From 362a0e545e66ea2a7b07ec2e5a64a18b02a016a2 Mon Sep 17 00:00:00 2001
From: Tim Lee
Date: Wed, 24 Jul 2024 10:53:33 -0600
Subject: [PATCH] 18913 ignore rejected NVD vulnerabilities (#20193)

#18913 Recreating PR (ref: https://github.com/fleetdm/fleet/pull/19972)
---
 changes/18913-ignore-rejected-cves | 1 +
 server/vulnerabilities/nvd/cve_test.go | 4 +++-
 server/vulnerabilities/nvd/sync/cve_syncer.go | 6 ++++++
 3 files changed, 10 insertions(+), 1 deletion(-)
 create mode 100644 changes/18913-ignore-rejected-cves

diff --git a/changes/18913-ignore-rejected-cves b/changes/18913-ignore-rejected-cves
new file mode 100644
index 0000000000..1fabe60f9f
--- /dev/null
+++ b/changes/18913-ignore-rejected-cves
@@ -0,0 +1 @@
+CVEs identified as 'Rejected' in NVD will no longer match against software
\ No newline at end of file
diff --git a/server/vulnerabilities/nvd/cve_test.go b/server/vulnerabilities/nvd/cve_test.go
index a98c9ca239..c69897179d 100644
--- a/server/vulnerabilities/nvd/cve_test.go
+++ b/server/vulnerabilities/nvd/cve_test.go
@@ -318,7 +318,9 @@ func TestTranslateCPEToCVE(t *testing.T) {
 {ID: "CVE-2023-42950", resolvedInVersion: "17.2"},
 {ID: "CVE-2024-23273", resolvedInVersion: "17.4"},
 },
- excludedCVEs: []string{"CVE-2023-28205"},
+ excludedCVEs: []string{
+ "CVE-2023-28205", // This vulnerability is for Safari 16.4.0
+ },
 continuesToUpdate: true,
 },
 "cpe:2.3:a:apple:safari:16.4.0:*:*:*:*:macos:*:*": {
diff --git a/server/vulnerabilities/nvd/sync/cve_syncer.go b/server/vulnerabilities/nvd/sync/cve_syncer.go
index 178429cf65..bad1289a36 100644
--- a/server/vulnerabilities/nvd/sync/cve_syncer.go
+++ b/server/vulnerabilities/nvd/sync/cve_syncer.go
@@ -199,6 +199,9 @@ func (s *CVE) updateYearFile(year int, cves []nvdapi.CVEItem) error {
 // Convert new API 2.0 format to legacy feed format and create map of new CVE information.
 newLegacyCVEs := make(map[string]*schema.NVDCVEFeedJSON10DefCVEItem)
 for _, cve := range cves {
+ if cve.CVE.VulnStatus != nil && *cve.CVE.VulnStatus == "Rejected" {
+ continue
+ }
 legacyCVE := convertAPI20CVEToLegacy(cve.CVE, s.logger)
 newLegacyCVEs[legacyCVE.CVE.CVEDataMeta.ID] = legacyCVE
 }
@@ -249,6 +252,9 @@ func (s *CVE) updateVulnCheckYearFile(year int, cves []VulnCheckCVE, modCount, a
 // Convert new API 2.0 format to legacy feed format and create map of new CVE information.
 newLegacyCVEs := make(map[string]*schema.NVDCVEFeedJSON10DefCVEItem)
 for _, cve := range cves {
+ if cve.CVE.VulnStatus != nil && *cve.CVE.VulnStatus == "Rejected" {
+ continue
+ }
 legacyCVE := convertAPI20CVEToLegacy(cve.CVE, s.logger)
 updateWithVulnCheckConfigurations(legacyCVE, cve.VcConfigurations)
 newLegacyCVEs[legacyCVE.CVE.CVEDataMeta.ID] = legacyCVE
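Review bot: The `Rejected` skip only keeps a rejected CVE out of `newLegacyCVEs`, so if the remainder of `updateYearFile` (its body continues outside the hunk) merges that map into an already-stored year file rather than replacing it, a CVE that NVD rejected after an earlier sync would keep its stale entry and continue to match software; the same applies to `updateVulnCheckYearFile` in the second hunk. If that is the intended behaviour a comment above the `if` should say so, otherwise the rejected ID should also be deleted from the existing year data. The literal `"Rejected"` and the nil-guarded comparison are duplicated in both hunks; a single `const vulnStatusRejected = "Rejected"` used as `if cve.CVE.VulnStatus != nil && *cve.CVE.VulnStatus == vulnStatusRejected {` keeps the two call sites in step and documents which NVD vulnStatus value is meant. The cve_test.go change in this commit only adds a comment, so no test exercises the new skip; a syncer test feeding an item whose `VulnStatus` is `"Rejected"` and asserting it is absent from the written year file would pin the behaviour.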