61 changes: 59 additions & 2 deletions cmd/fleet/cron.go
Expand Up @@ -41,6 +41,7 @@
"github.com/fleetdm/fleet/v4/server/vulnerabilities/macoffice"
"github.com/fleetdm/fleet/v4/server/vulnerabilities/msrc"
"github.com/fleetdm/fleet/v4/server/vulnerabilities/nvd"
"github.com/fleetdm/fleet/v4/server/vulnerabilities/osv"
"github.com/fleetdm/fleet/v4/server/vulnerabilities/oval"
"github.com/fleetdm/fleet/v4/server/vulnerabilities/utils"
"github.com/fleetdm/fleet/v4/server/webhooks"
Expand Down Expand Up @@ -193,7 +194,16 @@
}

nvdVulns := checkNVDVulnerabilities(ctx, ds, logger, vulnPath, config, vulnAutomationEnabled != "", startTime)
ovalVulns := checkOvalVulnerabilities(ctx, ds, logger, vulnPath, config, vulnAutomationEnabled != "")

// Use OSV or OVAL for Ubuntu vulnerabilities based on feature flag
var ovalVulns []fleet.SoftwareVulnerability
var osvVulns []fleet.SoftwareVulnerability
if config.OSVForUbuntu {
osvVulns = checkOSVVulnerabilities(ctx, ds, logger, vulnPath, config, vulnAutomationEnabled != "")
} else {
ovalVulns = checkOvalVulnerabilities(ctx, ds, logger, vulnPath, config, vulnAutomationEnabled != "")
}

govalDictVulns := checkGovalDictionaryVulnerabilities(ctx, ds, logger, vulnPath, config, vulnAutomationEnabled != "")
macOfficeVulns := checkMacOfficeVulnerabilities(ctx, ds, logger, vulnPath, config, vulnAutomationEnabled != "")
customVulns := checkCustomVulnerabilities(ctx, ds, logger, vulnAutomationEnabled != "", startTime)
Expand All @@ -209,9 +219,10 @@
trace.WithAttributes(attribute.String("automation_type", vulnAutomationEnabled)))
defer automationSpan.End()

vulns := make([]fleet.SoftwareVulnerability, 0, len(nvdVulns)+len(ovalVulns)+len(macOfficeVulns))
vulns := make([]fleet.SoftwareVulnerability, 0, len(nvdVulns)+len(ovalVulns)+len(osvVulns)+len(macOfficeVulns))
vulns = append(vulns, nvdVulns...)
vulns = append(vulns, ovalVulns...)
vulns = append(vulns, osvVulns...)
vulns = append(vulns, macOfficeVulns...)
vulns = append(vulns, govalDictVulns...)
vulns = append(vulns, customVulns...)
Expand Down Expand Up @@ -430,6 +441,52 @@
return results
}

func checkOSVVulnerabilities(
ctx context.Context,
ds fleet.Datastore,
logger *logging.Logger,
vulnPath string,
config *config.VulnerabilitiesConfig,
collectVulns bool,
) []fleet.SoftwareVulnerability {
ctx, span := tracer.Start(ctx, "vuln.check_osv")
defer span.End()

var results []fleet.SoftwareVulnerability

// Get Platforms

Check failure on line 457 in cmd/fleet/cron.go

GitHub Actions / build-binaries

undefined: logging

versions, err := ds.OSVersions(ctx, nil, nil, nil, nil)
if err != nil {
errHandler(ctx, logger, "getting os versions for OSV", err)
return nil
}

// Analyze all supported os versions using the OSV artifacts
analyzeCtx, analyzeSpan := tracer.Start(ctx, "vuln.osv.analyze",
trace.WithAttributes(attribute.Int("os_count", len(versions.OSVersions))))
for _, version := range versions.OSVersions {
start := time.Now()
r, err := osv.Analyze(analyzeCtx, ds, version, vulnPath, collectVulns)
if err != nil && errors.Is(err, osv.ErrUnsupportedPlatform) {
logger.DebugContext(analyzeCtx, "osv-analysis-unsupported", "platform", version.Name)
continue
}

elapsed := time.Since(start)
logger.DebugContext(analyzeCtx, "osv-analysis-done",
"platform", version.Name,
"elapsed", elapsed,
"found new", len(r))
results = append(results, r...)
if err != nil {
errHandler(analyzeCtx, logger, "analyzing osv definitions", err)
}
}
analyzeSpan.End()

return results
}

func checkGovalDictionaryVulnerabilities(
ctx context.Context,
ds fleet.Datastore,
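Review bot: The branch at `if config.OSVForUbuntu {` in the second hunk replaces the entire `checkOvalVulnerabilities` call rather than only its Ubuntu handling, so if OVAL also covers other distributions (the function is not Ubuntu-specific by name, and the OSV loop explicitly skips platforms it does not support via `osv.ErrUnsupportedPlatform`), enabling the flag silently drops vulnerability detection for those hosts; either run both scanners with OVAL skipping Ubuntu when the flag is set, or make the comment say plainly that OSV mode is Ubuntu-only and OVAL coverage for everything else is lost. A second, blocking point: the new signature `logger *logging.Logger` in `checkOSVVulnerabilities` fails CI with `undefined: logging`, and the import hunk adds only `osv`, so the parameter should use whatever logger type the sibling check functions take (their signatures are not visible here, but the `logger.DebugContext(ctx, msg, k, v...)` calls suggest a `*slog.Logger`). In the loop, `osv-analysis-done` is logged with `"found new", len(r)` before a non-unsupported `err` is handed to `errHandler`, so a partial failure is reported as a completed analysis; logging the error first, or including it in that message, would make scan failures easier to spot. The enclosing function of the second and third hunks starts and ends outside the hunks.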