From 4792d0bf7b5d2a883d707dad44d75a95ce22bf52 Mon Sep 17 00:00:00 2001 From: Ian Littman Date: Tue, 21 Jan 2025 15:34:44 -0600 Subject: [PATCH] Map product/vendor for homebrew "pass" package, skip "jira" python package as it has no CVEs (#25626) For #25597. Needs to be QA'd pre-merge /cc @jmwatts # Checklist for submitter If some of the following don't apply, delete the relevant line. - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files) for more information. - [x] Added/updated automated tests - [x] A detailed QA plan exists on the associated ticket (if it isn't there, work with the product group's QA engineer to add it) - [x] Manual QA for all new/changed functionality
---
 changes/25597-false-positives | 1 +
 server/vulnerabilities/nvd/cpe_test.go | 17 +++++++++++++++++
 .../vulnerabilities/nvd/cpe_translations.json | 19 +++++++++++++++++++
 server/vulnerabilities/nvd/cve_test.go | 3 +++
 4 files changed, 40 insertions(+)
 create mode 100644 changes/25597-false-positives
diff --git a/changes/25597-false-positives b/changes/25597-false-positives
new file mode 100644
index 0000000000..54bb853963
--- /dev/null
+++ b/changes/25597-false-positives
@@ -0,0 +1 @@
+* Resolved false-positives for the `pass` Homebrew package and `jira` Python package via a vulnerability feed update available to all Fleet versions on 2025-01-22
diff --git a/server/vulnerabilities/nvd/cpe_test.go b/server/vulnerabilities/nvd/cpe_test.go
index 7f10af535b..8a669d81c9
--- a/server/vulnerabilities/nvd/cpe_test.go
+++ b/server/vulnerabilities/nvd/cpe_test.go
@@ -1314,6 +1314,14 @@ func TestCPEFromSoftwareIntegration(t *testing.T) {
 Version: "6.0.1",
 }, cpe: "",
 },
+ // 2025-01-20: there are no entries for the jira python package at the NVD dataset.
+ {
+ software: fleet.Software{
+ Name: "jira",
+ Source: "python_packages",
+ Version: "3.8.0",
+ }, cpe: "",
+ },
 { // checks vendor/product matching based on bundle name, including EAPs
 software: fleet.Software{
 Name: "GoLand EAP.app",
@@ -1691,6 +1699,15 @@ func TestCPEFromSoftwareIntegration(t *testing.T) {
 BundleIdentifier: "",
 }, cpe: "cpe:2.3:a:github:cli:2.61.0:*:*:*:*:macos:*:*",
 },
+ {
+ software: fleet.Software{
+ Name: "pass",
+ Source: "homebrew_packages",
+ Version: "1.7.4",
+ Vendor: "",
+ BundleIdentifier: "",
+ }, cpe: "cpe:2.3:a:simple_password_store_project:simple_password_store:1.7.4:*:*:*:*:macos:*:*",
+ },
 }
 // NVD_TEST_CPEDB_PATH can be used to speed up development (sync cpe.sqlite only once).
diff --git a/server/vulnerabilities/nvd/cpe_translations.json b/server/vulnerabilities/nvd/cpe_translations.json
index b388140b92..00ea56732d
--- a/server/vulnerabilities/nvd/cpe_translations.json
+++ b/server/vulnerabilities/nvd/cpe_translations.json
@@ -10,6 +10,16 @@
 "target_sw": ["macos", "mac_os"]
 }
 },
+ {
+ "software": {
+ "name": ["pass"],
+ "source": ["homebrew_packages"]
+ },
+ "filter": {
+ "product": ["simple_password_store"],
+ "vendor": ["simple_password_store_project"]
+ }
+ },
 {
 "software": {
 "name": ["/^ruby(@.*)?$/"],
@@ -92,6 +102,15 @@
 "vendor": ["docker"]
 }
 },
+ {
+ "software": {
+ "name": ["jira"],
+ "source": ["python_packages"]
+ },
+ "filter": {
+ "skip": true
+ }
+ },
 {
 "software": {
 "name": ["docker"],
diff --git a/server/vulnerabilities/nvd/cve_test.go b/server/vulnerabilities/nvd/cve_test.go
index d5c070afe7..e04faef5e6
--- a/server/vulnerabilities/nvd/cve_test.go
+++ b/server/vulnerabilities/nvd/cve_test.go
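Review bot: The `"skip": true` filter added for the `jira` Python package in the second cpe_translations.json hunk suppresses every current and future NVD match for that name/source pair, so a CVE later registered against the PyPI `jira` client would become a silent false negative rather than a false positive. The only justification for the skip is the date-stamped comment in the cpe_test.go hunk ("no entries for the jira python package at the NVD dataset"), and JSON has no comment syntax to carry it here, so the entry has no recorded reason to ever be revisited. I would make the test comment carry the caveat and the trigger for removal, e.g. `// 2025-01-20: NVD has no CPE for the jira PyPI client, so it is skipped outright; re-check the CPE dictionary before relying on this, since the skip also hides any CVE published later.` The commit does not show which CPE `jira` was wrongly resolving to before this change, so I am inferring that the original false positive was a product-name collision; if so, recording that CPE in the same comment would tell a future maintainer what the skip protects against.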
@@ -378,6 +378,9 @@ func TestTranslateCPEToCVE(t *testing.T) {
 "cpe:2.3:a:iterm2:iterm2:3.5.2:*:*:*:*:*:*:*": {
 includedCVEs: []cve{{ID: "CVE-2024-38395", resolvedInVersion: ""}},
 },
+ "cpe:2.3:a:simple_password_store_project:simple_password_store:1.7.0:*:*:*:*:macos:*:*": {
+ includedCVEs: []cve{{ID: "CVE-2018-12356", resolvedInVersion: "1.7.2"}},
+ },
 }
 cveOSTests := []struct {
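Review bot: The new `simple_password_store` entry only pins the vulnerable side (1.7.0 reports CVE-2018-12356, resolved in 1.7.2), while the cpe_test.go case this commit adds maps `pass` at 1.7.4, so nothing in the change asserts that the version the false-positive report was presumably about actually comes out with no CVE. A companion entry for `"cpe:2.3:a:simple_password_store_project:simple_password_store:1.7.4:*:*:*:*:macos:*:*"` asserting that CVE-2018-12356 is not reported would pin the fix end to end and would also catch a regression in the `resolvedInVersion` comparison for this product; whether this table supports an excluded-CVE list is not visible in the hunk, so that may need a second form of assertion. TestTranslateCPEToCVE begins and continues outside the hunk.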