Add RHEL OSV vulnerability scanning

[mostlikelee]

Closes #43184

Changes

Adds RHEL OSV support to Fleet's vulnerability scanning pipeline, gated by the existing osv_for_vulnerabilities config flag. When enabled, Fleet downloads RHEL OSV artifacts from GitHub releases, matches them against installed RPM software, and replaces both OVAL and goval-dictionary as the RHEL vulnerability source.

What's new

Data model — RHELOSVSource (value 9) added to VulnerabilitySource enum

Sync (server/vulnerabilities/osv/sync.go)

• RefreshRHEL() downloads RHEL OSV artifacts from GitHub releases
• getNeededRHELVersions() extracts major versions from RHEL hosts, skips Fedora
• removeOldRHELOSVArtifacts() cleans up stale artifacts
• Downloader updated to match both osv-ubuntu-* and osv-rhel-* assets

Analyzer (server/vulnerabilities/osv/analyzer.go)

• AnalyzeRHEL() scans RHEL hosts against OSV artifacts
• matchSoftwareToRHELOSV() maps kernel variants (kernel-core, kernel-modules, etc.) to kernel
• isVulnerableRPM() compares RPM versions via utils.Rpmvercmp() (handles epochs)
• extractRHELMajorVersion() parses OSVersion.Version (e.g., "9.4.0" → "9")
• IsPlatformSupported() now returns true for both ubuntu and rhel

Cron (cmd/fleet/cron.go)

• checkRHELOSVVulnerabilities() orchestrates refresh + analyze
• RHEL excluded from OVAL and goval-dictionary when OSV enabled
• Fedora hosts (platform: "rhel", name: "Fedora...") stay in OVAL/goval — Red Hat OSV data does not cover Fedora
• Cleanup functions for RHEL OVAL → OSV transition
• GovalDictionarySource not bulk-deleted (shared with Amazon Linux) — relies on natural aging

Fedora handling

Fedora reports platform: "rhel" in osquery. Red Hat OSV data does not include Fedora. Fedora hosts are explicitly skipped in:

• getNeededRHELVersions() — no artifact downloaded
• AnalyzeRHEL() — returns ErrUnsupportedPlatform
• OVAL/goval exclusion — Fedora kept in both scanners

Test plan

• go test -v ./server/vulnerabilities/osv/... — all tests pass (existing + new)
• make lint-go — 0 issues

New tests:

• TestExtractRHELMajorVersion — version parsing
• TestIsVulnerableRPM — epoch handling, version/release comparison, introduced ranges
• TestMatchSoftwareToRHELOSV — kernel-* mapping, regular packages, patched packages
• TestGetNeededRHELVersions — version extraction, Fedora skip, dedup
• TestRemoveOldRHELOSVArtifacts — cleanup isolation (RHEL vs Ubuntu artifacts)
• TestRHELOSVFilename — filename generation
• TestIsPlatformSupported — updated: RHEL now supported

Manual verification:

# Generate artifacts
go run ./cmd/osv-processor --platform rhel \
  --input /tmp/rhel-osv --output /tmp/rhel-artifacts --versions "8,9"

# Copy to Fleet vuln path and run with:
#   vulnerabilities.osv_for_vulnerabilities: true

Dependencies

• Add RHEL support to osv-processor #43277 (osv-processor --platform rhel support)
• Add RHEL OSV feed generation vulnerabilities#32 (workflow to generate RHEL artifacts in CI)

Summary by CodeRabbit

• New Features

  • Enabled OSV-based vulnerability scanning for RHEL systems, including artifact syncing and version-aware matching.
  • Added RHEL as a tracked vulnerability source and improved platform filtering to preserve Fedora-like reporting.
  • Automatic cleanup of stale RHEL/OVAL vulnerability data when scanning mode changes.

• Tests

  • Added extensive RHEL-focused unit tests covering version parsing, RPM matching, artifact selection, sync, and cleanup behavior.

[mostlikelee]

@coderabbitai full review

[coderabbitai]

✅ Actions performed

Full review triggered.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 3998c277-ab51-4a85-9bd3-80a31242c60a

📥 Commits

Reviewing files that changed from the base of the PR and between d8a65f7 and 3f93cc8.

📒 Files selected for processing (1)

• cmd/fleet/cron.go

✅ Files skipped from review due to trivial changes (1)

• cmd/fleet/cron.go

---

Walkthrough

Adds RHEL support to the OSV pipeline: syncs RHEL OSV artifacts, loads and decodes gzip JSON RHEL feeds, extracts RHEL major versions, matches RPM packages (including kernel subpackages) against OSV introduced/fixed ranges, records RHEL-sourced vulnerabilities, introduces a new vulnerability source constant, and updates the cron/cleanup flow to conditionally remove stale RHEL OSV or OVAL records based on config flags. Platform filtering for OVAL/goval-dictionary was adjusted to keep Fedora-like RHEL entries.

Possibly related PRs

• Add RHEL support to osv-processor #43277: Adds RHEL-specific OSV artifact handling and related RHEL processing/epoch/version logic, matching this PR’s RHEL artifact filename and processing changes.
• Use OSV for ubuntu vulnerability scanning #42063: Extends the OSV integration (analyzer, sync, downloader) for Ubuntu previously; this PR builds on that pipeline to add RHEL support.
• Fixing issue with OSV artifact cleanup on date boundaries #43408: Modifies the OSV downloader/sync internals and asset selection/cleanup logic, overlapping with this PR’s downloader/sync refactors and RHEL artifact selection.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 58.33% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'Add RHEL OSV vulnerability scanning' accurately and concisely summarizes the main change: introducing RHEL OSV (Open Source Vulnerabilities) support to Fleet's vulnerability scanning pipeline.
Linked Issues check	✅ Passed	All primary coding requirements from issue #43184 are met: sync RHEL OSV feed (RefreshRHEL in sync.go, downloader updates), analyze RHEL OSV feed (AnalyzeRHEL in analyzer.go, vulnerability matching), and Fedora exclusion implemented.
Out of Scope Changes check	✅ Passed	All changes are directly aligned with #43184 objectives: RHEL OSV sync/analysis infrastructure, vulnerability source enum, RPM matching logic, and OVAL/goval filtering for RHEL hosts. No unrelated modifications detected.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch tlee/43184-rhel-osv-server

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@cmd/fleet/cron.go`:
- Line 481: The call to cleanupStaleRHELOSVVulnerabilities is being executed
unconditionally, which can delete the old RHEL source even when the
replacement/sync/analyze step failed; change the flow so
cleanupStaleRHELOSVVulnerabilities(ctx, ds, logger,
config.OSVForVulnerabilities) only runs after the replacement pass completes
successfully — locate the code path that flips or performs the replacement of
osv_for_vulnerabilities and move or wrap the cleanup call inside the success
branch (check the success/err return of that replacement/sync/analyze function),
and apply the same gating to the other occurrences mentioned (the calls around
the later lines 636-637).

In `@server/vulnerabilities/osv/analyzer.go`:
- Around line 27-30: The IsPlatformSupported helper was broadened to include
"rhel" which causes Analyze to route RHEL artifacts into Ubuntu-specific logic
(extractUbuntuVersion, loadOSVArtifact) and produce errors instead of
ErrUnsupportedPlatform; revert or split this check so that IsPlatformSupported
only returns true for Ubuntu (or create a new generic helper like
IsLinuxPlatform and a distinct IsUbuntuPlatform used by Analyze). Update Analyze
to call the Ubuntu-specific gate (IsUbuntuPlatform) before invoking
extractUbuntuVersion/loadOSVArtifact, and ensure RHEL paths return
ErrUnsupportedPlatform or use their own analyzer when checkOSVVulnerabilities
iterates OS versions.
- Around line 452-458: The RHEL/RPM vulnerability handling omits the feed's fix
information; update the vuln append in the RPM path so that the
fleet.SoftwareVulnerability includes ResolvedInVersion set to vuln.Fixed
(similar to the Ubuntu path). Locate the loop over vulns where
isVulnerableRPM(sw.Version, sw.Release, vuln) is checked and add
ResolvedInVersion: vuln.Fixed to the constructed fleet.SoftwareVulnerability so
fixed RPM versions from the feed are preserved.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 36a40d83-19dd-4b54-a90c-1a450f6266d6

📥 Commits

Reviewing files that changed from the base of the PR and between 90f75f1 and d8a65f7.

📒 Files selected for processing (7)

• cmd/fleet/cron.go
• server/fleet/vulnerabilities.go
• server/vulnerabilities/osv/analyzer.go
• server/vulnerabilities/osv/analyzer_test.go
• server/vulnerabilities/osv/downloader.go
• server/vulnerabilities/osv/sync.go
• server/vulnerabilities/osv/sync_test.go

[codecov]

Codecov Report

❌ Patch coverage is 29.66102% with 249 lines in your changes missing coverage. Please review.
✅ Project coverage is 65.05%. Comparing base (28473e7) to head (3f93cc8).
⚠️ Report is 42 commits behind head on main.

Files with missing lines	Patch %	Lines
server/vulnerabilities/osv/analyzer.go	26.04%	141 Missing and 1 partial ⚠️
cmd/fleet/cron.go	6.84%	64 Missing and 4 partials ⚠️
server/vulnerabilities/osv/sync.go	55.26%	29 Missing and 5 partials ⚠️
server/vulnerabilities/osv/downloader.go	61.53%	5 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #43377      +/-   ##
==========================================
- Coverage   65.07%   65.05%   -0.03%     
==========================================
  Files        2603     2604       +1     
  Lines      253139   254054     +915     
  Branches     9242     9242              
==========================================
+ Hits       164740   165263     +523     
- Misses      75638    75981     +343     
- Partials    12761    12810      +49     

Flag	Coverage Δ
backend	66.24% <29.66%> (-0.04%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[Copilot]

Pull request overview

Adds RHEL support to Fleet’s OSV-based vulnerability scanning pipeline (behind the existing osv_for_vulnerabilities flag), including artifact sync, analysis, and cron orchestration, with explicit Fedora exclusions.

Changes:

• Add RHEL OSV artifact download/cleanup + version discovery logic alongside existing Ubuntu OSV sync.
• Add RHEL OSV analyzer (RPM matching/version comparison) and expand OSV platform support detection.
• Wire RHEL OSV refresh/analyze into the vuln cron flow and introduce a new RHELOSVSource vulnerability source.

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
server/vulnerabilities/osv/sync.go	Adds RHEL OSV artifact naming, refresh/sync, version extraction, and cleanup logic.
server/vulnerabilities/osv/downloader.go	Extends release asset selection to include osv-rhel-* and generalizes downloader helper via filename function.
server/vulnerabilities/osv/analyzer.go	Adds RHEL artifact model, RPM vulnerability matching, and RHEL OSV analysis flow.
cmd/fleet/cron.go	Orchestrates RHEL OSV refresh/analyze and excludes non-Fedora RHEL from OVAL + goval-dictionary when OSV is enabled.
server/fleet/vulnerabilities.go	Adds RHELOSVSource to VulnerabilitySource enum.
server/vulnerabilities/osv/sync_test.go	Adds tests for RHEL version selection, artifact cleanup isolation, and filename generation; updates downloader test call signature.
server/vulnerabilities/osv/analyzer_test.go	Adds tests for RHEL major version parsing, RPM version comparisons, and package-to-OSV matching.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[claude]

Claude Code Review

This repository is configured for manual code reviews. Comment @claude review to trigger a review and subscribe this PR to future pushes, or @claude review once for a one-time review.

_{Tip: disable this comment in your organization's Code Review settings.}