From 1176afbb0bbaa5be3f97b4a335463d312979c38d Mon Sep 17 00:00:00 2001
From: Victor Lyuboslavsky
Date: Sun, 11 Aug 2024 20:57:29 +0200
Subject: [PATCH] Vuln cron fail fix (#21240)

#21239

This PR fixes the generated vuln JSON files, which would get the current customers up and running.

QA Done:
- New vuln JSON files generated at: https://github.com/getvictor/vulnerabilities/releases
- Ran local server with new vuln JSON files by setting `export TEST_VULN_GITHUB_OWNER=getvictor`
- Diff of JSON files from https://github.com/fleetdm/vulnerabilities and https://github.com/getvictor/vulnerabilities

Steps for diff:
```
mkdir new
cd new
gh release download cve-202408111650 -D . -R getvictor/vulnerabilities
gunzip *.gz
cd ../
mkdir old
cd old
gh release download cve-202408111637 -D . -R fleetdm/vulnerabilities
gunzip *.gz
cd ..
diff old new
```

Diff results also remove a few Rejected CVEs from JSON files. The 2024 results also have a few minor diffs that don't seem significant.
---
 server/vulnerabilities/nvd/sync/cve_syncer.go | 20 +++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)

diff --git a/server/vulnerabilities/nvd/sync/cve_syncer.go b/server/vulnerabilities/nvd/sync/cve_syncer.go
index bad1289a36..c1100fb28b 100644
--- a/server/vulnerabilities/nvd/sync/cve_syncer.go
+++ b/server/vulnerabilities/nvd/sync/cve_syncer.go
@@ -781,15 +781,31 @@ func convertAPI20CVEToLegacy(cve nvdapi.CVE, logger log.Logger) *schema.NVDCVEFe
 	descriptions := make([]*schema.CVEJSON40LangString, 0, len(cve.Descriptions))
 	for _, description := range cve.Descriptions {
 		// Keep only english descriptions to match the legacy.
-		if description.Lang != "en" {
+		var lang string
+		switch {
+		case description.Lang == "en":
+			lang = description.Lang
+		case description.Lang == "en-US":
+			// This occurred starting with Microsoft CVE-2024-38200
+			lang = "en"
+		default:
+			// Non-english descriptions are ignored.
 			continue
 		}
 		descriptions = append(descriptions, &schema.CVEJSON40LangString{
-			Lang: description.Lang,
+			Lang: lang,
 			Value: description.Value,
 		})
 	}
 
+	if len(descriptions) == 0 {
+		// Populate a blank description to prevent Fleet cron job from crashing: https://github.com/fleetdm/fleet/issues/21239
+		descriptions = append(descriptions, &schema.CVEJSON40LangString{
+			Lang: "en",
+			Value: "",
+		})
+	}
+
 	problemtypeData := make([]*schema.CVEJSON40ProblemtypeProblemtypeData, 0, len(cve.Weaknesses))
 	if len(cve.Weaknesses) == 0 {
 		problemtypeData = append(problemtypeData, &schema.CVEJSON40ProblemtypeProblemtypeData{
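Review bot: The new switch recognizes only the exact tag `en-US`, so any other English variant a CNA may emit (`en-GB`, a lowercase `en-us`) still falls into the `default: continue` arm and the CVE is written out with the blank fallback description, and because the `len(descriptions) == 0` branch logs nothing, that data loss in a feed customers rely on for vulnerability detail goes unnoticed. I would compare the BCP-47 primary subtag with `strings.EqualFold` instead of enumerating tags, and warn through the `logger` parameter when the fallback fires so affected CVEs can be found; `strings` may need adding to the file's imports, and the id field name on `nvdapi.CVE` (written as `cve.ID` below) should be confirmed, as should whether the project prefers a `level.Warn(logger)` helper over a raw `logger.Log`. The `case description.Lang == "en": lang = description.Lang` arm also just assigns `"en"` to itself, which the rewrite folds away. `convertAPI20CVEToLegacy` starts before and continues past this hunk.

```go
	for _, description := range cve.Descriptions {
		// Keep only English descriptions to match the legacy feed; compare the
		// BCP-47 primary subtag so "en-US", "en-GB" or "en-us" all qualify,
		// not just the two literal tags seen so far.
		primary, _, _ := strings.Cut(description.Lang, "-")
		if !strings.EqualFold(primary, "en") {
			continue
		}
		descriptions = append(descriptions, &schema.CVEJSON40LangString{
			Lang:  "en", // normalized: the legacy schema only ever carried "en"
			Value: description.Value,
		})
	}

	if len(descriptions) == 0 {
		// A blank entry keeps the legacy loader from crashing on CVEs with no
		// English text (fleetdm/fleet#21239); warn so the gap is visible rather
		// than silently shipped to customers.
		logger.Log("level", "warn", "msg", "CVE has no English description, emitting blank", "cve", cve.ID) // confirm cve.ID field name
		// … unchanged: append the blank "en" description …
	}
```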