Fixed bug when using without_vulnerability_details and vulnerabilit…

…y filters
fleetdm · Dec 13, 2024 · 3e75532 · 3e75532
1 parent fb118b6
commit 3e75532
Show file tree

Hide file tree

Showing 5 changed files with 27 additions and 7 deletions.
diff --git a/changes/24765-software-versions-bugfix b/changes/24765-software-versions-bugfix
@@ -0,0 +1 @@
+* Fixed bug when using the `without_vulnerability_details` param along with vulnerability filters in fleet premium.
diff --git a/ee/server/service/software.go b/ee/server/service/software.go
@@ -8,11 +8,7 @@ import (
 
 func (svc *Service) ListSoftware(ctx context.Context, opts fleet.SoftwareListOptions) ([]fleet.Software, *fleet.PaginationMetadata, error) {
 	// reuse ListSoftware, but include cve scores in premium version
-	// unless without_vulnerability_details is set to true
-	// including these details causes a lot of memory bloat
-	if !opts.WithoutVulnerabilityDetails {
-		opts.IncludeCVEScores = true
-	}
+	opts.IncludeCVEScores = true
 	return svc.Service.ListSoftware(ctx, opts)
 }
 

diff --git a/server/datastore/mysql/software.go b/server/datastore/mysql/software.go
@@ -917,7 +917,7 @@ func listSoftwareDB(
 				DetailsLink: fmt.Sprintf("https://nvd.nist.gov/vuln/detail/%s", cveID),
 				CreatedAt:   *result.CreatedAt,
 			}
-			if opts.IncludeCVEScores {
+			if opts.IncludeCVEScores && !opts.WithoutVulnerabilityDetails {
 				cve.CVSSScore = &result.CVSSScore
 				cve.EPSSProbability = &result.EPSSProbability
 				cve.CISAKnownExploit = &result.CISAKnownExploit

diff --git a/server/service/integration_enterprise_test.go b/server/service/integration_enterprise_test.go
@@ -5223,6 +5223,25 @@ func (s *integrationEnterpriseTestSuite) TestListSoftware() {
 			require.Nil(t, cve.ResolvedInVersion)
 		}
 	}
+	// without_vulnerability_details with vulnerability filter
+	s.DoJSON(
+		"GET", "/api/latest/fleet/software/versions",
+		listSoftwareRequest{},
+		http.StatusOK, &respVersions,
+		"exploit", "true",
+		"vulnerable", "true",
+		"without_vulnerability_details", "true",
+	)
+	for _, s := range respVersions.Software {
+		for _, cve := range s.Vulnerabilities {
+			require.Nil(t, cve.CVSSScore)
+			require.Nil(t, cve.EPSSProbability)
+			require.Nil(t, cve.CISAKnownExploit)
+			require.Nil(t, cve.CVEPublished)
+			require.Nil(t, cve.Description)
+			require.Nil(t, cve.ResolvedInVersion)
+		}
+	}
 	s.DoJSON(
 		"GET", "/api/latest/fleet/software/versions",
 		listSoftwareRequest{},

diff --git a/server/service/software.go b/server/service/software.go
@@ -106,7 +106,11 @@ func (svc *Service) ListSoftware(ctx context.Context, opt fleet.SoftwareListOpti
 	}
 
 	// Vulnerability filters are only available in premium (opt.IncludeCVEScores is only true in premium)
-	if !opt.IncludeCVEScores && (opt.MaximumCVSS > 0 || opt.MinimumCVSS > 0 || opt.KnownExploit) {
+	lic, err := svc.License(ctx)
+	if err != nil {
+		return nil, nil, err
+	}
+	if !lic.IsPremium() && (opt.MaximumCVSS > 0 || opt.MinimumCVSS > 0 || opt.KnownExploit) {
 		return nil, nil, fleet.ErrMissingLicense
 	}
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		* Fixed bug when using the `without_vulnerability_details` param along with vulnerability filters in fleet premium.