From 836b58311cab37bbe20d3637488cc8f28ad92d58 Mon Sep 17 00:00:00 2001
From: Jahziel Villasana-Espinoza
Date: Fri, 21 Feb 2025 16:34:02 -0500
Subject: [PATCH 1/2] fix: match sanitized output to cpe
---
 server/service/osquery_utils/queries.go | 6 +++---
 server/service/osquery_utils/queries_test.go | 9 +++++----
 server/vulnerabilities/nvd/cve_test.go | 8 ++++++++
 3 files changed, 16 insertions(+), 7 deletions(-)
diff --git a/server/service/osquery_utils/queries.go b/server/service/osquery_utils/queries.go
index 0e0744603695..5eebde80675c 100644
--- a/server/service/osquery_utils/queries.go
+++ b/server/service/osquery_utils/queries.go
@@ -1784,11 +1784,11 @@ var (
 candidateSuffix := ""
 switch releaseLevel { // see https://github.com/python/cpython/issues/100829#issuecomment-1374656643
 case "10":
- candidateSuffix = "-alpha" + releaseSerial
+ candidateSuffix = "a" + releaseSerial
 case "11":
- candidateSuffix = "-beta" + releaseSerial
+ candidateSuffix = "b" + releaseSerial
 case "12":
- candidateSuffix = "-rc" + releaseSerial
+ candidateSuffix = "rc" + releaseSerial
 } // default
 if patchVersion == "" { // dot-zero patch releases have a 3-digit patch + build number
diff --git a/server/service/osquery_utils/queries_test.go b/server/service/osquery_utils/queries_test.go
index 8292832fd6d3..e461b2033d5a 100644
--- a/server/service/osquery_utils/queries_test.go
+++ b/server/service/osquery_utils/queries_test.go
@@ -1530,7 +1530,8 @@ func TestDirectIngestDiskEncryptionKeyDarwin(t *testing.T) {
 }
 ds.SetOrUpdateHostDiskEncryptionKeyFunc = func(ctx context.Context, incomingHost *fleet.Host, encryptedBase64Key, clientError string,
- decryptable *bool) error {
+ decryptable *bool,
+ ) error {
 if base64.StdEncoding.EncodeToString([]byte(wantKey)) != encryptedBase64Key {
 return errors.New("key mismatch")
 }
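Review bot: The new `"a"`/`"b"`/`"rc"` literals in the `switch` are only self-explaining with a comment: they replace the semver-style `-alpha`/`-beta`/`-rc` so the sanitized version is spelled the way NVD CPE names spell Python pre-releases (`3.14.0a4`), and the link on the `switch` line explains the release-level numbers but not this choice. A comment on the first case such as `// PEP 440 / CPE spelling (3.14.0a4), not -alpha4: the version must equal the NVD CPE version string or no CVE matches` would keep a later refactor from "normalizing" it back, since a mismatch here fails silently as zero vulnerabilities for the host. If `releaseSerial` can be empty the result is `3.14.0a`, which is not a valid pre-release spelling; I cannot see the parsing from this hunk, so that is worth confirming against the caller. The enclosing function starts and ends outside the hunk.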
@@ -2013,7 +2014,7 @@ func TestSanitizeSoftware(t *testing.T) {
 },
 sanitized: &fleet.Software{
 Name: "Python 3.14.0a4 (64-bit)",
- Version: "3.14.0-alpha4",
+ Version: "3.14.0a4",
 Source: "programs",
 },
 },
@@ -2027,7 +2028,7 @@ func TestSanitizeSoftware(t *testing.T) {
 },
 sanitized: &fleet.Software{
 Name: "Python 3.14.0b3 (64-bit)",
- Version: "3.14.0-beta3",
+ Version: "3.14.0b3",
 Source: "programs",
 },
 },
@@ -2041,7 +2042,7 @@ func TestSanitizeSoftware(t *testing.T) {
 },
 sanitized: &fleet.Software{
 Name: "Python 3.14.0rc2 (64-bit)",
- Version: "3.14.0-rc2",
+ Version: "3.14.0rc2",
 Source: "programs",
 },
 },
diff --git a/server/vulnerabilities/nvd/cve_test.go b/server/vulnerabilities/nvd/cve_test.go
index 819659e51d4a..450f7043aeba 100644
--- a/server/vulnerabilities/nvd/cve_test.go
+++ b/server/vulnerabilities/nvd/cve_test.go
@@ -381,6 +381,14 @@ func TestTranslateCPEToCVE(t *testing.T) {
 "cpe:2.3:a:simple_password_store_project:simple_password_store:1.7.0:*:*:*:*:macos:*:*": {
 includedCVEs: []cve{{ID: "CVE-2018-12356", resolvedInVersion: "1.7.2"}},
 },
+ "cpe:2.3:a:python:python:3.14.0a2:*:*:*:*:windows:*:*": {
+ includedCVEs: []cve{
+ {
+ ID: "CVE-2024-12254",
+ resolvedInVersion: "3.12.9",
+ },
+ },
+ },
 }
 cveOSTests := []struct {
From 423a8c795d5d3a3b4a6efc3cf5c670af36a5f9dd Mon Sep 17 00:00:00 2001
From: Jahziel Villasana-Espinoza
Date: Fri, 21 Feb 2025 16:49:38 -0500
Subject: [PATCH 2/2] chore: changes file
---
 changes/25991-pre-python | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 changes/25991-pre-python
diff --git a/changes/25991-pre-python b/changes/25991-pre-python
new file mode 100644
index 000000000000..e19369489690
--- /dev/null
+++ b/changes/25991-pre-python
@@ -0,0 +1,2 @@
+- Fixed an issue with Fleet's processing of Python versions to ensure that the correct CPEs are
+ checked for vulnerabilities.
\ No newline at end of file
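Review bot: The added `cpe:2.3:a:python:python:3.14.0a2:...` entry pins only that CVE-2024-12254 is reported for the pre-release, not that pre-release ordering is handled correctly: a comparator that treated every `aN`/`bN`/`rcN` build as vulnerable, or one that matched any 3.14 entry regardless of suffix, would pass this case just as well. If the table supports a negative expectation, a sibling entry for a build at or above the fix (or a later pre-release of the same series) would catch that; if it does not, the fixture at least deserves a comment tying it to the sanitizer change, e.g. `// pre-release CPE spelling (PEP 440 "3.14.0a2") produced by the osquery_utils Python version sanitizing`. The relationship between a 3.14 pre-release and a `resolvedInVersion` of `3.12.9` is not obvious from the fixture alone, so the comment should also say which NVD range the CPE is expected to fall into. TestTranslateCPEToCVE continues outside the hunk.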