diff --git a/server/vulnerabilities/nvd/cve_test.go b/server/vulnerabilities/nvd/cve_test.go
index c5d92fe655..5fbe09b8fe 100644
--- a/server/vulnerabilities/nvd/cve_test.go
+++ b/server/vulnerabilities/nvd/cve_test.go
@@ -229,6 +229,14 @@ func TestTranslateCPEToCVE(t *testing.T) {
 },
 continuesToUpdate: true,
 },
+ "cpe:2.3:a:apple:garageband:10.4.11:*:*:*:*:macos:*:*": {
+ excludedCVEs: []string{"CVE-2024-54559"},
+ continuesToUpdate: true,
+ },
+ "cpe:2.3:o:apple:macos:15.1.1:*:*:*:*:*:*:*": {
+ includedCVEs: []cve{{ID: "CVE-2024-54559", resolvedInVersion: "15.2"}},
+ continuesToUpdate: true,
+ },
 "cpe:2.3:a:avira:password_manager:2.18.4.38471:*:*:*:*:firefox:*:*": {
 includedCVEs: []cve{
 {ID: "CVE-2022-28795"},
diff --git a/server/vulnerabilities/nvd/sync/cve_syncer.go b/server/vulnerabilities/nvd/sync/cve_syncer.go
index 696d3adaca..79c0084ac4 100644
--- a/server/vulnerabilities/nvd/sync/cve_syncer.go
+++ b/server/vulnerabilities/nvd/sync/cve_syncer.go
@@ -433,7 +433,7 @@ func (s *CVE) sync(ctx context.Context, lastModStartDate *string) (newLastModSta
 return "", err
 }
 vulnerabilitiesReceived++
- cvesByYear[year] = append(cvesByYear[year], vuln)
+ cvesByYear[year] = append(cvesByYear[year], transformVuln(vuln))
 }
 
 // Dump vulnerabilities to the year files to reduce memory footprint.
@@ -481,6 +481,16 @@ func (s *CVE) sync(ctx context.Context, lastModStartDate *string) (newLastModSta
 return newLastModStartDate, nil
 }
 
+// cleans up vulnerability feed entries that are incorrect from NVD, allowing fixing bugged NVD rules without needing
+// to update Fleet server
+func transformVuln(item nvdapi.CVEItem) nvdapi.CVEItem {
+ if item.CVE.ID != nil && *item.CVE.ID == "CVE-2024-54559" {
+ item.CVE.Configurations[0].Nodes[0].CPEMatch = item.CVE.Configurations[0].Nodes[0].CPEMatch[0:1]
+ }
+
+ return item
+}
+
 func (s *CVE) DoVulnCheck(ctx context.Context) error {
 vulnCheckArchive := "vulncheck.zip"
 baseURL := "https://api.vulncheck.com/v3/backup/nist-vd2"
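Review bot: In transformVuln, `item.CVE.Configurations[0].Nodes[0].CPEMatch[0:1]` indexes three levels of feed data with no length check, so if NVD reshapes the CVE-2024-54559 entry (empty configurations, no nodes, or a single match) the override panics, and since the call sits inside the receive loop of sync in the earlier hunk that appears to abort the whole feed refresh rather than just this one record. The rewrite below guards each level and skips the trim when there is nothing to trim. The override also assumes NVD keeps the intended macOS match first in CPEMatch; a comment stating which entry is kept and why would let the next maintainer verify that against the feed and retire the override once NVD fixes the record. The doc comment should also follow the Go convention of starting with the name, e.g. `// transformVuln patches known-bad NVD feed entries before they are written to the year files.`
```go
func transformVuln(item nvdapi.CVEItem) nvdapi.CVEItem {
	if item.CVE.ID == nil || *item.CVE.ID != "CVE-2024-54559" {
		return item
	}
	// Keep only the first CPE match of the first node; the remaining matches in
	// the NVD entry are the ones being suppressed. Guard every index so a
	// reshaped feed entry degrades to "no override" instead of panicking sync.
	if len(item.CVE.Configurations) > 0 && len(item.CVE.Configurations[0].Nodes) > 0 &&
		len(item.CVE.Configurations[0].Nodes[0].CPEMatch) > 1 {
		item.CVE.Configurations[0].Nodes[0].CPEMatch = item.CVE.Configurations[0].Nodes[0].CPEMatch[:1]
	}
	return item
}
```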