filter out kernels with 0 hosts (#32292)

Closes https://github.com/fleetdm/fleet/issues/32257 # Checklist for submitter If some of the following don't apply, delete the relevant line. - [x] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) ## Testing - [x] Added/updated automated tests - [x] Where appropriate, [automated tests simulate multiple hosts and test for host isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing) (updates to one hosts's records do not affect another) - [x] QA'd all new/changed functionality manually For unreleased bug fixes in a release candidate, one of: - [x] Confirmed that the fix is not expected to adversely impact load test results
2026-05-24 01:18:42 +00:00 · 2025-08-25 20:55:57 -04:00 · 2025-08-25 20:55:57 -04:00 · 262ba193bc
commit 262ba193bc
parent 7ce6f0ca96
2 changed files with 31 additions and 11 deletions
--- a/server/datastore/mysql/operating_system_vulnerabilities.go
+++ b/server/datastore/mysql/operating_system_vulnerabilities.go
@ -228,7 +228,10 @@ FROM
 	LEFT JOIN software_cve ON software.id = software_cve.software_id
 	JOIN kernel_host_counts ON kernel_host_counts.software_id = software.id
 WHERE
-	kernel_host_counts.os_version_id = ? %s GROUP BY id, cve, version
+	kernel_host_counts.os_version_id = ?
+	AND kernel_host_counts.hosts_count > 0
+    %s
+GROUP BY id, cve, version
 `

 	var tmID uint
--- a/server/datastore/mysql/operating_system_vulnerabilities_test.go
+++ b/server/datastore/mysql/operating_system_vulnerabilities_test.go
@ -592,11 +592,15 @@ func testKernelVulnsHostCount(t *testing.T, ds *Datastore) {
 		require.NoError(t, ds.LoadHostSoftware(ctx, h, false))
 	}

-	require.NoError(t, ds.UpdateOSVersions(ctx))
-	require.NoError(t, ds.SyncHostsSoftware(ctx, time.Now()))
-	require.NoError(t, ds.ReconcileSoftwareTitles(ctx))
-	require.NoError(t, ds.SyncHostsSoftwareTitles(ctx, time.Now()))
-	require.NoError(t, ds.InsertKernelSoftwareMapping(ctx))
+	updateMappings := func() {
+		require.NoError(t, ds.UpdateOSVersions(ctx))
+		require.NoError(t, ds.SyncHostsSoftware(ctx, time.Now()))
+		require.NoError(t, ds.ReconcileSoftwareTitles(ctx))
+		require.NoError(t, ds.SyncHostsSoftwareTitles(ctx, time.Now()))
+		require.NoError(t, ds.InsertKernelSoftwareMapping(ctx))
+	}
+
+	updateMappings()

 	expectedCVEs := []string{"CVE-2025-0001", "CVE-2025-0002"}

@ -639,11 +643,7 @@ func testKernelVulnsHostCount(t *testing.T, ds *Datastore) {
 	require.NoError(t, ds.UpdateHostOperatingSystem(ctx, host5.ID, *os2))
 	addKernelToHost(host5)

-	require.NoError(t, ds.UpdateOSVersions(ctx))
-	require.NoError(t, ds.SyncHostsSoftware(ctx, time.Now()))
-	require.NoError(t, ds.ReconcileSoftwareTitles(ctx))
-	require.NoError(t, ds.SyncHostsSoftwareTitles(ctx, time.Now()))
-	require.NoError(t, ds.InsertKernelSoftwareMapping(ctx))
+	updateMappings()

 	kernels, err = ds.ListKernelsByOS(ctx, os2.OSVersionID, &team1.ID)
 	require.NoError(t, err)
@ -659,4 +659,21 @@ func testKernelVulnsHostCount(t *testing.T, ds *Datastore) {
 	assert.ElementsMatchf(t, expectedCVEs, kernels[0].Vulnerabilities, "unexpected vulnerabilities for kernel %s", kernels[0].Version)
 	assert.Equal(t, uint(4), kernels[0].HostsCount)

+	// Delete host 1. We should see the count for the kernel go down to 0.
+	require.NoError(t, ds.DeleteHost(ctx, host1.ID))
+
+	updateMappings()
+
+	ExecAdhocSQL(t, ds, func(q sqlx.ExtContext) error {
+		var count uint
+		err := sqlx.GetContext(ctx, q, &count, "SELECT hosts_count FROM kernel_host_counts WHERE os_version_id = ?", os1.OSVersionID)
+		require.NoError(t, err)
+		assert.Zero(t, count)
+		return nil
+	})
+
+	kernels, err = ds.ListKernelsByOS(ctx, os1.OSVersionID, nil)
+	require.NoError(t, err)
+	require.Empty(t, kernels)
+
 }