diff --git a/.github/workflows/dogfood-gitops.yml b/.github/workflows/dogfood-gitops.yml index 14c23204cc..e50cbc7a33 100644 --- a/.github/workflows/dogfood-gitops.yml +++ b/.github/workflows/dogfood-gitops.yml @@ -47,7 +47,7 @@ jobs: FLEET_GITOPS_DIR: ${{ github.workspace }}/it-and-security FLEET_URL: https://dogfood.fleetdm.com FLEET_API_TOKEN: ${{ secrets.DOGFOOD_API_TOKEN }} - DOGFOOD_APPLE_BM_DEFAULT_TEAM: Workstations + DOGFOOD_APPLE_BM_DEFAULT_TEAM: "πŸ’»Workstations" DOGFOOD_MACOS_MIGRATION_WEBHOOK_URL: ${{ secrets.DOGFOOD_MACOS_MIGRATION_WEBHOOK_URL }} DOGFOOD_GLOBAL_ENROLL_SECRET: ${{ secrets.DOGFOOD_GLOBAL_ENROLL_SECRET }} DOGFOOD_SSO_ISSUER_URI: ${{ secrets.DOGFOOD_SSO_ISSUER_URI }} diff --git a/CHANGELOG.md b/CHANGELOG.md index c8c0143f49..ac4301c2e9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,12 @@ +## Fleet 4.47.1 (Mar 18, 2024) + +### Bug fixes + +* Removed outdated tooltips from UI. +* Fixed an issue with Windows MDM profile processing where `` commands were being skipped. +* Team users no longer have access to OS versions on hosts from other teams for GET fleet/os_versions and GET fleet/os_versions/[id]. +* Reduced the number of 'Deadlock found' errors seen by the server when multiple hosts share the same UUID. + ## Fleet 4.47.0 (Mar 11, 2024) ### Endpoint operations diff --git a/changes/17061-homebrew-python b/changes/17061-homebrew-python new file mode 100644 index 0000000000..bf76e59e02 --- /dev/null +++ b/changes/17061-homebrew-python @@ -0,0 +1 @@ +Fixing false negative vulnerabilities on macOS Homebrew python packages. diff --git a/charts/fleet/Chart.yaml b/charts/fleet/Chart.yaml index e5da8a827a..d17e312c04 100644 --- a/charts/fleet/Chart.yaml +++ b/charts/fleet/Chart.yaml @@ -8,7 +8,7 @@ version: v6.0.2 home: https://github.com/fleetdm/fleet sources: - https://github.com/fleetdm/fleet.git -appVersion: v4.47.0 +appVersion: v4.47.1 dependencies: - name: mysql condition: mysql.enabled 
diff --git a/charts/fleet/values.yaml b/charts/fleet/values.yaml index cccbbbf53f..a4e2f3b816 100644 --- a/charts/fleet/values.yaml +++ b/charts/fleet/values.yaml @@ -2,7 +2,7 @@ # All settings related to how Fleet is deployed in Kubernetes hostName: fleet.localhost replicas: 3 # The number of Fleet instances to deploy -imageTag: v4.47.0 # Version of Fleet to deploy +imageTag: v4.47.1 # Version of Fleet to deploy podAnnotations: {} # Additional annotations to add to the Fleet pod serviceAccountAnnotations: {} # Additional annotations to add to the Fleet service account resources: diff --git a/infrastructure/dogfood/terraform/aws/variables.tf b/infrastructure/dogfood/terraform/aws/variables.tf index db52977d4e..532a892465 100644 --- a/infrastructure/dogfood/terraform/aws/variables.tf +++ b/infrastructure/dogfood/terraform/aws/variables.tf @@ -56,7 +56,7 @@ variable "database_name" { variable "fleet_image" { description = "the name of the container image to run" - default = "fleetdm/fleet:v4.47.0" + default = "fleetdm/fleet:v4.47.1" } variable "software_inventory" { diff --git a/infrastructure/dogfood/terraform/gcp/variables.tf b/infrastructure/dogfood/terraform/gcp/variables.tf index ed05409ebb..3fb278db31 100644 --- a/infrastructure/dogfood/terraform/gcp/variables.tf +++ b/infrastructure/dogfood/terraform/gcp/variables.tf @@ -68,5 +68,5 @@ variable "redis_mem" { } variable "image" { - default = "fleet:v4.47.0" + default = "fleet:v4.47.1" } diff --git a/it-and-security/teams/servers-canary.yml b/it-and-security/teams/servers-canary.yml index a009d9dcf0..fe582aede3 100644 --- a/it-and-security/teams/servers-canary.yml +++ b/it-and-security/teams/servers-canary.yml @@ -1,4 +1,4 @@ -name: "Servers (canary)" +name: "☁️🐣Servers (canary)" team_settings: features: enable_host_users: false diff --git a/it-and-security/teams/servers.yml b/it-and-security/teams/servers.yml index b10d25d3e3..212a2bd0ab 100644 --- a/it-and-security/teams/servers.yml 
+++ b/it-and-security/teams/servers.yml @@ -1,4 +1,4 @@ -name: "Servers" +name: "☁️Servers" team_settings: features: enable_host_users: true diff --git a/it-and-security/teams/workstations-canary.yml b/it-and-security/teams/workstations-canary.yml index d859a4acf0..2ceefcce9c 100644 --- a/it-and-security/teams/workstations-canary.yml +++ b/it-and-security/teams/workstations-canary.yml @@ -1,4 +1,4 @@ -name: "Workstations (canary)" +name: "πŸ’»πŸ£Workstations (canary)" team_settings: features: enable_host_users: true diff --git a/server/vulnerabilities/nvd/cpe_test.go b/server/vulnerabilities/nvd/cpe_test.go index 8c4298b0d1..6f8a5f4c94 100644 --- a/server/vulnerabilities/nvd/cpe_test.go +++ b/server/vulnerabilities/nvd/cpe_test.go @@ -1604,6 +1604,15 @@ func TestCPEFromSoftwareIntegration(t *testing.T) { // DO NOT MATCH with Cisco Umbrella cpe: "", }, + { + software: fleet.Software{ + Name: "python@3.9", + Source: "homebrew_packages", + Version: "3.9.18_2", + Vendor: "", + }, + cpe: `cpe:2.3:a:python:python:3.9.18_2:*:*:*:*:*:*:*`, + }, } // NVD_TEST_CPEDB_PATH can be used to speed up development (sync cpe.sqlite only once). diff --git a/server/vulnerabilities/nvd/sanitize.go b/server/vulnerabilities/nvd/sanitize.go index 33dc144f8a..40e0be0ddc 100644 --- a/server/vulnerabilities/nvd/sanitize.go +++ b/server/vulnerabilities/nvd/sanitize.go 
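Review bot: The entry added to the TestCPEFromSoftwareIntegration table pins only the `python@3.9` name with version `3.9.18_2`, so the shorter suffixes listed in the sanitizer's own comment (`@3`, `@3.9.18`) have no regression coverage. Nor does the rule that stripping applies to `homebrew_packages` only. Over-stripping and under-stripping both change which CPE a package maps to, so a small table test on `sanitizeSoftwareName` would pin this cheaply, for example `{Name: "python@3", Source: "homebrew_packages"}` expecting `python`. The expected CPE also carries Homebrew's revision suffix `_2` in its version field; whether later version-range matching tolerates that is not visible here and deserves a comment. The test function starts and ends outside the hunk.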
@@ -81,11 +81,13 @@ var langCodes = map[string]bool{ // - Removing any extra spaces // - Lowercasing the name // - Removing parts from the bundle identifier +// - Removing version contained in homebrew_packages name func sanitizeSoftwareName(s *fleet.Software) string { archs := regexp.MustCompile(` \(?x64\)?|\(?64-bit\)?|\(?64bit\)?|\(?amd64\)? `) ver := regexp.MustCompile(` \.?\(?(\d+\.)?(\d+\.)?(\*|\d+)\)?\s?`) gen := regexp.MustCompile(` \(\w+\)\s?`) comments := regexp.MustCompile(` (-|:)\s?.+`) + versions := regexp.MustCompile(`@\d+($|(\.\d+($|\..+)))`) // @3 or @3.9 or @3.9.18 or @3.9.18_2 r := strings.ToLower(s.Name) r = strings.TrimSuffix(r, ".app") @@ -119,6 +121,11 @@ func sanitizeSoftwareName(s *fleet.Software) string { r = strings.Replace(r, ")", " ", -1) r = strings.Join(strings.Fields(r), " ") + // Remove @ from homebrew names + if s.Source == "homebrew_packages" { + r = versions.ReplaceAllString(r, "") + } + return r } diff --git a/terraform/byo-vpc/byo-db/byo-ecs/variables.tf b/terraform/byo-vpc/byo-db/byo-ecs/variables.tf index 34e1224e23..f91717e035 100644 --- a/terraform/byo-vpc/byo-db/byo-ecs/variables.tf +++ b/terraform/byo-vpc/byo-db/byo-ecs/variables.tf @@ -13,7 +13,7 @@ variable "fleet_config" { type = object({ mem = optional(number, 4096) cpu = optional(number, 512) - image = optional(string, "fleetdm/fleet:v4.47.0") + image = optional(string, "fleetdm/fleet:v4.47.1") family = optional(string, "fleet") sidecars = optional(list(any), []) depends_on = optional(list(any), []) diff --git a/terraform/byo-vpc/byo-db/variables.tf b/terraform/byo-vpc/byo-db/variables.tf index 345c3b5915..ccc1350a59 100644 --- a/terraform/byo-vpc/byo-db/variables.tf +++ b/terraform/byo-vpc/byo-db/variables.tf 
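Review bot: The last branch of the new `versions` pattern, `\..+`, accepts any text after the second dot rather than only version characters. A Homebrew name with unexpected trailing content after `@N.N.` is therefore cut back to the bare formula name and could be matched to a different product's CPE. If only the forms in the trailing comment are intended, a stricter pattern such as `@\d+(\.\d+)*(_\d+)?$` says so directly. The pattern is also compiled on every call of sanitizeSoftwareName, like the four above it; a package-level `var` would compile it once. The function body continues outside this hunk.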
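Review bot: The comment `// Remove @ from homebrew names` in the second sanitize.go hunk understates what the branch does. It removes the whole `@<version>` suffix, not just the `@`, and only when `s.Source` is `homebrew_packages`. I would write `// Strip the "@<version>" suffix of versioned Homebrew formulae, e.g. "python@3.9" -> "python".` so the next reader does not have to decode the regex to see the effect on CPE lookup. The rest of the function is outside the hunk.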
@@ -74,7 +74,7 @@ variable "fleet_config" { type = object({ mem = optional(number, 4096) cpu = optional(number, 512) - image = optional(string, "fleetdm/fleet:v4.47.0") + image = optional(string, "fleetdm/fleet:v4.47.1") family = optional(string, "fleet") sidecars = optional(list(any), []) depends_on = optional(list(any), []) diff --git a/terraform/byo-vpc/example/main.tf b/terraform/byo-vpc/example/main.tf index fca893ee9d..0a3234a11d 100644 --- a/terraform/byo-vpc/example/main.tf +++ b/terraform/byo-vpc/example/main.tf @@ -17,7 +17,7 @@ provider "aws" { } locals { - fleet_image = "fleetdm/fleet:v4.47.0" + fleet_image = "fleetdm/fleet:v4.47.1" domain_name = "example.com" } diff --git a/terraform/byo-vpc/variables.tf b/terraform/byo-vpc/variables.tf index f6d434237a..139dccf8c0 100644 --- a/terraform/byo-vpc/variables.tf +++ b/terraform/byo-vpc/variables.tf @@ -165,7 +165,7 @@ variable "fleet_config" { type = object({ mem = optional(number, 4096) cpu = optional(number, 512) - image = optional(string, "fleetdm/fleet:v4.47.0") + image = optional(string, "fleetdm/fleet:v4.47.1") family = optional(string, "fleet") sidecars = optional(list(any), []) depends_on = optional(list(any), []) diff --git a/terraform/example/main.tf b/terraform/example/main.tf index 8aade09819..b13e7319d0 100644 --- a/terraform/example/main.tf +++ b/terraform/example/main.tf @@ -59,8 +59,8 @@ module "fleet" { fleet_config = { # To avoid pull-rate limiting from dockerhub, consider using our quay.io mirror - # for the Fleet image. e.g. "quay.io/fleetdm/fleet:v4.47.0" - image = "fleetdm/fleet:v4.47.0" # override default to deploy the image you desire + # for the Fleet image. e.g. "quay.io/fleetdm/fleet:v4.47.1" + image = "fleetdm/fleet:v4.47.1" # override default to deploy the image you desire # See https://fleetdm.com/docs/deploy/reference-architectures#aws for appropriate scaling # memory and cpu. autoscaling = { 
diff --git a/terraform/variables.tf b/terraform/variables.tf index caced3cc7b..ec0e865dce 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -215,7 +215,7 @@ variable "fleet_config" { type = object({ mem = optional(number, 4096) cpu = optional(number, 512) - image = optional(string, "fleetdm/fleet:v4.47.0") + image = optional(string, "fleetdm/fleet:v4.47.1") family = optional(string, "fleet") sidecars = optional(list(any), []) depends_on = optional(list(any), []) diff --git a/tools/fleetctl-npm/package.json b/tools/fleetctl-npm/package.json index ba7911d602..6cbd601152 100644 --- a/tools/fleetctl-npm/package.json +++ b/tools/fleetctl-npm/package.json @@ -1,6 +1,6 @@ { "name": "fleetctl", - "version": "v4.47.0", + "version": "v4.47.1", "description": "Installer for the fleetctl CLI tool", "bin": { "fleetctl": "./run.js" diff --git a/website/api/controllers/deliver-talk-to-us-form-submission.js b/website/api/controllers/deliver-talk-to-us-form-submission.js index fae7de41c8..9232fed824 100644 --- a/website/api/controllers/deliver-talk-to-us-form-submission.js +++ b/website/api/controllers/deliver-talk-to-us-form-submission.js @@ -46,10 +46,10 @@ module.exports = { required: true, description: 'What this user will be using Fleet for', isIn: [ - 'vulnerability-management', - 'device-management', - 'endpoint-ops-it', - 'endpoint-ops-security', + 'vm', + 'mdm', + 'eo-it', + 'eo-security', ], }, diff --git a/website/api/controllers/entrance/signup.js b/website/api/controllers/entrance/signup.js index df3b8853aa..652b20e802 100644 --- a/website/api/controllers/entrance/signup.js +++ b/website/api/controllers/entrance/signup.js @@ -68,10 +68,10 @@ the account verification message.)`, description: 'What the user will be using Fleet for.', required: true, isIn: [ - 'endpoint-ops-security', - 'endpoint-ops-it', - 'device-management', - 'vulnerability-management' + 'eo-security', + 'eo-it', + 'mdm', + 'vm' ], } 
@@ -153,6 +153,7 @@ the account verification message.)`, signupReason, password: await sails.helpers.passwords.hashPassword(password), stripeCustomerId, + primaryBuyingSituation, tosAcceptedByIp: this.req.ip }, sails.config.custom.verifyEmailAddresses? { emailProofToken: await sails.helpers.strings.random('url-friendly'), diff --git a/website/api/models/User.js b/website/api/models/User.js index 0f90184da1..513c4d083e 100644 --- a/website/api/models/User.js +++ b/website/api/models/User.js @@ -202,6 +202,18 @@ without necessarily having a billing card.` defaultsTo: false }, + primaryBuyingSituation: { + type: 'string', + description: 'The primary buying situation the user selected when they signed up.', + extendedDescription: 'User records created before 2024-03-14 will have this attribute set to ""', + isIn: [ + 'eo-security', + 'eo-it', + 'mdm', + 'vm', + ] + } + // ╔═╗╔╦╗╔╗ ╔═╗╔╦╗╔═╗ // β•‘β•£ β•‘β•‘β•‘β• β•©β•—β•‘β•£ β•‘β•‘β•šβ•β•— // β•šβ•β•β•© β•©β•šβ•β•β•šβ•β•β•β•©β•β•šβ•β• diff --git a/website/package.json b/website/package.json index 8a233939d7..e050e3271f 100644 --- a/website/package.json +++ b/website/package.json @@ -15,8 +15,7 @@ "sails-hook-organics": "^2.2.2", "sails-hook-orm": "^4.0.2", "sails-hook-sockets": "^3.0.0", - "sails-postgresql": "^5.0.0", - "yaml": "1.10.2" + "sails-postgresql": "^5.0.0" }, "devDependencies": { "eslint": "5.16.0", @@ -24,7 +23,8 @@ "htmlhint": "0.11.0", "lesshint": "6.3.6", "marked": "4.0.10", - "sails-hook-grunt": "^4.0.0" + "sails-hook-grunt": "^4.0.0", + "yaml": "1.10.2" }, "scripts": { "custom-tests": "echo \"(No other custom tests yet.)\" && echo", diff --git a/website/scripts/create-issues-for-todays-rituals.js b/website/scripts/create-issues-for-todays-rituals.js index cc71a58dd6..9faf00bca1 100644 --- a/website/scripts/create-issues-for-todays-rituals.js +++ b/website/scripts/create-issues-for-todays-rituals.js 
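Review bot: Moving `yaml` from `dependencies` to `devDependencies` (both website/package.json hunks) assumes nothing that runs from a production install still needs it, which cannot be verified from these hunks. The rituals script in this commit no longer requires it, but its new error text tells the operator to run `sails run build-static-content`, which is presumably where the YAML is parsed now. If that build step runs in an environment installed without dev dependencies, it would fail at `require('yaml')`. It is worth confirming where the build runs and checking `website/` for remaining requires of the package before merging.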
@@ -13,33 +13,17 @@ module.exports = { fn: async function ({ dry }) { - let path = require('path'); - let YAML = require('yaml'); - let topLvlRepoPath = path.resolve(sails.config.appPath, '../'); + if (!_.isObject(sails.config.builtStaticContent) || !_.isObject(sails.config.builtStaticContent.rituals)) { + throw new Error('Missing, incomplete, or invalid configuration. Could not create issues for todays rituals, please try running `sails run build-static-content` and try running this script again.'); + } + let baseHeaders = {// (for github api) 'User-Agent': 'Fleetie pie', 'Authorization': `token ${sails.config.custom.githubAccessToken}` }; - // Find all the files in the top level /handbook folder and it's sub-folders - let FILES_IN_HANDBOOK_FOLDER = await sails.helpers.fs.ls.with({ - dir: path.join(topLvlRepoPath, '/handbook'), - depth: 3 - }); - // Filter the list of filenames to get the rituals YAML files. - let ritualYamlPaths = FILES_IN_HANDBOOK_FOLDER.filter((filePath)=>{ - return _.endsWith(filePath, 'rituals.yml'); - }); - for (let ritualSource of ritualYamlPaths) { - // Load rituals - let pathToRituals = path.resolve(topLvlRepoPath, ritualSource); - let rituals = []; - let ritualsYml = await sails.helpers.fs.read(pathToRituals); - try { - rituals = YAML.parse(ritualsYml, { prettyErrors: true }); - } catch (err) { - throw new Error(`Could not parse the YAMl for rituals at ${pathToRituals} on line ${err.linePos.start.line}. To resolve, make sure the YAML is valid, and try again: ` + err.stack); - } + for (let ritualSource in sails.config.builtStaticContent.rituals) { + let rituals = sails.config.builtStaticContent.rituals[ritualSource]; for (let ritual of rituals) { // For each ritual, we'll: // - Convert the ritual's frequency into milliseconds. diff --git a/website/views/pages/contact.ejs b/website/views/pages/contact.ejs index 3aaeb3e87d..386ace9101 100644 --- a/website/views/pages/contact.ejs +++ b/website/views/pages/contact.ejs @@ -79,10 +79,10 @@
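Review bot: The new guard checks only that `sails.config.builtStaticContent.rituals` is an object, while each `rituals[ritualSource]` value goes straight into `for (let ritual of rituals)`. A source whose built value is not an array is not rejected with a descriptive error the way the old YAML parse path did. A per-source check such as `if (!_.isArray(rituals)) { throw new Error('Invalid rituals for ' + ritualSource); }` keeps the failure readable. `for...in` also walks inherited enumerable keys, so iterating `Object.keys(sails.config.builtStaticContent.rituals)` is the safer form. The `fn` body continues outside the hunk.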
Please select an option.
diff --git a/website/views/pages/entrance/signup.ejs b/website/views/pages/entrance/signup.ejs index 7027d8115c..af992bc0c9 100644 --- a/website/views/pages/entrance/signup.ejs +++ b/website/views/pages/entrance/signup.ejs @@ -46,10 +46,10 @@
Please select an option.