
Improve macOS vulnerability detection #6628

Closed

michalnicp opened this issue Jul 12, 2022 · 4 comments

Comments

michalnicp (Contributor) commented Jul 12, 2022

WARNING: For users that download and sync Fleet's vulnerability feeds manually, there are required adjustments or else vulnerability processing will stop working.

Users with the default vulnerability processing settings can safely upgrade without adjustments.

Required adjustments

If the FLEET_VULNERABILITIES_DISABLE_DATA_SYNC environment variable, or the CLI flag equivalent, is set to true, you must manually download the latest CPE database and CPE translations files and copy them to the configured vulnerabilities databases path. The latest CPE database and CPE translations files can be downloaded from Fleet's NVD Releases repository on GitHub.

If the FLEET_VULNERABILITIES_CPE_DATABASE_URL environment variable, or the CLI flag equivalent, is set, you must make sure that the CPE database file the URL points to is updated to the latest version. The latest CPE database and CPE translations files can be downloaded from Fleet's NVD Releases repository on GitHub.

Goal

  • Improve detection of Zoom vulnerabilities. Still needs some work as Zoom includes some extra version parts that aren't in the CPE database.
  • Reduce false positives when ruby and node are installed via Homebrew.

How?

Implement the proposed changes in proposals/improv-mac-os-vuln-detection.md.

Backend

  • [ ]
@michalnicp michalnicp self-assigned this Jul 12, 2022
@michalnicp michalnicp moved this to 🥚 Ready in 🚀 Release Jul 12, 2022
@michalnicp michalnicp moved this from 🥚 Ready to 🐣 In progress in 🚀 Release Jul 12, 2022
@michalnicp michalnicp moved this from 🐣 In progress to ✨ In review in 🚀 Release Aug 3, 2022
@michalnicp michalnicp moved this from ✨ In review to ✔️ Awaiting QA in 🚀 Release Sep 1, 2022
noahtalerman (Member) commented

Hey @michalnicp do you have stats or examples for how macOS vulnerability detection improved in Fleet 4.20?

For example, was Fleet not detecting vulns for some apps (false negatives)? What apps are these?

I'd like to include these stats or examples in the release blogpost. This way, our users can answer "how did vulnerability detection improve for macOS?"

michalnicp (Contributor, Author) commented Sep 6, 2022

  • Improved detection of Zoom vulnerabilities. Still needs some work as Zoom includes some extra version parts that aren't in the CPE database.
  • Reduced false positives when ruby and node are installed via Homebrew. I think we can close Incorrect vulnerability mapping for Ruby #4804
  • Can add additional rules to cpe_translations.json as further issues with vulnerability detection are found.
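The two problems this thread describes, Zoom reporting extra version parts that are absent from the CPE database and Homebrew ruby/node being mapped to an unrelated CPE, as an added Python example that is not Fleet's code. The rule format, the CPE entries, the "apps"/"homebrew_packages" source labels and the sample versions are constructed for illustration and are not Fleet's cpe_translations.json schema.

```python
import re
from dataclasses import dataclass
@dataclass(frozen=True)
class Software:
    name: str     # bundle name or Homebrew formula, as reported by the host
    version: str  # raw version string as reported
    source: str   # constructed labels: "apps" or "homebrew_packages"

# Constructed rules (illustrative, not Fleet's cpe_translations.json schema): a rule
# matches on every key in "match" and pins the software to one CPE vendor/product.
TRANSLATIONS = [
    {"match": {"name": "zoom.us", "source": "apps"}, "cpe": ("zoom", "zoom")},
    {"match": {"name": "ruby", "source": "homebrew_packages"}, "cpe": ("ruby-lang", "ruby")},
    {"match": {"name": "node", "source": "homebrew_packages"}, "cpe": ("nodejs", "node.js")},
]

# Constructed stand-in for a CPE database: versions known per (vendor, product).
CPE_DB = {
    ("zoom", "zoom"): {"5.11.0", "5.11.1", "5.11.3"},
    ("ruby-lang", "ruby"): {"3.1.2", "3.1.3"},
    ("nodejs", "node.js"): {"18.8.0", "18.9.0"},
}

VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)")
def translate(sw):
    """(vendor, product) from the first matching rule, else None. With no rule there
    is no CPE and nothing is looked up, so an unmapped package is never fuzzily
    matched to an unrelated product (the Homebrew ruby/node false-positive case)."""
    for rule in TRANSLATIONS:
        if all(getattr(sw, k) == v for k, v in rule["match"].items()):
            return rule["cpe"]
    return None

def normalize_version(version, max_parts=3):
    """Keep the leading dotted numeric run, capped at max_parts components: drops a
    build number like ' (9847)', a fourth component, or a Homebrew revision like '_1'."""
    m = VERSION_RE.match(version.strip())
    return ".".join(m.group(1).split(".")[:max_parts]) if m else None

def match_cpe(sw):
    """(vendor, product, version) when the software maps to a CPE whose normalised
    version exists in the database, otherwise None."""
    key = translate(sw)
    if key is None:
        return None
    version = normalize_version(sw.version)
    if version is None or version not in CPE_DB.get(key, set()):
        return None
    return key + (version,)
```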

noahtalerman (Member) commented Sep 8, 2022

I think we can close #4804

@michalnicp what's left to close #4804?

Do we need to move #4804 into the "QA" column of the release board so that we can test to make sure all Fleet users, by default, get correct vulns for Ruby?

@xpkoala xpkoala moved this from ✔️ Awaiting QA to ✅ Ready for release in 🚀 Release Sep 8, 2022
michalnicp (Contributor, Author) commented

> I think we can close #4804
>
> @michalnicp what's left to close #4804?
>
> Do we need to move #4804 into the "QA" column of the release board so that we can test to make sure all Fleet users, by default, get correct vulns for Ruby?

Yes, we should probably move this to the QA column.

@lukeheath lukeheath added this to the 4.20.0 milestone Sep 9, 2022