diff --git a/changes/17061-homebrew-python b/changes/17061-homebrew-python
new file mode 100644
index 000000000000..bf76e59e02af
--- /dev/null
+++ b/changes/17061-homebrew-python
@@ -0,0 +1 @@
+Fixing false negative vulnerabilities on macOS Homebrew python packages.
diff --git a/server/vulnerabilities/nvd/cpe_test.go b/server/vulnerabilities/nvd/cpe_test.go
index 8c4298b0d1c0..6f8a5f4c94c4 100644
--- a/server/vulnerabilities/nvd/cpe_test.go
+++ b/server/vulnerabilities/nvd/cpe_test.go
@@ -1604,6 +1604,15 @@ func TestCPEFromSoftwareIntegration(t *testing.T) {
 // DO NOT MATCH with Cisco Umbrella
 cpe: "",
 },
+ {
+ software: fleet.Software{
+ Name: "python@3.9",
+ Source: "homebrew_packages",
+ Version: "3.9.18_2",
+ Vendor: "",
+ },
+ cpe: `cpe:2.3:a:python:python:3.9.18_2:*:*:*:*:*:*:*`,
+ },
 }
 
 // NVD_TEST_CPEDB_PATH can be used to speed up development (sync cpe.sqlite only once).
diff --git a/server/vulnerabilities/nvd/sanitize.go b/server/vulnerabilities/nvd/sanitize.go
index 33dc144f8a22..40e0be0ddc21 100644
--- a/server/vulnerabilities/nvd/sanitize.go
+++ b/server/vulnerabilities/nvd/sanitize.go
@@ -81,11 +81,13 @@ var langCodes = map[string]bool{
 // - Removing any extra spaces
 // - Lowercasing the name
 // - Removing parts from the bundle identifier
+// - Removing version contained in homebrew_packages name
 func sanitizeSoftwareName(s *fleet.Software) string {
 archs := regexp.MustCompile(` \(?x64\)?|\(?64-bit\)?|\(?64bit\)?|\(?amd64\)? `)
 ver := regexp.MustCompile(` \.?\(?(\d+\.)?(\d+\.)?(\*|\d+)\)?\s?`)
 gen := regexp.MustCompile(` \(\w+\)\s?`)
 comments := regexp.MustCompile(` (-|:)\s?.+`)
+ versions := regexp.MustCompile(`@\d+($|(\.\d+($|\..+)))`) // @3 or @3.9 or @3.9.18 or @3.9.18_2
 
 r := strings.ToLower(s.Name)
 r = strings.TrimSuffix(r, ".app")
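Review bot: The expected CPE in the new table entry keeps the Homebrew revision suffix in the version field (`3.9.18_2`), while the upstream CPython release that NVD entries describe is 3.9.18; whether the range matching that consumes this CPE treats `3.9.18_2` as 3.9.18 (or at least as greater than it) is not visible here and is worth confirming, otherwise the false negative this commit targets moves from the product name to the version. A second case with a bare major-only name such as `python@3` (constructed example) would also exercise the `@\d+$` branch of the new regex, which this single case does not. The test table starts and ends outside this hunk.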
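Review bot: The new `versions` pattern is compiled with `regexp.MustCompile` on every call of `sanitizeSoftwareName`, and it is only used when `s.Source == "homebrew_packages"`, so for every other source the compile is pure waste; this function is presumably run once per software row during vulnerability matching, which makes the cost recurring. Since the pattern is constant, hoist it to package scope as `var homebrewVersionSuffix = regexp.MustCompile(`@\d+($|(\.\d+($|\..+)))`)` and reference that in the later hunk; the four existing per-call patterns follow the same shape and could move with it in a follow-up. The `$` anchors rely on the whitespace normalisation that runs earlier in the body, which is fine today but worth a one-line comment so a later reorder does not silently break the match. `sanitizeSoftwareName` continues past the end of this hunk.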
@@ -119,6 +121,11 @@ func sanitizeSoftwareName(s *fleet.Software) string {
 r = strings.Replace(r, ")", " ", -1)
 r = strings.Join(strings.Fields(r), " ")
 
+ // Remove @ from homebrew names
+ if s.Source == "homebrew_packages" {
+ r = versions.ReplaceAllString(r, "")
+ }
+
 return r
 }
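Review bot: The comment `// Remove @ from homebrew names` understates what the block does — it strips the whole `@<version>` suffix, not just the `@` character — and says nothing about why, which matters because the stripped text is a version and a reader may think version information is being lost. Suggest `// Homebrew versioned formulae embed the major/minor version in the name (python@3.9); drop that suffix so the name matches the NVD product name, the version itself is taken from s.Version` — the last clause is what the new test case implies and should be confirmed against the CPE builder. The `$` anchors in the pattern only hold because `strings.Join(strings.Fields(r), " ")` has already trimmed trailing whitespace, so this block must stay after that line. `sanitizeSoftwareName` begins before this hunk.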