From 49300bc844bb9e3a029fe7a5d9806dbee8cc6398 Mon Sep 17 00:00:00 2001 From: Ian Littman Date: Wed, 14 Aug 2024 10:53:47 -0500 Subject: [PATCH] Don't panic on zero-length NVD description_data array fields (#21250) #21242 # Checklist for submitter If some of the following don't apply, delete the relevant line. - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files) for more information. - [x] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) QA'd manually (see repro scenario in the linked bug). Happy to dig into adding tests here if it's worth the time to build them now that the upstream data feed has been patchd.
---
 changes/21242-nvd-input-validation | 1 +
 server/vulnerabilities/nvd/sync.go | 7 ++++---
 2 files changed, 5 insertions(+), 3 deletions(-)
 create mode 100644 changes/21242-nvd-input-validation
diff --git a/changes/21242-nvd-input-validation b/changes/21242-nvd-input-validation
new file mode 100644
index 0000000000..cab3a2e77d
--- /dev/null
+++ b/changes/21242-nvd-input-validation
@@ -0,0 +1 @@
+Continue with an empty CVE description when the NVD CVE feed doesn't include description entries (instead of panicking)
diff --git a/server/vulnerabilities/nvd/sync.go b/server/vulnerabilities/nvd/sync.go
index c2e52cc40a..65174e721b 100644
--- a/server/vulnerabilities/nvd/sync.go
+++ b/server/vulnerabilities/nvd/sync.go
@@ -216,9 +216,10 @@ func LoadCVEMeta(ctx context.Context, logger log.Logger, vulnPath string, ds fle
 }
 schema := vuln.Schema()
- meta := fleet.CVEMeta{
- CVE: cve,
- Description: schema.CVE.Description.DescriptionData[0].Value,
+ meta := fleet.CVEMeta{CVE: cve}
+
+ if len(schema.CVE.Description.DescriptionData) > 0 {
+ meta.Description = schema.CVE.Description.DescriptionData[0].Value
 }
 if schema.Impact.BaseMetricV3 != nil {
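Review bot: The length check added in `LoadCVEMeta` guards only the `DescriptionData[0]` index; the `schema.CVE.Description` chain in front of it is still dereferenced unchecked, so if `CVE` or `Description` are pointer fields in the feed schema (their types are not visible in this hunk) an item that omits the object would panic the same way. Since this data comes from an external feed, it is worth confirming those types and, if they are pointers, adding nil checks to the same condition. The empty-description path is also silent and has no regression test; I would add a comment such as `// NVD items may carry an empty description_data array (#21242); keep the CVE with an empty description.` above the `if`, and a test that feeds one such item. The body of `LoadCVEMeta` starts and ends outside the hunk.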