Fixes: #31989

# Adding sw_edition to CPE generation and translation

This PR adds the ability to override sw_edition with cpe translations. This adds a new column to cpe.sqlite that is generated daily. Old versions of fleet will still work with the new cpe db and translations. Versions from this change forward will require the new cpe db for cpe translations to work.

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information.

## Testing

- [x] Added/updated automated tests
- [ ] Where appropriate, [automated tests simulate multiple hosts and test for host isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing) (updates to one host's records do not affect another)
- [x] QA'd all new/changed functionality manually

## Backwards Compatibility

Testing with physical machines and for Firefox ESR fix

| Fleet version | cpe db | translations | vuln. soft. # | Firefox ESR cpe | Firefox ESR vuln. # |
| ------- | ------ | ------------ | ------------- | ---------------- | ------------------- |
| Updated | old | old | 58 | `:*:macos:*:*` | 168 |
| Updated | new | new | 58 | `:esr:macos:*:*` | 92 |
| 4.71.1 | old | old | 58 | `:*:macos:*:*` | 168 |
| 4.71.1 | new | new | 58 | `:*:macos:*:*` | 168 |

Testing with osquery-perf hosts

| Fleet version | cpe db | translations | vuln. soft. # | Vulnerabilities |
| ------- | ------ | ------------ | ------------- | --------------- |
| Updated | old | old | 156/161 | 3136 |
| Updated | new | new | 156/161 | 3136 |
| 4.71.1 | old | old | 156/161 | 3951 |
| 4.71.1 | new | new | 156/161 | 3951 |

---------

Co-authored-by: Ian Littman <iansltx@gmail.com>
# CPE Translations

CPE translations are rules that address bugs when translating Fleet software to Common Platform Enumerations (CPEs), which are used to identify software in the National Vulnerability Database (NVD).

To improve accuracy when mapping software to CVEs, we can add data to `cpe_translations.json`.

## How CPE translations work

CPE translations are defined in `cpe_translations.json` and are currently released in
GitHub once a day. The rules are specified in JSON format,
and each rule consists of a `software` and a `filter` object.
`software` defines the matching logic for which Fleet software this rule applies to. You can use one
or more of the attributes below to match on. Each attribute is an array of string or regex
matches (a regex string is identified by a leading and trailing `/`).

A match on an attribute is found if at least one item in the array matches. If multiple
attributes are defined, then a match is needed for each attribute (i.e. `name == Zoom.app &&
source == apps`).

`software` attributes:

- `name`: A software name attribute
- `bundle_identifier`: A software bundle_identifier attribute (macOS only)
- `source`: A software source attribute (i.e. `apps`, `chrome_extensions`, etc.)

Example: search Fleet software for items that match (bundle_identifier == us.zoom.xos) AND (source == apps):

```json
"software": {
  "bundle_identifier": ["us.zoom.xos"],
  "source": ["apps"]
}
```
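
The matching rules described above (OR within an attribute's array, AND across attributes, `/.../` marking a regex), as an added Go example; it is not Fleet's own code. It assumes the file is a top-level JSON array of rules, that non-regex entries are compared by exact equality and that a software item is a plain string map; `Rule`, `anyMatch`, `MatchingRules` and the second sample rule are hypothetical.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// Rule keeps only the "software" matcher; "filter" is ignored by this sketch.
type Rule struct{ Software map[string][]string `json:"software"` }

// Constructed sample rules (top-level array assumed; second rule is hypothetical).
const sampleRules = `[{"software": {"bundle_identifier": ["us.zoom.xos"], "source": ["apps"]}},
 {"software": {"name": ["/^Example Agent( \\d+)?\\.app$/"], "source": ["apps"]}}]`

// anyMatch is the OR step: "/.../" entries are regexes, all others exact strings.
// A regex that does not compile matches nothing, and "//" is not treated as a regex.
func anyMatch(patterns []string, value string) bool {
	for _, p := range patterns {
		ok := p == value
		if n := len(p); n > 2 && p[0] == '/' && p[n-1] == '/' {
			re, err := regexp.Compile(p[1 : n-1])
			ok = err == nil && re.MatchString(value)
		}
		if ok {
			return true
		}
	}
	return false
}

// MatchingRules returns the indexes of every rule whose attributes all match sw.
func MatchingRules(rulesJSON string, sw map[string]string) (hits []int, err error) {
	var rules []Rule
	if err = json.Unmarshal([]byte(rulesJSON), &rules); err != nil {
		return nil, err
	}
	for i, r := range rules {
		ok := len(r.Software) > 0 // a rule with no attributes applies to nothing
		for attr, patterns := range r.Software {
			ok = ok && anyMatch(patterns, sw[attr]) // AND across attributes
		}
		if ok {
			hits = append(hits, i)
		}
	}
	return hits, nil
}

func main() { fmt.Println(MatchingRules(sampleRules, map[string]string{"bundle_identifier": "us.zoom.xos", "source": "apps"})) }
```

Go's `regexp` matches anywhere in the string unless the pattern is anchored, so in this example an unanchored entry such as `/Agent/` would also select unrelated software; the sample rule anchors with `^` and `$` to keep the match, and therefore the CPE it leads to, tied to one product.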
If the software rule matches, then Fleet will search known NVD CPEs (stored in a local sqlite database) using the
specified filters or skip the software item based on the filter specified.
`filter` attributes:

- `product`: array of strings to search by product field
- `vendor`: array of strings to search by vendor field
- `target_sw`: array of strings to search by target_sw field
- `part`: string to override the default "a" Part value
- `skip`: boolean; software is skipped if `true`. This overrides any other filters set.

Like the software matching logic, filter items are matched by OR within the array, and AND between filter items.

Example: query the CPE database for a CPE that matches (product == zoom OR product == meetings) AND (vendor == zoom) AND (target_sw == macos OR target_sw == mac_os):

```json
"filter": {
  "product": ["zoom", "meetings"],
  "vendor": ["zoom"],
  "target_sw": ["macos", "mac_os"]
}
```
## Testing CPE Translations (end-to-end)

1. Make the appropriate changes to `cpe_translations.json`.

2. Host this file on a local web server:

   ```
   go run ./tools/file-server/main.go 8082 ./server/vulnerabilities/nvd/
   ```

3. (Re)launch your local fleet server with one of the following.

   Config method:

   ```yaml
   vulnerabilities:
     cpe_translations_url: "http://localhost:8082/cpe_translations.json"
   ```

   Environment method:

   ```
   FLEET_VULNERABILITIES_CPE_TRANSLATIONS_URL="http://localhost:8082/cpe_translations.json" ./build/fleet serve --dev --dev_license --logging_debug
   ```

4. Trigger a vulnerabilities scan:

   ```
   fleetctl trigger --name vulnerabilities
   ```