From 25506c6bb75ac5d75b05036c4348f511b458d707 Mon Sep 17 00:00:00 2001
From: Ian Littman
Date: Tue, 24 Jun 2025 18:21:16 -0500
Subject: [PATCH] Tweak CVE feed build to avoid false positives in CVE-2024-54559

Fixes #28207.
---
 server/vulnerabilities/nvd/cve_test.go | 8 ++++++++
 server/vulnerabilities/nvd/sync/cve_syncer.go | 12 +++++++++++-
 2 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/server/vulnerabilities/nvd/cve_test.go b/server/vulnerabilities/nvd/cve_test.go
index c5d92fe6555..5fbe09b8fe6 100644
--- a/server/vulnerabilities/nvd/cve_test.go
+++ b/server/vulnerabilities/nvd/cve_test.go
@@ -229,6 +229,14 @@ func TestTranslateCPEToCVE(t *testing.T) {
 },
 continuesToUpdate: true,
 },
+ "cpe:2.3:a:apple:garageband:10.4.11:*:*:*:*:macos:*:*": {
+ excludedCVEs: []string{"CVE-2024-54559"},
+ continuesToUpdate: true,
+ },
+ "cpe:2.3:o:apple:macos:15.1.1:*:*:*:*:*:*:*": {
+ includedCVEs: []cve{{ID: "CVE-2024-54559", resolvedInVersion: "15.2"}},
+ continuesToUpdate: true,
+ },
 "cpe:2.3:a:avira:password_manager:2.18.4.38471:*:*:*:*:firefox:*:*": {
 includedCVEs: []cve{
 {ID: "CVE-2022-28795"},
diff --git a/server/vulnerabilities/nvd/sync/cve_syncer.go b/server/vulnerabilities/nvd/sync/cve_syncer.go
index 696d3adaca1..79c0084ac41 100644
--- a/server/vulnerabilities/nvd/sync/cve_syncer.go
+++ b/server/vulnerabilities/nvd/sync/cve_syncer.go
@@ -433,7 +433,7 @@ func (s *CVE) sync(ctx context.Context, lastModStartDate *string) (newLastModSta
 return "", err
 }
 vulnerabilitiesReceived++
- cvesByYear[year] = append(cvesByYear[year], vuln)
+ cvesByYear[year] = append(cvesByYear[year], transformVuln(vuln))
 }
 
 // Dump vulnerabilities to the year files to reduce memory footprint.
@@ -481,6 +481,16 @@ func (s *CVE) sync(ctx context.Context, lastModStartDate *string) (newLastModSta
 return newLastModStartDate, nil
 }
 
+// cleans up vulnerability feed entries that are incorrect from NVD, allowing fixing bugged NVD rules without needing
+// to update Fleet server
+func transformVuln(item nvdapi.CVEItem) nvdapi.CVEItem {
+ if item.CVE.ID != nil && *item.CVE.ID == "CVE-2024-54559" {
+ item.CVE.Configurations[0].Nodes[0].CPEMatch = item.CVE.Configurations[0].Nodes[0].CPEMatch[0:1]
+ }
+
+ return item
+}
+
 func (s *CVE) DoVulnCheck(ctx context.Context) error {
 vulnCheckArchive := "vulncheck.zip"
 baseURL := "https://api.vulncheck.com/v3/backup/nist-nvd2"
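Review bot: transformVuln indexes `item.CVE.Configurations[0].Nodes[0].CPEMatch` unconditionally once the ID matches, so if NVD republishes CVE-2024-54559 with an empty Configurations or Nodes slice (or a single CPE match), the feed sync panics on externally supplied data instead of leaving the record alone. The existing guard only covers a nil ID; a length check at each level is cheap and keeps one reshaped upstream record from aborting the whole sync run. The doc comment should also begin with the function name per Go convention and say which match is kept and why, e.g. `// transformVuln patches known-bad NVD records in the feed so bugged NVD data can be corrected without a Fleet server release.` followed by a line tying the slice to #28207; from the test additions the retained match appears to be the macOS one and the dropped ones app-level matches such as garageband, but that should be confirmed against the live record. Assigning through item mutates the shared backing array of the configuration slice rather than a copy, which is presumably the intent, so the rewrite keeps that behaviour.
```go
func transformVuln(item nvdapi.CVEItem) nvdapi.CVEItem {
	if item.CVE.ID == nil || *item.CVE.ID != "CVE-2024-54559" {
		return item
	}
	// The feed is external input: guard every index so a reshaped record
	// degrades to "unchanged" instead of panicking and aborting the sync.
	if len(item.CVE.Configurations) == 0 || len(item.CVE.Configurations[0].Nodes) == 0 {
		return item
	}
	if len(item.CVE.Configurations[0].Nodes[0].CPEMatch) > 1 {
		item.CVE.Configurations[0].Nodes[0].CPEMatch = item.CVE.Configurations[0].Nodes[0].CPEMatch[0:1]
	}
	return item
}
```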