
Python packages on Ubuntu devices are not reporting vulnerabilities #43328

Description

@AndreyKizimenko

Fleet versions

  • Discovered: 4.84
  • Reproduced:

Web browser and operating system: N/A


💥  Actual behavior

These vulnerabilities are not getting displayed:
https://nvd.nist.gov/vuln/detail/CVE-2025-69662
https://nvd.nist.gov/vuln/detail/cve-2024-24680

generated_cpe is empty:

{
    "id": 108311,
    "name": "python3-geopandas",
    "version": "1.0.1",
    "source": "python_packages",
    "extension_for": "",
    "browser": "",
    "generated_cpe": "",
    "vulnerabilities": null,
    "hosts_count": 1,
    "display_name": ""
},
{
    "id": 108312,
    "name": "python3-django",
    "version": "3.2.12",
    "source": "python_packages",
    "extension_for": "",
    "browser": "",
    "generated_cpe": "",
    "vulnerabilities": null,
    "hosts_count": 1,
    "display_name": ""
}

When we trim the python3- prefix, we get the vuln:

-> % go run --tags=fts5 tools/nvd/nvdvuln/nvdvuln.go --software_name geopandas -software_source python_packages --software_version 1.0.1
2026-04-09T15:27:15Z: Translating software to CPE...
2026-04-09T15:27:15Z: Matched CPE: 0: cpe:2.3:a:geopandas:geopandas:1.0.1:*:*:*:*:python:*:*
2026-04-09T15:27:15Z: Matched CPE: 0: cpe:2.3:a:geopandas:geopandas:1.0.1:*:*:*:*:python:*:*
2026-04-09T15:27:15Z: Translating CPEs to CVEs...
2026-04-09T15:27:26Z: CVEs found for geopandas (1.0.1): CVE-2025-69662

🛠️ To fix

TODO

🧑‍💻  Steps to reproduce

These steps:

  • Have been confirmed to consistently lead to reproduction in multiple Fleet instances.
  • Describe the workflow that led to the error, but have not yet been reproduced in multiple Fleet instances.
  1. On an Ubuntu host run the following commands:
     sudo pip install geopandas==1.0.1 --break-system-packages
     sudo pip install django==3.2.12 --break-system-packages
  2. Refetch the host > run vulns cron
  3. Check if these items report any vulns

🕯️ More info (optional)

N/A
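As an added illustration (not Fleet's code, and not the fix for this issue, which is still TODO above), the Go program below models the lookup the report describes: a name-keyed CPE dictionary, constructed inline, returns nothing for the distro-prefixed name "python3-geopandas" and matches once the "python3-" prefix is stripped. It tries the raw name first and only falls back to the stripped form for python_packages entries, so a PyPI project whose real name carries a "python-" prefix (python-dateutil is used here as a constructed case) is not broken by the stripping. The geopandas CPE template is the one printed by nvdvuln above; the django and python-dateutil entries, the Software type and the ConstructedDict map are assumptions for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// Software mirrors the fields of the software entries in the report that matter
// for CPE generation. It is a constructed type for this example, not Fleet's.
type Software struct {
	Name    string
	Version string
	Source  string
}

// ConstructedDict stands in for the NVD CPE dictionary: PyPI project name ->
// CPE 2.3 template with a {version} placeholder. The geopandas entry is the CPE
// printed by nvdvuln above; the django and python-dateutil entries are assumed.
var ConstructedDict = map[string]string{
	"geopandas":       "cpe:2.3:a:geopandas:geopandas:{version}:*:*:*:*:python:*:*",
	"django":          "cpe:2.3:a:djangoproject:django:{version}:*:*:*:*:*:*:*",
	"python-dateutil": "cpe:2.3:a:python-dateutil_project:python-dateutil:{version}:*:*:*:*:*:*:*",
}

// Debian/Ubuntu prepend these to the PyPI project name when they package a
// Python library; the longer prefix is checked first.
var distroPrefixes = []string{"python3-", "python-"}

// candidateNames returns the dictionary keys to try, raw name first. Only
// python_packages entries get the stripped form, and only if something is left
// after the prefix, so a project really named "python-dateutil" still matches
// on its own name before "dateutil" is ever tried.
func candidateNames(s Software) []string {
	name := strings.ToLower(strings.TrimSpace(s.Name))
	names := []string{name}
	if s.Source != "python_packages" {
		return names
	}
	for _, p := range distroPrefixes {
		if strings.HasPrefix(name, p) && len(name) > len(p) {
			names = append(names, strings.TrimPrefix(name, p))
			break
		}
	}
	return names
}

// GenerateCPE returns the first dictionary match with the version filled in,
// or "" when no candidate name is known (the empty generated_cpe in the report).
func GenerateCPE(dict map[string]string, s Software) string {
	for _, n := range candidateNames(s) {
		if tmpl, ok := dict[n]; ok {
			return strings.Replace(tmpl, "{version}", s.Version, 1)
		}
	}
	return ""
}

func main() {
	// The two packages from the report plus one constructed prefixed PyPI name.
	hosts := []Software{
		{Name: "python3-geopandas", Version: "1.0.1", Source: "python_packages"},
		{Name: "python3-django", Version: "3.2.12", Source: "python_packages"},
		{Name: "python-dateutil", Version: "2.9.0", Source: "python_packages"},
	}
	for _, s := range hosts {
		fmt.Printf("%-20s %-8s -> %q\n", s.Name, s.Version, GenerateCPE(ConstructedDict, s))
	}
}
```

The raw-name-first order is the caveat worth keeping whatever the real fix looks like: unconditionally trimming "python-" would turn a genuine PyPI name such as python-dateutil into the wrong product, which is a quieter failure than an empty CPE because it can match someone else's CVEs.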

Metadata

Labels

  • #g-security-compliance: Security & Compliance product group
  • :release: Ready to write code. Scheduled in a release. See "Making changes" in handbook.
  • bug: Something isn't working as documented

Status
🐣 In progress