mirror of
https://github.com/fleetdm/fleet
synced 2026-05-24 09:28:54 +00:00
ae4ccdf6d3
<!-- Add the related story/sub-task/bug number, like Resolves #123, or remove if NA --> **Related issue:** Resolves #40054 # Checklist for submitter - [ ] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. - Included in previous PR ## Testing - [x] Added/updated automated tests - [x] QA'd all new/changed functionality manually <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Refactor** * Migrated logging infrastructure from external framework to standard library structured logging, enabling improved context-aware operations and error tracking across vulnerability detection and synchronization workflows. <!-- end of auto-generated comment: release notes by coderabbit.ai -->
185 lines
5.9 KiB
Go
185 lines
5.9 KiB
Go
package customcve
|
|
|
|
import (
|
|
"context"
|
|
"errors"
|
|
"fmt"
|
|
"log/slog"
|
|
"strings"
|
|
"time"
|
|
|
|
"github.com/fleetdm/fleet/v4/server/fleet"
|
|
"github.com/fleetdm/fleet/v4/server/vulnerabilities/nvd/tools/cvefeed/nvd"
|
|
)
|
|
|
|
var (
|
|
MissingCVEsErr = errors.New("CVEs must be specified")
|
|
MissingNameLikeMatch = errors.New("NameLikeMatch must be specified")
|
|
MissingResolvedInVersionErr = errors.New("ResolvedInVersion must be specified")
|
|
)
|
|
|
|
// CVEMatchingRuleSpec contains custom matching rules for matching software
|
|
// with a list of CVEs. These rules address false negatives in the NVD data.
|
|
// Add an interface if you want to add more rule types.
|
|
type CVEMatchingRule struct {
|
|
NameLikeMatch string // Name of software to match (like match)
|
|
ExcludeIfNameContains string // Exclude software if name contains this pattern (case-insensitive, in-memory filter)
|
|
SourceMatch string // Source of software to match (exact match)
|
|
CVEs []string // List of CVEs to assign to software
|
|
ResolvedInVersion string // Version of software that resolves the CVEs
|
|
}
|
|
|
|
type CVEMatchingRules []CVEMatchingRule
|
|
|
|
// getCVEMatchingRules returns a list of custom rules for matching software with CVEs
|
|
// Currently only supporting CVEMatchingRules, but can be extended to support other types.
|
|
// Append new rules here.
|
|
func getCVEMatchingRules() CVEMatchingRules {
|
|
return []CVEMatchingRule{
|
|
// June 11 2024 Office 365 Vulnerabilities
|
|
// https://learn.microsoft.com/en-us/officeupdates/microsoft365-apps-security-updates
|
|
{
|
|
NameLikeMatch: "Microsoft 365",
|
|
ExcludeIfNameContains: "companion",
|
|
SourceMatch: "programs",
|
|
CVEs: []string{"CVE-2024-30101", "CVE-2024-30102", "CVE-2024-30103", "CVE-2024-30104"},
|
|
ResolvedInVersion: "16.0.17628.20144",
|
|
},
|
|
// July 9 2024 Office 365 Vulnerabilities
|
|
// https://learn.microsoft.com/en-us/officeupdates/microsoft365-apps-security-updates
|
|
{
|
|
NameLikeMatch: "Microsoft 365",
|
|
ExcludeIfNameContains: "companion",
|
|
SourceMatch: "programs",
|
|
CVEs: []string{"CVE-2023-38545", "CVE-2024-38020", "CVE-2024-38021"},
|
|
ResolvedInVersion: "16.0.17726.20160",
|
|
},
|
|
// August 13 2024 Office 365 Vulnerabilities
|
|
// https://learn.microsoft.com/en-us/officeupdates/microsoft365-apps-security-updates
|
|
{
|
|
NameLikeMatch: "Microsoft 365",
|
|
ExcludeIfNameContains: "companion",
|
|
SourceMatch: "programs",
|
|
CVEs: []string{
|
|
"CVE-2024-38172",
|
|
"CVE-2024-38170",
|
|
"CVE-2024-38173",
|
|
"CVE-2024-38171",
|
|
"CVE-2024-38189",
|
|
"CVE-2024-38169",
|
|
"CVE-2024-38200",
|
|
},
|
|
ResolvedInVersion: "16.0.17830.20166",
|
|
},
|
|
// Gitk and Git GUI CVEs for Homebrew git-gui package
|
|
// These CVEs affect gitk/git-gui which is git-gui on Homebrew not git
|
|
{
|
|
NameLikeMatch: "git-gui",
|
|
SourceMatch: "homebrew_packages",
|
|
CVEs: []string{"CVE-2025-27613", "CVE-2025-27614", "CVE-2025-46835"},
|
|
ResolvedInVersion: "2.50.1",
|
|
},
|
|
// Windows Notepad command injection vulnerability
|
|
// https://cveawg.mitre.org/api/cve/CVE-2026-20841
|
|
{
|
|
NameLikeMatch: "Microsoft.WindowsNotepad",
|
|
SourceMatch: "programs",
|
|
CVEs: []string{"CVE-2026-20841"},
|
|
ResolvedInVersion: "11.2510",
|
|
},
|
|
}
|
|
}
|
|
|
|
func (r CVEMatchingRule) match(ctx context.Context, ds fleet.Datastore) ([]fleet.SoftwareVulnerability, error) {
|
|
var vulns []fleet.SoftwareVulnerability
|
|
filter := fleet.VulnSoftwareFilter{
|
|
Name: r.NameLikeMatch,
|
|
Source: r.SourceMatch,
|
|
}
|
|
software, err := ds.ListSoftwareForVulnDetection(ctx, filter)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
var excludePattern string
|
|
if r.ExcludeIfNameContains != "" {
|
|
excludePattern = strings.ToLower(r.ExcludeIfNameContains)
|
|
}
|
|
|
|
for _, s := range software {
|
|
// Skip software that matches the exclusion pattern
|
|
if excludePattern != "" && strings.Contains(strings.ToLower(s.Name), excludePattern) {
|
|
continue
|
|
}
|
|
|
|
if nvd.SmartVerCmp(s.Version, r.ResolvedInVersion) < 0 {
|
|
for _, cve := range r.CVEs {
|
|
vulns = append(vulns, fleet.SoftwareVulnerability{
|
|
SoftwareID: s.ID,
|
|
CVE: cve,
|
|
ResolvedInVersion: &r.ResolvedInVersion,
|
|
})
|
|
}
|
|
}
|
|
}
|
|
|
|
return vulns, nil
|
|
}
|
|
|
|
func (r CVEMatchingRule) validate() error {
|
|
if len(r.CVEs) == 0 {
|
|
return MissingCVEsErr
|
|
}
|
|
|
|
if r.NameLikeMatch == "" {
|
|
return MissingNameLikeMatch
|
|
}
|
|
|
|
if r.ResolvedInVersion == "" {
|
|
return MissingResolvedInVersionErr
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// ValidateAll returns an error if any rule in the list fails to validate
|
|
func (r CVEMatchingRules) ValidateAll() error {
|
|
for i, rule := range r {
|
|
if err := rule.validate(); err != nil {
|
|
return fmt.Errorf("invalid rule %d: %v", i, err)
|
|
}
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// CheckCustomVulnerabilities matches software against custom rules and inserts vulnerabilities
|
|
func CheckCustomVulnerabilities(ctx context.Context, ds fleet.Datastore, logger *slog.Logger, startTime time.Time) ([]fleet.SoftwareVulnerability, error) {
|
|
rules := getCVEMatchingRules()
|
|
if err := rules.ValidateAll(); err != nil {
|
|
return nil, fmt.Errorf("invalid rules: %w", err)
|
|
}
|
|
|
|
var vulns []fleet.SoftwareVulnerability
|
|
for i, rule := range rules {
|
|
v, err := rule.match(ctx, ds)
|
|
if err != nil {
|
|
logger.ErrorContext(ctx, "Error matching rule", "ruleIndex", i, "err", err)
|
|
continue
|
|
}
|
|
vulns = append(vulns, v...)
|
|
}
|
|
|
|
newVulns, err := ds.InsertSoftwareVulnerabilities(ctx, vulns, fleet.CustomSource)
|
|
if err != nil {
|
|
// Return early so DeleteOutOfDateVulnerabilities doesn't run.
|
|
// Otherwise, without the insert refreshing updated_at, all existing vulns would look stale and be deleted.
|
|
logger.ErrorContext(ctx, "Error inserting software vulnerabilities", "err", err)
|
|
return nil, err
|
|
}
|
|
|
|
if err := ds.DeleteOutOfDateVulnerabilities(ctx, fleet.CustomSource, startTime); err != nil {
|
|
logger.ErrorContext(ctx, "Error deleting out of date vulnerabilities", "err", err)
|
|
}
|
|
|
|
return newVulns, nil
|
|
}
|