From 20376ec8aba9c25b55ae464c700dff642b894574 Mon Sep 17 00:00:00 2001
From: Ian Littman
Date: Wed, 25 Jun 2025 16:25:26 -0500
Subject: [PATCH] Tweak CVE feed build to avoid false positives in CVE-2024-54559 (#30293)
Fixes #28207. No changes file since this will go live once merged, and it affects the vulns feed. Tests will fail for vulns on-branch since this requires a vulns feed rebuild.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements)
- [x] Added/updated automated tests
- [x] Manual QA for all new/changed functionality
---
 server/vulnerabilities/nvd/cve_test.go | 8 ++++++++
 server/vulnerabilities/nvd/sync/cve_syncer.go | 12 +++++++++++-
 2 files changed, 19 insertions(+), 1 deletion(-)
diff --git a/server/vulnerabilities/nvd/cve_test.go b/server/vulnerabilities/nvd/cve_test.go
index c5d92fe655..5fbe09b8fe 100644
--- a/server/vulnerabilities/nvd/cve_test.go
+++ b/server/vulnerabilities/nvd/cve_test.go
@@ -229,6 +229,14 @@ func TestTranslateCPEToCVE(t *testing.T) {
 },
 continuesToUpdate: true,
 },
+ "cpe:2.3:a:apple:garageband:10.4.11:*:*:*:*:macos:*:*": {
+ excludedCVEs: []string{"CVE-2024-54559"},
+ continuesToUpdate: true,
+ },
+ "cpe:2.3:o:apple:macos:15.1.1:*:*:*:*:*:*:*": {
+ includedCVEs: []cve{{ID: "CVE-2024-54559", resolvedInVersion: "15.2"}},
+ continuesToUpdate: true,
+ },
 "cpe:2.3:a:avira:password_manager:2.18.4.38471:*:*:*:*:firefox:*:*": {
 includedCVEs: []cve{
 {ID: "CVE-2022-28795"},
diff --git a/server/vulnerabilities/nvd/sync/cve_syncer.go b/server/vulnerabilities/nvd/sync/cve_syncer.go
index 696d3adaca..79c0084ac4 100644
--- a/server/vulnerabilities/nvd/sync/cve_syncer.go
+++ b/server/vulnerabilities/nvd/sync/cve_syncer.go
@@ -433,7 +433,7 @@ func (s *CVE) sync(ctx context.Context, lastModStartDate *string) (newLastModSta
 return "", err
 }
 vulnerabilitiesReceived++
- cvesByYear[year] = append(cvesByYear[year], vuln)
+ cvesByYear[year] = append(cvesByYear[year], transformVuln(vuln))
 }
 // Dump vulnerabilities to the year files to reduce memory footprint.
@@ -481,6 +481,16 @@ func (s *CVE) sync(ctx context.Context, lastModStartDate *string) (newLastModSta
 return newLastModStartDate, nil
 }
+// cleans up vulnerability feed entries that are incorrect from NVD, allowing fixing bugged NVD rules without needing
+// to update Fleet server
+func transformVuln(item nvdapi.CVEItem) nvdapi.CVEItem {
+ if item.CVE.ID != nil && *item.CVE.ID == "CVE-2024-54559" {
+ item.CVE.Configurations[0].Nodes[0].CPEMatch = item.CVE.Configurations[0].Nodes[0].CPEMatch[0:1]
+ }
+ return item
+}
+
 func (s *CVE) DoVulnCheck(ctx context.Context) error {
 vulnCheckArchive := "vulncheck.zip"
 baseURL := "https://api.vulncheck.com/v3/backup/nist-nvd2"
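Review bot: transformVuln indexes `Configurations[0].Nodes[0].CPEMatch` without checking that any of those slices is non-empty, so if NVD reshapes the CVE-2024-54559 record (no configurations, a node with no matches) the slice expression panics inside sync's per-vulnerability loop and aborts the whole feed build instead of merely skipping the override. The override also keys on the CVE ID alone and keeps whichever match NVD happens to list first; the test hunk pins that macOS 15.1.1 still matches and garageband 10.4.11 does not, but if NVD later corrects or reorders the entry the same `[0:1]` would presumably drop a legitimate match rather than a spurious one, so guarding on the expected shape and leaving the entry untouched otherwise is the safer default. The doc comment should name what is wrong upstream and the tracking issue, e.g. `// transformVuln patches NVD entries that are known to be wrong so the feed can be fixed without a Fleet server release. CVE-2024-54559 (#28207): the NVD entry carries extra CPE matches that produce false positives; only the first match is kept until NVD corrects it.` The rewrite below keeps the signature and fails closed on an unexpected shape.
```go
func transformVuln(item nvdapi.CVEItem) nvdapi.CVEItem {
	if item.CVE.ID == nil || *item.CVE.ID != "CVE-2024-54559" {
		return item
	}
	// Leave the entry untouched (rather than panicking in the sync loop) if NVD
	// changes the record's shape; the override only makes sense for the known layout.
	if len(item.CVE.Configurations) == 0 || len(item.CVE.Configurations[0].Nodes) == 0 ||
		len(item.CVE.Configurations[0].Nodes[0].CPEMatch) < 2 {
		return item
	}
	item.CVE.Configurations[0].Nodes[0].CPEMatch = item.CVE.Configurations[0].Nodes[0].CPEMatch[:1]
	return item
}
```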