From c6c5e6c61b914dbd5bac2816f959be23122bc223 Mon Sep 17 00:00:00 2001
From: Zach Wasserman
Date: Thu, 6 Apr 2023 08:10:06 -0700
Subject: [PATCH] More robust version handling for macOS software (#10703)

This should get version numbers for more apps on macOS. Notably, 1Password includes helper apps that were getting vulnerability false positives because we were not picking up the versions. Addresses #10702.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information.
- [x] Manual QA for all new/changed functionality
---
 changes/macos-app-version | 1 +
 server/service/osquery_utils/queries.go | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)
 create mode 100644 changes/macos-app-version
diff --git a/changes/macos-app-version b/changes/macos-app-version
new file mode 100644
index 0000000000..fcb51ba0e0
--- /dev/null
+++ b/changes/macos-app-version
@@ -0,0 +1 @@
+* Improve version detection for macOS apps. This fixes some false positives in macOS vulnerability detection.
diff --git a/server/service/osquery_utils/queries.go b/server/service/osquery_utils/queries.go
index 1d715a3738..bcb630af7e 100644
--- a/server/service/osquery_utils/queries.go
+++ b/server/service/osquery_utils/queries.go
@@ -609,7 +609,7 @@ var softwareMacOS = DetailQuery{
 Query: withCachedUsers(`WITH cached_users AS (%s)
 SELECT
 name AS name,
- bundle_short_version AS version,
+ COALESCE(NULLIF(bundle_short_version, ''), bundle_version) AS version,
 'Application (macOS)' AS type,
 bundle_identifier AS bundle_identifier,
 'apps' AS source,
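Review bot: The fallback on the `COALESCE(NULLIF(bundle_short_version, ''), bundle_version) AS version` line puts two different version schemes into one `version` column: in osquery's `apps` table `bundle_short_version` is the release version (CFBundleShortVersionString) while `bundle_version` is the build version (CFBundleVersion), which is often a bare build number. Whatever compares `version` against advisory version ranges downstream (not visible in this hunk) may then treat a build number as a release version, so the change can trade a missing-version false positive for a mis-ordered comparison and a missed finding. I would document that next to the `Query:` field, e.g. `// version falls back to bundle_version (CFBundleVersion, a build string) when bundle_short_version is empty; consumers must not assume a marketing version`, and since the diffstat lists no test file, a case with an empty `bundle_short_version` would be worth adding. `NULLIF(..., '')` also lets a whitespace-only value through; `NULLIF(TRIM(bundle_short_version), '')` would cover that. The `softwareMacOS` declaration starts and ends outside the hunk.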