Elgato_dark/fleet
1
0
Fork 0
mirror of https://github.com/fleetdm/fleet synced 2026-04-21 21:47:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 117
fleet/cmd/cpe
History
Scott Gress 4bed761f77
Add validator for NVD feed items (#29282) 
for #21304 

# Checklist for submitter

- [X] Manual QA for all new/changed functionality

## Details

This PR adds a new validator for NVD feed files to be run as part of the
nvd repo workflow. The intention is for that workflow to fail if any of
the files it creates are not valid (i.e. they would not be parseable by
the Fleet server) so that we don't publish and tag a release with bad
files in it.

This follows the pattern from
https://github.com/fleetdm/fleet/issues/21300 as suggested by @iansltx.

## Testing

I downloaded all of the latest release files to my local system using
```bash
gh release download 202505190037 -D ~/Downloads/nvd
```
and then ran the validator on them with
```bash
go run cmd/cpe/validate/main.go --db_dir ~/Downloads/nvd
```
To simulate file issues, I modified one section of each file to change a
value into the wrong type, and validated that this caused the validator
to panic. Examples:
```
panic: failed to load CPE translations: decode json: json: cannot unmarshal string into Go struct field CPETranslation.filter.vendor of type []string

goroutine 1 [running]:
main.checkCPETranslations({0x16dc975f9?, 0x14000192190?})
	/Users/scott/Development/fleet/cmd/cpe/validate/main.go:34 +0xa8
main.main()
	/Users/scott/Development/fleet/cmd/cpe/validate/main.go:24 +0xb0
exit status 2
```
---
```
panic: failed to parse MacOffice release notes fleet_macoffice_release_notes_macoffice-2025_05_19.json: parsing time "xyz" as "2006-01-02T15:04:05Z07:00": cannot parse "xyz" as "2006"

goroutine 1 [running]:
main.checkMacOfficeNotes({0x16f7af5f9, 0x1a})
	/Users/scott/Development/fleet/cmd/cpe/validate/main.go:56 +0x1f0
main.main()
	/Users/scott/Development/fleet/cmd/cpe/validate/main.go:25 +0xbc
exit status 2
```
---
```
panic: failed to parse MSRC feed fleet_msrc_Windows_Server_2012_R2-2025_05_19.json: json: cannot unmarshal array into Go struct field Vulnerability.Vulnerabities.RemediatedBy of type bool

goroutine 1 [running]:
main.checkMSRCVulnerabilities({0x16f49b5f9, 0x1a})
	/Users/scott/Development/fleet/cmd/cpe/validate/main.go:74 +0x1ac
main.main()
	/Users/scott/Development/fleet/cmd/cpe/validate/main.go:26 +0xc8
exit status 2
```

Additionally I tried the validator in [a run of the NVD
workflow](https://github.com/fleetdm/nvd/actions/runs/15121687898/job/42505283781)
and it executed successfully.
2025-05-22 14:51:52 -05:00
..
testdata Updating CPE generator to use new NVD API. (#15018) 2023-11-20 16:10:00 -06:00
validate Add validator for NVD feed items (#29282) 2025-05-22 14:51:52 -05:00
generate.go Update to Go 1.24.1 (#27506) 2025-03-31 11:14:09 -05:00
generate_test.go Updating CPE generator to use new NVD API. (#15018) 2023-11-20 16:10:00 -06:00