Flag many apps with KnownVuln

metadata/com.cheogram.android.yml

@@ -128,6 +128,13 @@ Builds:
     prebuild: sed -i -e '/MissingTranslation/aabortOnError\ false' -e '/splits/,+5d'
         -e '/Variants.all/,+10d' build.gradle
     ndk: r21e
+    antifeatures:
+      - KnownVuln
+
+MaintainerNotes: |-
+    KnownVuln: org.webrtc:google-webrtc:1.0.32006 noted at below link
+    https://git.singpolyma.net/cheogram-android/tree/$TAG/item/build.gradle
+    https://gitlab.com/fdroid/fdroiddata/-/issues/2064
 
 AutoUpdateMode: Version ++free %v-fdroid
 UpdateCheckMode: Tags .*-fdroid$

metadata/com.csipsimple.yml

@@ -1,3 +1,5 @@
+AntiFeatures:
+  - KnownVuln
 Categories:
   - Phone & SMS
 License: GPL-3.0-only
@@ -89,6 +91,9 @@ MaintainerNotes: |-
     this issue, as of June 23 2016, the maintainers haven't responded to that
     question yet.
 
+    KnownVuln: webrtc@2948 noted above
+    https://gitlab.com/fdroid/fdroiddata/-/merge_requests/11496
+
 ArchivePolicy: 0 versions
 AutoUpdateMode: None
 UpdateCheckMode: None

metadata/com.foobnix.pro.pdf.reader.yml

@@ -330,11 +330,18 @@ Builds:
       - pushd ../Builder/
       - ./link_merge.sh
     ndk: r25b
+    antifeatures:
+      - KnownVuln
 
 MaintainerNotes: |-
     * Upstream builds separate APKs for each architecture but we build an universal APK.
     * scanner will detect GMS (/com/google/android/gms) in these APKs; those are only stubs here, see https://gitlab.com/fdroid/fdroiddata/-/issues/2272#note_493741256
 
+    * KnownVuln: MuPDF 1.11 noted at below link
+    * https://github.com/foobnix/LibreraReader/blob/8.8.5/app/src/main/java/com/foobnix/pdf/info/AppsConfig.java#L30
+    * app includes both MuPDF 1.11 as the default for legacy Android 4.0 compatibility
+    * https://gitlab.com/fdroid/fdroiddata/-/merge_requests/11496
+
 AutoUpdateMode: Version +-fdroid %v
 UpdateCheckMode: Tags
 UpdateCheckData: app/build.gradle|\s+FDroidCodeNumber = (\d+)|.|\s+FDroidVersionNumber

metadata/com.gsnathan.pdfviewer.yml

@@ -1,3 +1,5 @@
+AntiFeatures:
+  - KnownVuln
 Categories:
   - Reading
 License: MIT
@@ -97,6 +99,13 @@ Builds:
     gradle:
       - yes
 
+MaintainerNotes: |-
+    KnownVuln: com.github.barteksc:android-pdf-viewer:3.2.0 noted at below link
+    https://github.com/JavaCafe01/PdfViewer/blob/$TAG/app/build.gradle
+    https://github.com/JavaCafe01/PdfViewer/issues/175
+    https://gitlab.com/fdroid/fdroiddata/-/merge_requests/11496
+    Repository archived
+
 AutoUpdateMode: Version v%v
 UpdateCheckMode: Tags ^v[0-9.]+$
 CurrentVersion: '3.7'

metadata/com.poupa.attestationdeplacement.yml

@@ -1,3 +1,5 @@
+AntiFeatures:
+  - KnownVuln
 Categories:
   - Phone & SMS
 License: GPL-3.0-only
@@ -125,6 +127,13 @@ Builds:
     gradle:
       - yes
 
+MaintainerNotes: |-
+    KnownVuln: com.itextpdf:itextg:5.5.10 noted at below link
+    https://github.com/AdrienPoupa/AttestationDeplacement/blob/$TAG/app/build.gradle
+    https://github.com/AdrienPoupa/AttestationDeplacement/issues/131
+    https://gitlab.com/fdroid/fdroiddata/-/merge_requests/11496
+    Repository archived
+
 AutoUpdateMode: Version %v
 UpdateCheckMode: Tags
 CurrentVersion: 3.7.0

metadata/com.saverio.pdfviewer.yml

@@ -54,6 +54,7 @@ Builds:
 
 MaintainerNotes: KnownVuln as it uses a very old version of pdfium with many vulnerabilities,
     see https://gitlab.com/fdroid/fdroiddata/-/merge_requests/9913#note_701892370
+    https://github.com/Sav22999/sav-pdf-viewer-pro/issues/28
 
 AutoUpdateMode: Version %v
 UpdateCheckMode: Tags

metadata/com.simplemobiletools.filemanager.pro.yml

@@ -526,6 +526,14 @@ Builds:
       - build.patch
     gradle:
       - fdroid
+    antifeatures:
+      - KnownVuln
+
+MaintainerNotes: |-
+    KnownVuln: com.github.tibbi:AndroidPdfViewer:da57ff410e noted at below link
+    https://github.com/SimpleMobileTools/Simple-File-Manager/blob/$TAG/app/build.gradle
+    https://github.com/SimpleMobileTools/Simple-File-Manager/issues/619
+    https://gitlab.com/fdroid/fdroiddata/-/merge_requests/11496
 
 AutoUpdateMode: Version %v
 UpdateCheckMode: Tags

metadata/cx.hell.android.pdfview.yml

@@ -1,3 +1,5 @@
+AntiFeatures:
+  - KnownVuln
 Categories:
   - Reading
 License: GPL-3.0-only
@@ -75,6 +77,11 @@ Builds:
       - yes
     ndk: r12b
 
+MaintainerNotes: |-
+    KnownVuln: Ancient MuPDF noted at below link
+    https://github.com/mpietrzak/apv/tree/$COMMIT/pdfview/deps
+    https://gitlab.com/fdroid/fdroiddata/-/merge_requests/11496
+
 AutoUpdateMode: None
 UpdateCheckMode: None
 CurrentVersion: 0.4.0

metadata/de.baumann.pdfcreator.yml

@@ -1,3 +1,5 @@
+AntiFeatures:
+  - KnownVuln
 Categories:
   - Writing
 License: GPL-3.0-or-later
@@ -174,6 +176,12 @@ Builds:
       - echo -e 'distributionUrl=https://services.gradle.org/distributions/gradle-3.3-bin.zip'
         > gradle/wrapper/gradle-wrapper.properties
 
+MaintainerNotes: |-
+    KnownVuln: com.itextpdf:itextg:5.5.10 noted at below link
+    https://github.com/scoute-dich/PDFCreator/blob/$TAG/app/build.gradle
+    https://gitlab.com/fdroid/fdroiddata/-/merge_requests/11496
+    Repository archived
+
 AutoUpdateMode: Version v%v
 UpdateCheckMode: Tags
 CurrentVersion: '3.8'

metadata/io.github.droidapps.pdfreader.yml

@@ -1,3 +1,5 @@
+AntiFeatures:
+  - KnownVuln
 Categories:
   - Reading
 License: GPL-3.0-only
@@ -33,6 +35,11 @@ Builds:
       - yes
     ndk: r12b
 
+MaintainerNotes: |-
+    KnownVuln: Ancient MuPDF noted at below link
+    https://github.com/droidapps/pdfreader4Android/tree/$TAG/jni/mupdf/pdf
+    https://gitlab.com/fdroid/fdroiddata/-/merge_requests/11496
+
 AutoUpdateMode: None
 UpdateCheckMode: Tags
 CurrentVersion: 0.4.0

metadata/it.iiizio.epubator.yml

@@ -1,3 +1,5 @@
+AntiFeatures:
+  - KnownVuln
 Categories:
   - Reading
 License: GPL-3.0-only
@@ -63,6 +65,11 @@ Builds:
     subdir: ePUBator
     prebuild: mv lib libs
 
+MaintainerNotes: |-
+    KnownVuln: itextpdf-5.5.6.jar noted at below link
+    https://sourceforge.net/p/epubator/code/ci/master/tree/ePUBator/lib/
+    https://gitlab.com/fdroid/fdroiddata/-/merge_requests/11496
+
 AutoUpdateMode: None
 UpdateCheckMode: Tags
 CurrentVersion: '0.12'

metadata/org.documentfoundation.libreoffice.yml

@@ -1,3 +1,5 @@
+AntiFeatures:
+  - KnownVuln
 Categories:
   - Reading
 License: MPL-2.0
@@ -402,6 +404,9 @@ MaintainerNotes: |-
 
     Once the right contents of LOTarballs has been figured out, don't forget to set --enable-fetch-external=no and add back the symlink command to LOTarballs (and update the LOTarballs commit hash to the new one).
 
+    KnownVuln: Current version is from 2018-01-26
+    https://cgit.freedesktop.org/libreoffice/core/commit/?id=484d0ea842da
+
 ArchivePolicy: 4 versions
 AutoUpdateMode: None
 UpdateCheckMode: None

metadata/org.ninthfloor.copperpdf.yml

@@ -1,3 +1,5 @@
+AntiFeatures:
+  - KnownVuln
 Categories:
   - Reading
   - System
@@ -58,6 +60,12 @@ Builds:
       - yes
     prebuild: sed -i -e '/jcenter/a google()' ../build.gradle
 
+MaintainerNotes: |-
+    KnownVuln: PDF.js 1.5.188 noted at below link
+    https://github.com/paride/CopperPDF/blob/$TAG/app/src/main/assets/pdf.js
+    https://gitlab.com/fdroid/fdroiddata/-/merge_requests/11496
+    Repository archived
+
 AutoUpdateMode: Version v%v
 UpdateCheckMode: Tags
 CurrentVersion: v1.3.0

metadata/org.snikket.android.yml

@@ -65,6 +65,12 @@ Builds:
         -e "/phonenumber/aimplementation 'org.webrtc:google-webrtc:1.0.32006'" -e
         '/splits/,+5d' -e '/Variants.all/,+8d' build.gradle
     ndk: r21e
+    antifeatures:
+      - KnownVuln
+
+MaintainerNotes: |-
+    KnownVuln: org.webrtc:google-webrtc:1.0.32006 noted above
+    https://gitlab.com/fdroid/fdroiddata/-/issues/2064
 
 AutoUpdateMode: Version ++fcr %v
 UpdateCheckMode: Tags

metadata/org.sufficientlysecure.viewer.yml

@@ -1,3 +1,5 @@
+AntiFeatures:
+  - KnownVuln
 Categories:
   - Reading
 License: GPL-3.0-only
@@ -1750,6 +1752,12 @@ MaintainerNotes: |-
     * Archive policy last three upstream releases
     * Disable AUM since it does not support ABI splits
 
+    * KnownVuln: MuPDF 1.11 noted at below link
+    * https://github.com/SufficientlySecure/document-viewer/commits/$TAG/document-viewer/jni/mupdf
+    * https://github.com/SufficientlySecure/document-viewer/issues/277
+    * https://gitlab.com/fdroid/fdroiddata/-/merge_requests/11496
+    * No longer maintained
+
 ArchivePolicy: 15 versions
 AutoUpdateMode: None
 UpdateCheckMode: None

metadata/org.vudroid.yml

@@ -1,3 +1,5 @@
+AntiFeatures:
+  - KnownVuln
 Categories:
   - Reading
 License: GPL-3.0-only
@@ -31,6 +33,10 @@ Builds:
       - yes
     ndk: r12b
 
+MaintainerNotes: |-
+    KnownVuln: Ancient MuPDF
+    https://gitlab.com/fdroid/fdroiddata/-/merge_requests/11496
+
 AutoUpdateMode: None
 UpdateCheckMode: Static
 CurrentVersion: '1.4'

metadata/swati4star.createpdf.yml

@@ -1,3 +1,5 @@
+AntiFeatures:
+  - KnownVuln
 Categories:
   - Multimedia
 License: GPL-3.0-or-later
@@ -144,6 +146,12 @@ Builds:
       - sed -i -e '/aspose/d' build.gradle
       - sed -i -e '/ExcelToPDFAsync/d' src/main/java/swati4star/createpdf/fragment/ExceltoPdfFragment.java
 
+MaintainerNotes: |-
+    KnownVuln: com.itextpdf:itextg:5.5.10 noted at below link
+    https://github.com/Swati4star/Images-to-PDF/blob/$TAG/app/build.gradle
+    https://github.com/Swati4star/Images-to-PDF/issues/1083
+    https://gitlab.com/fdroid/fdroiddata/-/merge_requests/11496
+
 AutoUpdateMode: Version
 UpdateCheckMode: Tags
 CurrentVersion: 8.8.1

metadata/universe.constellation.orion.viewer.yml

@@ -1,3 +1,5 @@
+AntiFeatures:
+  - KnownVuln
 Categories:
   - Reading
 License: GPL-3.0-or-later
@@ -29,6 +31,12 @@ Builds:
       - nativeLibs/mupdf
     ndk: r20b
 
+MaintainerNotes: |-
+    KnownVuln: MuPDF 1.16.1 noted at below link
+    https://github.com/max-kammerer/orion-viewer/commits/$TAG/nativeLibs/mupdfModule
+    https://github.com/max-kammerer/orion-viewer/issues/40
+    https://gitlab.com/fdroid/fdroiddata/-/merge_requests/11496
+
 AutoUpdateMode: Version
 UpdateCheckMode: Tags
 UpdateCheckData: orion-viewer/version.properties|orion\.version\.code\s*=\s*([0-9]+)|.|orion.version.name\s*=\s*(.+)