From 72cc82f60d593e388453c4ee1a7ec9a1555513f4 Mon Sep 17 00:00:00 2001 From: Victor Lyuboslavsky Date: Thu, 18 Apr 2024 10:12:49 -0500 Subject: [PATCH] Ignoring Valve Corporation's Steam client's vulnerabilities on Windows and macOS (#18380) #18126 Ignoring Valve Corporation's Steam client's vulnerabilities on Windows and macOS - On Windows and macOS, the true version of the Steam client (like 2021-04-10) cannot be retrieved by standard methods used on other software. We would need to create custom logic to retrieve the version of the Steam client. - Steam client automatically updates itself, so security risk is somewhat mitigated. QA note: Items from software_cve table are cleared after 2 hours. # Checklist for submitter - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [ ] Added/updated tests - [x] Manual QA for all new/changed functionality
---
 changes/18126-steam-vulns | 3 +++
 .../vulnerabilities/nvd/cpe_translations.json | 18 ++++++++++++++++++
 server/vulnerabilities/nvd/cve_test.go | 1 +
 3 files changed, 22 insertions(+)
 create mode 100644 changes/18126-steam-vulns
diff --git a/changes/18126-steam-vulns b/changes/18126-steam-vulns
new file mode 100644
index 0000000000..c80ab6630c
--- /dev/null
+++ b/changes/18126-steam-vulns
@@ -0,0 +1,3 @@
+Ignoring Valve Corporation's Steam client's vulnerabilities on Windows and macOS
+ - On Windows and macOS, the true version of the Steam client (like 2021-04-10) cannot be retrieved by standard methods used on other software. We would need to create custom logic to retrieve the version of the Steam client.
+ - Steam client automatically updates itself, so security risk is somewhat mitigated.
diff --git a/server/vulnerabilities/nvd/cpe_translations.json b/server/vulnerabilities/nvd/cpe_translations.json
index f3eb6b6865..a10b2e34be 100644
--- a/server/vulnerabilities/nvd/cpe_translations.json
+++ b/server/vulnerabilities/nvd/cpe_translations.json
@@ -359,5 +359,23 @@
 "product": ["edge_chromium"],
 "vendor": ["microsoft"]
 }
+ },
+ {
+ "software": {
+ "name": ["Steam"],
+ "source": ["programs"]
+ },
+ "filter": {
+ "skip": true
+ }
+ },
+ {
+ "software": {
+ "name": ["Steam.app"],
+ "source": ["apps"]
+ },
+ "filter": {
+ "skip": true
+ }
 }
 ]
diff --git a/server/vulnerabilities/nvd/cve_test.go b/server/vulnerabilities/nvd/cve_test.go
index 63bd6b74ad..8f29cc3e8b 100644
--- a/server/vulnerabilities/nvd/cve_test.go
+++ b/server/vulnerabilities/nvd/cve_test.go
@@ -131,6 +131,7 @@ func (d *threadSafeDSMock) InsertSoftwareVulnerability(ctx context.Context, vuln
 }
 func TestTranslateCPEToCVE(t *testing.T) {
+ t.Parallel()
 ctx := context.Background()
 // NVD_TEST_VULNDB_DIR can be used to speed up development (sync vulnerability data only once).
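Review bot: The two entries added to cpe_translations.json match on `name` and `source` only and set `"skip": true` unconditionally, so every host reporting `Steam` (programs) or `Steam.app` (apps) drops out of CVE reporting, including hosts where the client's self-update is blocked or the machine is rarely online. JSON has no comment syntax, so the rationale and issue #18126 live only in the commit message and the changes file; I would record the suppression in the vulnerability-processing documentation so operators know Steam is a deliberate blind spot and the rule can be removed once the real client version can be collected. If name matching is not exact (not visible in this hunk), also confirm that other software whose name contains `Steam` is not skipped.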
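Review bot: The only test change in this commit is `t.Parallel()` at the top of TestTranslateCPEToCVE in cve_test.go; nothing visible asserts that `Steam`/`programs` and `Steam.app`/`apps` now produce no CVEs, and the submitter checklist leaves "Added/updated tests" unchecked. I would add a case for each new skip rule so a later edit to cpe_translations.json cannot silently re-enable or widen the suppression. The `t.Parallel()` call is also unrelated to the stated change, and since the comment below it says NVD_TEST_VULNDB_DIR lets the vulnerability data be synced only once, it is worth confirming that no other parallel test writes to that directory. The function body continues outside the hunk.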