iansltx
commented
1 month ago @sharon-fdm can we bring this into the sprint along with the NVD one, as it's going to be basically the same work on both sides? I actually thought the NVD issue was this one. Estimate would be 2, given that we'd do both at the same time.
Fleet version: all
💥 Actual behavior
The
vulnerabilitiesfeed build workflow is capable of pushing a release that panics Fleet server attempts to parse it (see #21239).🧑💻 Steps to reproduce
At first glance the above sounds like "switch back to a broken version and wow it's broken!" but the mitigation we're looking for here ensures that if we have issues in some other part of the JSON we're delivering we catch those issues as well and opt to fail out (and raise a P1 alert) rather than publishing what amounts to a poisoned vulns feed.
🛠️ To fix
We need to add a step in the workflow that basically does at least the inverse of what the vulnerability processing cron (or, more simply, the
vuln_processingcommand) does when thedisable_data_syncconfig value is set totrue: sync vulnerabilities without worrying about scanning against installed packages on hosts. Add that step after this one:https://github.com/fleetdm/vulnerabilities/blob/b17bd30c22abe6e23f01ae89b5162e8acfa8a990/.github/workflows/generate-cve.yml#L62-L66
and fail the build if the command returns nonzero.
In order to do this, we'll need to decide what's in-scope to integration test, and how to effectively mock the rest; my thought here is that we can place the files where the server would expect them rather than downloading over GitHub, and that will still catch the sorts of issues we're looking for. That's about as good as we can do without publishing releases.
/cc @sharon-fdm @getvictor