db

[pl4nty]

This could be really powerful, I'd love to write an example server or something

[github-actions]

@check-spelling-bot Report

🔴 Please review

See the 📂 files view, the 📜action log, or 📝 job summary for details.

Unrecognized words (8)

cpe
CVEs
GHSA
nvd
rescans
sbom
scm
SLSA

These words are not needed and should be removed

AAD ABCD abi ACL'd AMap Amd appdata ARMNT asan Baz bitmask bluetooth boundparms brk Buf certs cgi CMSG codepage commandline constexpr Cov cswinrt CTL Dbg Dcom decompressor dedupe DEFT devhome Dns dsc ERANGE errcode errmsg errstr filemode Finalizers FULLWIDTH fuzzer GES github Hackathon HINSTANCE hlocal hmac Hyperlink ICONDIR icu idx img inet Intelli iwr JDK LCID lhs LONGLONG LPBYTE LPCWSTR LPDWORD LPSTR LPVOID LPWSTR MAJORVERSION MAXLENGTH maxvalue MDs MINORVERSION mta nlohmann NONAME NOUPDATE NTFS ofile oid oop OPTOUT outfile OUTOFMEMORY PARAMETERMAP pdb PDWORD pid PKCS pkix placeholders positionals posix pscustomobject pseudocode PSHOST publickey qword redirector regexes remoting reparse REQS rhs rowid RTTI runspace runtimes SARL savepoint Scm sid sqlite subdir subkey trimstart ttl typedef uninitialize uninstallation UNMARSHALING userprofile versioned Webserver website wildcards winreg WMI workaround Wpp wsl

To accept these unrecognized words as correct and remove the previously acknowledged and now absent words, you could run the following commands

... in a clone of the git@github.com:denelon/winget-cli.git repository
on the spec/cve-detection-reporting branch (ℹ️ how do I use this?):

curl -s -S -L 'https://raw.githubusercontent.com/check-spelling/check-spelling/v0.0.26/apply.pl' |
perl - 'https://github.com/microsoft/winget-cli/actions/runs/27972889258/attempts/1' &&
git commit -m 'Update check-spelling metadata'

Pattern suggestions ✂️ (2)

You could add these patterns to .github/actions/spelling/patterns.txt:

# Automatically suggested patterns

# hit-count: 1 file-count: 1
# assign regex
= /[^*].*?(?:[a-z]{3,}|[A-Z]{3,}|[A-Z][a-z]{2,}).*/[gi]?(?=\W|$)

# hit-count: 1 file-count: 1
# regex choice
\(\?:[^)]+\|[^)]+\)

Alternatively, if a pattern suggestion doesn't make sense for this project, add a # to the beginning of the line in the candidates file with the pattern to stop suggesting it.

Warnings and Notices ⚠️ (2)

See the 📂 files view, the 📜action log, or 📝 job summary for details.

⚠️ Warnings and Notices	Count
ℹ️ candidate-pattern	2
⚠️ unexpected-line-ending	2

See ⚠️ Event descriptions for more information.

If the flagged items are 🤯 false positives

If items relate to a ...

• binary file (or some other file you wouldn't want to check at all).

  Please add a file path to the excludes.txt file matching the containing file.

  File paths are Perl 5 Regular Expressions - you can test yours before committing to verify it will match your files.

  ^ refers to the file's path from the root of the repository, so ^README\.md$ would exclude README.md (on whichever branch you're using).

• well-formed pattern.

  If you can write a pattern that would match it,
  try adding it to the patterns.txt file.

  Patterns are Perl 5 Regular Expressions - you can test yours before committing to verify it will match your lines.

  Note that patterns can't match multiline strings.

[Trenly]

Should there be individual links to each advisory?