
Add Windows Office vulnerability detection runtime (3/3) #42872

Merged
mostlikelee merged 12 commits into main from 39316-winoffice-runtime
Apr 3, 2026

Conversation

@mostlikelee (Contributor)

Related issue: Closes #39316

This is PR 3 of 3 for Windows Office vulnerability detection:

  1. PR Add Windows Office bulletin generator (1/3) #42663: Add bulletin generator dependencies (scraper, types, tests)
  2. Add Windows Office bulletin generation nvd#45: Update nvd repo to generate the feed
  3. This PR: Add runtime integration (analyzer, sync, cron)

Summary

Adds runtime components for Windows Office vulnerability detection:

  • server/vulnerabilities/winoffice/analyzer.go - Analyzes installed Office versions against the bulletin to detect vulnerabilities
  • server/vulnerabilities/winoffice/sync.go - Syncs bulletin from GitHub releases
  • server/vulnerabilities/io/{fs,github,metadata}.go - I/O helpers for bulletin sync
  • server/fleet/vulnerabilities.go - Adds WinOfficeSource constant
  • cmd/fleet/cron.go - Integrates winoffice vulnerability scanning into the cron job

How it works

  1. The cron job syncs the latest Windows Office bulletin from GitHub (generated daily by the nvd repo)
  2. Queries the database for Microsoft Office/365 software from the "programs" source
  3. For each installed Office version, checks if it's vulnerable to any CVEs in the bulletin
  4. Inserts/removes vulnerabilities in the database as needed

Checklist for submitter

  • Changes file added for user-visible changes in changes/
  • Input data is properly validated, SQL injection is prevented
  • Added/updated automated tests
  • Manually tested vulnerability detection with real Office versions

Testing

  • Added unit tests for analyzer (analyzer_test.go)
  • Added unit tests for sync (sync_test.go)
  • Added integration test that scrapes live Microsoft page (integration_test.go)

mostlikelee and others added 10 commits March 30, 2026 08:04
This adds the core components needed to scrape and generate Windows Office
security bulletins:
- cmd/winoffice/generate.go: standalone tool to generate bulletins
- server/vulnerabilities/winoffice/scraper.go: scrapes Microsoft Learn
- server/vulnerabilities/winoffice/bulletin.go: bulletin file types
- server/vulnerabilities/io/metadata.go: WinOfficeFileName helper

This adds the runtime components for Windows Office vulnerability detection:
- server/vulnerabilities/winoffice/analyzer.go: vulnerability analysis
- server/vulnerabilities/winoffice/sync.go: sync bulletins from GitHub
- server/vulnerabilities/io/{fs,github,metadata}.go: I/O helpers for sync
- server/fleet/vulnerabilities.go: add WinOfficeSource
- cmd/fleet/cron.go: integrate winoffice vuln scanning
- Various test files and documentation

This adds the core components needed to scrape and generate Windows Office
security bulletins:
- cmd/winoffice/generate.go: standalone tool to generate bulletins
- server/vulnerabilities/winoffice/scraper.go: scrapes Microsoft Learn
- server/vulnerabilities/winoffice/bulletin.go: bulletin file types
- server/vulnerabilities/io/metadata.go: WinOfficeFileName helper
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
# Conflicts:
#	server/vulnerabilities/winoffice/scraper.go
@mostlikelee mostlikelee requested a review from a team as a code owner April 2, 2026 02:18
Copilot AI review requested due to automatic review settings April 2, 2026 02:18

Copilot AI (Contributor) left a comment

Pull request overview

Adds runtime support for detecting Windows Microsoft Office / Microsoft 365 Apps vulnerabilities using a Fleet-generated bulletin published in the fleetdm/nvd GitHub releases, and integrates the sync+analysis into the server’s vulnerability cron workflow.

Changes:

  • Added Windows Office bulletin syncing from GitHub releases plus filesystem helpers to list/delete local bulletin files.
  • Implemented Windows Office version-to-bulletin matching logic and DB upsert/removal of detected CVEs.
  • Wired the Windows Office sync/analyze flow into the main vulnerability cron scan and added tests.

Reviewed changes

Copilot reviewed 12 out of 13 changed files in this pull request and generated 3 comments.

Summary per file

  • server/vulnerabilities/winoffice/sync.go - Sync latest Windows Office bulletin from GitHub releases into the local vuln data dir and clean up older copies.
  • server/vulnerabilities/winoffice/sync_test.go - Unit tests for Windows Office bulletin sync behavior (download, no-op, cleanup, error paths).
  • server/vulnerabilities/winoffice/integration_test.go - Network integration test that fetches a live bulletin and validates matching behavior.
  • server/vulnerabilities/winoffice/analyzer.go - Windows Office vulnerability analyzer: load latest bulletin, match installed Office versions, and write deltas to DB.
  • server/vulnerabilities/winoffice/analyzer_test.go - Unit tests for version parsing and build-suffix comparison helpers.
  • server/vulnerabilities/msrc/sync_test.go - Updated mocks to satisfy expanded GitHub/FS interfaces.
  • server/vulnerabilities/macoffice/sync_test.go - Updated mocks to satisfy expanded GitHub/FS interfaces.
  • server/vulnerabilities/io/metadata.go - Added Windows Office metadata filename parsing/validation helper.
  • server/vulnerabilities/io/github.go - Added WinOfficeBulletin to GitHub I/O API and implementation to select the latest asset.
  • server/vulnerabilities/io/fs.go - Added FS client support for listing Windows Office bulletin files.
  • server/fleet/vulnerabilities.go - Added WinOfficeSource vulnerability source constant.
  • cmd/fleet/cron.go - Integrated Windows Office bulletin sync + analysis into scheduled vulnerability scanning.
  • changes/39316-winoffice-vulnerability-detection - Release note entry for the new Windows Office vulnerability detection feature.

@mostlikelee mostlikelee marked this pull request as draft April 2, 2026 02:33
codecov Bot commented Apr 2, 2026

Codecov Report

❌ Patch coverage is 51.24378% with 98 lines in your changes missing coverage. Please review.
✅ Project coverage is 66.80%. Comparing base (baa4634) to head (a4758d0).
⚠️ Report is 61 commits behind head on main.

Files with missing lines (file - patch % - lines):

  • server/vulnerabilities/winoffice/analyzer.go - 46.87% - 62 missing and 6 partials ⚠️
  • server/vulnerabilities/io/github.go - 0.00% - 11 missing ⚠️
  • server/vulnerabilities/winoffice/sync.go - 68.75% - 9 missing and 1 partial ⚠️
  • cmd/fleet/cron.go - 62.50% - 7 missing and 2 partials ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main   #42872      +/-   ##
==========================================
- Coverage   66.82%   66.80%   -0.02%     
==========================================
  Files        2544     2546       +2     
  Lines      204231   204538     +307     
  Branches     9274     9274              
==========================================
+ Hits       136474   136644     +170     
- Misses      55405    55504      +99     
- Partials    12352    12390      +38     
Flag coverage Δ: backend 68.59% <51.24%> (-0.03%) ⬇️


@mostlikelee mostlikelee marked this pull request as ready for review April 2, 2026 20:32
@ksykulev ksykulev (Contributor) left a comment

Looks good to me. 👍

    return local[j].Before(local[i])
})

if local[0].Before(remote) {

I know this is the pattern we are using from the macoffice code, so non-blocking.
But the way I understand it, this gives us daily update granularity.

  1. The sync code runs on the fleet server and grabs fleet_winoffice_bulletin-2026_04_03.json from GitHub.
  2. A new post is added to the Win Office website.
  3. The nvd repo runs and generates a "newer" fleet_winoffice_bulletin-2026_04_03.json.
  4. The sync code runs again, but since fleet_winoffice_bulletin-2026_04_03.json is already on the file system, it doesn't pull in the newer version from GitHub. So we have to wait until tomorrow for the update.

Non-blocking, but I feel like we should adopt a SHA256 comparison instead of a date comparison. GitHub gives us the sha256 of the file, and we can generate one on the fleet server when comparing what to save/overwrite.
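The freshness decision discussed in this thread, written out as an added example (not the PR's sync.go code): the date-only rule beside the digest-based alternative the reviewer proposes. The file-name pattern comes from the thread; the function names, the "sha256:<hex>" digest format and the sample data are assumptions.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"regexp"
)

// The file name pattern is the one quoted in the review; the function names,
// the "sha256:<hex>" digest format and all sample data are assumed.
var bulletinNameRe = regexp.MustCompile(`^fleet_winoffice_bulletin-(\d{4}_\d{2}_\d{2})\.json$`)

// bulletinDate returns the zero-padded YYYY_MM_DD date embedded in a bulletin name.
func bulletinDate(name string) (string, error) {
	m := bulletinNameRe.FindStringSubmatch(name)
	if m == nil {
		return "", fmt.Errorf("not a winoffice bulletin name: %q", name)
	}
	return m[1], nil
}

// needsDownloadByDate is the date-only rule the reviewer describes: download only when the
// remote asset is dated after every local bulletin; a same-day regeneration keeps its name, so it is skipped.
func needsDownloadByDate(localNames []string, remoteName string) (bool, error) {
	remote, err := bulletinDate(remoteName)
	if err != nil {
		return false, err
	}
	newest := ""
	for _, n := range localNames {
		if d, err := bulletinDate(n); err == nil && d > newest {
			newest = d
		}
	}
	return newest < remote, nil
}

// needsDownloadByDigest is the reviewer's alternative: compare the SHA-256 the
// release metadata reports with a digest of the local copy. No local copy (nil)
// or any mismatch means download, so a same-day regeneration is picked up.
func needsDownloadByDigest(local []byte, remoteDigest string) bool {
	sum := sha256.Sum256(local)
	return local == nil || "sha256:"+hex.EncodeToString(sum[:]) != remoteDigest
}

func main() { // same-day regeneration: the date rule declines to download
	n := "fleet_winoffice_bulletin-2026_04_03.json"
	fmt.Println(needsDownloadByDate([]string{n}, n)) // false <nil>
}
```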

@mostlikelee mostlikelee merged commit 3c6042b into main Apr 3, 2026
48 checks passed
@mostlikelee mostlikelee deleted the 39316-winoffice-runtime branch April 3, 2026 15:44
Development

Successfully merging this pull request may close these issues.

Microsoft 365 Apps for enterprise not linked to identified CVEs on Windows
