Get accurate vulns for Google Chrome browser plugins (extensions)

zayhanlon commented 10 months ago

This issue's remaining effort can be completed in ≤1 sprint. It will be valuable even if nothing else ships.

It is planned and ready to implement. It is on the proper kanban board.

Goal

User story
As a vulnerability management engineer,
I want Fleet to use a source outside of the National Vulnerability Database (NVD) to detect vulnerabilities in Google Chrome browser plugins (extensions)
so that I can get an accurate report of vulnerable browser plugins installed on my hosts.

We think NVD reports incorrect vulns which results in false positives: https://github.com/fleetdm/fleet/issues/11924#issuecomment-1777757578
Fleet's method of fixing this kind of false positive (incorrect NVD report) is to completely exclude a specific browser plugin from vuln reporting.
We think there are alternative sources for vulns for browser plugins (similar to how we parse changelogs from Microsoft for macOS Office apps instead of the NVD dataset.)

Changes

Product

[ ] UI changes: TODO
[ ] CLI usage changes: TODO
[ ] REST API changes: TODO
[ ] Permissions changes: TODO
[ ] Outdated documentation changes: TODO
[ ] Changes to paid features or tiers: TODO
[ ] Scalability testing: TODO

Engineering

[ ] Database schema migrations: TODO

ℹ️ Please read this issue carefully and understand it. Pay special attention to UI wireframes, especially "dev notes".

Context

Requestor(s): @zayhanlon

QA

Risk assessment

Requires load testing: TODO
Risk level: Low / High TODO
Risk description: TODO

Manual testing steps

Step 1
Step 2
Step 3

Testing notes

Confirmation

[ ] Engineer (@____): Added comment to user story confirming succesful completion of QA.
[ ] QA (@____): Added comment to user story confirming succesful completion of QA.

noahtalerman commented 10 months ago

Feature fest: Why just investigate? We should make this about getting accurate vuln data for browser extensions. Take this.

noahtalerman commented 10 months ago

@zayhanlon heads up, we pulled this into the upcoming design sprint.

rachaelshaw commented 9 months ago

@zayhanlon we didn't get to this in the current design sprint, bringing this back to Feature Fest.

marko-lisica commented 9 months ago

@zayhanlon We didn't get to this one in the current design sprint. Adding it to feature fest.

noahtalerman commented 8 months ago

Heads up @zayhanlon this request was discussed during feature fest last week and didn't make it into the current design sprint.

fleetdm / fleet