Fixing false negative vulnerabilities on macOS Homebrew python packages. (#17709)

getvictor · web-flow · commit 759003e37db4 · 2024-03-19T14:12:07.000-05:00
#17061 TODO: Need to also merge this fix into patch branch. # Checklist for submitter - [x] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [x] Added/updated tests - [x] Manual QA for all new/changed functionality
diff --git a/changes/17061-homebrew-python b/changes/17061-homebrew-python
@@ -0,0 +1 @@
+Fixing false negative vulnerabilities on macOS Homebrew python packages.
diff --git a/server/vulnerabilities/nvd/cpe_test.go b/server/vulnerabilities/nvd/cpe_test.go
@@ -1604,6 +1604,15 @@ func TestCPEFromSoftwareIntegration(t *testing.T) {
 			// DO NOT MATCH with Cisco Umbrella
 			cpe: "",
 		},
+		{
+			software: fleet.Software{
+				Name:    "python@3.9",
+				Source:  "homebrew_packages",
+				Version: "3.9.18_2",
+				Vendor:  "",
+			},
+			cpe: `cpe:2.3:a:python:python:3.9.18_2:*:*:*:*:*:*:*`,
+		},
 	}
 
 	// NVD_TEST_CPEDB_PATH can be used to speed up development (sync cpe.sqlite only once).
diff --git a/server/vulnerabilities/nvd/sanitize.go b/server/vulnerabilities/nvd/sanitize.go
@@ -81,11 +81,13 @@ var langCodes = map[string]bool{
 // - Removing any extra spaces
 // - Lowercasing the name
 // - Removing parts from the bundle identifier
+// - Removing version contained in homebrew_packages name
 func sanitizeSoftwareName(s *fleet.Software) string {
 	archs := regexp.MustCompile(` \(?x64\)?|\(?64-bit\)?|\(?64bit\)?|\(?amd64\)? `)
 	ver := regexp.MustCompile(` \.?\(?(\d+\.)?(\d+\.)?(\*|\d+)\)?\s?`)
 	gen := regexp.MustCompile(` \(\w+\)\s?`)
 	comments := regexp.MustCompile(` (-|:)\s?.+`)
+	versions := regexp.MustCompile(`@\d+($|(\.\d+($|\..+)))`) // @3 or @3.9 or @3.9.18 or @3.9.18_2
 
 	r := strings.ToLower(s.Name)
 	r = strings.TrimSuffix(r, ".app")
@@ -119,6 +121,11 @@ func sanitizeSoftwareName(s *fleet.Software) string {
 	r = strings.Replace(r, ")", " ", -1)
 	r = strings.Join(strings.Fields(r), " ")
 
+	// Remove @<version> from homebrew names
+	if s.Source == "homebrew_packages" {
+		r = versions.ReplaceAllString(r, "")
+	}
+
 	return r
 }
 

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+Fixing false negative vulnerabilities on macOS Homebrew python packages.`