From d4b91e3401a3dc74ab0bd98764f83d1063b64863 Mon Sep 17 00:00:00 2001
From: Konstantin Sykulev
Date: Fri, 13 Dec 2024 17:05:30 -0600
Subject: [PATCH] Cherry-Pick: Fixed bug when using `without_vulnerability_details` and vulnerability filters (#24774)

issue https://github.com/fleetdm/fleet/issues/24765
original pr https://github.com/fleetdm/fleet/pull/24769
---
 ee/server/service/software.go | 2 +-
 server/datastore/mysql/software.go | 2 +-
 server/service/integration_enterprise_test.go | 19 +++++++++++++++++++
 server/service/software.go | 6 +++++-
 4 files changed, 26 insertions(+), 3 deletions(-)

diff --git a/ee/server/service/software.go b/ee/server/service/software.go
index 9ba3aafbb42d..c11d802f0769 100644
--- a/ee/server/service/software.go
+++ b/ee/server/service/software.go
@@ -10,7 +10,7 @@ func (svc *Service) ListSoftware(ctx context.Context, opts fleet.SoftwareListOpt
 	// reuse ListSoftware, but include cve scores in premium version
 	// unless without_vulnerability_details is set to true
 	// including these details causes a lot of memory bloat
-	if !opts.WithoutVulnerabilityDetails {
+	if (opts.MaximumCVSS > 0 || opts.MinimumCVSS > 0 || opts.KnownExploit) || !opts.WithoutVulnerabilityDetails {
 		opts.IncludeCVEScores = true
 	}
 	return svc.Service.ListSoftware(ctx, opts)
diff --git a/server/datastore/mysql/software.go b/server/datastore/mysql/software.go
index e1d0b84eecb8..77cc5ee14b08 100644
--- a/server/datastore/mysql/software.go
+++ b/server/datastore/mysql/software.go
@@ -917,7 +917,7 @@ func listSoftwareDB(
 				DetailsLink: fmt.Sprintf("https://nvd.nist.gov/vuln/detail/%s", cveID),
 				CreatedAt: *result.CreatedAt,
 			}
-			if opts.IncludeCVEScores {
+			if opts.IncludeCVEScores && !opts.WithoutVulnerabilityDetails {
 				cve.CVSSScore = &result.CVSSScore
 				cve.EPSSProbability = &result.EPSSProbability
 				cve.CISAKnownExploit = &result.CISAKnownExploit
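Review bot: The comment block directly above the changed condition is now stale: it still says CVE scores are included "unless without_vulnerability_details is set to true", but the new line forces opts.IncludeCVEScores on whenever a CVSS or known-exploit filter is present, regardless of that flag. Suggest replacing the last two comment lines with `// unless without_vulnerability_details is set (the details cause a lot of memory bloat);` / `// a cvss/exploit filter always needs the scores loaded so the datastore can apply it.` The same three-term filter predicate is spelled out again in server/service/software.go in this patch; a small method on the options type that answers "has vulnerability filters" would keep the two copies in step. The redundant outer parentheses around the first disjunct can also go. The enclosing ListSoftware method starts before this hunk.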
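Review bot: The changed condition leaves the division of labour between the two flags undocumented: after this patch opts.IncludeCVEScores appears to mean "the score columns are needed (e.g. for filtering)" while opts.WithoutVulnerabilityDetails alone decides whether they are copied into the response, and a reader of listSoftwareDB cannot see that from the code. A one-line comment above the condition, `// scores may be loaded for filtering; only expose them when details were requested`, would make the intent explicit. Note that CISAKnownExploit is withheld here too even when the caller filtered on known exploits, which looks intended but is worth stating in that comment. listSoftwareDB starts well before this hunk.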
diff --git a/server/service/integration_enterprise_test.go b/server/service/integration_enterprise_test.go
index b6362351039e..b82dbeda764d 100644
--- a/server/service/integration_enterprise_test.go
+++ b/server/service/integration_enterprise_test.go
@@ -5223,6 +5223,25 @@ func (s *integrationEnterpriseTestSuite) TestListSoftware() {
 			require.Nil(t, cve.ResolvedInVersion)
 		}
 	}
+	// without_vulnerability_details with vulnerability filter
+	s.DoJSON(
+		"GET", "/api/latest/fleet/software/versions",
+		listSoftwareRequest{},
+		http.StatusOK, &respVersions,
+		"exploit", "true",
+		"vulnerable", "true",
+		"without_vulnerability_details", "true",
+	)
+	for _, s := range respVersions.Software {
+		for _, cve := range s.Vulnerabilities {
+			require.Nil(t, cve.CVSSScore)
+			require.Nil(t, cve.EPSSProbability)
+			require.Nil(t, cve.CISAKnownExploit)
+			require.Nil(t, cve.CVEPublished)
+			require.Nil(t, cve.Description)
+			require.Nil(t, cve.ResolvedInVersion)
+		}
+	}
 	s.DoJSON(
 		"GET", "/api/latest/fleet/software/versions",
 		listSoftwareRequest{},
diff --git a/server/service/software.go b/server/service/software.go
index eae55218f989..ef7828a1b5ce 100644
--- a/server/service/software.go
+++ b/server/service/software.go
@@ -106,7 +106,11 @@ func (svc *Service) ListSoftware(ctx context.Context, opt fleet.SoftwareListOpti
 	}
 
 	// Vulnerability filters are only available in premium (opt.IncludeCVEScores is only true in premium)
-	if !opt.IncludeCVEScores && (opt.MaximumCVSS > 0 || opt.MinimumCVSS > 0 || opt.KnownExploit) {
+	lic, err := svc.License(ctx)
+	if err != nil {
+		return nil, nil, err
+	}
+	if !lic.IsPremium() && (opt.MaximumCVSS > 0 || opt.MinimumCVSS > 0 || opt.KnownExploit) {
 		return nil, nil, fleet.ErrMissingLicense
 	}
 
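Review bot: The new assertions are vacuous if the filtered request returns no software: both range loops simply never execute, so a regression that made the exploit filter combined with without_vulnerability_details return an empty list, or strip the vulnerabilities, would still pass. Add `require.NotEmpty(t, respVersions.Software)` after the DoJSON call, and ideally assert that at least one returned entry has a non-empty Vulnerabilities slice, so the test proves the filter was applied and only the detail fields were withheld. The loop variable `s` also shadows the suite receiver `s` inside the loop; renaming it to `sw` avoids confusion next to the following s.DoJSON call. TestListSoftware starts and ends outside the hunk.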
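Review bot: The comment kept above the new license check is now wrong: its parenthetical "(opt.IncludeCVEScores is only true in premium)" describes the condition this patch removes, and with this patch the premium service also sets IncludeCVEScores whenever a filter is present, so the flag no longer encodes the license tier. Replace it with `// Vulnerability filters (min/max CVSS, known exploit) are a premium feature; check the license directly.` The svc.License call now runs on every ListSoftware request, including the common unfiltered case — if it does more than read already-loaded state, evaluating the filter predicate first and calling License only when a filter is set keeps the unfiltered path unchanged. The error from License is returned bare; if the surrounding code wraps errors with context, this line should follow that convention. The enclosing ListSoftware method starts before the hunk and continues after it.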