Elgato_dark/fleet
1
0
Fork 0
mirror of https://github.com/fleetdm/fleet synced 2026-05-20 15:38:39 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 107
fleet/server/vulnerabilities/nvd
History
Konstantin Sykulev 1330de8653
created mac vim mapping software transformer (#38333) 
**Related issue:** Resolves #33005

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.

## Testing

- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
2026-01-21 12:33:14 -06:00
..
sync Revise generated CPE for Docker Desktop for macOS to match more recent CVEs, make Docker CVE CPEs consistent (#32335) 2025-08-27 10:11:21 -06:00
tools Fix flaky test: TestCacheEviction panics (#31698) 2025-08-09 07:41:47 +02:00
cpe.go created mac vim mapping software transformer (#38333) 2026-01-21 12:33:14 -06:00
cpe_matching_rule.go Added util func around semver to allow for custom preprocessing. Upgraded semver lib (#25437) 2025-01-23 10:21:15 -06:00
cpe_matching_rule_test.go Migrate logic from nvdtools into Fleet (#18244) 2024-04-24 15:25:59 -07:00
cpe_matching_rules.go Add CVE exclusion for Dota when we don't report the version number correctly (#34384) 2025-10-16 14:35:56 -05:00
cpe_test.go created mac vim mapping software transformer (#38333) 2026-01-21 12:33:14 -06:00
cpe_translations.go Server changes for matching JetBrains IDE vulnerabilities (#34459) 2025-10-17 11:50:29 -07:00
cpe_translations.json (releases on merge to main) Fix vuln false positives for "Logi Bolt.app" (#33920) 2025-10-27 16:55:30 -07:00
cpe_translations_test.go 31970 NPM vuln support (#33100) 2025-10-24 12:54:57 -06:00
cve.go Switch vulns cron false positive clear to clear vulns based on when the vulns run started, rather than based on periodicity (#31364) 2025-07-29 10:14:14 -05:00
cve_test.go Add CVE exclusion for Dota when we don't report the version number correctly (#34384) 2025-10-16 14:35:56 -05:00
db.go Add sw_edition to cpe db generation and cpe translations (#32879) 2025-09-17 11:30:49 -04:00
indexed_cpe_item.go Add sw_edition to cpe db generation and cpe translations (#32879) 2025-09-17 11:30:49 -04:00
README.md 31970 NPM vuln support (#33100) 2025-10-24 12:54:57 -06:00
sanitize.go Server changes for matching JetBrains IDE vulnerabilities (#34459) 2025-10-17 11:50:29 -07:00
sanitize_test.go fix: parse out update section of CPE, fix CVE-2024-12254 Windows false positive (#26634) 2025-02-28 08:12:19 -05:00
sync.go feat: allow different cisa url to be provided (#31728) 2025-08-13 13:35:45 -05:00
sync_test.go feat: allow different cisa url to be provided (#31728) 2025-08-13 13:35:45 -05:00
testing_utils.go Fixes various bugs with NVD vulnerability detection (#7963) 2022-10-04 07:04:48 -04:00

README.md

CPE Translations

CPE Translations are rules to address bugs when translating Fleet software to Common Platform Enumerations (CPEs) which are used to identify software in the National Vulnerability Database (NVD)

To improve accuracy when mapping software to CVEs, we can add data to cpe_translations.json

How CPE translations work

CPE Translations are defined in cpe_translations.json and currently released in GitHub once a day. The rules are specified in JSON format and and each rule consists of a software and a filter object.

software defines matching logic on what Fleet Software this rule should apply to. You can use one or more of the below attributes to match on. Each attribute is an array of string or regex matches (a regex string is identified by a leading and trailing /).
A match on the attribute is found if at least 1 item in the array matches. If multiple attributes are defined, then a match is needed for each attribute. (ie. name == Zoom.app && source == apps)

software attributes:

  • name: A software name attribute
  • bundle_identifier: A software bundle_identifier attribute (macOS only)
  • source: A software source attribute (ie. apps, chrome_extensions, etc...)

example: Search Fleet software for items that match: (bundle_identifier == us.zoom.xos) AND (source = apps)

"software": {
      "bundle_identifier": ["us.zoom.xos"],
      "source": ["apps"]
    }

If the software rule matches, then Fleet will search known NVD CPEs (stored in a local sqlite database) using the specified filters or skip the software item based on the filter specified.

filter attributes:

  • product: array of strings to search by product field. If not specified, the software name is used.
  • vendor: array of strings to search by vendor field
  • target_sw: array of strings to search by target_sw field
  • part: string to override the default "a" Part value
  • skip: boolean; software is skipped if true. This overrides any other filters set.

Like the software matching logic, filter items are matched by OR within the array, and AND between filter items

example: Query the CPE database for a CPE that matches: (product == zoom OR product == meetings) AND (vendor == zoom) AND (target == macos OR target == mac_os)

"filter": {
      "product": ["zoom", "meetings"],
      "vendor": ["zoom"],
      "target_sw": ["macos", "mac_os"]
    }

Testing CPE Translations (end-to-end)

  1. make the appropriate changes to cpe_translations

  2. host this file on a local web server

    go run ./tools/file-server/main.go 8082 ./server/vulnerabilities/nvd/

  3. (re)launch your local fleet server with one of the following

    Config method

    vulnerabilities:
cpe_translations_url: "http://localhost:8082/cpe_translations.json"

    Environment method

    FLEET_VULNERABILITIES_CPE_TRANSLATIONS_URL="http://localhost:8082/cpe_translations.json" ./build/fleet serve --dev --dev_license --logging_debug

  4. trigger a vulnerabilities scan

    fleetctl trigger --name vulnerabilities