
Tightening the CPE matching to reduce false positive rate. #15187

Merged: getvictor merged 1 commit into main from 15143-CPE-false-matches-on-bundle-id on Nov 20, 2023

@getvictor

#15143 and #15162

Previous fix for #13889 caused false positives on software with similar names. Tightening the matching to reduce false positive rate.

  • Google Chrome Helper.app no longer matches Google Chrome.app
  • Acrobat Uninstaller.app no longer matches Acrobat.app

Checklist for submitter

  • Changes file added for user-visible changes in changes/ or orbit/changes/.
    See Changes files for more information.
  • Added/updated tests

Select("c.rowid", "c.product", "c.vendor", "c.deprecated", goqu.L("4 as weight")).
Where(
goqu.Or(goqu.L("c.vendor = ?", strings.ToLower(bundleParts[1]))), goqu.L("c.product = ?", strings.ToLower(bundleParts[2])),
goqu.L("c.vendor = ?", strings.ToLower(bundleParts[1])), goqu.L("c.product = ?", strings.ToLower(bundleParts[2])),
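Review bot: the changed Where line now depends on goqu's implicit AND across the arguments to Where to combine the vendor and product conditions; wrapping them in goqu.And(...) or adding a one-line comment would make that intent explicit, since the removed goqu.Or wrapped only the vendor condition and read as if either column could match on its own. Both conditions also lowercase bundleParts[1] and bundleParts[2], so the comparison assumes c.vendor and c.product are stored in lower case; that is worth stating next to the query.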
Member Author


This was just an unnecessary OR statement.

// 4 - Try vendor/product from bundle identifier, like tld.vendor.product
bundleParts := strings.Split(software.BundleIdentifier, ".")
if len(bundleParts) >= 3 {
if len(bundleParts) == 3 {
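Review bot: the comment above the changed condition still describes the format only as "like tld.vendor.product" and does not say that identifiers with any other number of parts are now skipped on purpose; please state that there and point to where longer identifiers are expected to be handled. The len(bundleParts) == 3 check also accepts an identifier with an empty segment (strings.Split on "com.vendor." returns three parts, the last one empty), so a guard on empty bundleParts[1] or bundleParts[2] would avoid querying with an empty vendor or product.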
Member Author

@getvictor getvictor Nov 17, 2023


This was the bug. Software with 4 part bundle identifiers was matching without considering the 4th part of the bundle.

If we encounter software with a long bundle identifier that we need to match, we can add it later. I scanned a list of software on my machine and didn't see anything interesting with a long bundle identifier that we'd want to match.
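The bug described in this comment, as an added Go example that is not Fleet's code: `looseKey` reproduces the `>= 3` check and `strictKey` the `== 3` check together with an explicit override for a long identifier. The function names, the `overrides` map, the lookup order, the empty-segment guard and the sample identifier `com.google.Chrome.helper` are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// cpeKey is the vendor/product pair used to look up a CPE candidate.
type cpeKey struct{ Vendor, Product string }

// overrides is a hypothetical stand-in for an explicit translation entry,
// keyed by the full bundle identifier (constructed for this example).
var overrides = map[string]cpeKey{
	"com.jetbrains.pycharm.ce": {Vendor: "jetbrains", Product: "pycharm"},
}

// looseKey mirrors the old check: any identifier with three or more parts
// yields parts 1 and 2, so trailing parts are silently ignored.
func looseKey(bundleID string) (cpeKey, bool) {
	parts := strings.Split(bundleID, ".")
	if len(parts) >= 3 {
		return cpeKey{strings.ToLower(parts[1]), strings.ToLower(parts[2])}, true
	}
	return cpeKey{}, false
}

// strictKey mirrors the tightened check: only tld.vendor.product is split.
// Checking overrides first and rejecting empty segments are assumptions of
// this example, not behaviour shown on the page.
func strictKey(bundleID string) (cpeKey, bool) {
	if k, ok := overrides[strings.ToLower(bundleID)]; ok {
		return k, true
	}
	parts := strings.Split(bundleID, ".")
	if len(parts) == 3 && parts[1] != "" && parts[2] != "" {
		return cpeKey{strings.ToLower(parts[1]), strings.ToLower(parts[2])}, true
	}
	return cpeKey{}, false
}

func main() {
	// Constructed sample identifiers.
	for _, id := range []string{"com.google.Chrome", "com.google.Chrome.helper", "com.jetbrains.pycharm.ce"} {
		l, lok := looseKey(id)
		s, sok := strictKey(id)
		fmt.Printf("%-26s loose=%v(%v) strict=%v(%v)\n", id, l, lok, s, sok)
	}
}
```

With the loose check the helper identifier collapses onto the same vendor/product pair as the main application, which is the false positive the PR removes.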

"filter": {
"product": ["pycharm"],
"vendor": ["jetbrains"]
}
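Review bot: the visible lines show only the filter side of this entry (product pycharm, vendor jetbrains), so nothing here ties it to the identifier it was added for; a test case asserting that com.jetbrains.pycharm.ce resolves to this vendor and product would document the intent and keep the entry from regressing now that four-part identifiers no longer reach the bundle-identifier lookup.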
Member Author


This is so that com.jetbrains.pycharm.ce bundle matches JetBrains PyCharm.

@codecov

codecov Bot commented Nov 17, 2023

Codecov Report

All modified and coverable lines are covered by tests ✅

Comparison is base (b49cea6) 59.03% compared to head (d29db91) 59.16%.

Additional details and impacted files
@@            Coverage Diff             @@
##             main   #15187      +/-   ##
==========================================
+ Coverage   59.03%   59.16%   +0.13%     
==========================================
  Files         965      965              
  Lines       81941    82307     +366     
  Branches     2277     2277              
==========================================
+ Hits        48371    48697     +326     
- Misses      29842    29870      +28     
- Partials     3728     3740      +12     
Flag Coverage Δ
backend 59.80% <100.00%> (+0.14%) ⬆️


@getvictor getvictor marked this pull request as ready for review November 17, 2023 18:20
@getvictor getvictor requested a review from a team as a code owner November 17, 2023 18:20
@getvictor getvictor merged commit 8ae88cf into main Nov 20, 2023
@getvictor getvictor deleted the 15143-CPE-false-matches-on-bundle-id branch November 20, 2023 17:59
getvictor added a commit that referenced this pull request Nov 21, 2023
#15176 
This was already fixed earlier in the sprint by
#15187
Adding docs and a test.

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

<!-- Note that API documentation changes are now addressed by the
product design team. -->

- [x] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [x] Added/updated tests