Add versions to product names in MSRC bulletins to aid Windows vulner…

…ability matching (#24172) for #24041 This PR addresses an issue that can cause Windows vulnerability checks to fail (possibly causing false negatives). We determine whether a vulnerability in an MSRC bulletin applies to any hosts in a Fleet instance by attempting to matching the data in [each row of the `operating_systems` table](https://github.com/fleetdm/fleet/blob/65e374c85c32a7dd582aa1d438161663a4abc43c/cmd/fleet/cron.go#L297-L303) with [at least one "product" in a bulletin](https://github.com/fleetdm/fleet/blob/e2d9a9016cb2bbf6cfe0ef7512f58d9934bf69de/server/vulnerabilities/msrc/analyzer.go#L39), including [matching architecture and "display version"](https://github.com/fleetdm/fleet/blob/76f5baced9360576743c9aa87a62f30b0fe63d45/server/vulnerabilities/msrc/parsed/product.go#L26-L39). However a subset of products listed in these bulletins do not include the display version, so for example a host whose OS was listed as `Microsoft Windows Server 2022 Datacenter 21H2` (21H2 being the "display version") would match nothing in the bulletins because no listed Server 2022 products include "21H2" in their names. The fix made here is to add relevant version info to the products list when we do our ETL of the MSRC bulletins. The version info was gleaned from https://en.wikipedia.org/wiki/List_of_Microsoft_Windows_versions. We see logs related to this issue a lot, so cleaning this up will alleviate some noise and infra costs as well.
fleetdm · Dec 17, 2024 · edc68d3 · edc68d3
1 parent 35f0741
commit edc68d3
Show file tree

Hide file tree

Showing 5 changed files with 409 additions and 215 deletions.
diff --git a/cmd/fleet/cron.go b/cmd/fleet/cron.go
@@ -309,7 +309,7 @@ func checkWinVulnerabilities(
 				"found new", len(r))
 			results = append(results, r...)
 			if err != nil {
-				errHandler(ctx, logger, "analyzing hosts for Windows vulnerabilities", err)
+				errHandler(ctx, kitlog.With(logger, "os name", o.Name, "display version", o.DisplayVersion), "analyzing hosts for Windows vulnerabilities", err)
 			}
 		}
 	}

diff --git a/server/vulnerabilities/msrc/parsed/product.go b/server/vulnerabilities/msrc/parsed/product.go
@@ -66,7 +66,53 @@ func (p Products) GetMatchForOS(ctx context.Context, os fleet.OperatingSystem) (
 }
 
 func NewProductFromFullName(fullName string) Product {
-	return Product(fullName)
+	// If the full name includes a version, return it as-is.
+	p := Product(fullName)
+	if p.HasDisplayVersion() {
+		return p
+	}
+
+	// Several Windows products listed in MSRC bulletins don't include the OS version number.
+	// We need this to match the product with a host's OS, so we'll add them here.
+	versionString := ""
+	switch {
+	case strings.Contains(fullName, "Windows Server 2022"):
+		versionString = "21H2"
+
+	case strings.Contains(fullName, "Windows Server 2016"):
+		versionString = "1607"
+
+	case strings.Contains(fullName, "Windows Server 2019"):
+		versionString = "1809"
+
+	case strings.Contains(fullName, "Windows 8.1"):
+		versionString = "6.3 / NT 6.3"
+
+	case strings.Contains(fullName, "Windows RT 8.1"):
+		versionString = "6.3 / NT 6.3"
+
+	case strings.Contains(fullName, "Windows Server 2012 R2"):
+		versionString = "6.3 / NT 6.3"
+
+	case strings.Contains(fullName, "Windows Server 2012"):
+		versionString = "6.2 / NT 6.2"
+
+	case strings.Contains(fullName, "Windows Server 2008 R2"):
+		versionString = "6.1 / NT 6.1"
+
+	case strings.Contains(fullName, "Windows 7"):
+		versionString = "6.1 / NT 6.1"
+
+	case strings.Contains(fullName, "Windows Server 2008"):
+		versionString = "6.0 / NT 6.0"
+	}
+
+	finalName := fullName
+	if versionString != "" {
+		finalName += (" Version " + versionString)
+	}
+
+	return Product(finalName)
 }
 
 func NewProductFromOS(os fleet.OperatingSystem) Product {