33990 scan goval#39749

Merged
mostlikelee merged 12 commits intomainfrom
33990-scan-goval
Feb 12, 2026

Conversation

@mostlikelee mostlikelee commented Feb 12, 2026

Related issue: Resolves #33990

This change will use the RHEL goval-dictionary sqlite to detect kernel vulnerabilities on RHEL-based systems.

Checklist for submitter

Dependencies:
fleetdm/vulnerabilities#28

  • Changes file added for user-visible changes in changes/, orbit/changes/ or ee/fleetd-chrome/changes.
    See Changes files for more information.

  • Input data is properly validated, SELECT * is avoided, SQL injection is prevented (using placeholders for values in statements)

Testing

  • Added/updated automated tests

  • QA'd all new/changed functionality manually

Summary by CodeRabbit

  • New Features

    • Added kernel vulnerability scanning capability for RHEL-based systems (RHEL 7, 8, 9) to enhance vulnerability detection coverage.
  • Documentation

    • Updated tooltips to reflect support for Ubuntu, Debian, and RHEL-based systems.

codecov bot commented Feb 12, 2026

Codecov Report

❌ Patch coverage is 52.94118% with 8 lines in your changes missing coverage. Please review.
✅ Project coverage is 66.26%. Comparing base (9f60dad) to head (674c4c3).
⚠️ Report is 11 commits behind head on main.

Files with missing lines (patch coverage, uncovered lines):
  • .../server/vulnerabilities/goval_dictionary/analyzer.go: 0.00%, 5 missing ⚠️
  • server/service/osquery_utils/queries.go: 0.00%, 2 missing and 1 partial ⚠️
Additional details and impacted files
@@           Coverage Diff            @@
##             main   #39749    +/-   ##
========================================
  Coverage   66.26%   66.26%            
========================================
  Files        2438     2439     +1     
  Lines      195266   195348    +82     
  Branches     8540     8643   +103     
========================================
+ Hits       129386   129445    +59     
- Misses      54166    54181    +15     
- Partials    11714    11722     +8     
Flag coverage (Δ):
  • backend: 68.05% <52.94%> (+<0.01%) ⬆️
  • frontend: 54.18% <ø> (ø)


Comment on lines +2281 to +2283
if s != nil && s.Source == "rpm_packages" && s.Name == rpmKernelName && s.Release != "" {
s.Version = fmt.Sprintf("%s-%s", s.Version, s.Release)
s.Release = "" // Clear release to avoid issues with vulnerability matching
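Review bot: the trailing comment on the last line ("Clear release to avoid issues with vulnerability matching") names the symptom but not the cause; say what would go wrong if Release stayed set now that the folded Version already contains it (for example, a matcher that re-appends or separately compares Release), so a later reader does not "fix" it back. The Codecov report also lists 2 missing lines and 1 partial in queries.go for this change, so add a unit test that feeds an rpm_packages kernel row through this path and asserts the folded Version (e.g. 5.14.0-611.5.1.el9_7) and an empty Release, plus a non-kernel row that is left untouched.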
@mostlikelee mostlikelee Feb 12, 2026

Not technically part of scope, but found that we were displaying a truncated version of the full kernel version in the API/UI:
5.14 -> 5.14.0-611.5.1.el9_7

Resolved in version shows the latter, so it's easy to see the diff

// For kernel-only platforms (e.g., RHEL), we only scan kernel packages via goval-dictionary.
// Non-kernel packages are scanned via regular OVAL processing. This keeps the testing
// surface smaller. We can consider expanding scope to all packages in the future if needed.
kernelsOnly := platform.IsGovalDictionaryKernelOnly()
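Review bot: the Codecov report shows 0.00% patch coverage for the 5 changed lines in goval_dictionary/analyzer.go, so the kernelsOnly branch chosen here runs untested; add a test that exercises one platform for which IsGovalDictionaryKernelOnly() is true and one for which it is false, asserting that only kernel packages are passed to the goval-dictionary matcher in the first case. The comment's "e.g., RHEL" is also narrower than the platform list the PR actually gates on (rhel_07, rhel_08, rhel_09 in GovalKernelOnlyPlatforms); either enumerate them or point the comment at that list so the two do not drift apart.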
@mostlikelee (Contributor Author)

To reiterate the comment, I scoped use of goval to kernel vulns only so we can keep the scope down. Testing all RHEL vulns would be a bigger effort.

@mostlikelee mostlikelee commented

@coderabbitai full review

coderabbitai bot commented Feb 12, 2026

✅ Actions performed

Full review triggered.

coderabbitai bot commented Feb 12, 2026

Walkthrough

This PR introduces kernel vulnerability scanning capability for RHEL-based hosts. It adds a KernelsOnly filter to VulnSoftwareFilter that restricts vulnerability detection to kernel packages, updates database queries to apply this filter when needed, extends the OVAL platform configuration to identify RHEL as kernel-only platforms for goval-dictionary scanning, and modifies software ingestion logic to format RPM kernel version strings appropriately. The changes enable Fleet to detect vulnerabilities in Linux kernels on RHEL, CentOS, and Fedora systems.

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)
  • Docstring Coverage ⚠️ Warning: Docstring coverage is 40.00%, which is insufficient; the required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.
  • Title check ❓ Inconclusive: The title '33990 scan goval' is vague and does not clearly communicate the main purpose or change to someone unfamiliar with the issue number. Resolution: use a more descriptive title that explains the feature, e.g., 'Add RHEL kernel vulnerability scanning via goval-dictionary' or 'Enable kernel vulnerability detection on RHEL-based systems'.

✅ Passed checks (3 passed)
  • Description check ✅ Passed: The pull request description includes the related issue (#33990), confirms key checklist items (changes file added, input validation, SQL injection prevention, automated tests, manual QA), and references the upstream dependency.
  • Linked Issues check ✅ Passed: The code changes comprehensively implement the objectives from #33990: supporting RHEL kernel vulnerability scanning through goval-dictionary via filtering, platform detection, and SQL modifications.
  • Out of Scope Changes check ✅ Passed: All changes are directly related to enabling RHEL kernel vulnerability scanning; no unrelated modifications or scope creep is evident in the file changes.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Fix all issues with AI agents
In `@frontend/pages/DashboardPage/cards/OperatingSystems/OSTableConfig.tsx`:
- Line 122: Update the tooltip text in the OSTableConfig component to explicitly
include Amazon Linux; change the sentence that currently reads "for Ubuntu,
Debian, and RHEL based systems." to mention "Ubuntu, Debian, Amazon Linux, and
RHEL based systems" so Amazon Linux users are clearly covered (locate the
tooltip string in the OSTableConfig React component).
🧹 Nitpick comments (2)
server/vulnerabilities/oval/oval_platform.go (1)

23-39: RHEL platforms are duplicated across three lists.

rhel_07, rhel_08, rhel_09 appear in SupportedGovalPlatforms, GovalKernelOnlyPlatforms, and the IsSupported() method's local list. Consider deriving one from the other to reduce the risk of them drifting out of sync when new RHEL versions are added.

server/service/osquery_utils/queries.go (1)

2278-2284: Combined Version-Release could theoretically exceed column width.

After SoftwareFromOsqueryRow truncates Version to 255 chars and Release to 64 chars, this mutation concatenates them as "Version-Release", yielding up to 320 chars — exceeding the SoftwareVersionMaxLength (255) DB column. In practice kernel versions are short, but a defensive truncation would prevent a future DB error.

🛡️ Optional defensive truncation
 	if s != nil && s.Source == "rpm_packages" && s.Name == rpmKernelName && s.Release != "" {
 		s.Version = fmt.Sprintf("%s-%s", s.Version, s.Release)
+		if len(s.Version) > SoftwareVersionMaxLength {
+			s.Version = s.Version[:SoftwareVersionMaxLength]
+		}
 		s.Release = "" // Clear release to avoid issues with vulnerability matching
 	}
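Review bot: the three added lines silently slice s.Version down to SoftwareVersionMaxLength, which stores a version string that no longer describes the installed package; for vulnerability matching that is worse than the DB error it avoids, since a cut version can produce a wrong match or miss with no signal that anything happened. Prefer logging and skipping the row, or at least surfacing the truncation (a returned flag or log line), over a silent cut. Note also that len() counts bytes; that is fine for ASCII rpm versions, but a comment saying so avoids a later "fix" to rune counting that changes the bound.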

Note: SoftwareVersionMaxLength would need to be referenced from the fleet package (e.g., fleet.SoftwareVersionMaxLength).
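The walkthrough above describes two mechanisms, a KernelsOnly filter that restricts matching to kernel packages, and the folding of the RPM Release field into Version so the full "5.14.0-611.5.1.el9_7" string is displayed and matched, and the review comment just above raises the 255-character column bound on the folded string. The following is an added Go example written for this page, not Fleet's code: it assumes a minimal `Software` struct standing in for the osquery software row, assumes the kernel package name matched by `rpmKernelName` is `"kernel"`, uses the 255 limit the review states for SoftwareVersionMaxLength, and returns a truncation flag instead of cutting the version silently.

```go
package main

import (
	"fmt"
	"strings"
)

// softwareVersionMaxLength is the 255-char DB column limit quoted in the review.
// Assumption: Fleet's real constant is fleet.SoftwareVersionMaxLength; this is a stand-in.
const softwareVersionMaxLength = 255

// rpmKernelName is assumed to be "kernel"; the PR references the constant but not its value.
const rpmKernelName = "kernel"

// Software is a constructed stand-in for the osquery software row fields used here.
type Software struct {
	Name    string
	Version string
	Release string
	Source  string
}

// normalizeRPMKernelVersion folds Release into Version for RPM kernel rows so the
// full "Version-Release" string is what gets displayed and matched, then clears
// Release so nothing downstream re-appends it. It returns true when the folded
// string had to be cut to the column limit, so the caller can log or skip the row
// rather than silently storing a version that no longer describes the package.
func normalizeRPMKernelVersion(s *Software) (truncated bool) {
	if s == nil || s.Source != "rpm_packages" || s.Name != rpmKernelName || s.Release == "" {
		return false
	}
	s.Version = fmt.Sprintf("%s-%s", s.Version, s.Release)
	s.Release = ""
	if len(s.Version) > softwareVersionMaxLength { // byte length; rpm versions are ASCII
		s.Version = s.Version[:softwareVersionMaxLength]
		return true
	}
	return false
}

// kernelsOnly is the in-memory analogue of the KernelsOnly VulnSoftwareFilter the PR
// adds to the DB query: only RPM kernel rows are handed to the goval-dictionary matcher.
func kernelsOnly(sw []Software) []Software {
	var out []Software
	for _, s := range sw {
		if s.Source == "rpm_packages" && s.Name == rpmKernelName {
			out = append(out, s)
		}
	}
	return out
}

func main() {
	// Constructed sample rows: a kernel, a non-kernel package, and an oversized kernel version.
	rows := []Software{
		{Name: "kernel", Version: "5.14.0", Release: "611.5.1.el9_7", Source: "rpm_packages"},
		{Name: "openssl", Version: "3.0.7", Release: "27.el9", Source: "rpm_packages"},
		{Name: "kernel", Version: strings.Repeat("9", 250), Release: "abcdefghij", Source: "rpm_packages"},
	}
	for i := range rows {
		if normalizeRPMKernelVersion(&rows[i]) {
			fmt.Printf("warning: version for %s truncated to %d chars\n", rows[i].Name, softwareVersionMaxLength)
		}
	}
	for _, s := range kernelsOnly(rows) {
		fmt.Printf("%s %s\n", s.Name, s.Version)
	}
}
```

Running it prints the folded `kernel 5.14.0-611.5.1.el9_7` row and a warning for the oversized one; the `openssl` row keeps its Release and is excluded by `kernelsOnly`, which is the behaviour the PR's kernel-only scoping relies on.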

<>
Vulnerabilities on Linux are currently supported <br />
for Ubuntu, Debian, and Amazon Linux.
for Ubuntu, Debian, and RHEL based systems.
@coderabbitai coderabbitai bot

⚠️ Potential issue | 🟡 Minor

Tooltip no longer mentions Amazon Linux — is that intentional?

The previous text listed "Ubuntu, Debian, and Amazon Linux." The new text says "RHEL based systems" which doesn't clearly cover Amazon Linux (Amazon Linux isn't RHEL-based). Users with Amazon Linux hosts may wonder if vulnerability scanning is supported for them.

Consider: "for Ubuntu, Debian, Amazon Linux, and RHEL based systems."

@RachelElysia (Member)

lmk if this is good to go as is and I can approve

@mostlikelee (Contributor Author)

@RachelElysia thx yeah this is good, Amazon is a rhel based system

@mostlikelee mostlikelee marked this pull request as ready for review February 12, 2026 17:19
@mostlikelee mostlikelee requested review from a team as code owners February 12, 2026 17:19
@getvictor getvictor left a comment

LGTM

@mostlikelee mostlikelee merged commit fb2ddde into main Feb 12, 2026
50 checks passed
@mostlikelee mostlikelee deleted the 33990-scan-goval branch February 12, 2026 22:22
Development

Successfully merging this pull request may close these issues.

RHEL kernels not reporting vulnerabilities

3 participants