From 32c5c47b1fcfa786a4c50bd311494651e52b4b93 Mon Sep 17 00:00:00 2001
From: Jahziel Villasana-Espinoza <jahziel@fleetdm.com>
Date: Fri, 7 Mar 2025 10:24:56 -0500
Subject: [PATCH] added panic recovery to software mutations flow just to be
 safe (#26932)

> For #24784

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

<!-- Note that API documentation changes are now addressed by the
product design team. -->
- [x] Added/updated automated tests
- [x] Manual QA for all new/changed functionality
---
 server/vulnerabilities/nvd/cpe.go      | 5 +++++
 server/vulnerabilities/nvd/cpe_test.go | 2 +-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/server/vulnerabilities/nvd/cpe.go b/server/vulnerabilities/nvd/cpe.go
index 415bf5703a..9ae7d6ec28 100644
--- a/server/vulnerabilities/nvd/cpe.go
+++ b/server/vulnerabilities/nvd/cpe.go
@@ -372,6 +372,11 @@ var (
 func mutateSoftware(software *fleet.Software, logger log.Logger) {
 	for _, transformer := range softwareTransformers {
 		if transformer.matches(software) {
+			defer func() {
+				if r := recover(); r != nil {
+					level.Warn(logger).Log("msg", "panic during software mutation", "softwareName", software.Name, "softwareVersion", software.Version, "error", r)
+				}
+			}()
 			transformer.mutate(software, logger)
 			break
 		}
diff --git a/server/vulnerabilities/nvd/cpe_test.go b/server/vulnerabilities/nvd/cpe_test.go
index 8219ef101e..a439676a71 100644
--- a/server/vulnerabilities/nvd/cpe_test.go
+++ b/server/vulnerabilities/nvd/cpe_test.go
@@ -2134,7 +2134,7 @@ func TestMutateSoftware(t *testing.T) {
 		},
 	} {
 		t.Run(tc.name, func(t *testing.T) {
-			mutateSoftware(tc.s, log.NewNopLogger())
+			require.NotPanics(t, func() { mutateSoftware(tc.s, log.NewNopLogger()) })
 			require.Equal(t, tc.sanitized, tc.s)
 		})
 	}