Tweak CVE feed build to avoid false positives in CVE-2024-54559

server/vulnerabilities/nvd/cve_test.go

@@ -229,6 +229,14 @@ func TestTranslateCPEToCVE(t *testing.T) {
 			},
 			continuesToUpdate: true,
 		},
+		"cpe:2.3:a:apple:garageband:10.4.11:*:*:*:*:macos:*:*": {
+			excludedCVEs:      []string{"CVE-2024-54559"},
+			continuesToUpdate: true,
+		},
+		"cpe:2.3:o:apple:macos:15.1.1:*:*:*:*:*:*:*": {
+			includedCVEs:      []cve{{ID: "CVE-2024-54559", resolvedInVersion: "15.2"}},
+			continuesToUpdate: true,
+		},
 		"cpe:2.3:a:avira:password_manager:2.18.4.38471:*:*:*:*:firefox:*:*": {
 			includedCVEs: []cve{
 				{ID: "CVE-2022-28795"},

server/vulnerabilities/nvd/sync/cve_syncer.go

@@ -433,7 +433,7 @@ func (s *CVE) sync(ctx context.Context, lastModStartDate *string) (newLastModSta
 				return "", err
 			}
 			vulnerabilitiesReceived++
-			cvesByYear[year] = append(cvesByYear[year], vuln)
+			cvesByYear[year] = append(cvesByYear[year], transformVuln(vuln))
 		}
 
 		// Dump vulnerabilities to the year files to reduce memory footprint.
@@ -481,6 +481,16 @@ func (s *CVE) sync(ctx context.Context, lastModStartDate *string) (newLastModSta
 	return newLastModStartDate, nil
 }
 
+// cleans up vulnerability feed entries that are incorrect from NVD, allowing fixing bugged NVD rules without needing
+// to update Fleet server
+func transformVuln(item nvdapi.CVEItem) nvdapi.CVEItem {
+	if item.CVE.ID != nil && *item.CVE.ID == "CVE-2024-54559" {
+		item.CVE.Configurations[0].Nodes[0].CPEMatch = item.CVE.Configurations[0].Nodes[0].CPEMatch[0:1]
+	}
+
+	return item
+}
+
 func (s *CVE) DoVulnCheck(ctx context.Context) error {
 	vulnCheckArchive := "vulncheck.zip"
 	baseURL := "https://api.vulncheck.com/v3/backup/nist-nvd2"