Non-vulnerable apps showing when filtering by "Vulnerable software" on host details page

[jmwatts]

Fleet version: v4.63.0
Web browser and operating system: n/a

---

💥  Actual behavior

All VPP Apps installed on the host are showing as vulnerable when they have no associated vulnerabilities

🧑‍💻  Steps to reproduce

1. Enable VPP for a team and add a few macOS VPP apps in Software >> Add Software
2. On an enrolled host with MDM on in that Team, navigate to the host's detail page, click on "Software"
3. Filter by "Available for install" and click "Actions" >> Install for the VPP apps added in step 1
4. Once the apps have been installed, refetch inventory
5. Trigger the vulnerabilities cron, wait for it to finish
6. On the host's detail page, click on "Software", then filter by "Vulnerable software"

🕯️ Expected

Only vulnerable software is shown when filtered

[jmwatts]

@noahtalerman this should probably be resolved asap because it may cause confusion when using this new feature that is being worked on: #22445

[noahtalerman]

@jmwatts thanks for calling this out. If you think we should hop on this ASAP please feel free to add the P2 label: https://fleetdm.com/handbook/company/communications#high-priority-user-stories-and-bugs

I did it this time.

Up to @lukeheath to decide if we can pull this one into the current sprint.

[mostlikelee]

Hey team! Please add your planning poker estimate with Zenhub @iansltx @jahzielv @ksykulev

[iansltx]

It's not just VPP apps either from what I can tell? Repro is on @jmwatts's env.

[jmwatts]

Ah, yep, you're right... not sure if it's reporting on "Installed" software and vulnerable software maybe?

[iansltx]

That looks like a reasonable explanation of the behavior we're seeing. Tweaked the title as this is a more generic issue.