SecurityPatchState

public class SecurityPatchState

Provides methods to access and manage security state information for various components within a system. This class handles operations related to security patch levels, vulnerability reports, and update management.

Usage examples include:

  • Fetching the current security patch level for specific system components.

  • Retrieving published security patch levels to compare against current levels.

  • Listing and applying security updates from designated update providers.

The class uses a combination of local data storage and external data fetching to maintain and update security states.

Summary

Nested types

Types of components whose security state can be accessed.

Implementation of SecurityPatchLevel for a date-based patch level.

Implementation of SecurityPatchLevel for a simple string patch level.
public abstract class SecurityPatchState.SecurityPatchLevel implements Comparable

Abstract base class representing a security patch level.
public enum SecurityPatchState.Severity extends Enum

Severity of reported security issues.

Implementation of SecurityPatchLevel for a versioned patch level.

Constants
static final @NonNull String

Public fields
static final @NonNull List<@NonNull String>

Public constructors
SecurityPatchState(
    @NonNull Context context,
    @NonNull List<@NonNull String> systemModules,
    SecurityStateManager customSecurityStateManager
)

Creates an instance of SecurityPatchState.

Public methods
final boolean

Verifies if all specified CVEs have been patched in the system.
@NonNull SecurityPatchState.SecurityPatchLevel

Retrieves the available security patch level for a specified component for current device.
@NonNull SecurityPatchState.SecurityPatchLevel

Retrieves the current security patch level for a specified component.
@NonNull Map<@NonNull SecurityPatchState.Severity, @NonNull List<@NonNull String>>

Lists all security fixes applied on the current device since the baseline Android release of the current system image, filtered for a specified component and patch level, categorized by severity.
@NonNull List<@NonNull SecurityPatchState.SecurityPatchLevel>

Retrieves the published security patch level for a specified component.
@NonNull SecurityPatchState.SecurityPatchLevel
getSecurityPatchLevelString(
    @NonNull SecurityPatchState.Component component,
    @NonNull String securityPatchLevel
)

Retrieves the specific security patch level for a given component based on a security patch level string.
final @NonNull Uri

Constructs a URL for fetching vulnerability reports based on the device's Android version.
final boolean

Checks if all components of the device have their security patch levels up to date with the published security patch levels.
@NonNull List<@NonNull UpdateInfo>

Fetches available updates from specified update providers.
final void

Parses a JSON string to extract vulnerability report data.

Constants

DEFAULT_VULNERABILITY_REPORTS_URL

public static final @NonNull String DEFAULT_VULNERABILITY_REPORTS_URL

Public fields

DEFAULT_SYSTEM_MODULES

public static final @NonNull List<@NonNull StringDEFAULT_SYSTEM_MODULES

Public constructors

SecurityPatchState

Added in 1.0.0-alpha01
public SecurityPatchState(
    @NonNull Context context,
    @NonNull List<@NonNull String> systemModules,
    SecurityStateManager customSecurityStateManager
)

Creates an instance of SecurityPatchState.

Parameters
@NonNull Context context

Android context used for accessing shared preferences, resources, and other context-dependent features.
@NonNull List<@NonNull String> systemModules

A list of system module package names, defaults to Google provided system modules if none are provided. The first module on the list must be the system modules metadata provider package.
SecurityStateManager customSecurityStateManager

An optional custom manager for obtaining security state information. If null, a default manager is instantiated.

Public methods

areCvesPatched

Added in 1.0.0-alpha01
public final boolean areCvesPatched(@NonNull List<@NonNull String> cveList)

Verifies if all specified CVEs have been patched in the system. This method aggregates the CVEs patched across specified system components and checks if the list includes all CVEs provided.

Parameters
@NonNull List<@NonNull String> cveList

A list of CVE identifiers as strings in the form "CVE-YYYY-NNNNN", where YYYY denotes year, and NNNNN is a number with 3 to 5 digits.
Returns
boolean

true if all provided CVEs are patched, false otherwise.

getAvailableSecurityPatchLevel

public @NonNull SecurityPatchState.SecurityPatchLevel getAvailableSecurityPatchLevel(
    @NonNull SecurityPatchState.Component component,
    List<@NonNull Uri> providers
)

Retrieves the available security patch level for a specified component for current device. Available patch level comes from updates that were not downloaded or installed yet, but have been released by device manufacturer to the current device. If no updates are found, it returns the current device security patch level.

The information about updates is supplied by update clients through dedicated update information content providers. If no providers are specified, it defaults to predefined URIs, consisting of Google OTA and Play system components update clients.

Parameters
@NonNull SecurityPatchState.Component component

The component for which the available patch level is requested.
List<@NonNull Uri> providers

Optional list of URIs representing update providers; if null, defaults are used. Check documentation of OTA update clients for content provider URIs.
Returns
@NonNull SecurityPatchState.SecurityPatchLevel

A SecurityPatchLevel representing the available patch level for updates.

getDeviceSecurityPatchLevel

Added in 1.0.0-alpha01
public @NonNull SecurityPatchState.SecurityPatchLevel getDeviceSecurityPatchLevel(
    @NonNull SecurityPatchState.Component component
)

Retrieves the current security patch level for a specified component.

Parameters
@NonNull SecurityPatchState.Component component

The component for which the security patch level is requested.
Returns
@NonNull SecurityPatchState.SecurityPatchLevel

A SecurityPatchLevel representing the current patch level of the component.
Throws
kotlin.IllegalStateException

if the patch level data is not available.

getPatchedCves

Added in 1.0.0-alpha01
public @NonNull Map<@NonNull SecurityPatchState.Severity, @NonNull List<@NonNull String>> getPatchedCves(
    @NonNull SecurityPatchState.Component component,
    @NonNull SecurityPatchState.SecurityPatchLevel spl
)

Lists all security fixes applied on the current device since the baseline Android release of the current system image, filtered for a specified component and patch level, categorized by severity.

Parameters
@NonNull SecurityPatchState.Component component

The component for which security fixes are listed.
@NonNull SecurityPatchState.SecurityPatchLevel spl

The security patch level for which fixes are retrieved.
Returns
@NonNull Map<@NonNull SecurityPatchState.Severity, @NonNull List<@NonNull String>>

A map categorizing CVE identifiers by their severity for the specified patch level. For example: `` { Severity.CRITICAL: ["CVE-2023-1234", "CVE-2023-5678"], Severity.HIGH: ["CVE-2023-9012"], Severity.MODERATE: ["CVE-2023-3456"] } `` @throws IllegalArgumentException if the specified component is not valid for fetching security fixes. @throws IllegalStateException if the vulnerability report is not loaded.

getPublishedSecurityPatchLevel

Added in 1.0.0-alpha01
public @NonNull List<@NonNull SecurityPatchState.SecurityPatchLevelgetPublishedSecurityPatchLevel(
    @NonNull SecurityPatchState.Component component
)

Retrieves the published security patch level for a specified component. This patch level is based on the most recent vulnerability reports, which is a machine-readable data from Android and other security bulletins.

The published security patch level is the most recent value published in a bulletin.

Parameters
@NonNull SecurityPatchState.Component component

The component for which the published patch level is requested.
Returns
@NonNull List<@NonNull SecurityPatchState.SecurityPatchLevel>

A list of SecurityPatchLevel representing the published patch levels. The list contains single element for all components, except for KERNEL, where it lists kernel LTS version numbers for all supported major kernel versions. For example: `` [ "4.19.314", "5.15.159", "6.1.91" ] `` @throws IllegalStateException if the vulnerability report is not loaded or if patch level data is unavailable.

getSecurityPatchLevelString

Added in 1.0.0-alpha01
public @NonNull SecurityPatchState.SecurityPatchLevel getSecurityPatchLevelString(
    @NonNull SecurityPatchState.Component component,
    @NonNull String securityPatchLevel
)

Retrieves the specific security patch level for a given component based on a security patch level string. This method determines the type of SecurityPatchLevel to construct based on the component type, interpreting the string as a date for date-based components or as a version number for versioned components.

Parameters
@NonNull SecurityPatchState.Component component

The Component enum indicating which type of component's patch level is being requested.
@NonNull String securityPatchLevel

The string representation of the security patch level, which could be a date or a version number.
Returns
@NonNull SecurityPatchState.SecurityPatchLevel

A SecurityPatchLevel instance corresponding to the specified component and patch level string.
Throws
kotlin.IllegalArgumentException

If the input string is not in a valid format for the specified component type, or if the component requires a specific format that the string does not meet.

getVulnerabilityReportUrl

Added in 1.0.0-alpha01
public final @NonNull Uri getVulnerabilityReportUrl(@NonNull String serverUrl)

Constructs a URL for fetching vulnerability reports based on the device's Android version.

Parameters
@NonNull String serverUrl

The base URL of the server where vulnerability reports are stored.
Returns
@NonNull Uri

A fully constructed URL pointing to the specific vulnerability report for this device.
Throws
kotlin.IllegalArgumentException

if the Android SDK version is unsupported.

isDeviceFullyUpdated

Added in 1.0.0-alpha01
public final boolean isDeviceFullyUpdated()

Checks if all components of the device have their security patch levels up to date with the published security patch levels. This method compares the device's current security patch level against the latest published levels for each component.

Returns
boolean

true if all components are fully updated, false otherwise.
Throws
kotlin.IllegalArgumentException

if device or published security patch level for a component cannot be accessed.

listAvailableUpdates

public @NonNull List<@NonNull UpdateInfolistAvailableUpdates(List<@NonNull Uri> providers)

Fetches available updates from specified update providers. If no providers are specified, it defaults to predefined URIs. This method queries each provider URI and processes the response to gather update data relevant to the system's components.

Parameters
List<@NonNull Uri> providers

An optional list of Uri objects representing update providers. If null or empty, default providers are used.
Returns
@NonNull List<@NonNull UpdateInfo>

A list of UpdateInfo objects, each representing an available update.

loadVulnerabilityReport

Added in 1.0.0-alpha01
public final void loadVulnerabilityReport(@NonNull String jsonString)

Parses a JSON string to extract vulnerability report data. This method validates the format of the input JSON and constructs a VulnerabilityReport object, preparing the class to provide published and available security state information.

The recommended pattern of usage:

  • create SecurityPatchState object

  • call getVulnerabilityReportUrl()

  • download JSON file containing vulnerability report data

  • call parseVulnerabilityReport()

  • call getPublishedSecurityPatchLevel() or other APIs

Parameters
@NonNull String jsonString

The JSON string containing the vulnerability data.
Throws
kotlin.IllegalArgumentException

if the JSON input is malformed or contains invalid data.