Handle Generic CPEs for "Running On" Configurations

src/wazuh_modules/vulnerability_scanner/qa/test_data/011/expected_005.out

@@ -2,6 +2,5 @@
     "Initiating a vulnerability scan for package 'mail' (pkg) (apple) with CVE Numbering Authorities (CNA) 'nvd' on Agent '' (ID: '002', Version: '').",
     "The vendor is not the same for Package: mail, Version: 16.0, CVE: CVE-2008-4584, Content vendor: chilkat_software, Package vendor: apple",
     "The vendor is not the same for Package: mail, Version: 16.0, CVE: CVE-2017-15806, Content vendor: zetacomponents, Package vendor: apple",
-    "Vendor match for Package: mail, Version: 16.0, CVE: CVE-2005-2512, Vendor: apple",
-    "Match found, the package 'mail' is vulnerable to 'CVE-2005-2512' due to default status. - Agent '' (ID: '002', Version: '')."
+    "Platform not included in list. Package: mail, Version: 16.0, CVE: CVE-2005-2512, OS CPE: cpe:/o:apple:macos:::::, OS code name:"
 ]

src/wazuh_modules/vulnerability_scanner/qa/test_data/021/expected_002.out

@@ -1,7 +1,7 @@
 [
     "Initiating a vulnerability scan for package 'bsdutils' (deb) (ubuntu developers <ubuntu-devel-discuss@lists.ubuntu.com>) with CVE Numbering Authorities (CNA) 'canonical' on Agent '' (ID: '001', Version: '').",
-    "The platform is not in the list for Package: bsdutils, Version: 1:2.37.2-4ubuntu3.4, CVE: CVE-2016-5011, OS CPE: , OS code name: jammy",
-    "The platform is not in the list for Package: bsdutils, Version: 1:2.37.2-4ubuntu3.4, CVE: CVE-2018-7738, OS CPE: , OS code name: jammy",
-    "The platform is not in the list for Package: bsdutils, Version: 1:2.37.2-4ubuntu3.4, CVE: CVE-2021-3995, OS CPE: , OS code name: jammy",
-    "The platform is not in the list for Package: bsdutils, Version: 1:2.37.2-4ubuntu3.4, CVE: CVE-2021-3996, OS CPE: , OS code name: jammy"
+    "Platform not included in list. Package: bsdutils, Version: 1:2.37.2-4ubuntu3.4, CVE: CVE-2016-5011, OS CPE: , OS code name: jammy",
+    "Platform not included in list. Package: bsdutils, Version: 1:2.37.2-4ubuntu3.4, CVE: CVE-2018-7738, OS CPE: , OS code name: jammy",
+    "Platform not included in list. Package: bsdutils, Version: 1:2.37.2-4ubuntu3.4, CVE: CVE-2021-3995, OS CPE: , OS code name: jammy",
+    "Platform not included in list. Package: bsdutils, Version: 1:2.37.2-4ubuntu3.4, CVE: CVE-2021-3996, OS CPE: , OS code name: jammy"
 ]

src/wazuh_modules/vulnerability_scanner/src/scanOrchestrator/osDataCache.hpp

@@ -42,6 +42,7 @@ struct Os final
     std::string kernelVersion;  ///< Version of the kernel operating system.
     std::string kernelRelease;  ///< Release of the kernel operating system.
     std::string cpeName;        ///< CPE name of the operating system.
+    std::string cpeGeneric;     ///< CPE running or generic of the operating system.
 };
 
 /**
@@ -96,6 +97,7 @@ class OsDataCache final : public Singleton<OsDataCache<>>
         osData.kernelVersion = data.value("version", "");
         osData.kernelRelease = data.value("release", "");
         osData.cpeName = data.value("cpe_name", "");
+        osData.cpeGeneric = data.value("cpe_generic", "");
 
         return osData;
     }

src/wazuh_modules/vulnerability_scanner/src/scanOrchestrator/packageScanner.hpp

@@ -296,7 +296,24 @@ class TPackageScanner final : public AbstractHandler<std::shared_ptr<TScanContex
                         if (ScannerHelper::compareCPE(cpe, ScannerHelper::parseCPE(contextData->osCPEName().data())))
                         {
                             logDebug2(WM_VULNSCAN_LOGTAG,
-                                      "The platform is in the list based on CPE comparison for "
+                                      "Platform included in list after CPE comparison. "
+                                      "Package: %s, Version: %s, CVE: %s, Content platform CPE: %s OS CPE: %s",
+                                      package.name.c_str(),
+                                      package.version.c_str(),
+                                      callbackData.cveId()->str().c_str(),
+                                      platformValue.c_str(),
+                                      contextData->osCPEName().data());
+                            matchPlatform = true;
+                            break;
+                        }
+                        else if (ScannerHelper::compareCPE(
+                                     cpe,
+                                     ScannerHelper::parseCPE(contextData->osCPENameGeneric()
+                                                                 .data()))) // Not match in the list of platforms, but
+                                                                            // could be generic case.
+                        {
+                            logDebug2(WM_VULNSCAN_LOGTAG,
+                                      "Platform included in list after CPE comparison for generic case. "
                                       "Package: %s, Version: %s, CVE: %s, Content platform CPE: %s OS CPE: %s",
                                       package.name.c_str(),
                                       package.version.c_str(),
@@ -315,7 +332,7 @@ class TPackageScanner final : public AbstractHandler<std::shared_ptr<TScanContex
                     if (platformValue.compare(contextData->osCodeName()) == 0)
                     {
                         logDebug2(WM_VULNSCAN_LOGTAG,
-                                  "The platform is in the list based on OS code name comparison for "
+                                  "Platform included in list after comparison with OS code name. "
                                   "Package: %s, Version: %s, CVE: %s, Content OS code name: %s, OS code name: %s",
                                   package.name.c_str(),
                                   package.version.c_str(),
@@ -331,7 +348,7 @@ class TPackageScanner final : public AbstractHandler<std::shared_ptr<TScanContex
             if (!matchPlatform)
             {
                 logDebug2(WM_VULNSCAN_LOGTAG,
-                          "The platform is not in the list for Package: %s, Version: %s, CVE: %s, OS CPE: %s, "
+                          "Platform not included in list. Package: %s, Version: %s, CVE: %s, OS CPE: %s, "
                           "OS code name: %s",
                           package.name.c_str(),
                           package.version.c_str(),

src/wazuh_modules/vulnerability_scanner/src/scanOrchestrator/scanContext.hpp

@@ -106,6 +106,9 @@ struct AgentData
     std::string ip;      ///< Agent IP.
 };
 
+constexpr auto KEY_GENERIC_CPE = "generic";
+constexpr auto KEY_REVERSE_VENDOR = "reverseVendor";
+
 /**
  * @brief ScanContext structure.
  *
@@ -208,6 +211,57 @@ struct TScanContext final
             // Clear the cpeName if the OS is not supported
             m_osData.cpeName = "";
         }
+
+        // Build CPE for generic cases or running OS when build the CPE name.
+        buildCPENameForGeneric();
+    }
+
+    /**
+     * @brief Build CPE for generic cases or running OS.
+     */
+    void buildCPENameForGeneric()
+    {
+        // Get references to global data maps
+        const auto& osCpeMaps = TGlobalData::instance().osCpeMaps();
+        const auto& reverseVendorMaps = TGlobalData::instance().vendorMaps();
+
+        // Initialize the CPE name
+        m_osData.cpeGeneric = "cpe:/o:";
+
+        if (!(osCpeMaps.contains(KEY_GENERIC_CPE) && reverseVendorMaps.contains(KEY_REVERSE_VENDOR)))
+        {
+            // Clear the CPE name if the OS is not supported
+            m_osData.cpeGeneric.clear();
+            return;
+        }
+
+        // Get the generic CPE from the OS CPE maps
+        std::string cpeTemplate = osCpeMaps.at(KEY_GENERIC_CPE);
+        std::string vendorName;
+
+        // Find the vendor name in the reverse vendor maps
+        for (const auto& item : reverseVendorMaps.at(KEY_REVERSE_VENDOR))
+        {
+            if (item.contains(m_osData.platform))
+            {
+                vendorName = item.at(m_osData.platform);
+                break;
+            }
+        }
+
+        // Replace placeholders in the CPE template
+        if (vendorName.empty())
+        {
+            Utils::replaceAll(cpeTemplate, "$(TARGET_VENDOR)", m_osData.codeName);
+        }
+        else
+        {
+            Utils::replaceAll(cpeTemplate, "$(TARGET_VENDOR)", vendorName);
+        }
+        Utils::replaceAll(cpeTemplate, "$(TARGET_PLATFORM)", m_osData.platform);
+
+        // Set the CPE name, converting it to lower case
+        m_osData.cpeGeneric += Utils::toLowerCase(cpeTemplate);
     }
 
 public:
@@ -1416,6 +1470,15 @@ struct TScanContext final
         return m_osData.cpeName;
     }
 
+    /**
+     * @brief Gets OS CPE for generic cases
+     * @return OS CPE for generic cases.
+     */
+    std::string_view osCPENameGeneric() const
+    {
+        return m_osData.cpeGeneric;
+    }
+
     /**
      * @brief get the hotfix identifier being installed in the current scan.
      *

src/wazuh_modules/vulnerability_scanner/tests/unit/scanContext_test.cpp

@@ -1166,7 +1166,7 @@ TEST_F(ScanContextTest, TestBuildCPEWindows10)
     const nlohmann::json osCpeMap = nlohmann::json::parse(osCpeRules);
 
     spGlobalDataMock = std::make_shared<MockGlobalData>();
-    EXPECT_CALL(*spGlobalDataMock, osCpeMaps()).WillOnce(testing::Return(osCpeMap));
+    EXPECT_CALL(*spGlobalDataMock, osCpeMaps()).Times(2).WillRepeatedly(testing::Return(osCpeMap));
 
     spOsDataCacheMock = std::make_shared<MockOsDataCache>();
     EXPECT_CALL(*spOsDataCacheMock, setOsData(_, _)).Times(1);
@@ -1229,7 +1229,7 @@ TEST_F(ScanContextTest, TestBuildCPECentos)
     const nlohmann::json osCpeMap = nlohmann::json::parse(osCpeRules);
 
     spGlobalDataMock = std::make_shared<MockGlobalData>();
-    EXPECT_CALL(*spGlobalDataMock, osCpeMaps()).WillOnce(testing::Return(osCpeMap));
+    EXPECT_CALL(*spGlobalDataMock, osCpeMaps()).Times(2).WillRepeatedly(testing::Return(osCpeMap));
 
     spOsDataCacheMock = std::make_shared<MockOsDataCache>();
     EXPECT_CALL(*spOsDataCacheMock, setOsData(_, _)).Times(1);
@@ -1292,7 +1292,7 @@ TEST_F(ScanContextTest, TestBuildCPERedHat)
     const nlohmann::json osCpeMap = nlohmann::json::parse(osCpeRules);
 
     spGlobalDataMock = std::make_shared<MockGlobalData>();
-    EXPECT_CALL(*spGlobalDataMock, osCpeMaps()).WillOnce(testing::Return(osCpeMap));
+    EXPECT_CALL(*spGlobalDataMock, osCpeMaps()).Times(2).WillRepeatedly(testing::Return(osCpeMap));
 
     spOsDataCacheMock = std::make_shared<MockOsDataCache>();
     EXPECT_CALL(*spOsDataCacheMock, setOsData(_, _)).Times(1);
@@ -1350,7 +1350,7 @@ TEST_F(ScanContextTest, TestBuildCPEOpensuseTumbleweed)
     const nlohmann::json osCpeMap = nlohmann::json::parse(osCpeRules);
 
     spGlobalDataMock = std::make_shared<MockGlobalData>();
-    EXPECT_CALL(*spGlobalDataMock, osCpeMaps()).WillOnce(testing::Return(osCpeMap));
+    EXPECT_CALL(*spGlobalDataMock, osCpeMaps()).Times(2).WillRepeatedly(testing::Return(osCpeMap));
 
     spOsDataCacheMock = std::make_shared<MockOsDataCache>();
     EXPECT_CALL(*spOsDataCacheMock, setOsData(_, _)).Times(1);
@@ -1408,7 +1408,7 @@ TEST_F(ScanContextTest, TestBuildCPEOpensuseLeap)
     const nlohmann::json osCpeMap = nlohmann::json::parse(osCpeRules);
 
     spGlobalDataMock = std::make_shared<MockGlobalData>();
-    EXPECT_CALL(*spGlobalDataMock, osCpeMaps()).WillOnce(testing::Return(osCpeMap));
+    EXPECT_CALL(*spGlobalDataMock, osCpeMaps()).Times(2).WillRepeatedly(testing::Return(osCpeMap));
 
     spOsDataCacheMock = std::make_shared<MockOsDataCache>();
     EXPECT_CALL(*spOsDataCacheMock, setOsData(_, _)).Times(1);
@@ -1468,7 +1468,7 @@ TEST_F(ScanContextTest, TestBuildCPENameFedora)
     const nlohmann::json osCpeMap = nlohmann::json::parse(osCpeRules);
 
     spGlobalDataMock = std::make_shared<MockGlobalData>();
-    EXPECT_CALL(*spGlobalDataMock, osCpeMaps()).WillOnce(testing::Return(osCpeMap));
+    EXPECT_CALL(*spGlobalDataMock, osCpeMaps()).Times(2).WillRepeatedly(testing::Return(osCpeMap));
 
     spOsDataCacheMock = std::make_shared<MockOsDataCache>();
     EXPECT_CALL(*spOsDataCacheMock, setOsData(_, _)).Times(1);