
Refactor vulnerability resolved in version logic

Open ksykulev opened this issue 9 months ago • 0 comments

Goal

User story
As a developer,
I want to have a cleaner server/vulnerabilities/nvd/cve.go file
so that I can change this logic easier and more efficiently.

Key result

Original requests

Clean up server/vulnerabilities/nvd/cve.go

  • Make the code more exclusively contain logic dealing with CPE to CVE translations
  • CVE -> NVD matching

This will make the complicated file easier to read and reason about.

Context

  • Product Designer: @ksykulev

As of https://github.com/fleetdm/fleet/pull/26062 we no longer use the semver library for version parsing; we use the nvd tools SmartVerCmp instead.

Changes

getMatchingVersionEndExcluding https://github.com/fleetdm/fleet/blob/main/server/vulnerabilities/nvd/cve.go#L605 and checkVersion https://github.com/fleetdm/fleet/blob/main/server/vulnerabilities/nvd/cve.go#L693 could possibly get moved onto the Vuln interface https://github.com/fleetdm/fleet/blob/main/server/vulnerabilities/nvd/tools/cvefeed/vuln.go#L22-L39 as a method.

That would move all the resolved in version logic into https://github.com/fleetdm/fleet/blob/main/server/vulnerabilities/nvd/tools/cvefeed/nvd/match_cve.go
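The sketch below is an added example, not Fleet's code and not the nvd tools implementation. It shows the shape the proposal describes: a trimmed-down, hypothetical `Vuln` interface that carries the "resolved in version" check as a method (`ResolvedInVersion`), backed by a hand-written `smartVerCmp` that stands in for the NVD tools SmartVerCmp. The `strictSemverValid` helper mimics a strict semver parser so the difference is visible: versions such as `10.1` or `1.0.0a`, which real software reports all the time, fail strict semver parsing and would silently never match a CVE, whereas the segment-aware comparison orders them. The CVE identifier and version ranges are constructed for the example.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// leadingNumber splits a segment such as "10rc1" into its numeric prefix (10)
// and the remainder ("rc1"); ok is false when the segment has no leading digits.
func leadingNumber(s string) (n int, rest string, ok bool) {
	i := 0
	for i < len(s) && s[i] >= '0' && s[i] <= '9' {
		i++
	}
	if i == 0 {
		return 0, s, false
	}
	n, _ = strconv.Atoi(s[:i]) // digits only; only absurdly long input could overflow
	return n, s[i:], true
}

// cmpSegment compares one version segment: numeric prefixes numerically,
// then the alphabetic remainder lexically. A segment with digits beats a
// segment without (so "0" < "0a" but "rc1" < "0").
func cmpSegment(x, y string) int {
	xn, xr, xok := leadingNumber(x)
	yn, yr, yok := leadingNumber(y)
	switch {
	case xok && yok:
		if xn < yn {
			return -1
		}
		if xn > yn {
			return 1
		}
	case xok:
		return 1
	case yok:
		return -1
	}
	return strings.Compare(xr, yr)
}

// smartVerCmp is a simplified, hand-written stand-in (assumption: NOT the
// nvd tools SmartVerCmp) that splits on '.' and '-' and compares segment by
// segment, so "10.1" > "9.2" and "1.0.0a" > "1.0.0". Missing trailing
// segments compare as empty, which sorts lowest.
func smartVerCmp(a, b string) int {
	sep := func(r rune) bool { return r == '.' || r == '-' }
	as, bs := strings.FieldsFunc(a, sep), strings.FieldsFunc(b, sep)
	for i := 0; i < len(as) || i < len(bs); i++ {
		var x, y string
		if i < len(as) {
			x = as[i]
		}
		if i < len(bs) {
			y = bs[i]
		}
		if c := cmpSegment(x, y); c != 0 {
			return c
		}
	}
	return 0
}

// strictSemverValid mimics a strict semver parser: exactly three dot-separated
// numeric components. In a scanner, a parse failure means the software is
// never matched, i.e. a false negative rather than an error.
func strictSemverValid(v string) bool {
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return false
	}
	for _, p := range parts {
		if p == "" {
			return false
		}
		if _, err := strconv.Atoi(p); err != nil {
			return false
		}
	}
	return true
}

// Vuln is a hypothetical, trimmed-down interface in the spirit of the issue's
// proposal: the "resolved in version" logic lives on the vulnerability itself.
type Vuln interface {
	ID() string
	// ResolvedInVersion returns the versionEndExcluding bound of the affected
	// range that contains v, and true if v is inside such a range.
	ResolvedInVersion(v string) (string, bool)
}

// cveRange is one affected range; "" means unbounded on that side.
type cveRange struct{ startIncluding, endExcluding string }

type cve struct {
	id     string
	ranges []cveRange
}

func (c *cve) ID() string { return c.id }

func (c *cve) ResolvedInVersion(v string) (string, bool) {
	for _, r := range c.ranges {
		if r.startIncluding != "" && smartVerCmp(v, r.startIncluding) < 0 {
			continue
		}
		if r.endExcluding != "" && smartVerCmp(v, r.endExcluding) >= 0 {
			continue
		}
		return r.endExcluding, true
	}
	return "", false
}

// sampleVuln is a constructed CVE (placeholder identifier) affecting
// versions < 2.3.1 and 3.0.0 <= v < 3.0.7.
func sampleVuln() Vuln {
	return &cve{id: "CVE-XXXX-TEST", ranges: []cveRange{{"", "2.3.1"}, {"3.0.0", "3.0.7"}}}
}

func main() {
	v := sampleVuln()
	for _, ver := range []string{"2.3.0", "2.3.1", "3.0.2", "10.1", "1.0.0a"} {
		fixed, affected := v.ResolvedInVersion(ver)
		fmt.Printf("%s semver-parsable=%t affected=%t resolvedIn=%q\n",
			ver, strictSemverValid(ver), affected, fixed)
	}
}
```

Because the comparison and the range walk live on the vulnerability object, a test for "resolved in version" only needs a `Vuln` and a version string, which is the main readability gain the issue is after.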

Engineering

  • [ ] Test plan is finalized
  • [ ] Contributor API changes: none
  • [x] Feature guide changes: none
  • [x] Database schema migrations: none
  • [ ] Load testing: none

ℹ️  Please read this issue carefully and understand it. Pay special attention to UI wireframes, especially "dev notes".

QA

Risk assessment

  • Requires load testing: n/a
  • Risk level: Low
  • Risk description: low because there is decent automated test coverage around this.

Test plan

At the very least, run the vulnerability cron and make sure there are no errors.

  1. Run osquery perf or load up the database with some test software
  2. Take a backup
  3. Run the vulnerability cron on the main branch. Get counts of the software_cve and cve_meta tables
  4. Check out the new code
  5. Restore the database from the backup
  6. Run the vulnerability cron
  7. Compare counts of the software_cve and cve_meta tables

Testing notes

Confirmation

  1. [ ] Engineer: Added comment to user story confirming successful completion of test plan.
  2. [ ] QA: Added comment to user story confirming successful completion of test plan.

ksykulev Apr 06 '25 16:04