Set ResolvedInVersion for osv vuln scanning (#43087)

Bug fix for https://github.com/fleetdm/fleet/pull/42063 **Related issue:** Resolves #40057 # Checklist for submitter ## Testing - [x] Added/updated automated tests - [x] QA'd all new/changed functionality manually For unreleased bug fixes in a release candidate, one of: - [ ] Confirmed that the fix is not expected to adversely impact load test results --------- Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
2026-04-21 13:37:30 +00:00 · 2026-04-06 17:15:07 -05:00 · 2026-04-06 17:15:07 -05:00 · 4587edfb72
commit 4587edfb72
parent 0342347675
2 changed files with 28 additions and 3 deletions
--- a/server/vulnerabilities/osv/analyzer.go
+++ b/server/vulnerabilities/osv/analyzer.go
@ -265,9 +265,15 @@ func matchSoftwareToOSV(software []fleet.Software, artifact *OSVArtifact) []flee

 		for _, vuln := range vulns {
 			if isVulnerable(sw.Version, vuln, isKernelPackage) {
+				var resolvedIn *string
+				if vuln.Fixed != "" {
+					fixed := vuln.Fixed // Create a copy to get a stable pointer
+					resolvedIn = &fixed
+				}
 				result = append(result, fleet.SoftwareVulnerability{
-					SoftwareID: sw.ID,
-					CVE:        vuln.CVE,
+					SoftwareID:        sw.ID,
+					CVE:               vuln.CVE,
+					ResolvedInVersion: resolvedIn,
 				})
 			}
 		}
--- a/server/vulnerabilities/osv/analyzer_test.go
+++ b/server/vulnerabilities/osv/analyzer_test.go
@ -11,6 +11,7 @@ import (
 	"time"

 	"github.com/fleetdm/fleet/v4/server/fleet"
+	"github.com/fleetdm/fleet/v4/server/ptr"
 	"github.com/stretchr/testify/require"
 )

@ -475,7 +476,25 @@ func TestMatchSoftwareToOSV(t *testing.T) {
 				},
 			},
 			expected: []fleet.SoftwareVulnerability{
-				{SoftwareID: 1, CVE: "CVE-2024-5555"},
+				{SoftwareID: 1, CVE: "CVE-2024-5555", ResolvedInVersion: ptr.String("2.4.50")},
+			},
+		},
+		{
+			name: "Range-based vulnerability matching with multiple fixed versions",
+			software: []fleet.Software{
+				{ID: 1, Name: "apache2", Version: "2.4.41"},
+			},
+			artifact: &OSVArtifact{
+				Vulnerabilities: map[string][]OSVVulnerability{
+					"apache2": {
+						{CVE: "CVE-2024-5555", Introduced: "2.4.0", Fixed: "2.4.50"},
+						{CVE: "CVE-2024-6666", Introduced: "2.4.10", Fixed: "2.4.48"},
+					},
+				},
+			},
+			expected: []fleet.SoftwareVulnerability{
+				{SoftwareID: 1, CVE: "CVE-2024-5555", ResolvedInVersion: ptr.String("2.4.50")},
+				{SoftwareID: 1, CVE: "CVE-2024-6666", ResolvedInVersion: ptr.String("2.4.48")},
 			},
 		},
 		{