Prepare for Fleet 4.10.0 (#4161)

Co-authored-by: Zach Wasserman <zach@fleetdm.com>
2026-04-21 13:37:30 +00:00 · 2022-02-13 21:13:06 -05:00 · 2022-02-13 21:13:06 -05:00 · 67827474c2
commit 67827474c2
parent e0716d0c2a
44 changed files with 76 additions and 66 deletions
--- a/.github/workflows/goreleaser-fleet.yaml
+++ b/.github/workflows/goreleaser-fleet.yaml
@ -27,7 +27,7 @@ jobs:
      - name: Set up Go
        uses: actions/setup-go@v2
        with:
-          go-version: 1.17.2
+          go-version: 1.17.7

      - name: Install JS Dependencies
        run: make deps-js
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,3 +1,54 @@
+## Fleet 4.10.0 (Feb 10, 2022)
+
+* Upgrade Go to 1.17.7 with security fixes for crypto/elliptic (CVE-2022-23806), math/big (CVE-2022-23772), and cmd/go (CVE-2022-23773). These are not likely to be high impact in Fleet deployments, but we are upgrading in an abundance of caution.
+
+* Add aggregate software and vulnerability information on the new **Software** page.
+
+* Add ability to see how many hosts have a specific vulnerable software installed on the
+  **Software** page. This information is also available in the `GET /api/v1/fleet/software` API route.
+
+* Add ability to send a webhook request if a new vulnerability (CVE) is
+found on at least one host. Documentation on what data is included the webhook
+request and when the webhook request is sent can be found here on [fleedm.com/docs](https://fleetdm.com/docs/using-fleet/automations#vulnerability-automations).
+
+* Add aggregate Mobile Device Management and Munki data on the **Home** page.
+
+* Add email and URL validation across the entire Fleet UI.
+
+* Add ability to filter software by "Vulnerable" on the **Host details** page.
+
+* Update standard policy templates to use new naming convention. For example, "Is FileVault enabled on macOS
+devices?" is now "Full disk encryption enabled (macOS)."
+
+* Add db-innodb-status and db-process-list to `fleetctl debug` command.
+
+* Fleet Premium: Add the ability to generate a Fleet installer and manage enroll secrets on the **Team details**
+  page. 
+
+* A ability for users with the observer role to view which platforms (macOS, Windows, Linux) a query
+  is compatible with.
+
+* Improve the experience for editing queries and policies in the Fleet UI.
+
+* Improve vulnerability processing for NPM packages.
+
+* Support triggering a webhook for newly detected vulnerabilities with a list of affected hosts.
+
+* Add filter software by CVE.
+
+* Add the ability to disable scheduled query performance statistics.
+
+* Add ability to filter the host summary information by platform (macOS, Windows, Linux) on the **Home** page.
+
+* Fix a bug in Fleet installers for Linux in which a computer restart would stop the host from
+  reporting to Fleet.
+
+* Make sure ApplyTeamSpec only works with premium deployments.
+
+* Disable MDM, Munki, and Chrome profile queries on unsupported platforms to reduce log noise.
+
+* Properly handle paths in CVE URL prefix.
+
 ## Fleet 4.9.1 (Feb 2, 2022)

 ### This is a security release.
--- a/changes/add-enable-scheduled-query-stats-to-fleetconfig
+++ b/changes/add-enable-scheduled-query-stats-to-fleetconfig
@ -1 +0,0 @@
-* Allow to disable scheduled query stats through fleet serve config
--- a/changes/disable-mdm-queries
+++ b/changes/disable-mdm-queries
@ -1 +0,0 @@
-* Disable MDM, Munki, and Chrome profile queries on unsupported platforms to reduce log noise.
--- a/changes/fix-cve-url-prefix
+++ b/changes/fix-cve-url-prefix
@ -1 +0,0 @@
-* Properly handle paths in CVE URL prefix
--- a/changes/issue-2998-software-cve-search
+++ b/changes/issue-2998-software-cve-search
@ -1 +0,0 @@
-* Add filter software by CVE
--- a/changes/issue-3029-team-details-modals
+++ b/changes/issue-3029-team-details-modals
@ -1 +0,0 @@
-* Add generate installer and manage enroll secrets to team details page
--- a/changes/issue-3050-settings
+++ b/changes/issue-3050-settings
@ -1 +0,0 @@
-* Expose vulnerabilities webhook config in app config.
--- a/changes/issue-3050-trigger-vulnerabilities-webhook
+++ b/changes/issue-3050-trigger-vulnerabilities-webhook
@ -1 +0,0 @@
-* Support triggering a webhook for newly detected vulnerabilities with a list of affected hosts
--- a/changes/issue-3054-3208-host-details-software
+++ b/changes/issue-3054-3208-host-details-software
@ -1,2 +0,0 @@
-* Add new "Software" tab to Host details page
-* Add ability to filter software by "Vulnerable" on the Host details page
--- a/changes/issue-3086-add-hosts-count-to-software
+++ b/changes/issue-3086-add-hosts-count-to-software
@ -1 +0,0 @@
-* Add `hosts_count` field for each software (and `counts_updated_at` timestamp as a top-level field) to the response payload of `GET /api/v1/fleet/software`
--- a/changes/issue-3086-cleanup-unused-software
+++ b/changes/issue-3086-cleanup-unused-software
@ -1 +0,0 @@
-* Cleanup unused `software` entries after having calculated the count of hosts
--- a/changes/issue-3099-3195-improve-query-editing
+++ b/changes/issue-3099-3195-improve-query-editing
@ -1 +0,0 @@
-* Refine and improve query and policy editing interface
--- a/changes/issue-3173-debug-status-processlist
+++ b/changes/issue-3173-debug-status-processlist
@ -1 +0,0 @@
-* Add db-innodb-status and db-process-list to fleetctl debug
--- a/changes/issue-3263-aggregation
+++ b/changes/issue-3263-aggregation
@ -1 +0,0 @@
-* Add aggregation of mdm and munki data
--- a/changes/issue-3263-host-summary-filter
+++ b/changes/issue-3263-host-summary-filter
@ -1 +0,0 @@
-* Add platform filter to the host_summary endpoint
--- a/changes/issue-3397-software-page
+++ b/changes/issue-3397-software-page
@ -1,3 +0,0 @@
-* Add new feature: Software page
-* Replace "View all software" modal with link to software page
-* Add hosts counts and last updated time to software card on homepage dashboard
--- a/changes/issue-3507-url-email-validators
+++ b/changes/issue-3507-url-email-validators
@ -1 +0,0 @@
-* App wide frontend validators for email addresses and urls
--- a/changes/issue-3584-fix-webhooks-lock-duration
+++ b/changes/issue-3584-fix-webhooks-lock-duration
@ -1 +0,0 @@
-* Amend webhook db lock duration to be always one hour.
--- a/changes/issue-3634-user-actions-flash-messages
+++ b/changes/issue-3634-user-actions-flash-messages
@ -1 +0,0 @@
-* Success and error messages for resetting a user's password and session
--- a/changes/issue-3706-input-max-length
+++ b/changes/issue-3706-input-max-length
@ -1 +0,0 @@
-* Add max length to user, query and policy name inputs
--- a/changes/issue-3762-software-vulnerability-webhook-modal
+++ b/changes/issue-3762-software-vulnerability-webhook-modal
@ -1 +0,0 @@
-* Ability in UI to set a software vulnerability automation on Software page
--- a/changes/issue-3782-apply-team-specs-ee
+++ b/changes/issue-3782-apply-team-specs-ee
@ -1 +0,0 @@
-* Make sure ApplyTeamSpec only works with premium deployments.
--- a/changes/issue-3800-macOS-homepage
+++ b/changes/issue-3800-macOS-homepage
@ -1,2 +0,0 @@
- Added platform filter to homepage dashboard
- Added Munki and MDM data cards to homepage dashboard for macOS devices
--- a/changes/issue-3872-fix-label-search
+++ b/changes/issue-3872-fix-label-search
@ -1 +0,0 @@
-* Fix label search crashing app on special character input
--- a/changes/issue-3879-preview-apply-policies
+++ b/changes/issue-3879-preview-apply-policies
@ -1 +0,0 @@
-* Apply the whole yaml instead of just parts of it in preview
--- a/changes/issue-3882-clean-team-packs
+++ b/changes/issue-3882-clean-team-packs
@ -1 +0,0 @@
-* Clean up team schedules when deleting a team.
--- a/changes/issue-3899-revamp-nav-bar
+++ b/changes/issue-3899-revamp-nav-bar
@ -1,2 +0,0 @@
-* Move settings tab into account drawer
-* Refactor nav bar to new frontend patterns
--- a/changes/issue-3901-match-target-sw
+++ b/changes/issue-3901-match-target-sw
@ -1 +0,0 @@
-* Properly match target_sw when looking for vulnerabilities within npm packages
--- a/changes/issue-3904-get-team-by-id-api
+++ b/changes/issue-3904-get-team-by-id-api
@ -1 +0,0 @@
-* Add new endpoint get team by id
--- a/changes/issue-3921-logout-automatically
+++ b/changes/issue-3921-logout-automatically
@ -1 +0,0 @@
-* /logout route automatically logs the user out of Fleet
--- a/changes/issue-3953-apply-queries-missing-authorization
+++ b/changes/issue-3953-apply-queries-missing-authorization
@ -1 +0,0 @@
-* Check that user is authorized to update query in update query specs endpoint
--- a/changes/issue-3988-3989-query-policy-validations
+++ b/changes/issue-3988-3989-query-policy-validations
@ -1 +0,0 @@
-* Return backend validation in the label of query/policy creation form
--- a/changes/issue-3991-fix-get-failing-policies-webhook
+++ b/changes/issue-3991-fix-get-failing-policies-webhook
@ -1 +0,0 @@
-* Bug fix in UI: Loading current failing policies webhooks data
--- a/changes/issue-4095-observer-view-compatibility
+++ b/changes/issue-4095-observer-view-compatibility
@ -1 +0,0 @@
-* An observer can view a query's operating system compatibility
--- a/changes/issue-4118-software-automation-details
+++ b/changes/issue-4118-software-automation-details
@ -1 +0,0 @@
-* Add software automation details to UI modal
--- a/changes/linux-packaging-service-persistence
+++ b/changes/linux-packaging-service-persistence
@ -1 +0,0 @@
-* Fix generated Linux packages to keep service enabled after computer restart.
--- a/changes/update-standard-policies
+++ b/changes/update-standard-policies
@ -1,2 +0,0 @@
-* Update standard policy templates to use new naming convention. For example, "Is FileVault enabled on macOS
-devices?" is now "Full disk encryption enabled (macOS)."
--- a/charts/fleet/Chart.yaml
+++ b/charts/fleet/Chart.yaml
@ -4,8 +4,8 @@ name: fleet
 keywords:
  - fleet
  - osquery
-version: v4.9.1
+version: v4.10.0
 home: https://github.com/fleetdm/fleet
 sources:
  - https://github.com/fleetdm/fleet.git
-appVersion: v4.9.1
+appVersion: v4.10.0
--- a/charts/fleet/values.yaml
+++ b/charts/fleet/values.yaml
@ -2,7 +2,7 @@
 # All settings related to how Fleet is deployed in Kubernetes
 hostName: fleet.localhost
 replicas: 3 # The number of Fleet instances to deploy
-imageTag: v4.9.1 # Version of Fleet to deploy
+imageTag: v4.10.0 # Version of Fleet to deploy
 createIngress: true # Whether or not to automatically create an Ingress
 ingressAnnotations: {} # Additional annotation to add to the Ingress
 podAnnotations: {} # Additional annotations to add to the Fleet pod
--- a/docs/03-Contributing/05-Releasing-Fleet.md
+++ b/docs/03-Contributing/05-Releasing-Fleet.md
@ -12,9 +12,11 @@ Add a "Performance" section below the list of changes. This section should summa
 hosts that the Fleet server can handle, call out if this number has
 changed since the last release, and list the infrastructure used in the load testing environment.

-Update the NPM [package.json](../../tools/fleetctl-npm/package.json) with the new version number (do
-not yet `npm publish`). Update the [Helm chart](../../charts/fleet/Chart.yaml) and [values
-file](../../charts/fleet/values.yaml) with the new version number.
+Update version numbers in the relevant files:
+
+- [package.json](../../tools/fleetctl-npm/package.json) (do not yet `npm publish`)
+- [Helm chart](../../charts/fleet/Chart.yaml) and [values file](../../charts/fleet/values.yaml)
+- [Terraform variables](../../tools/terraform/variables.tf)

 Commit these changes via Pull Request and pull the changes on the `main` branch locally. Check that
 `HEAD` of the `main` branch points to the commit with these changes.
@ -54,7 +56,7 @@ Please visit our [update guide](https://fleetdm.com/docs/using-fleet/updating-fl

 ### Documentation

-Documentation for this release can be found at https://github.com/fleetdm/fleet/blob/<VERSION>/docs/README.md
+Documentation for Fleet is available at [fleetdm.com/docs](https://fleetdm.com/docs).

 ### Binary Checksum

@ -73,7 +75,7 @@ When editing is complete, publish the release.

 > If releasing a "prerelease" of Fleet, run `npm publish --tag prerelease`. This way, you can
 > publish a prerelease of fleetctl while the most recent fleetctl npm package, available for public
-> download, is still the latest *official* release.
+> download, is still the latest _official_ release.

 5. Announce the release in the #fleet channel of [osquery
   Slack](https://osquery.slack.com/join/shared_invite/zt-h29zm0gk-s2DBtGUTW4CFel0f0IjTEw#/) and
@ -110,7 +112,7 @@ must be created and relevant changes cherry-picked onto that branch:
   ```

 2. Cherry pick the necessary commits into the new branch:
-   
+
   ```
   git cherry-pick d34db33f
   ```
@ -123,8 +125,7 @@ must be created and relevant changes cherry-picked onto that branch:

   When a `patch-*` branch is pushed, the [Docker publish
   Action](https://github.com/fleetdm/fleet/actions/workflows/goreleaser-snapshot-fleet.yaml) will
-   be invoked to push a container image for QA with `fleetctl preview` (eg. `fleetctl preview
-   --tag patch-fleet-v4.3.1`).
+   be invoked to push a container image for QA with `fleetctl preview` (eg. `fleetctl preview --tag patch-fleet-v4.3.1`).

 4. Check in the GitHub UI that Actions ran successfully for this branch and perform [QA smoke
   testing](../../.github/ISSUE_TEMPLATE/smoke-tests.md).
@ -142,4 +143,4 @@ must be created and relevant changes cherry-picked onto that branch:
   timestamps. If they do not, submit a new Pull Request to increase the timestamps and ensure that
   migrations are run in the appropriate order.

-   TODO [#2850](https://github.com/fleetdm/fleet/issues/2850): Improve docs/tooling for this.
+   TODO [#2850](https://github.com/fleetdm/fleet/issues/2850): Improve docs/tooling for this.
--- a/server/datastore/mysql/schema.sql
+++ b/server/datastore/mysql/schema.sql
@ -36,7 +36,7 @@ CREATE TABLE `app_config_json` (
  UNIQUE KEY `id` (`id`)
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;
 /*!40101 SET character_set_client = @saved_cs_client */;
-INSERT INTO `app_config_json` VALUES (1,'{\"org_info\": {\"org_name\": \"\", \"org_logo_url\": \"\"}, \"sso_settings\": {\"idp_name\": \"\", \"metadata\": \"\", \"entity_id\": \"\", \"enable_sso\": false, \"issuer_uri\": \"\", \"metadata_url\": \"\", \"idp_image_url\": \"\", \"enable_sso_idp_login\": false}, \"agent_options\": {\"config\": {\"options\": {\"logger_plugin\": \"tls\", \"pack_delimiter\": \"/\", \"logger_tls_period\": 10, \"distributed_plugin\": \"tls\", \"disable_distributed\": false, \"logger_tls_endpoint\": \"/api/v1/osquery/log\", \"distributed_interval\": 10, \"distributed_tls_max_attempts\": 3}, \"decorators\": {\"load\": [\"SELECT uuid AS host_uuid FROM system_info;\", \"SELECT hostname AS hostname FROM system_info;\"]}}, \"overrides\": {}}, \"host_settings\": {\"enable_host_users\": true, \"enable_software_inventory\": false, \"enable_scheduled_query_stats\": true}, \"smtp_settings\": {\"port\": 587, \"domain\": \"\", \"server\": \"\", \"password\": \"\", \"user_name\": \"\", \"configured\": false, \"enable_smtp\": false, \"enable_ssl_tls\": true, \"sender_address\": \"\", \"enable_start_tls\": true, \"verify_ssl_certs\": true, \"authentication_type\": \"0\", \"authentication_method\": \"0\"}, \"server_settings\": {\"server_url\": \"\", \"enable_analytics\": false, \"deferred_save_host\": false, \"live_query_disabled\": false}, \"webhook_settings\": {\"interval\": \"24h0m0s\", \"host_status_webhook\": {\"days_count\": 0, \"destination_url\": \"\", \"host_percentage\": 0, \"enable_host_status_webhook\": false}, \"vulnerabilities_webhook\": {\"destination_url\": \"\", \"host_batch_size\": 0, \"enable_vulnerabilities_webhook\": false}, \"failing_policies_webhook\": {\"policy_ids\": null, \"destination_url\": \"\", \"host_batch_size\": 0, \"enable_failing_policies_webhook\": false}}, \"host_expiry_settings\": {\"host_expiry_window\": 0, \"host_expiry_enabled\": false}, \"vulnerability_settings\": {\"databases_path\": \"\"}}','2020-01-01 01:01:01','2020-01-01 01:01:01');
+INSERT INTO `app_config_json` VALUES (1,'{\"org_info\": {\"org_name\": \"\", \"org_logo_url\": \"\"}, \"sso_settings\": {\"idp_name\": \"\", \"metadata\": \"\", \"entity_id\": \"\", \"enable_sso\": false, \"issuer_uri\": \"\", \"metadata_url\": \"\", \"idp_image_url\": \"\", \"enable_sso_idp_login\": false}, \"agent_options\": {\"config\": {\"options\": {\"logger_plugin\": \"tls\", \"pack_delimiter\": \"/\", \"logger_tls_period\": 10, \"distributed_plugin\": \"tls\", \"disable_distributed\": false, \"logger_tls_endpoint\": \"/api/v1/osquery/log\", \"distributed_interval\": 10, \"distributed_tls_max_attempts\": 3}, \"decorators\": {\"load\": [\"SELECT uuid AS host_uuid FROM system_info;\", \"SELECT hostname AS hostname FROM system_info;\"]}}, \"overrides\": {}}, \"host_settings\": {\"enable_host_users\": true, \"enable_software_inventory\": false}, \"smtp_settings\": {\"port\": 587, \"domain\": \"\", \"server\": \"\", \"password\": \"\", \"user_name\": \"\", \"configured\": false, \"enable_smtp\": false, \"enable_ssl_tls\": true, \"sender_address\": \"\", \"enable_start_tls\": true, \"verify_ssl_certs\": true, \"authentication_type\": \"0\", \"authentication_method\": \"0\"}, \"server_settings\": {\"server_url\": \"\", \"enable_analytics\": false, \"deferred_save_host\": false, \"live_query_disabled\": false}, \"webhook_settings\": {\"interval\": \"24h0m0s\", \"host_status_webhook\": {\"days_count\": 0, \"destination_url\": \"\", \"host_percentage\": 0, \"enable_host_status_webhook\": false}, \"vulnerabilities_webhook\": {\"destination_url\": \"\", \"host_batch_size\": 0, \"enable_vulnerabilities_webhook\": false}, \"failing_policies_webhook\": {\"policy_ids\": null, \"destination_url\": \"\", \"host_batch_size\": 0, \"enable_failing_policies_webhook\": false}}, \"host_expiry_settings\": {\"host_expiry_window\": 0, \"host_expiry_enabled\": false}, \"vulnerability_settings\": {\"databases_path\": \"\"}}','2020-01-01 01:01:01','2020-01-01 01:01:01');
 /*!40101 SET @saved_cs_client     = @@character_set_client */;
 /*!40101 SET character_set_client = utf8 */;
 CREATE TABLE `carve_blocks` (
--- a/tools/fleetctl-npm/package.json
+++ b/tools/fleetctl-npm/package.json
@ -1,6 +1,6 @@
 {
  "name": "fleetctl",
-  "version": "v4.9.1",
+  "version": "v4.10.0",
  "description": "Installer for the fleetctl CLI tool",
  "bin": {
    "fleetctl": "./run.js"
--- a/tools/terraform/variables.tf
+++ b/tools/terraform/variables.tf
@ -24,12 +24,12 @@ variable "vulnerabilities_path" {

 variable "fleet_backend_cpu" {
  default = 256
-  type = number
+  type    = number
 }

 variable "fleet_backend_mem" {
  default = 512
-  type = number
+  type    = number
 }

 variable "async_host_processing" {
@ -37,7 +37,7 @@ variable "async_host_processing" {
 }

 variable "logging_debug" {
-default = "false"
+  default = "false"
 }

 variable "logging_json" {
@ -51,12 +51,12 @@ variable "database_user" {

 variable "database_name" {
  description = "the name of the database fleet will create/use"
-  default = "fleet"
+  default     = "fleet"
 }

 variable "fleet_image" {
  description = "the name of the container image to run"
-  default     = "fleetdm/fleet:v4.9.0"
+  default     = "fleetdm/fleet:v4.10.0"
 }

 variable "software_inventory" {
@ -72,13 +72,13 @@ variable "vuln_db_path" {
 variable "cpu_migrate" {
  description = "cpu units for migration task"
  default     = 1024
-  type = number
+  type        = number
 }

 variable "mem_migrate" {
  description = "memory limit for migration task in MB"
  default     = 2048
-  type = number
+  type        = number
 }

 variable "fleet_max_capacity" {
@ -103,5 +103,5 @@ variable "cpu_tracking_target_value" {

 variable "fleet_license" {
  description = "Fleet Premium license key"
-  default = ""
-}
+  default     = ""
+}
				`@ -1 +0,0 @@`
				`* Allow to disable scheduled query stats through fleet serve config`
				`@ -1 +0,0 @@`
				`* Disable MDM, Munki, and Chrome profile queries on unsupported platforms to reduce log noise.`
				`@ -1 +0,0 @@`
				`* Add generate installer and manage enroll secrets to team details page`
				`@ -1 +0,0 @@`
				`* Expose vulnerabilities webhook config in app config.`
				`@ -1 +0,0 @@`
				`* Support triggering a webhook for newly detected vulnerabilities with a list of affected hosts`
				`@ -1 +0,0 @@`
				* Add `hosts_count` field for each software (and `counts_updated_at` timestamp as a top-level field) to the response payload of `GET /api/v1/fleet/software`
				`@ -1 +0,0 @@`
				* Cleanup unused `software` entries after having calculated the count of hosts
				`@ -1 +0,0 @@`
				`* Refine and improve query and policy editing interface`
				`@ -1 +0,0 @@`
				`* Add db-innodb-status and db-process-list to fleetctl debug`
				`@ -1 +0,0 @@`
				`* Add platform filter to the host_summary endpoint`