Incorrect vulnerability mapping for Ruby

[zwass]

Fleet version: 4.11.0

Operating system: Host is macOS

---

💥  Actual behavior

https://dogfood.fleetdm.com/hosts/manage/?order_key=hostname&order_direction=asc&team_id=2&software_id=21269

The linked CVE (https://nvd.nist.gov/vuln/detail/CVE-2021-21289) is for a particular Ruby library (mechanize), but Fleet incorrectly matches this to the Ruby version installed.

There is probably a whole "class" of false positives generated by CVEs reported against Ruby libraries (and perhaps other ecosystems such as Python?)

More info

[chiiph]

@michalnicp would this be tackled by your macOS improvements?

[michalnicp]

This is a false positive that gets flagged because the ruby library mechanize has the word "ruby" in the title, and happens to have a version that matches a ruby version.

sqlite> select * from cpe where vendor = 'mechanize_project' and version = '2.7.5';
rowid   cpe23                                                         title                                       vendor             product    version  target_sw  deprecated
------  ------------------------------------------------------------  ------------------------------------------  -----------------  ---------  -------  ---------  ----------
501712  cpe:2.3:a:mechanize_project:mechanize:2.7.5:*:*:*:*:ruby:*:*  Mechanize Project Mechanize 2.7.5 for Ruby  mechanize_project  mechanize  2.7.5    ruby       0         

We could add an entry to the cpe_translations.json introduced in #6985 like the following

[
   {
     "match": {
       "name": ["[email protected]", ...],
       "source": ["homebrew_packages"]
     },
     "translation": {
       "product": ["ruby"],
       "vendor": ["ruby-lang"]
     }
   }
 ]

but we would need to potentially add an entry for every major.minor ruby version and keep this up to date