From 9eb115cf7c4615dbbf82a51c0724b29611803334 Mon Sep 17 00:00:00 2001
From: Ian Littman
Date: Thu, 2 Jan 2025 13:07:02 -0600
Subject: [PATCH] Ignore CVE-2024-10327 since it's iOS-only (#25083)
For #25075
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files) for more information.
- [x] Added/updated tests
- [x] Manual QA for all new/changed functionality
---
 changes/25075-false-positive | 1 +
 server/vulnerabilities/nvd/cpe_matching_rules.go | 10 ++++++++--
 server/vulnerabilities/nvd/cve_test.go | 4 ++++
 3 files changed, 13 insertions(+), 2 deletions(-)
 create mode 100644 changes/25075-false-positive
diff --git a/changes/25075-false-positive b/changes/25075-false-positive
new file mode 100644
index 0000000000..9d60639930
--- /dev/null
+++ b/changes/25075-false-positive
@@ -0,0 +1 @@
+* Fixed CVE-2024-10327 false positive on Fleet-supported platforms (vuln is iOS-only and iOS vuln checking is not supported)
diff --git a/server/vulnerabilities/nvd/cpe_matching_rules.go b/server/vulnerabilities/nvd/cpe_matching_rules.go
index 88aae7f2dc..b1eaa68813 100644
--- a/server/vulnerabilities/nvd/cpe_matching_rules.go
+++ b/server/vulnerabilities/nvd/cpe_matching_rules.go
@@ -249,8 +249,14 @@ func GetKnownNVDBugRules() (CPEMatchingRules, error) {
 return cpeMeta.TargetSW != "windows"
 },
 },
- // CVE-2024-10004 only targets iOS, and we don't yet support iOS vuln scanning (and can't tell iOS/Mac CPEs apart yet)
- CPEMatchingRule{CVEs: map[string]struct{}{"CVE-2024-10004": {}}, IgnoreAll: true},
+ // these CVEs only target iOS, and we don't yet support iOS vuln scanning (and can't tell iOS/Mac CPEs apart yet)
+ CPEMatchingRule{
+ CVEs: map[string]struct{}{
+ "CVE-2024-10004": {},
+ "CVE-2024-10327": {}, // also missing a CPE as of 2025-01-01
+ },
+ IgnoreAll: true,
+ },
 }
 
 for i, rule := range rules {
diff --git a/server/vulnerabilities/nvd/cve_test.go b/server/vulnerabilities/nvd/cve_test.go
index 4442f73425..22057fa7d8 100644
--- a/server/vulnerabilities/nvd/cve_test.go
+++ b/server/vulnerabilities/nvd/cve_test.go
@@ -363,6 +363,10 @@ func TestTranslateCPEToCVE(t *testing.T) {
 excludedCVEs: []string{"CVE-2024-10004"},
 continuesToUpdate: true,
 },
+ "cpe:2.3:a:okta:verify:9.27.0:*:*:*:*:macos:*:*": {
+ excludedCVEs: []string{"CVE-2024-10327"},
+ continuesToUpdate: true,
+ },
 }
 
 cveOSTests := []struct {
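Review bot: The new `"CVE-2024-10327": {}` entry inherits `IgnoreAll: true`, so the CVE is suppressed for every CPE, not only the Okta Verify macOS CPE that the added cve_test.go case exercises; if NVD later attaches a non-iOS configuration to this CVE (the inline comment itself notes it has no CPE at all as of 2025-01-01), the suppression silently turns into a false negative with no test to catch it. The context above the removed lines shows the rule set appears to support a predicate form (`return cpeMeta.TargetSW != "windows"`), which would let the exclusion be scoped to the affected product or platform rather than blanket-ignored. At minimum the entry's comment should state the condition for removing it, e.g. `// CVE-2024-10327: iOS-only; no CPE configuration published as of 2025-01-01 — re-check once NVD adds one and drop this entry if a non-iOS CPE appears`. GetKnownNVDBugRules continues outside the hunk.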