Add SOFA json feed for validating Apple-specific CVE data #18747
Comments
nonpunctual
added
:product
|
@noahtalerman @marko-lisica An osquery extension has already been built for this. Can we include the entire macadmins osquery_extension in our repo? https://grahamgilbert.com/blog/2024/05/03/investigating-unpatched-cves-with-osquery-and-sofa/ https://github.com/macadmins/osquery-extension |
|
|
Hey @nonpunctual do you know what we'd get from the SOFA feed that we don't already have in Fleet? (from NVD) What data are we missing? What workflows are we missing? Maybe we can ask the customer too.
We can certainly add the tables from this extension to fleetd. |
noahtalerman
removed
the
:product
|
https://sofa.macadmins.io/ this feed is new. I don't believe it's possible that we are currently getting this data in exactly this way. We should be taking in as much CVE data as we can get & also cross-validating sources to prevent false positives. this data can act as a primary source or as a cross-reference to validate the CVEs that Apple has researched & published. |
|
We will add the 
|
@getvictor are these tables being added as part of this bug? (targeted for 4.50) #18808 |
@nonpunctual before we can prioritize this solution I think we have to do some research to see if there is a problem w/ Fleet's vulnerability data. Using SOFA as a reference, are there false positives / negatives in Fleet? Do you think the customer success team can take on this research? |
@noahtalerman Yes |
|
@noahtalerman I am happy to research any questions you have. What exactly needs to be researched? The goal is to simply add the extensions so this data is available as a fleetd osquery table which Victor has already said he could do. This should be pretty low LoE. Regardless if this data is redundant or not I believe we should be including these extensions. The fact that it's been adopted in the Mac Admins osquery extensions should be our guide to understanding the importance of being able to query this data for endpoint-ops & MDM customers. |
@nonpunctual here's what I'm thinking: Using SOFA as a reference, are there false positives / negatives in Fleet? (removing this from feature fest because the table is being added as part of a separate issue) |
|
SOFA feed in Fleet, |
|
@noahtalerman Example of Fleet vulnerability data not matching Apple: 
|
|
The model data is extremely valuable as well. Reopening to request that we consume the entire data feed if we are only planning on getting the CVE data. Thanks. |
Hey @nonpunctual can you please open a bug report for this? We want to treat all false positives as bugs. |
|
@sharon-fdm Noah asked me to create separate issues for each false positive CVE so they could be tracked as separate bugs. Happy to have them all related to a single issue. Thanks! |
The Mac Admins foundation has created a data feed for Apple OS security information:
https://sofa.macadmins.io/
https://sofa.macadmins.io/v1/macos_data_feed.json
Not a primary source of CVE data but maybe important as a way of validating sources for Apple-specific issues / products, i.e., this feed will contain the CVE data for Apple software that has been researched by Apple.
Problem
Improve Fleet's vunerability data with as many high-quality data sources as possible.
Potential solutions
heads-up @mostlikelee @sharon-fdm
The text was updated successfully, but these errors were encountered: