fleet/server/vulnerabilities/nvd
Konstantin Sykulev a599889152
Improved cpe deterministic matching (#42325)
**Related issue:** Resolves #41644

There are two cases that exist in the cpe database where this generic
logic could not be applied.

django from python_packages:
gofiber:django
djangoproject:django

npm from npm_packages:
microsoft:npm
npmjs:npm

These will require individual cve overrides, which is outside the scope of
this task.

- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.

- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements), JS
inline code is prevented especially for url redirects, and untrusted
data interpolated into shell scripts/commands is validated against shell
metacharacters.

## Testing

- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually


## Summary by CodeRabbit

* **Bug Fixes**
* Enhanced CPE (Common Platform Enumeration) matching to reduce
non-deterministic vendor selection when multiple vendors exist for the
same software product. The algorithm now incorporates software ecosystem
information to ensure more accurate and consistent vulnerability
resolution across package types.

2026-03-24 17:48:02 -05:00
sync Reapply "Update Citrix Workspace CPE generation to distinguish betwee… (#41614) 2026-03-12 16:17:40 -07:00
tools Fix flaky test: TestCacheEviction panics (#31698) 2025-08-09 07:41:47 +02:00
cpe.go Improved cpe deterministic matching (#42325) 2026-03-24 17:48:02 -05:00
cpe_matching_rule.go Added util func around semver to allow for custom preprocessing. Upgraded semver lib (#25437) 2025-01-23 10:21:15 -06:00
cpe_matching_rule_test.go Fixed Admin By Request false positive CVEs (#42095) 2026-03-20 10:35:56 -05:00
cpe_matching_rules.go Fixed Admin By Request false positive CVEs (#42095) 2026-03-20 10:35:56 -05:00
cpe_test.go Improved cpe deterministic matching (#42325) 2026-03-24 17:48:02 -05:00
cpe_translations.go Server changes for matching JetBrains IDE vulnerabilities (#34459) 2025-10-17 11:50:29 -07:00
cpe_translations.json Fixed false positive vulnerabilities for Mattermost Desktop. (#41619) 2026-03-13 13:26:36 -05:00
cpe_translations_test.go 31970 NPM vuln support (#33100) 2025-10-24 12:54:57 -06:00
cve.go Generate correct CPE from malformed ipswitch whatsup CPE, ensure matches relevant CVEs (#41704) 2026-03-16 16:17:47 -05:00
cve_test.go Fixed Admin By Request false positive CVEs (#42095) 2026-03-20 10:35:56 -05:00
db.go Migrating vulnerabilities pkgs to slog. (#40106) 2026-02-20 15:36:38 -06:00
indexed_cpe_item.go Improved cpe deterministic matching (#42325) 2026-03-24 17:48:02 -05:00
README.md 31970 NPM vuln support (#33100) 2025-10-24 12:54:57 -06:00
sanitize.go Fixed CPE matching failing for software names that sanitize to FTS5 reserved keywords (AND, OR, NOT) (#41226) 2026-03-10 14:03:25 -05:00
sanitize_test.go fix: parse out update section of CPE, fix CVE-2024-12254 Windows false positive (#26634) 2025-02-28 08:12:19 -05:00
sync.go Migrating vulnerabilities pkgs to slog. (#40106) 2026-02-20 15:36:38 -06:00
sync_test.go Migrating vulnerabilities pkgs to slog. (#40106) 2026-02-20 15:36:38 -06:00
testing_utils.go Improved cpe deterministic matching (#42325) 2026-03-24 17:48:02 -05:00

CPE Translations

CPE Translations are rules that correct errors in translating Fleet software to Common Platform Enumerations (CPEs), which are used to identify software in the National Vulnerability Database (NVD).

To improve accuracy when mapping software to CVEs, we can add data to cpe_translations.json.

How CPE translations work

CPE Translations are defined in cpe_translations.json and currently released in GitHub once a day. The rules are specified in JSON format, and each rule consists of a software object and a filter object.

software defines the matching logic for which Fleet software this rule applies to. You can match on one or more of the attributes below. Each attribute is an array of string or regex matches (a regex string is identified by a leading and trailing /).
An attribute matches if at least one item in its array matches. If multiple attributes are defined, every one of them must match (e.g. name == Zoom.app && source == apps).

software attributes:

  • name: A software name attribute
  • bundle_identifier: A software bundle_identifier attribute (macOS only)
  • source: A software source attribute (e.g. apps, chrome_extensions, etc.)

example: Search Fleet software for items that match: (bundle_identifier == us.zoom.xos) AND (source == apps)

    "software": {
      "bundle_identifier": ["us.zoom.xos"],
      "source": ["apps"]
    }
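The software matching semantics described above, as an added Go example that is not Fleet's own implementation: OR within each attribute array, AND across attributes, with `/.../` entries treated as regular expressions. The `Software` and `SoftwareMatch` types and the `anyMatch` helper are constructed for this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Software is a simplified stand-in for a Fleet software item (assumed shape).
type Software struct{ Name, BundleIdentifier, Source string }
// SoftwareMatch holds the "software" object of one rule (constructed type).
type SoftwareMatch struct{ Name, BundleIdentifier, Source []string }

// anyMatch is the OR inside one attribute: "/.../" is a regex, else exact.
func anyMatch(patterns []string, value string) (bool, error) {
	for _, p := range patterns {
		if len(p) > 2 && strings.HasPrefix(p, "/") && strings.HasSuffix(p, "/") {
			ok, err := regexp.MatchString(p[1:len(p)-1], value)
			if err != nil || ok {
				return ok, err // invalid regex is reported, not silently skipped
			}
		} else if p == value {
			return true, nil
		}
	}
	return false, nil
}

// Matches is the AND across attributes; omitted attributes do not constrain.
func (m SoftwareMatch) Matches(s Software) (bool, error) {
	attrs := []struct {
		patterns []string
		value    string
	}{{m.Name, s.Name}, {m.BundleIdentifier, s.BundleIdentifier}, {m.Source, s.Source}}
	for _, a := range attrs {
		if len(a.patterns) == 0 {
			continue
		}
		if ok, err := anyMatch(a.patterns, a.value); err != nil || !ok {
			return false, err
		}
	}
	return true, nil
}

func main() {
	rule := SoftwareMatch{BundleIdentifier: []string{"us.zoom.xos"}, Source: []string{"apps"}}
	fmt.Println(rule.Matches(Software{Name: "zoom.us", BundleIdentifier: "us.zoom.xos", Source: "apps"}))
}
```

Go's `regexp.MatchString` is unanchored, so in this example a pattern such as `/zoom/` also matches `notzoom`; anchoring with `^` and `$` keeps a rule from attaching a CPE, and its CVEs, to unrelated software.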

If the software rule matches, then Fleet will search known NVD CPEs (stored in a local sqlite database) using the specified filters or skip the software item based on the filter specified.

filter attributes:

  • product: array of strings to search by product field. If not specified, the software name is used.
  • vendor: array of strings to search by vendor field
  • target_sw: array of strings to search by target_sw field
  • part: string to override the default "a" Part value
  • skip: boolean; software is skipped if true. This overrides any other filters set.

Like the software matching logic, filter items are matched by OR within the array, and AND between filter items.

example: Query the CPE database for a CPE that matches: (product == zoom OR product == meetings) AND (vendor == zoom) AND (target_sw == macos OR target_sw == mac_os)

    "filter": {
      "product": ["zoom", "meetings"],
      "vendor": ["zoom"],
      "target_sw": ["macos", "mac_os"]
    }

Testing CPE Translations (end-to-end)

  1. make the appropriate changes to cpe_translations.json

  2. host this file on a local web server

    go run ./tools/file-server/main.go 8082 ./server/vulnerabilities/nvd/
    
  3. (re)launch your local fleet server with one of the following

    Config method

    vulnerabilities:
      cpe_translations_url: "http://localhost:8082/cpe_translations.json"
    

    Environment method

    FLEET_VULNERABILITIES_CPE_TRANSLATIONS_URL="http://localhost:8082/cpe_translations.json" ./build/fleet serve --dev --dev_license --logging_debug
    
  4. trigger a vulnerabilities scan

    fleetctl trigger --name vulnerabilities