mirror of
https://github.com/fleetdm/fleet
synced 2026-04-21 21:47:20 +00:00
092b51f1c2
<!-- Add the related story/sub-task/bug number, like Resolves #123, or remove if NA --> **Related issue:** Resolves #31820 and #39898 Vulnerability processing performance improvements, and added OTEL spans to the vulnerabilities cron job. Optimized the two main bottlenecks in the vulnerability cron job: CPE matching and CVE insertion. In my loadtest testing (10K hosts), the overall initial vulnerabilities job went from over 2 hours down to 53 minutes, and the number of spans (DB accesses) went from ~2 million to ~90K. 1. CPE matching (TranslateSoftwareToCPE): replaced the goqu query builder with hand-written SQL using raw database/sql queries. Replaced UNION with separate queries because case number 3 was an expensive full text match operation and in most cases we did not need to do that. 2. CVE insertion (TranslateCPEToCVE and other places): replaced individual INSERT INTO software_cve ... VALUES (?,?,?,?) calls with batch inserts of 500 rows each, using the existing BatchProcessSimple helper. Same pattern applied to OS vulnerability inserts using the existing InsertOSVulnerabilities batch method. Functional equivalence verified using osquery perf dataset locally. Both changes produce identical output (22,366 CPEs, 131,233 CVEs) when compared against the old code using a before/after comparison tool. - CPE caveats: bugs #39898 and https://github.com/fleetdm/fleet/issues/39899 found # Checklist for submitter - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. ## Testing - [x] Added/updated automated tests - [x] QA'd all new/changed functionality manually <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Expanded tracing for automated vulnerability workflows to improve observability. * **Performance** * Bulk/batched processing for software and OS vulnerability inserts to speed ingestion and downstream tasks. * More efficient CPE lookup and read-optimized database access for faster translations. * **Bug Fixes** * Improved error recording and read-after-write consistency to reduce missed or duplicate vulnerability notifications. * **Tests** * Test suite updated to support batch insertion semantics. <!-- end of auto-generated comment: release notes by coderabbit.ai -->
151 lines
4.4 KiB
Go
151 lines
4.4 KiB
Go
package macoffice
|
|
|
|
import (
|
|
"context"
|
|
"errors"
|
|
"os"
|
|
"path/filepath"
|
|
"testing"
|
|
"time"
|
|
|
|
"github.com/fleetdm/fleet/v4/server/fleet"
|
|
"github.com/fleetdm/fleet/v4/server/mock"
|
|
"github.com/fleetdm/fleet/v4/server/vulnerabilities/io"
|
|
"github.com/stretchr/testify/require"
|
|
)
|
|
|
|
func TestAnalyzer(t *testing.T) {
|
|
ctx := context.Background()
|
|
|
|
t.Run("Analyze", func(t *testing.T) {
|
|
t.Run("when using wrong path", func(t *testing.T) {
|
|
vulns, err := Analyze(ctx, nil, "some bad path", false)
|
|
require.Empty(t, vulns)
|
|
require.Error(t, err)
|
|
})
|
|
|
|
t.Run("when no release notes on path", func(t *testing.T) {
|
|
vulnDir := t.TempDir()
|
|
vulns, err := Analyze(ctx, nil, vulnDir, false)
|
|
require.Empty(t, vulns)
|
|
require.NoError(t, err)
|
|
})
|
|
})
|
|
|
|
t.Run("updateVulnsInDB", func(t *testing.T) {
|
|
t.Run("on error when deleting vulns", func(t *testing.T) {
|
|
ds := new(mock.Store)
|
|
ds.DeleteSoftwareVulnerabilitiesFunc = func(ctx context.Context, vulnerabilities []fleet.SoftwareVulnerability) error {
|
|
return errors.New("some error")
|
|
}
|
|
ds.InsertSoftwareVulnerabilitiesFunc = func(ctx context.Context, vulns []fleet.SoftwareVulnerability, source fleet.VulnerabilitySource) ([]fleet.SoftwareVulnerability, error) {
|
|
return nil, nil
|
|
}
|
|
|
|
vulns, err := updateVulnsInDB(ctx, ds, nil, nil)
|
|
require.Empty(t, vulns)
|
|
require.Error(t, err, "some error")
|
|
})
|
|
|
|
t.Run("on error when inserting vulns", func(t *testing.T) {
|
|
detected := []fleet.SoftwareVulnerability{
|
|
{SoftwareID: 1, CVE: "123"},
|
|
}
|
|
|
|
ds := new(mock.Store)
|
|
ds.DeleteSoftwareVulnerabilitiesFunc = func(ctx context.Context, vulnerabilities []fleet.SoftwareVulnerability) error {
|
|
return nil
|
|
}
|
|
ds.InsertSoftwareVulnerabilitiesFunc = func(ctx context.Context, vulns []fleet.SoftwareVulnerability, source fleet.VulnerabilitySource) ([]fleet.SoftwareVulnerability, error) {
|
|
return nil, errors.New("some error")
|
|
}
|
|
|
|
vulns, err := updateVulnsInDB(ctx, ds, detected, nil)
|
|
require.Empty(t, vulns)
|
|
require.Error(t, err, "some error")
|
|
})
|
|
})
|
|
|
|
t.Run("collectVulnerabilities", func(t *testing.T) {
|
|
t.Run("no release notes", func(t *testing.T) {
|
|
software := fleet.Software{}
|
|
var relNotes ReleaseNotes
|
|
vulns := collectVulnerabilities(&software, Word, relNotes)
|
|
require.Empty(t, vulns)
|
|
})
|
|
})
|
|
|
|
t.Run("getStoredVulnerabilities", func(t *testing.T) {
|
|
t.Run("on error", func(t *testing.T) {
|
|
ds := new(mock.Store)
|
|
ds.SoftwareByIDFunc = func(ctx context.Context, id uint, teamID *uint, includeCVEScores bool, tmFilter *fleet.TeamFilter) (*fleet.Software, error) {
|
|
return nil, errors.New("some error")
|
|
}
|
|
|
|
vulns, err := getStoredVulnerabilities(ctx, ds, uint(0))
|
|
require.Empty(t, vulns)
|
|
require.Error(t, err, "some error")
|
|
})
|
|
})
|
|
|
|
t.Run("latestReleaseNotes", func(t *testing.T) {
|
|
t.Run("returns release notes in order", func(t *testing.T) {
|
|
vulnPath := t.TempDir()
|
|
|
|
releaseNotes := ReleaseNotes{
|
|
{Version: "1", Date: time.Now().Add(-36 * time.Hour)},
|
|
{Version: "2", Date: time.Now()},
|
|
}
|
|
|
|
err := releaseNotes.Serialize(time.Now(), vulnPath)
|
|
require.NoError(t, err)
|
|
|
|
actual, err := getLatestReleaseNotes(vulnPath)
|
|
require.NoError(t, err)
|
|
require.Equal(t, releaseNotes[0].Version, actual[1].Version)
|
|
require.Equal(t, releaseNotes[1].Version, actual[0].Version)
|
|
})
|
|
|
|
t.Run("when vuln path exists", func(t *testing.T) {
|
|
vulnPath := t.TempDir()
|
|
|
|
actual, err := getLatestReleaseNotes(vulnPath)
|
|
require.NoError(t, err)
|
|
require.Empty(t, actual)
|
|
|
|
err = ReleaseNotes{{Version: "2"}}.Serialize(time.Now(), vulnPath)
|
|
require.NoError(t, err)
|
|
|
|
err = ReleaseNotes{{Version: "1"}}.Serialize(time.Now().Add(-35*time.Hour), vulnPath)
|
|
require.NoError(t, err)
|
|
|
|
actual, err = getLatestReleaseNotes(vulnPath)
|
|
require.NoError(t, err)
|
|
require.NotEmpty(t, actual)
|
|
require.Equal(t, "2", actual[0].Version)
|
|
})
|
|
|
|
t.Run("when vuln path does not exists", func(t *testing.T) {
|
|
releaseNotes, err := getLatestReleaseNotes("bad path")
|
|
require.Empty(t, releaseNotes)
|
|
require.Error(t, err)
|
|
})
|
|
|
|
t.Run("when the JSON file is invalid", func(t *testing.T) {
|
|
vulnPath := t.TempDir()
|
|
|
|
fileName := io.MacOfficeRelNotesFileName(time.Now())
|
|
filePath := filepath.Join(vulnPath, fileName)
|
|
|
|
f, err := os.Create(filePath)
|
|
require.NoError(t, err)
|
|
defer f.Close()
|
|
|
|
_, err = f.WriteString("some bad json")
|
|
require.NoError(t, err)
|
|
|
|
_, err = getLatestReleaseNotes(vulnPath)
|
|
require.Error(t, err)
|
|
})
|
|
})
|
|
}
|