Tweak CVE feed build to avoid false positives in CVE-2024-54559 (#30293)

Fixes #28207.

No changes file since this will go live once merged, and it affects the
vulns feed. Vulnerability tests will fail on this branch until the
vulns feed is rebuilt.

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

<!-- Note that API documentation changes are now addressed by the
product design team. -->

- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [x] Added/updated automated tests
- [x] Manual QA for all new/changed functionality
This commit is contained in:
Ian Littman 2025-06-25 16:25:26 -05:00 committed by GitHub
parent 7c419e6832
commit 20376ec8ab
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 19 additions and 1 deletions


@ -229,6 +229,14 @@ func TestTranslateCPEToCVE(t *testing.T) {
},
continuesToUpdate: true,
},
"cpe:2.3:a:apple:garageband:10.4.11:*:*:*:*:macos:*:*": {
excludedCVEs: []string{"CVE-2024-54559"},
continuesToUpdate: true,
},
"cpe:2.3:o:apple:macos:15.1.1:*:*:*:*:*:*:*": {
includedCVEs: []cve{{ID: "CVE-2024-54559", resolvedInVersion: "15.2"}},
continuesToUpdate: true,
},
"cpe:2.3:a:avira:password_manager:2.18.4.38471:*:*:*:*:firefox:*:*": {
includedCVEs: []cve{
{ID: "CVE-2022-28795"},


@ -433,7 +433,7 @@ func (s *CVE) sync(ctx context.Context, lastModStartDate *string) (newLastModSta
return "", err
}
vulnerabilitiesReceived++
cvesByYear[year] = append(cvesByYear[year], vuln)
cvesByYear[year] = append(cvesByYear[year], transformVuln(vuln))
}
// Dump vulnerabilities to the year files to reduce memory footprint.
@ -481,6 +481,16 @@ func (s *CVE) sync(ctx context.Context, lastModStartDate *string) (newLastModSta
return newLastModStartDate, nil
}
// cleans up vulnerability feed entries that are incorrect from NVD, allowing fixing bugged NVD rules without needing
// to update Fleet server
func transformVuln(item nvdapi.CVEItem) nvdapi.CVEItem {
if item.CVE.ID != nil && *item.CVE.ID == "CVE-2024-54559" {
item.CVE.Configurations[0].Nodes[0].CPEMatch = item.CVE.Configurations[0].Nodes[0].CPEMatch[0:1]
}
return item
}
func (s *CVE) DoVulnCheck(ctx context.Context) error {
vulnCheckArchive := "vulncheck.zip"
baseURL := "https://api.vulncheck.com/v3/backup/nist-nvd2"
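Review bot: The chained indexing `item.CVE.Configurations[0].Nodes[0].CPEMatch[0:1]` in transformVuln panics if NVD republishes CVE-2024-54559 with an empty configurations, nodes or cpeMatch list, and because transformVuln is called inside sync's per-vulnerability loop, that panic aborts the whole feed build rather than just skipping the one record. Guarding each level with a length check and returning the item unchanged keeps a reshaped upstream record from taking down the sync. The rule also relies on the first cpeMatch entry being the one to keep; that assumption is visible only in the test, so it should be stated in the comment above the function (or, more robustly, the match should be selected by its CPE string rather than by position). Per Go convention the doc comment should also start with the function name, e.g. `// transformVuln cleans up vulnerability feed entries that are incorrect from NVD, ...`. DoVulnCheck's body continues outside the hunk.
```go
func transformVuln(item nvdapi.CVEItem) nvdapi.CVEItem {
	if item.CVE.ID == nil || *item.CVE.ID != "CVE-2024-54559" {
		return item
	}
	// Presumably the first cpeMatch is the affected macOS range and the rest
	// are the false-positive app CPEs — confirm against the NVD record.
	// Guard every level so a reshaped upstream record cannot panic the sync.
	if len(item.CVE.Configurations) == 0 ||
		len(item.CVE.Configurations[0].Nodes) == 0 ||
		len(item.CVE.Configurations[0].Nodes[0].CPEMatch) == 0 {
		return item
	}
	item.CVE.Configurations[0].Nodes[0].CPEMatch = item.CVE.Configurations[0].Nodes[0].CPEMatch[:1]
	return item
}
```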