Merge branch 'main' into feat-macos-ddm

.github/workflows/dogfood-gitops.yml

@@ -47,7 +47,7 @@ jobs:
           FLEET_GITOPS_DIR: ${{ github.workspace }}/it-and-security
           FLEET_URL: https://dogfood.fleetdm.com
           FLEET_API_TOKEN: ${{ secrets.DOGFOOD_API_TOKEN }}
-          DOGFOOD_APPLE_BM_DEFAULT_TEAM: Workstations
+          DOGFOOD_APPLE_BM_DEFAULT_TEAM: "💻Workstations"
           DOGFOOD_MACOS_MIGRATION_WEBHOOK_URL: ${{ secrets.DOGFOOD_MACOS_MIGRATION_WEBHOOK_URL }}
           DOGFOOD_GLOBAL_ENROLL_SECRET: ${{ secrets.DOGFOOD_GLOBAL_ENROLL_SECRET }}
           DOGFOOD_SSO_ISSUER_URI: ${{ secrets.DOGFOOD_SSO_ISSUER_URI }}

CHANGELOG.md

@@ -1,3 +1,12 @@
+## Fleet 4.47.1 (Mar 18, 2024)
+
+### Bug fixes
+
+* Removed outdated tooltips from UI.
+* Fixed an issue with Windows MDM profile processing where `<Add>` commands were being skipped.
+* Team users no longer have access to OS versions on hosts from other teams for GET fleet/os_versions and GET fleet/os_versions/[id].
+* Reduced the number of 'Deadlock found' errors seen by the server when multiple hosts share the same UUID.
+
 ## Fleet 4.47.0 (Mar 11, 2024)
 
 ### Endpoint operations

changes/17061-homebrew-python

@@ -0,0 +1 @@
+Fixing false negative vulnerabilities on macOS Homebrew python packages.

charts/fleet/Chart.yaml

@@ -8,7 +8,7 @@ version: v6.0.2
 home: https://github.com/fleetdm/fleet
 sources:
   - https://github.com/fleetdm/fleet.git
-appVersion: v4.47.0
+appVersion: v4.47.1
 dependencies:
   - name: mysql
     condition: mysql.enabled

charts/fleet/values.yaml

@@ -2,7 +2,7 @@
 # All settings related to how Fleet is deployed in Kubernetes
 hostName: fleet.localhost
 replicas: 3 # The number of Fleet instances to deploy
-imageTag: v4.47.0 # Version of Fleet to deploy
+imageTag: v4.47.1 # Version of Fleet to deploy
 podAnnotations: {} # Additional annotations to add to the Fleet pod
 serviceAccountAnnotations: {} # Additional annotations to add to the Fleet service account
 resources:

infrastructure/dogfood/terraform/aws/variables.tf

@@ -56,7 +56,7 @@ variable "database_name" {
 
 variable "fleet_image" {
   description = "the name of the container image to run"
-  default     = "fleetdm/fleet:v4.47.0"
+  default     = "fleetdm/fleet:v4.47.1"
 }
 
 variable "software_inventory" {

infrastructure/dogfood/terraform/gcp/variables.tf

@@ -68,5 +68,5 @@ variable "redis_mem" {
 }
 
 variable "image" {
-  default = "fleet:v4.47.0"
+  default = "fleet:v4.47.1"
 }

it-and-security/teams/servers-canary.yml

@@ -1,4 +1,4 @@
-name: "Servers (canary)"
+name: "☁️🐣Servers (canary)"
 team_settings:
   features:
     enable_host_users: false

it-and-security/teams/servers.yml

@@ -1,4 +1,4 @@
-name: "Servers"
+name: "☁️Servers"
 team_settings:
   features:
     enable_host_users: true

it-and-security/teams/workstations-canary.yml

@@ -1,4 +1,4 @@
-name: "Workstations (canary)"
+name: "💻🐣Workstations (canary)"
 team_settings:
   features:
     enable_host_users: true

server/vulnerabilities/nvd/cpe_test.go

@@ -1604,6 +1604,15 @@ func TestCPEFromSoftwareIntegration(t *testing.T) {
 			// DO NOT MATCH with Cisco Umbrella
 			cpe: "",
 		},
+		{
+			software: fleet.Software{
+				Name:    "python@3.9",
+				Source:  "homebrew_packages",
+				Version: "3.9.18_2",
+				Vendor:  "",
+			},
+			cpe: `cpe:2.3:a:python:python:3.9.18_2:*:*:*:*:*:*:*`,
+		},
 	}
 
 	// NVD_TEST_CPEDB_PATH can be used to speed up development (sync cpe.sqlite only once).

server/vulnerabilities/nvd/sanitize.go

@@ -81,11 +81,13 @@ var langCodes = map[string]bool{
 // - Removing any extra spaces
 // - Lowercasing the name
 // - Removing parts from the bundle identifier
+// - Removing version contained in homebrew_packages name
 func sanitizeSoftwareName(s *fleet.Software) string {
 	archs := regexp.MustCompile(` \(?x64\)?|\(?64-bit\)?|\(?64bit\)?|\(?amd64\)? `)
 	ver := regexp.MustCompile(` \.?\(?(\d+\.)?(\d+\.)?(\*|\d+)\)?\s?`)
 	gen := regexp.MustCompile(` \(\w+\)\s?`)
 	comments := regexp.MustCompile(` (-|:)\s?.+`)
+	versions := regexp.MustCompile(`@\d+($|(\.\d+($|\..+)))`) // @3 or @3.9 or @3.9.18 or @3.9.18_2
 
 	r := strings.ToLower(s.Name)
 	r = strings.TrimSuffix(r, ".app")
@@ -119,6 +121,11 @@ func sanitizeSoftwareName(s *fleet.Software) string {
 	r = strings.Replace(r, ")", " ", -1)
 	r = strings.Join(strings.Fields(r), " ")
 
+	// Remove @<version> from homebrew names
+	if s.Source == "homebrew_packages" {
+		r = versions.ReplaceAllString(r, "")
+	}
+
 	return r
 }
 

terraform/byo-vpc/byo-db/byo-ecs/variables.tf

@@ -13,7 +13,7 @@ variable "fleet_config" {
   type = object({
     mem                          = optional(number, 4096)
     cpu                          = optional(number, 512)
-    image                        = optional(string, "fleetdm/fleet:v4.47.0")
+    image                        = optional(string, "fleetdm/fleet:v4.47.1")
     family                       = optional(string, "fleet")
     sidecars                     = optional(list(any), [])
     depends_on                   = optional(list(any), [])

terraform/byo-vpc/byo-db/variables.tf

@@ -74,7 +74,7 @@ variable "fleet_config" {
   type = object({
     mem                          = optional(number, 4096)
     cpu                          = optional(number, 512)
-    image                        = optional(string, "fleetdm/fleet:v4.47.0")
+    image                        = optional(string, "fleetdm/fleet:v4.47.1")
     family                       = optional(string, "fleet")
     sidecars                     = optional(list(any), [])
     depends_on                   = optional(list(any), [])

terraform/byo-vpc/example/main.tf

@@ -17,7 +17,7 @@ provider "aws" {
 }
 
 locals {
-  fleet_image = "fleetdm/fleet:v4.47.0"
+  fleet_image = "fleetdm/fleet:v4.47.1"
   domain_name = "example.com"
 }
 

terraform/byo-vpc/variables.tf

@@ -165,7 +165,7 @@ variable "fleet_config" {
   type = object({
     mem                          = optional(number, 4096)
     cpu                          = optional(number, 512)
-    image                        = optional(string, "fleetdm/fleet:v4.47.0")
+    image                        = optional(string, "fleetdm/fleet:v4.47.1")
     family                       = optional(string, "fleet")
     sidecars                     = optional(list(any), [])
     depends_on                   = optional(list(any), [])

terraform/example/main.tf

@@ -59,8 +59,8 @@ module "fleet" {
 
   fleet_config = {
     # To avoid pull-rate limiting from dockerhub, consider using our quay.io mirror
-    # for the Fleet image. e.g. "quay.io/fleetdm/fleet:v4.47.0"
-    image = "fleetdm/fleet:v4.47.0" # override default to deploy the image you desire
+    # for the Fleet image. e.g. "quay.io/fleetdm/fleet:v4.47.1"
+    image = "fleetdm/fleet:v4.47.1" # override default to deploy the image you desire
     # See https://fleetdm.com/docs/deploy/reference-architectures#aws for appropriate scaling
     # memory and cpu.
     autoscaling = {

terraform/variables.tf

@@ -215,7 +215,7 @@ variable "fleet_config" {
   type = object({
     mem                          = optional(number, 4096)
     cpu                          = optional(number, 512)
-    image                        = optional(string, "fleetdm/fleet:v4.47.0")
+    image                        = optional(string, "fleetdm/fleet:v4.47.1")
     family                       = optional(string, "fleet")
     sidecars                     = optional(list(any), [])
     depends_on                   = optional(list(any), [])

tools/fleetctl-npm/package.json

@@ -1,6 +1,6 @@
 {
   "name": "fleetctl",
-  "version": "v4.47.0",
+  "version": "v4.47.1",
   "description": "Installer for the fleetctl CLI tool",
   "bin": {
     "fleetctl": "./run.js"

website/api/controllers/deliver-talk-to-us-form-submission.js

@@ -46,10 +46,10 @@ module.exports = {
       required: true,
       description: 'What this user will be using Fleet for',
       isIn: [
-        'vulnerability-management',
-        'device-management',
-        'endpoint-ops-it',
-        'endpoint-ops-security',
+        'vm',
+        'mdm',
+        'eo-it',
+        'eo-security',
       ],
     },
 

website/api/controllers/entrance/signup.js

@@ -68,10 +68,10 @@ the account verification message.)`,
       description: 'What the user will be using Fleet for.',
       required: true,
       isIn: [
-        'endpoint-ops-security',
-        'endpoint-ops-it',
-        'device-management',
-        'vulnerability-management'
+        'eo-security',
+        'eo-it',
+        'mdm',
+        'vm'
       ],
     }
 
@@ -153,6 +153,7 @@ the account verification message.)`,
       signupReason,
       password: await sails.helpers.passwords.hashPassword(password),
       stripeCustomerId,
+      primaryBuyingSituation,
       tosAcceptedByIp: this.req.ip
     }, sails.config.custom.verifyEmailAddresses? {
       emailProofToken: await sails.helpers.strings.random('url-friendly'),

website/api/models/User.js

@@ -202,6 +202,18 @@ without necessarily having a billing card.`
       defaultsTo: false
     },
 
+    primaryBuyingSituation: {
+      type: 'string',
+      description: 'The primary buying situation the user selected when they signed up.',
+      extendedDescription: 'User records created before 2024-03-14 will have this attribute set to ""',
+      isIn: [
+        'eo-security',
+        'eo-it',
+        'mdm',
+        'vm',
+      ]
+    }
+
     //  ╔═╗╔╦╗╔╗ ╔═╗╔╦╗╔═╗
     //  ║╣ ║║║╠╩╗║╣  ║║╚═╗
     //  ╚═╝╩ ╩╚═╝╚═╝═╩╝╚═╝

website/package.json

@@ -15,8 +15,7 @@
     "sails-hook-organics": "^2.2.2",
     "sails-hook-orm": "^4.0.2",
     "sails-hook-sockets": "^3.0.0",
-    "sails-postgresql": "^5.0.0",
-    "yaml": "1.10.2"
+    "sails-postgresql": "^5.0.0"
   },
   "devDependencies": {
     "eslint": "5.16.0",
@@ -24,7 +23,8 @@
     "htmlhint": "0.11.0",
     "lesshint": "6.3.6",
     "marked": "4.0.10",
-    "sails-hook-grunt": "^4.0.0"
+    "sails-hook-grunt": "^4.0.0",
+    "yaml": "1.10.2"
   },
   "scripts": {
     "custom-tests": "echo \"(No other custom tests yet.)\" && echo",

website/scripts/create-issues-for-todays-rituals.js

@@ -13,33 +13,17 @@ module.exports = {
 
   fn: async function ({ dry }) {
 
-    let path = require('path');
-    let YAML = require('yaml');
-    let topLvlRepoPath = path.resolve(sails.config.appPath, '../');
+    if (!_.isObject(sails.config.builtStaticContent) || !_.isObject(sails.config.builtStaticContent.rituals)) {
+      throw new Error('Missing, incomplete, or invalid configuration. Could not create issues for todays rituals, please try running `sails run build-static-content` and try running this script again.');
+    }
+
     let baseHeaders = {// (for github api)
       'User-Agent': 'Fleetie pie',
       'Authorization': `token ${sails.config.custom.githubAccessToken}`
     };
 
-    // Find all the files in the top level /handbook folder and it's sub-folders
-    let FILES_IN_HANDBOOK_FOLDER = await sails.helpers.fs.ls.with({
-      dir: path.join(topLvlRepoPath, '/handbook'),
-      depth: 3
-    });
-    // Filter the list of filenames to get the rituals YAML files.
-    let ritualYamlPaths = FILES_IN_HANDBOOK_FOLDER.filter((filePath)=>{
-      return _.endsWith(filePath, 'rituals.yml');
-    });
-    for (let ritualSource of ritualYamlPaths) {
-      // Load rituals
-      let pathToRituals = path.resolve(topLvlRepoPath, ritualSource);
-      let rituals = [];
-      let ritualsYml = await sails.helpers.fs.read(pathToRituals);
-      try {
-        rituals = YAML.parse(ritualsYml, { prettyErrors: true });
-      } catch (err) {
-        throw new Error(`Could not parse the YAMl for rituals at ${pathToRituals} on line ${err.linePos.start.line}. To resolve, make sure the YAML is valid, and try again: ` + err.stack);
-      }
+    for (let ritualSource in sails.config.builtStaticContent.rituals) {
+      let rituals = sails.config.builtStaticContent.rituals[ritualSource];
       for (let ritual of rituals) {
         // For each ritual, we'll:
         //  - Convert the ritual's frequency into milliseconds.

website/views/pages/contact.ejs

@@ -79,10 +79,10 @@
             <div class="selectbox">
             <select class="form-control" id="primaryBuyingSituation" name="primaryBuyingSituation" :class="[formErrors.primaryBuyingSituation ? 'is-invalid' : '']" v-model="formData.primaryBuyingSituation">
               <option disabled hidden value="undefined">Choose an option</option>
-              <option value="endpoint-ops-security">Endpoint operations for security engineers</option>
-              <option value="endpoint-ops-it">Endpoint operations for IT admins</option>
-              <option value="device-management">Device management</option>
-              <option value="vulnerability-management">Vulnerability management</option>
+              <option value="eo-security">Endpoint operations for security engineers</option>
+              <option value="eo-it">Endpoint operations for IT admins</option>
+              <option value="mdm">Device management (MDM)</option>
+              <option value="vm">Vulnerability management</option>
             </select>
             </div>
             <div class="d-block invalid-feedback" v-if="formErrors.topic">Please select an option.</div>

website/views/pages/entrance/signup.ejs

@@ -46,10 +46,10 @@
             <div class="selectbox">
             <select class="form-control" id="primaryBuyingSituation" name="primaryBuyingSituation" :class="[formErrors.primaryBuyingSituation ? 'is-invalid' : '']" v-model="formData.primaryBuyingSituation" @input="typeClearOneFormError('primaryBuyingSituation')">
               <option disabled hidden value="undefined">Choose an option</option>
-              <option value="endpoint-ops-security">Endpoint operations for security engineers</option>
-              <option value="endpoint-ops-it">Endpoint operations for IT admins</option>
-              <option value="device-management">Device management</option>
-              <option value="vulnerability-management">Vulnerability management</option>
+              <option value="eo-security">Endpoint operations for security engineers</option>
+              <option value="eo-it">Endpoint operations for IT admins</option>
+              <option value="mdm">Device management (MDM)</option>
+              <option value="vm">Vulnerability management</option>
             </select>
             </div>
             <div class="d-block invalid-feedback" v-if="formErrors.primaryBuyingSituation">Please select an option.</div>