fleet/server/vulnerabilities/nvd/testing_utils.go

package nvd

const XmlCPETestDict = `
<?xml version='1.0' encoding='UTF-8'?>
<cpe-list xmlns:config="http://scap.nist.gov/schema/configuration/0.1" xmlns="http://cpe.mitre.org/dictionary/2.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:scap-core="http://scap.nist.gov/schema/scap-core/0.3" xmlns:cpe-23="http://scap.nist.gov/schema/cpe-extension/2.3" xmlns:ns6="http://scap.nist.gov/schema/scap-core/0.1" xmlns:meta="http://scap.nist.gov/schema/cpe-dictionary-metadata/0.2" xsi:schemaLocation="http://scap.nist.gov/schema/cpe-extension/2.3 https://scap.nist.gov/schema/cpe/2.3/cpe-dictionary-extension_2.3.xsd http://cpe.mitre.org/dictionary/2.0 https://scap.nist.gov/schema/cpe/2.3/cpe-dictionary_2.3.xsd http://scap.nist.gov/schema/cpe-dictionary-metadata/0.2 https://scap.nist.gov/schema/cpe/2.1/cpe-dictionary-metadata_0.2.xsd http://scap.nist.gov/schema/scap-core/0.3 https://scap.nist.gov/schema/nvd/scap-core_0.3.xsd http://scap.nist.gov/schema/configuration/0.1 https://scap.nist.gov/schema/nvd/configuration_0.1.xsd http://scap.nist.gov/schema/scap-core/0.1 https://scap.nist.gov/schema/nvd/scap-core_0.1.xsd">
  <generator>
    <product_name>National Vulnerability Database (NVD)</product_name>
    <product_version>4.6</product_version>
    <schema_version>2.3</schema_version>
    <timestamp>2021-07-20T03:50:36.509Z</timestamp>
  </generator>
  <cpe-item name="cpe:/a:vendor:product-1:1.2.3:~~~macos~~">
    <title xml:lang="en-US">Vendor Product-1 1.2.3 for MacOS</title>
    <references>
      <reference href="https://someurl.com">Change Log</reference>
    </references>
    <cpe-23:cpe23-item name="cpe:2.3:a:vendor:product-1:1.2.3:*:*:*:*:macos:*:*"/>
  </cpe-item>
  <cpe-item name="cpe:/a:vendor2:product2:0.3:~~~macos~~" deprecated="true" deprecation_date="2021-06-10T15:28:05.490Z">
    <title xml:lang="en-US">Vendor2 Product2 0.3 for MacOS</title>
    <cpe-23:cpe23-item name="cpe:2.3:a:vendor2:product2:0.3:*:*:*:*:macos:*:*">
      <cpe-23:deprecation date="2021-06-10T11:28:05.490-04:00">
        <cpe-23:deprecated-by name="cpe:2.3:a:vendor2:product3:1.2:*:*:*:*:macos:*:*" type="NAME_CORRECTION"/>
      </cpe-23:deprecation>
    </cpe-23:cpe23-item>
  </cpe-item>
  <cpe-item name="cpe:/a:vendor2:product3:1.2:~~~macos~~" deprecated="true" deprecation_date="2021-06-10T15:28:05.490Z">
    <title xml:lang="en-US">Vendor2 Product3 1.2 for MacOS</title>
    <cpe-23:cpe23-item name="cpe:2.3:a:vendor2:product3:1.2:*:*:*:*:macos:*:*">
      <cpe-23:deprecation date="2021-06-10T11:28:05.490-04:00">
        <cpe-23:deprecated-by name="cpe:2.3:a:vendor2:product4:999:*:*:*:*:macos:*:*" type="NAME_CORRECTION"/>
      </cpe-23:deprecation>
    </cpe-23:cpe23-item>
  </cpe-item>
  <cpe-item name="cpe:/a:vendor2:product4:999">
    <title xml:lang="en-US">Vendor2 Product4 999 for MacOS</title>
    <cpe-23:cpe23-item name="cpe:2.3:a:vendor2:product4:999:*:*:*:*:macos:*:*"/>
  </cpe-item>
  <cpe-item name="cpe:/a:ge:line:1.0">
    <title xml:lang="en-US">GE Line 1.0</title>
    <cpe-23:cpe23-item name="cpe:2.3:a:ge:line:1.0:*:*:*:*:*:*:*"/>
  </cpe-item>
  <cpe-item name="cpe:/a:linecorp:line:1.0">
    <title xml:lang="en-US">LINE Corporation Line 1.0</title>
    <cpe-23:cpe23-item name="cpe:2.3:a:linecorp:line:1.0:*:*:*:*:*:*:*"/>
  </cpe-item>
  <cpe-item name="cpe:/a:badvendor:widget:1.0" deprecated="true" deprecation_date="2021-06-10T15:28:05.490Z">
    <title xml:lang="en-US">Bad Vendor Widget 1.0</title>
    <cpe-23:cpe23-item name="cpe:2.3:a:badvendor:widget:1.0:*:*:*:*:*:*:*">
      <cpe-23:deprecation date="2021-06-10T11:28:05.490-04:00">
        <cpe-23:deprecated-by name="cpe:2.3:a:badvendor:wrong_result:1.0:*:*:*:*:*:*:*" type="NAME_CORRECTION"/>
      </cpe-23:deprecation>
    </cpe-23:cpe23-item>
  </cpe-item>
  <cpe-item name="cpe:/a:badvendor:wrong_result:1.0">
    <title xml:lang="en-US">Bad Vendor Wrong Result 1.0</title>
    <cpe-23:cpe23-item name="cpe:2.3:a:badvendor:wrong_result:1.0:*:*:*:*:*:*:*"/>
  </cpe-item>
  <cpe-item name="cpe:/a:goodcorp:widget:1.0" deprecated="true" deprecation_date="2021-06-10T15:28:05.490Z">
    <title xml:lang="en-US">Good Corp Widget 1.0</title>
    <cpe-23:cpe23-item name="cpe:2.3:a:goodcorp:widget:1.0:*:*:*:*:*:*:*">
      <cpe-23:deprecation date="2021-06-10T11:28:05.490-04:00">
        <cpe-23:deprecated-by name="cpe:2.3:a:goodcorp:correct_result:1.0:*:*:*:*:*:*:*" type="NAME_CORRECTION"/>
      </cpe-23:deprecation>
    </cpe-23:cpe23-item>
  </cpe-item>
  <cpe-item name="cpe:/a:goodcorp:correct_result:1.0">
    <title xml:lang="en-US">Good Corp Correct Result 1.0</title>
    <cpe-23:cpe23-item name="cpe:2.3:a:goodcorp:correct_result:1.0:*:*:*:*:*:*:*"/>
  </cpe-item>
  <cpe-item name="cpe:/a:python:requests:2.31.0">
    <title xml:lang="en-US">Python Requests 2.31.0</title>
    <cpe-23:cpe23-item name="cpe:2.3:a:python:requests:2.31.0:*:*:*:*:*:*:*"/>
  </cpe-item>
  <cpe-item name="cpe:/a:jenkins:requests:2.31.0">
    <title xml:lang="en-US">Jenkins Requests 2.31.0</title>
    <cpe-23:cpe23-item name="cpe:2.3:a:jenkins:requests:2.31.0:*:*:*:*:jenkins:*:*"/>
  </cpe-item>
  <cpe-item name="cpe:/a:duplicity_project:duplicity:0.8.0">
    <title xml:lang="en-US">Duplicity Project Duplicity 0.8.0</title>
    <cpe-23:cpe23-item name="cpe:2.3:a:duplicity_project:duplicity:0.8.0:*:*:*:*:*:*:*"/>
  </cpe-item>
  <cpe-item name="cpe:/a:debian:duplicity:0.8.0">
    <title xml:lang="en-US">Debian Duplicity 0.8.0</title>
    <cpe-23:cpe23-item name="cpe:2.3:a:debian:duplicity:0.8.0:*:*:*:*:*:*:*"/>
  </cpe-item>
  <cpe-item name="cpe:/a:openjsf:express:4.18.0">
    <title xml:lang="en-US">OpenJS Foundation Express 4.18.0</title>
    <cpe-23:cpe23-item name="cpe:2.3:a:openjsf:express:4.18.0:*:*:*:*:node.js:*:*"/>
  </cpe-item>
  <cpe-item name="cpe:/a:checkpoint:express:4.18.0">
    <title xml:lang="en-US">Check Point Express 4.18.0</title>
    <cpe-23:cpe23-item name="cpe:2.3:a:checkpoint:express:4.18.0:*:*:*:*:*:*:*"/>
  </cpe-item>
</cpe-list>
`
Fixes various bugs with NVD vulnerability detection (#7963) - Improved NVD CPE matching process. - Fixed bug with the 'software/<id>' endpoint not showing the generated_cpe value. 2022-10-04 11:04:48 +00:00			`package nvd`
Issue 1435 software to cpe (#1488) * WIP * WIP * Make path optional and fix tests * Add first generate * Move to nvd package * remove replace * Re-add replace * It's path, not file name * Change how db path is set and use etag * Fix typos * Make db generation faster * Remove quotes * Doesn't like comments * Samitize etag and save to file * Refactor some things and improve writing of etagenv * Compress file and truncate amount of items for faster testing * Remove quotes * Try to improve performance * Ignore truncate error if not exists * Minor cleanup and make sqlite have cpe prefix * Simplify code and test sync * Add VCR for sync test * Check for nvdRelease nil * Add test for the actual translation * Address review comments * Rename generate command because we'll have a cve one too * Move to its own dir * Address review comments 2021-07-29 16:10:34 +00:00
			const XmlCPETestDict = `
			`<?xml version='1.0' encoding='UTF-8'?>`
			<cpe-list xmlns:config="http://scap.nist.gov/schema/configuration/0.1" xmlns="http://cpe.mitre.org/dictionary/2.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:scap-core="http://scap.nist.gov/schema/scap-core/0.3" xmlns:cpe-23="http://scap.nist.gov/schema/cpe-extension/2.3" xmlns:ns6="http://scap.nist.gov/schema/scap-core/0.1" xmlns:meta="http://scap.nist.gov/schema/cpe-dictionary-metadata/0.2" xsi:schemaLocation="http://scap.nist.gov/schema/cpe-extension/2.3 https://scap.nist.gov/schema/cpe/2.3/cpe-dictionary-extension_2.3.xsd http://cpe.mitre.org/dictionary/2.0 https://scap.nist.gov/schema/cpe/2.3/cpe-dictionary_2.3.xsd http://scap.nist.gov/schema/cpe-dictionary-metadata/0.2 https://scap.nist.gov/schema/cpe/2.1/cpe-dictionary-metadata_0.2.xsd http://scap.nist.gov/schema/scap-core/0.3 https://scap.nist.gov/schema/nvd/scap-core_0.3.xsd http://scap.nist.gov/schema/configuration/0.1 https://scap.nist.gov/schema/nvd/configuration_0.1.xsd http://scap.nist.gov/schema/scap-core/0.1 https://scap.nist.gov/schema/nvd/scap-core_0.1.xsd">
			`<generator>`
			`<product_name>National Vulnerability Database (NVD)</product_name>`
			`<product_version>4.6</product_version>`
			`<schema_version>2.3</schema_version>`
			`<timestamp>2021-07-20T03:50:36.509Z</timestamp>`
			`</generator>`
Fix build, add missing tests for cpe translations (#1631) * Fix build, add missing tests for cpe translations Also dont fail alltogether if there's one issue translating CPEs, log it and continue * Make it once every hour again * Use MATCH but escape strings 2021-08-11 17:52:09 +00:00			`<cpe-item name="cpe:/a:vendor:product-1:1.2.3:~~~macos~~">`
			`<title xml:lang="en-US">Vendor Product-1 1.2.3 for MacOS</title>`
Issue 1435 software to cpe (#1488) * WIP * WIP * Make path optional and fix tests * Add first generate * Move to nvd package * remove replace * Re-add replace * It's path, not file name * Change how db path is set and use etag * Fix typos * Make db generation faster * Remove quotes * Doesn't like comments * Samitize etag and save to file * Refactor some things and improve writing of etagenv * Compress file and truncate amount of items for faster testing * Remove quotes * Try to improve performance * Ignore truncate error if not exists * Minor cleanup and make sqlite have cpe prefix * Simplify code and test sync * Add VCR for sync test * Check for nvdRelease nil * Add test for the actual translation * Address review comments * Rename generate command because we'll have a cve one too * Move to its own dir * Address review comments 2021-07-29 16:10:34 +00:00			`<references>`
			`<reference href="https://someurl.com">Change Log</reference>`
			`</references>`
Fix build, add missing tests for cpe translations (#1631) * Fix build, add missing tests for cpe translations Also dont fail alltogether if there's one issue translating CPEs, log it and continue * Make it once every hour again * Use MATCH but escape strings 2021-08-11 17:52:09 +00:00			`<cpe-23:cpe23-item name="cpe:2.3:a:vendor:product-1:1.2.3:::::macos::"/>`
Issue 1435 software to cpe (#1488) * WIP * WIP * Make path optional and fix tests * Add first generate * Move to nvd package * remove replace * Re-add replace * It's path, not file name * Change how db path is set and use etag * Fix typos * Make db generation faster * Remove quotes * Doesn't like comments * Samitize etag and save to file * Refactor some things and improve writing of etagenv * Compress file and truncate amount of items for faster testing * Remove quotes * Try to improve performance * Ignore truncate error if not exists * Minor cleanup and make sqlite have cpe prefix * Simplify code and test sync * Add VCR for sync test * Check for nvdRelease nil * Add test for the actual translation * Address review comments * Rename generate command because we'll have a cve one too * Move to its own dir * Address review comments 2021-07-29 16:10:34 +00:00			`</cpe-item>`
			`<cpe-item name="cpe:/a:vendor2:product2:0.3:~~~macos~~" deprecated="true" deprecation_date="2021-06-10T15:28:05.490Z">`
			`<title xml:lang="en-US">Vendor2 Product2 0.3 for MacOS</title>`
			`<cpe-23:cpe23-item name="cpe:2.3:a:vendor2:product2:0.3:::::macos::">`
			`<cpe-23:deprecation date="2021-06-10T11:28:05.490-04:00">`
			`<cpe-23:deprecated-by name="cpe:2.3:a:vendor2:product3:1.2:::::macos::" type="NAME_CORRECTION"/>`
			`</cpe-23:deprecation>`
			`</cpe-23:cpe23-item>`
			`</cpe-item>`
			`<cpe-item name="cpe:/a:vendor2:product3:1.2:~~~macos~~" deprecated="true" deprecation_date="2021-06-10T15:28:05.490Z">`
			`<title xml:lang="en-US">Vendor2 Product3 1.2 for MacOS</title>`
			`<cpe-23:cpe23-item name="cpe:2.3:a:vendor2:product3:1.2:::::macos::">`
			`<cpe-23:deprecation date="2021-06-10T11:28:05.490-04:00">`
			`<cpe-23:deprecated-by name="cpe:2.3:a:vendor2:product4:999:::::macos::" type="NAME_CORRECTION"/>`
			`</cpe-23:deprecation>`
			`</cpe-23:cpe23-item>`
			`</cpe-item>`
			`<cpe-item name="cpe:/a:vendor2:product4:999">`
			`<title xml:lang="en-US">Vendor2 Product4 999 for MacOS</title>`
			`<cpe-23:cpe23-item name="cpe:2.3:a:vendor2:product4:999:::::macos::"/>`
			`</cpe-item>`
Fixed nondeterministic CPE matching when multiple CPE candidates share the same product name (#41649) <!-- Add the related story/sub-task/bug number, like Resolves #123, or remove if NA --> Related issue: Resolves #39899 This fix fixes the determinism issue by ordering the results, however, it does not necessarily fix the correctness issue. Another bug opened for that: https://github.com/fleetdm/fleet/issues/41644 That's why you see changes in `cpe_test.go` that may seem incorrect in some cases. In reality the previous behavior was purely by coincidence (based on insert order). # Checklist for submitter - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. ## Testing - [x] Added/updated automated tests - [x] QA'd all new/changed functionality manually <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * Bug Fixes * Fixed nondeterministic CPE matching when multiple candidates share the same product name. CPE selection is now deterministic and prioritizes matches based on vendor alignment with the software being analyzed. <!-- end of auto-generated comment: release notes by coderabbit.ai --> 2026-03-17 12:22:23 +00:00			`<cpe-item name="cpe:/a:ge:line:1.0">`
			`<title xml:lang="en-US">GE Line 1.0</title>`
			`<cpe-23:cpe23-item name="cpe:2.3:a:ge:line:1.0:::::::*"/>`
			`</cpe-item>`
			`<cpe-item name="cpe:/a:linecorp:line:1.0">`
			`<title xml:lang="en-US">LINE Corporation Line 1.0</title>`
			`<cpe-23:cpe23-item name="cpe:2.3:a:linecorp:line:1.0:::::::*"/>`
			`</cpe-item>`
			`<cpe-item name="cpe:/a:badvendor:widget:1.0" deprecated="true" deprecation_date="2021-06-10T15:28:05.490Z">`
			`<title xml:lang="en-US">Bad Vendor Widget 1.0</title>`
			`<cpe-23:cpe23-item name="cpe:2.3:a:badvendor:widget:1.0:::::::*">`
			`<cpe-23:deprecation date="2021-06-10T11:28:05.490-04:00">`
			`<cpe-23:deprecated-by name="cpe:2.3:a:badvendor:wrong_result:1.0:::::::*" type="NAME_CORRECTION"/>`
			`</cpe-23:deprecation>`
			`</cpe-23:cpe23-item>`
			`</cpe-item>`
			`<cpe-item name="cpe:/a:badvendor:wrong_result:1.0">`
			`<title xml:lang="en-US">Bad Vendor Wrong Result 1.0</title>`
			`<cpe-23:cpe23-item name="cpe:2.3:a:badvendor:wrong_result:1.0:::::::*"/>`
			`</cpe-item>`
			`<cpe-item name="cpe:/a:goodcorp:widget:1.0" deprecated="true" deprecation_date="2021-06-10T15:28:05.490Z">`
			`<title xml:lang="en-US">Good Corp Widget 1.0</title>`
			`<cpe-23:cpe23-item name="cpe:2.3:a:goodcorp:widget:1.0:::::::*">`
			`<cpe-23:deprecation date="2021-06-10T11:28:05.490-04:00">`
			`<cpe-23:deprecated-by name="cpe:2.3:a:goodcorp:correct_result:1.0:::::::*" type="NAME_CORRECTION"/>`
			`</cpe-23:deprecation>`
			`</cpe-23:cpe23-item>`
			`</cpe-item>`
			`<cpe-item name="cpe:/a:goodcorp:correct_result:1.0">`
			`<title xml:lang="en-US">Good Corp Correct Result 1.0</title>`
			`<cpe-23:cpe23-item name="cpe:2.3:a:goodcorp:correct_result:1.0:::::::*"/>`
			`</cpe-item>`
Improved cpe deterministic matching (#42325) Related issue: Resolves #41644 There are two cases that exist in the cpe database where this generic logic could not be applied. django from python_packages: gofiber:django djangoproject:django npm from npm_packages: microsoft:npm npmjs:npm These will require individual cve overrides that is outside the scope of this task. - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. - [x] Input data is properly validated, `SELECT ` is avoided, SQL injection is prevented (using placeholders for values in statements), JS inline code is prevented especially for url redirects, and untrusted data interpolated into shell scripts/commands is validated against shell metacharacters. ## Testing - [x] Added/updated automated tests - [x] QA'd all new/changed functionality manually <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit Bug Fixes * Enhanced CPE (Common Platform Enumeration) matching to reduce non-deterministic vendor selection when multiple vendors exist for the same software product. The algorithm now incorporates software ecosystem information to ensure more accurate and consistent vulnerability resolution across package types. <!-- end of auto-generated comment: release notes by coderabbit.ai --> 2026-03-24 22:48:02 +00:00			`<cpe-item name="cpe:/a:python:requests:2.31.0">`
			`<title xml:lang="en-US">Python Requests 2.31.0</title>`
			`<cpe-23:cpe23-item name="cpe:2.3:a:python:requests:2.31.0:::::::*"/>`
			`</cpe-item>`
			`<cpe-item name="cpe:/a:jenkins:requests:2.31.0">`
			`<title xml:lang="en-US">Jenkins Requests 2.31.0</title>`
			`<cpe-23:cpe23-item name="cpe:2.3:a:jenkins:requests:2.31.0:::::jenkins::"/>`
			`</cpe-item>`
			`<cpe-item name="cpe:/a:duplicity_project:duplicity:0.8.0">`
			`<title xml:lang="en-US">Duplicity Project Duplicity 0.8.0</title>`
			`<cpe-23:cpe23-item name="cpe:2.3:a:duplicity_project:duplicity:0.8.0:::::::*"/>`
			`</cpe-item>`
			`<cpe-item name="cpe:/a:debian:duplicity:0.8.0">`
			`<title xml:lang="en-US">Debian Duplicity 0.8.0</title>`
			`<cpe-23:cpe23-item name="cpe:2.3:a:debian:duplicity:0.8.0:::::::*"/>`
			`</cpe-item>`
			`<cpe-item name="cpe:/a:openjsf:express:4.18.0">`
			`<title xml:lang="en-US">OpenJS Foundation Express 4.18.0</title>`
			`<cpe-23:cpe23-item name="cpe:2.3:a:openjsf:express:4.18.0:::::node.js::"/>`
			`</cpe-item>`
			`<cpe-item name="cpe:/a:checkpoint:express:4.18.0">`
			`<title xml:lang="en-US">Check Point Express 4.18.0</title>`
			`<cpe-23:cpe23-item name="cpe:2.3:a:checkpoint:express:4.18.0:::::::*"/>`
			`</cpe-item>`
Issue 1435 software to cpe (#1488) * WIP * WIP * Make path optional and fix tests * Add first generate * Move to nvd package * remove replace * Re-add replace * It's path, not file name * Change how db path is set and use etag * Fix typos * Make db generation faster * Remove quotes * Doesn't like comments * Samitize etag and save to file * Refactor some things and improve writing of etagenv * Compress file and truncate amount of items for faster testing * Remove quotes * Try to improve performance * Ignore truncate error if not exists * Minor cleanup and make sqlite have cpe prefix * Simplify code and test sync * Add VCR for sync test * Check for nvdRelease nil * Add test for the actual translation * Address review comments * Rename generate command because we'll have a cve one too * Move to its own dir * Address review comments 2021-07-29 16:10:34 +00:00			`</cpe-list>`
			`