fleet/server/vulnerabilities/goval_dictionary/database.go

package goval_dictionary

import (
	"database/sql"
	"fmt"
	"strings"

	"github.com/fleetdm/fleet/v4/server/fleet"
	"github.com/fleetdm/fleet/v4/server/vulnerabilities/oval"
	"github.com/fleetdm/fleet/v4/server/vulnerabilities/utils"
	kitlog "github.com/go-kit/log"
	"github.com/go-kit/log/level"
)

func NewDB(db *sql.DB, platform oval.Platform) *Database {
	return &Database{sqlite: db, platform: platform}
}

type Database struct {
	sqlite   *sql.DB
	platform oval.Platform
}

const baseSearchStmt = `SELECT packages.version, cves.cve_id
    FROM packages join definitions on definitions.id = packages.definition_id
    JOIN advisories ON advisories.definition_id = definitions.id JOIN cves ON cves.advisory_id = advisories.id`

func (db Database) Verfiy() error {
	searchStmt := fmt.Sprintf("%s LIMIT 1", baseSearchStmt)
	affectedSoftwareRows, err := db.sqlite.Query(searchStmt)
	if err != nil {
		return fmt.Errorf("could not query database: %w", err)
	}

	defer affectedSoftwareRows.Close()

	if affectedSoftwareRows.Err() != nil {
		return affectedSoftwareRows.Err()
	}

	return nil
}

// Eval evaluates the current goval_dictionary database against an OS version and a list of installed software,
// returns all software vulnerabilities found. Logs on any errors so we return as many vulnerabilities as we can.
func (db Database) Eval(software []fleet.Software, logger kitlog.Logger) []fleet.SoftwareVulnerability {
	searchStmt := fmt.Sprintf("%s WHERE packages.name = ? AND packages.arch = ? ORDER BY cve_id, version", baseSearchStmt)
	vulnerabilities := make([]fleet.SoftwareVulnerability, 0)

	for _, swItem := range software {
		err := func() error {
			affectedSoftwareRows, err := db.sqlite.Query(searchStmt, swItem.Name, swItem.Arch)
			if err != nil {
				return fmt.Errorf("could not query database: %w", err)
			}
			defer affectedSoftwareRows.Close()
			for affectedSoftwareRows.Next() {
				var fixedVersionWithEpochPrefix, cve string
				if err := affectedSoftwareRows.Scan(&fixedVersionWithEpochPrefix, &cve); err != nil {
					level.Error(logger).Log(
						"msg", "could not read package vulnerability result",
						"package", swItem.Name,
						"arch", swItem.Arch,
						"platform", db.platform,
						"err", err,
					)
					continue
				}

				var currentVersion string
				if swItem.Release != "" {
					currentVersion = fmt.Sprintf("%s-%s", swItem.Version, swItem.Release)
				} else {
					currentVersion = swItem.Version
				}
				fixedVersion := strings.Split(fixedVersionWithEpochPrefix, ":")[1]

				if utils.Rpmvercmp(currentVersion, fixedVersion) < 0 {
					vulnerabilities = append(vulnerabilities, fleet.SoftwareVulnerability{
						SoftwareID:        swItem.ID,
						CVE:               cve,
						ResolvedInVersion: &fixedVersion,
					})
				}
			}

			if affectedSoftwareRows.Err() != nil {
				return affectedSoftwareRows.Err()
			}

			return nil
		}()
		if err != nil {
			level.Error(logger).Log(
				"msg", "could not read package vulnerabilities",
				"package", swItem.Name,
				"arch", swItem.Arch,
				"platform", db.platform,
				"err", err,
			)
		}
	}

	return vulnerabilities
}
Pull xz'd goval-dictionary sqlite files to evaluate vulnerabilities on Amazon Linux hosts (#21506) #20934 This is tied to https://github.com/fleetdm/vulnerabilities/pull/14; for supported OS versions (currently Amazon Linux 1/2/2022/2023) we'll pull XZ'd sqlite files from the vulnerabilities repo and query them to determine what's vulnerable. See the associated issue for how I self-QA'd this. This replaced OVAL parsing for Amazon Linux 2, as we were using the wrong data source there (Amazon has backported a bunch of fixes to their own-named releases, so any RHEL fixes don't match). Some checklist items are missing here; getting this set up in draft to get code feedback now, and I'll push updates with e.g. docs changes, as well ass an addition to the changes file. # Checklist for submitter If some of the following don't apply, delete the relevant line. <!-- Note that API documentation changes are now addressed by the product design team. --> - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files) for more information. - [x] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - [x] Added/updated tests - [x] Add tests to oval_platform - [x] Add sync_test - [x] Add database_test - [x] Manual QA for all new/changed functionality - [x] Update vulnerability management docs 2024-08-26 19:07:42 +00:00			`package goval_dictionary`

			`import (`
			`"database/sql"`
			`"fmt"`
validate generate-cve.yml outputs (#26752) https://github.com/fleetdm/fleet/issues/21300 - [x] Added/updated automated tests - [x] A detailed QA plan exists on the associated ticket (if it isn't there, work with the product group's QA engineer to add it) - [x] Manual QA for all new/changed functionality 2025-03-12 19:49:47 +00:00			`"strings"`

Pull xz'd goval-dictionary sqlite files to evaluate vulnerabilities on Amazon Linux hosts (#21506) #20934 This is tied to https://github.com/fleetdm/vulnerabilities/pull/14; for supported OS versions (currently Amazon Linux 1/2/2022/2023) we'll pull XZ'd sqlite files from the vulnerabilities repo and query them to determine what's vulnerable. See the associated issue for how I self-QA'd this. This replaced OVAL parsing for Amazon Linux 2, as we were using the wrong data source there (Amazon has backported a bunch of fixes to their own-named releases, so any RHEL fixes don't match). Some checklist items are missing here; getting this set up in draft to get code feedback now, and I'll push updates with e.g. docs changes, as well ass an addition to the changes file. # Checklist for submitter If some of the following don't apply, delete the relevant line. <!-- Note that API documentation changes are now addressed by the product design team. --> - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files) for more information. - [x] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - [x] Added/updated tests - [x] Add tests to oval_platform - [x] Add sync_test - [x] Add database_test - [x] Manual QA for all new/changed functionality - [x] Update vulnerability management docs 2024-08-26 19:07:42 +00:00			`"github.com/fleetdm/fleet/v4/server/fleet"`
			`"github.com/fleetdm/fleet/v4/server/vulnerabilities/oval"`
			`"github.com/fleetdm/fleet/v4/server/vulnerabilities/utils"`
			`kitlog "github.com/go-kit/log"`
			`"github.com/go-kit/log/level"`
			`)`

			`func NewDB(db sql.DB, platform oval.Platform) Database {`
			`return &Database{sqlite: db, platform: platform}`
			`}`

			`type Database struct {`
			`sqlite *sql.DB`
			`platform oval.Platform`
			`}`

validate generate-cve.yml outputs (#26752) https://github.com/fleetdm/fleet/issues/21300 - [x] Added/updated automated tests - [x] A detailed QA plan exists on the associated ticket (if it isn't there, work with the product group's QA engineer to add it) - [x] Manual QA for all new/changed functionality 2025-03-12 19:49:47 +00:00			const baseSearchStmt = `SELECT packages.version, cves.cve_id
			`FROM packages join definitions on definitions.id = packages.definition_id`
			JOIN advisories ON advisories.definition_id = definitions.id JOIN cves ON cves.advisory_id = advisories.id`

			`func (db Database) Verfiy() error {`
			`searchStmt := fmt.Sprintf("%s LIMIT 1", baseSearchStmt)`
			`affectedSoftwareRows, err := db.sqlite.Query(searchStmt)`
			`if err != nil {`
			`return fmt.Errorf("could not query database: %w", err)`
			`}`

			`defer affectedSoftwareRows.Close()`

			`if affectedSoftwareRows.Err() != nil {`
			`return affectedSoftwareRows.Err()`
			`}`

			`return nil`
			`}`

Pull xz'd goval-dictionary sqlite files to evaluate vulnerabilities on Amazon Linux hosts (#21506) #20934 This is tied to https://github.com/fleetdm/vulnerabilities/pull/14; for supported OS versions (currently Amazon Linux 1/2/2022/2023) we'll pull XZ'd sqlite files from the vulnerabilities repo and query them to determine what's vulnerable. See the associated issue for how I self-QA'd this. This replaced OVAL parsing for Amazon Linux 2, as we were using the wrong data source there (Amazon has backported a bunch of fixes to their own-named releases, so any RHEL fixes don't match). Some checklist items are missing here; getting this set up in draft to get code feedback now, and I'll push updates with e.g. docs changes, as well ass an addition to the changes file. # Checklist for submitter If some of the following don't apply, delete the relevant line. <!-- Note that API documentation changes are now addressed by the product design team. --> - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files) for more information. - [x] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - [x] Added/updated tests - [x] Add tests to oval_platform - [x] Add sync_test - [x] Add database_test - [x] Manual QA for all new/changed functionality - [x] Update vulnerability management docs 2024-08-26 19:07:42 +00:00			`// Eval evaluates the current goval_dictionary database against an OS version and a list of installed software,`
			`// returns all software vulnerabilities found. Logs on any errors so we return as many vulnerabilities as we can.`
			`func (db Database) Eval(software []fleet.Software, logger kitlog.Logger) []fleet.SoftwareVulnerability {`
validate generate-cve.yml outputs (#26752) https://github.com/fleetdm/fleet/issues/21300 - [x] Added/updated automated tests - [x] A detailed QA plan exists on the associated ticket (if it isn't there, work with the product group's QA engineer to add it) - [x] Manual QA for all new/changed functionality 2025-03-12 19:49:47 +00:00			`searchStmt := fmt.Sprintf("%s WHERE packages.name = ? AND packages.arch = ? ORDER BY cve_id, version", baseSearchStmt)`
Pull xz'd goval-dictionary sqlite files to evaluate vulnerabilities on Amazon Linux hosts (#21506) #20934 This is tied to https://github.com/fleetdm/vulnerabilities/pull/14; for supported OS versions (currently Amazon Linux 1/2/2022/2023) we'll pull XZ'd sqlite files from the vulnerabilities repo and query them to determine what's vulnerable. See the associated issue for how I self-QA'd this. This replaced OVAL parsing for Amazon Linux 2, as we were using the wrong data source there (Amazon has backported a bunch of fixes to their own-named releases, so any RHEL fixes don't match). Some checklist items are missing here; getting this set up in draft to get code feedback now, and I'll push updates with e.g. docs changes, as well ass an addition to the changes file. # Checklist for submitter If some of the following don't apply, delete the relevant line. <!-- Note that API documentation changes are now addressed by the product design team. --> - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files) for more information. - [x] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - [x] Added/updated tests - [x] Add tests to oval_platform - [x] Add sync_test - [x] Add database_test - [x] Manual QA for all new/changed functionality - [x] Update vulnerability management docs 2024-08-26 19:07:42 +00:00			`vulnerabilities := make([]fleet.SoftwareVulnerability, 0)`

			`for _, swItem := range software {`
			`err := func() error {`
			`affectedSoftwareRows, err := db.sqlite.Query(searchStmt, swItem.Name, swItem.Arch)`
			`if err != nil {`
			`return fmt.Errorf("could not query database: %w", err)`
			`}`
			`defer affectedSoftwareRows.Close()`
			`for affectedSoftwareRows.Next() {`
			`var fixedVersionWithEpochPrefix, cve string`
			`if err := affectedSoftwareRows.Scan(&fixedVersionWithEpochPrefix, &cve); err != nil {`
			`level.Error(logger).Log(`
			`"msg", "could not read package vulnerability result",`
			`"package", swItem.Name,`
			`"arch", swItem.Arch,`
			`"platform", db.platform,`
			`"err", err,`
			`)`
			`continue`
			`}`

			`var currentVersion string`
			`if swItem.Release != "" {`
			`currentVersion = fmt.Sprintf("%s-%s", swItem.Version, swItem.Release)`
			`} else {`
			`currentVersion = swItem.Version`
			`}`
			`fixedVersion := strings.Split(fixedVersionWithEpochPrefix, ":")[1]`

			`if utils.Rpmvercmp(currentVersion, fixedVersion) < 0 {`
			`vulnerabilities = append(vulnerabilities, fleet.SoftwareVulnerability{`
			`SoftwareID: swItem.ID,`
			`CVE: cve,`
			`ResolvedInVersion: &fixedVersion,`
			`})`
			`}`
			`}`

			`if affectedSoftwareRows.Err() != nil {`
			`return affectedSoftwareRows.Err()`
			`}`

			`return nil`
			`}()`
			`if err != nil {`
			`level.Error(logger).Log(`
			`"msg", "could not read package vulnerabilities",`
			`"package", swItem.Name,`
			`"arch", swItem.Arch,`
			`"platform", db.platform,`
			`"err", err,`
			`)`
			`}`
			`}`

			`return vulnerabilities`
			`}`