fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)
https://fleetdm.com

Fleet vulnerability automation webhook not working #18902

Closed ojaschauhan closed 2 days ago

ojaschauhan commented 1 month ago

version 4.49.2

Chrome running on macOS, but the issue is not related to the browser; it's on the Fleet server


💥  Actual behavior

Fleet had an issue with NVD and I thought it's due to that the webhook is not sending any new vulns. But it's not even working after the NVD fix.

I am able to see that every day the vulnerability count is changing, but nothing gets sent to the webhook I have configured in automation. I have tried testing the webhook manually; it's working fine. I have tried reconfiguring it. Tried to dig into server logs to see any events, but I don't see a single event related to the webhook/automation being called or an error that it wasn't able to execute.

TODO

🧑‍💻  Steps to reproduce

Add any new vulnerable software to your device. Let Fleet sync it.

See if automation sends details to webhook or not.

sharon-fdm commented 1 month ago

@mostlikelee, can you please see if this is reproducible?

mostlikelee commented 1 month ago

I wasn't able to reproduce this. @ojaschauhan by default webhooks are only triggered if the vulnerability was published in the last 30 days, which is a configurable date. Could that be the cause?

ojaschauhan commented 1 month ago

@mostlikelee Yes, I installed a very old version of Python, which is now shown in the vulnerability section, but no webhook got triggered for it.

And I am seeing the number of vulnerabilities changing every day, and it adds new vulns as well, which are also not being sent to the webhook.

I don't see any logs for it, so I am not sure how I can share more information about it.

mostlikelee commented 1 month ago

@ojaschauhan by default, webhooks only trigger for CVEs published in the last 30 days but you can change that using recent-vulnerability-max-age. Could that be the issue you're seeing?

nikolastoilov commented 1 month ago

@mostlikelee This shouldn't be the case, as we haven't made any config changes to the webhook; it just stopped working in February (roughly the same timeframe when there were issues with NVD DB). By looking at the container logs, we don't see anything that hints us towards the reason for the issue (nothing like failed POST/incorrect JSON formatting). We are kind of running out of options to troubleshoot this further. Is there anything else that we may be missing here?

rodneysamuel commented 1 month ago

Yep, checking the code and the logs, I can't seem to find anything that points to the webhook being triggered at all.

mostlikelee commented 1 week ago

@nikolastoilov @rodneysamuel Can you provide debug fleet logs along with an example CVE and Software you expect to trigger a webhook?

mostlikelee commented 2 days ago

Closing this issue because we can't currently reproduce the behavior, but please feel free to re-open it if the issue is still occurring!

fleet-release commented 2 days ago

Webhook silent, still, Vulnerability hides, Fixed, safety resides.