SecurityPatchState
open class SecurityPatchState
Provides methods to access and manage security state information for various components within a system. This class handles operations related to security patch levels, vulnerability reports, and update management.
Usage examples include:
-
Fetching the current security patch level for specific system components.
-
Retrieving published security patch levels to compare against current levels.
-
Listing and applying security updates from designated update providers.
The class uses a combination of local data storage and external data fetching to maintain and update security states.
Recommended pattern of usage:
-
call
getVulnerabilityReportUrland make a request to download the JSON file containing vulnerability report data -
create SecurityPatchState object, passing in the downloaded JSON as a
String -
call
getPublishedSecurityPatchLevelor other APIs
Summary
Nested types |
|---|
|
Implementation of |
|
Implementation of |
abstract class SecurityPatchState.SecurityPatchLevel : ComparableAbstract base class representing a security patch level. |
enum SecurityPatchState.Severity : EnumSeverity of reported security issues. |
|
Implementation of |
Constants |
|
|---|---|
const String |
Kernel component providing kernel version as VersionedSpl. |
const String |
System component providing ro.build.version.security_patch property value as DateBasedSpl. |
const String |
System modules component providing DateBasedSpl of system modules patch level. |
const String |
URL for the Google-provided data of vulnerabilities from Android Security Bulletin. |
Public companion functions |
|
|---|---|
SecurityPatchState.SecurityPatchLevel |
getComponentSecurityPatchLevel(Retrieves the specific security patch level for a given component based on a security patch level string. |
Uri |
@RequiresApi(value = 26)Constructs a URL for fetching vulnerability reports based on the device's Android version. |
Public constructors |
|---|
SecurityPatchState(Creates an instance of SecurityPatchState. |
Public functions |
|
|---|---|
Boolean |
areCvesPatched(cveList: List<String>)Verifies if all specified CVEs have been patched in the system. |
open SecurityPatchState.SecurityPatchLevel |
getDeviceSecurityPatchLevel(component: String)Retrieves the current security patch level for a specified component. |
open Map<SecurityPatchState.Severity, Set<String>> |
getPatchedCves(Lists all security fixes applied on the current device since the baseline Android release of the current system image, filtered for a specified component and patch level, categorized by severity. |
open List<SecurityPatchState.SecurityPatchLevel> |
getPublishedSecurityPatchLevel(component: String)Retrieves the published security patch level for a specified component. |
Boolean |
Checks if all components of the device have their security patch levels up to date with the published security patch levels. |
Unit |
@WorkerThreadParses a JSON string to extract vulnerability report data. |
Constants
COMPONENT_KERNEL
const val COMPONENT_KERNEL: String
Kernel component providing kernel version as VersionedSpl.
COMPONENT_SYSTEM
const val COMPONENT_SYSTEM: String
System component providing ro.build.version.security_patch property value as DateBasedSpl.
COMPONENT_SYSTEM_MODULES
const val COMPONENT_SYSTEM_MODULES: String
System modules component providing DateBasedSpl of system modules patch level.
DEFAULT_VULNERABILITY_REPORTS_URL
const val DEFAULT_VULNERABILITY_REPORTS_URL: String
URL for the Google-provided data of vulnerabilities from Android Security Bulletin.
Public companion functions
getComponentSecurityPatchLevel
fun getComponentSecurityPatchLevel(
component: String,
securityPatchLevel: String
): SecurityPatchState.SecurityPatchLevel
Retrieves the specific security patch level for a given component based on a security patch level string. This method determines the type of SecurityPatchLevel to construct based on the component type, interpreting the string as a date for date-based components or as a version number for versioned components.
| Parameters | |
|---|---|
component: String |
The component indicating which type of component's patch level is being requested. |
securityPatchLevel: String |
The string representation of the security patch level, which could be a date or a version number. |
| Returns | |
|---|---|
SecurityPatchState.SecurityPatchLevel |
A |
| Throws | |
|---|---|
kotlin.IllegalArgumentException |
If the input string is not in a valid format for the specified component type, or if the component requires a specific format that the string does not meet. |
getVulnerabilityReportUrl
@RequiresApi(value = 26)
fun getVulnerabilityReportUrl(
serverUrl: Uri = Uri.parse(DEFAULT_VULNERABILITY_REPORTS_URL)
): Uri
Constructs a URL for fetching vulnerability reports based on the device's Android version.
| Parameters | |
|---|---|
serverUrl: Uri = Uri.parse(DEFAULT_VULNERABILITY_REPORTS_URL) |
The base URL of the server where vulnerability reports are stored. |
| Returns | |
|---|---|
Uri |
A fully constructed URL pointing to the specific vulnerability report for this device. |
Public companion properties
DEFAULT_SYSTEM_MODULES
val DEFAULT_SYSTEM_MODULES: List<String>
Default list of Android Mainline system modules.
Public constructors
SecurityPatchState
SecurityPatchState(
context: Context,
systemModulePackageNames: List<String> = DEFAULT_SYSTEM_MODULES,
customSecurityStateManagerCompat: SecurityStateManagerCompat? = null,
vulnerabilityReportJsonString: String? = null
)
Creates an instance of SecurityPatchState.
| Parameters | |
|---|---|
context: Context |
Application context used for accessing shared preferences, resources, and other context-dependent features. |
systemModulePackageNames: List<String> = DEFAULT_SYSTEM_MODULES |
A list of system module package names, defaults to Google provided system modules if none are provided. The first module on the list must be the system modules metadata provider package. |
customSecurityStateManagerCompat: SecurityStateManagerCompat? = null |
An optional custom manager for obtaining security state information. If null, a default manager is instantiated. |
vulnerabilityReportJsonString: String? = null |
A JSON string containing vulnerability data to initialize a If you only care about the Device SPL, this parameter is optional. If you need access to Published SPL and Available SPL, you must provide this JSON string, either here in the constructor, or later using |
Public functions
areCvesPatched
fun areCvesPatched(cveList: List<String>): Boolean
Verifies if all specified CVEs have been patched in the system. This method aggregates the CVEs patched across specified system components and checks if the list includes all CVEs provided.
| Parameters | |
|---|---|
cveList: List<String> |
A list of CVE identifiers as strings in the form "CVE-YYYY-NNNNN", where YYYY denotes year, and NNNNN is a number with 3 to 5 digits. |
| Returns | |
|---|---|
Boolean |
true if all provided CVEs are patched, false otherwise. |
getDeviceSecurityPatchLevel
open fun getDeviceSecurityPatchLevel(component: String): SecurityPatchState.SecurityPatchLevel
Retrieves the current security patch level for a specified component.
| Parameters | |
|---|---|
component: String |
The component for which the security patch level is requested. |
| Returns | |
|---|---|
SecurityPatchState.SecurityPatchLevel |
A |
| Throws | |
|---|---|
kotlin.IllegalStateException |
if the patch level data is not available. |
kotlin.IllegalArgumentException |
if the component name is unrecognized. |
getPatchedCves
open fun getPatchedCves(
component: String,
spl: SecurityPatchState.SecurityPatchLevel
): Map<SecurityPatchState.Severity, Set<String>>
Lists all security fixes applied on the current device since the baseline Android release of the current system image, filtered for a specified component and patch level, categorized by severity.
| Parameters | |
|---|---|
component: String |
The component for which security fixes are listed. |
spl: SecurityPatchState.SecurityPatchLevel |
The security patch level for which fixes are retrieved. |
| Returns | |
|---|---|
Map<SecurityPatchState.Severity, Set<String>> |
A map categorizing CVE identifiers by their severity for the specified patch level. For example: |
getPublishedSecurityPatchLevel
open fun getPublishedSecurityPatchLevel(component: String): List<SecurityPatchState.SecurityPatchLevel>
Retrieves the published security patch level for a specified component. This patch level is based on the most recent vulnerability reports, which is a machine-readable data from Android and other security bulletins.
The published security patch level is the most recent value published in a bulletin.
| Parameters | |
|---|---|
component: String |
The component for which the published patch level is requested. |
| Returns | |
|---|---|
List<SecurityPatchState.SecurityPatchLevel> |
A list of |
isDeviceFullyUpdated
fun isDeviceFullyUpdated(): Boolean
Checks if all components of the device have their security patch levels up to date with the published security patch levels. This method compares the device's current security patch level against the latest published levels for each component.
| Returns | |
|---|---|
Boolean |
true if all components are fully updated, false otherwise. |
| Throws | |
|---|---|
kotlin.IllegalArgumentException |
if device or published security patch level for a component cannot be accessed. |
loadVulnerabilityReport
@WorkerThread
fun loadVulnerabilityReport(jsonString: String): Unit
Parses a JSON string to extract vulnerability report data. This method validates the format of the input JSON and constructs a VulnerabilityReport object, preparing the class to provide published and available security state information.
| Parameters | |
|---|---|
jsonString: String |
The JSON string containing the vulnerability data. |
| Throws | |
|---|---|
kotlin.IllegalArgumentException |
if the JSON input is malformed or contains invalid data. |