Improve macOS vulnerability detection

michalnicp commented 2 years ago

WARNING: For users that download and sync Fleet's vulnerability feeds manually, there are required adjustments or else vulnerability processing will stop working.

Users with the default vulnerability processing settings can safely upgrade without adjustments.

Required adjustments

If the FLEET_VULNERABILITIES_DISABLE_DATA_SYNC environment variable, or the CLI flag equivalent, is set to true, you must manually download the latest CPE database and CPE translations files and copy them to the configured vulnerabilities databases path. The latest CPE database and CPE translations files can be downloaded from Fleet's NVD Releases repository on GitHub.

If the FLEET_VULNERABILITIES_CPE_DATABASE_URL environment variable, or the CLI flag equivalent, you must make sure that the CPE database file the URL points to is updated to the latest version. The latest CPE database and CPE translations files can be downloaded from Fleet's NVD Releases repository on GitHub.

Goal

Improve detection of Zoom vulnerabilities. Still needs some work as Zoom includes some extra version parts that aren't in the CPE database.
Reduce false positives when ruby and node are installed via Homebrew.

How?

Implement the proposed changes in proposals/improv-mac-os-vuln-detection.md.

Backend

[ ]

noahtalerman commented 2 years ago

Hey @michalnicp do you have stats or examples for how macOS vulnerability detection improved in Fleet 4.20?

For example, was Fleet not detecting vulns for some apps (false negatives) ? What apps are these?

I'd like to include these stats or examples in the release blogpost. This way, our users can answer "how did vulnerability detection improve for macOS?"

michalnicp commented 2 years ago

Improved detection of Zoom vulnerabilities. Still needs some work as Zoom includes some extra version parts that aren't in the CPE database.
Reduced false positives when ruby and node are installed via Homebrew. I think we can close https://github.com/fleetdm/fleet/issues/4804
Can add additional rules to cpe_translations.json as further issues with vulnerability detection are found.

noahtalerman commented 2 years ago

I think we can close https://github.com/fleetdm/fleet/issues/4804

@michalnicp what's left to close #4804?

Do we need to move #4804 into the "QA" column of the release board so that we can test to make sure all Fleet users, by default, get correct vulns for Ruby?

michalnicp commented 2 years ago

I think we can close #4804

@michalnicp what's left to close #4804?

Do we need to move #4804 into the "QA" column of the release board so that we can test to make sure all Fleet users, by default, get correct vulns for Ruby?

Yes, we should probably move this to the QA column.

fleetdm / fleet