Closed mikermcneil closed 2 years ago
I have one host hooked up, software inventory is coming back, but vulnerabilities are set to NULL for every package. It might very well be that there is no vulnerable software on this machine, OR that vulnerability processing is broken, but I am not quite sure how to check. If there are simply no vulns, the UI should state that instead of telling me to wait for an hour.
@ksatter It's a standard setup out of the box, the only thing I've configured are the URL + pointed to the right certificates.
In the current config:

```json
{
  "databases_path": "/tmp/vulndbs",
  "periodicity": 3600000000000,
  "cpe_database_url": "",
  "cve_feed_prefix_url": "",
  "current_instance_checks": "auto",
  "disable_data_sync": false,
  "recent_vulnerability_max_age": 2592000000000000
}
```
I checked `/tmp/vulndbs` and it's full of files.
I found a potential issue with the oval vulnerability scanning. In https://github.com/fleetdm/fleet/blob/907ffa8ff1b08c0220f44ee9af3d919a4a839efc/server/vulnerabilities/oval/oval_platform.go#L21, if an `osVersion` of `Ubuntu 20.04.2 LTS` is passed, the major and minor versions returned are both empty. At a minimum, this causes a problem during the oval file syncing, but there are probably more issues.
It looks like the change in https://github.com/fleetdm/fleet/pull/6360 is the cause. We should adjust the version regex to correctly parse the new os version that we are returning for ubuntu https://github.com/fleetdm/fleet/blob/907ffa8ff1b08c0220f44ee9af3d919a4a839efc/server/service/osquery_utils/queries.go#L133
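As an added illustration of the parsing failure described above (example code written for this page, not Fleet's own; the two regexes are hypothetical stand-ins for a strict pattern and an adjusted one, and the sample version strings are constructed), this shows how a pattern that only expects `MAJOR.MINOR` returns empty parts for `Ubuntu 20.04.2 LTS`, while a pattern that tolerates a patch component and a trailing suffix still yields `20` and `04`:

```go
package main

import (
	"fmt"
	"regexp"
)

// Hypothetical strict pattern: only "Ubuntu MAJOR.MINOR" matches, so the
// newer "Ubuntu 20.04.2 LTS" string yields empty major/minor, the failure
// mode reported in this issue. This is NOT Fleet's actual regex.
var strictUbuntuVersion = regexp.MustCompile(`^Ubuntu (\d+)\.(\d+)$`)

// Tolerant pattern: accepts an optional ".PATCH" component and an optional
// trailing suffix such as " LTS", still anchored at both ends so unrelated
// text cannot match.
var tolerantUbuntuVersion = regexp.MustCompile(`^Ubuntu (\d+)\.(\d+)(?:\.\d+)?(?: .*)?$`)

// parseMajorMinor returns the major and minor parts captured by re, or two
// empty strings when re does not match, mirroring the empty values observed.
func parseMajorMinor(re *regexp.Regexp, osVersion string) (major, minor string) {
	m := re.FindStringSubmatch(osVersion)
	if m == nil {
		return "", ""
	}
	return m[1], m[2]
}

// StrictMajorMinor applies the hypothetical strict pattern.
func StrictMajorMinor(osVersion string) (string, string) {
	return parseMajorMinor(strictUbuntuVersion, osVersion)
}

// TolerantMajorMinor applies the adjusted pattern.
func TolerantMajorMinor(osVersion string) (string, string) {
	return parseMajorMinor(tolerantUbuntuVersion, osVersion)
}

func main() {
	// Constructed sample os_version strings, old and new formats.
	for _, v := range []string{"Ubuntu 20.04", "Ubuntu 20.04.2 LTS", "Ubuntu 22.04 LTS"} {
		sMaj, sMin := StrictMajorMinor(v)
		tMaj, tMin := TolerantMajorMinor(v)
		fmt.Printf("%-22q strict=%q.%q tolerant=%q.%q\n", v, sMaj, sMin, tMaj, tMin)
	}
}
```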
Sounds like there are two parts to this issue: A) An issue with Ubuntu vulns mentioned above. FYI @chiiph B) UI showing the state of “vulnerability processing still happening” in a situation where the underlying reality is either that there are no vulns or that an error has occurred. FYI @lukeheath
I checked the related frontend code and there is a relevant TODO:
Looks like there was a point where we couldn't differentiate between "no vulnerabilities" and "vulnerabilities still processing".
@noahtalerman How would you like to handle the case of no results?
cc @RachelElysia (added the TODO)
> Looks like there was a point where we couldn't differentiate between "no vulnerabilities" and "vulnerabilities still processing".
@RachelElysia is this still the case? We can't differentiate between "no vulnerabilities" and "vulnerabilities still processing" ?
Heads up folks, I updated this issue title to "Issue with the oval vulnerability scanning" so that its focus is the scanning fix that @juan-fdz-hawa is working on.
I opened a separate "On Home and Software pages, improve empty state" issue here: #6799. This issue's focus is the no software and/or no vulnerable software state in the UI. I prioritized working on wireframes for this issue.
cc @RachelElysia @lukeheath @mikermcneil @GuillaumeRoss
I don't recall offhand if there's any value being returned from the backend that makes it explicit whether the case is "no vulnerabilities detected" or "still processing". Assuming not, one potential approach would be to use the time since `counts_updated_at` as a proxy. Perhaps we could display "no vulnerabilities detected" if vulnerabilities are empty and it has been more than 2x the vulnerabilities scanning periodicity. Or something like that. In this case, the "still processing" UI was a signal that something might be wrong. So maybe a third approach of displaying some sort of "something might be wrong, file a GitHub issue" message in cases like these.
Vulnerabilities table only has 1 empty state (`Vulnerabilities.tsx`):

```tsx
const NoVulnsDetected = (): JSX.Element => {
  return (
    <div className={`${baseClass}__empty-vulnerabilities`}>
      <div className="empty-vulnerabilities__inner">
        <h1>No vulnerabilities detected for this software item.</h1>
        <p>
          Expecting to see vulnerabilities?{" "}
          <a
            href={GITHUB_NEW_ISSUE_LINK}
            target="_blank"
            rel="noopener noreferrer"
          >
            File an issue on GitHub{" "}
            <img alt="External link" src={ExternalLinkIcon} />
          </a>
        </p>
      </div>
    </div>
  );
};
```
Empty state (screenshot is with 0 hosts) for vulnerabilities differs between the Homepage and the Software page as well:
@RachelElysia would you link up your comments in the other issue? Want to make sure we don’t lose track once this one gets closed
Fleet version: 4.17.0
Bug
Vulnerable software not displayed 4 hours after deployment, even though software inventory is there
Guillaume Ross 3 minutes ago It is on 4.17. The Software API returns the software, all of which have NULL vulnerabilities. So either vuln processing is not happening or I don’t have vulnerable stuff and it’s a UI issue. Gotta find a package I can install that’ll be vulnerable I guess