# fleet

Gavin

09/09/2022, 2:48 PM
👋 Random one. I don’t know if it’s an open issue, but GitHub search has failed, but on the latest Fleet v4.19.1 we’re seeing CVEs being created for the same software daily and at multiple times.

Shawn Maddock

09/09/2022, 2:51 PM
I keep getting crashes after vuln scans on 4.19.1, I wonder if that's why

Kathy Satterlee

09/09/2022, 3:11 PM
Hi, @Gavin! Wanted to double check before I start digging into this. Is the issue that you're getting multiple triggers of your webhook/integration?

Gavin

09/09/2022, 3:12 PM
Bingo, I can stick on debug logging
For example, every day I get 30-40 of the same CVE
It seems to get stuck then makes the same one for the amount of open vulns.
Almost like it’s trying to range over the open vulns, but the index does not increment so it creates the count of vulnerabilities left to be created, as the same ticket.

Kathy Satterlee

09/09/2022, 3:16 PM
Ouch. Sorry about that, @Gavin! That's not a good look. We're digging into it.
@Shawn Maddock Do you also have a webhook/integration set up for vulnerabilities? How much memory is allocated for Fleet?

Shawn Maddock

09/09/2022, 3:20 PM
I don’t, so perhaps unrelated. Memory for Fleet is not limited.

Kathy Satterlee

09/09/2022, 3:21 PM
Sounds like it's likely unrelated. Would you mind starting a new thread for that for better visibility?
What's your setup, @Gavin? Looks like Jira, are you using the integration?

Gavin

09/09/2022, 3:27 PM
Jira Cloud SaaS

Kathy Satterlee

09/09/2022, 3:27 PM
Thanks! Ticket incoming.
I'm seeing the same behavior with CVE-2022-27664 on our end. Are you seeing this with other CVEs?
I'm actually seeing it with others as well, think that just jumped out because it's a recent find.
It looks like there is an existing ticket (my search skills failed me as well): https://github.com/fleetdm/fleet/issues/6717
On the Fleet side, are you sending this directly to Jira using the built-in integration, or are you using a webhook to send the data elsewhere and then piping it into Jira?

Gavin

09/09/2022, 4:22 PM
To confirm, directly to Jira Cloud
We are yet to investigate the webhook, but long term will move to DefectDojo, Dependency Track for this powered by the Webhook

Kathy Satterlee

09/09/2022, 4:24 PM
Thanks for the confirmation!

Shawn Maddock

09/12/2022, 4:50 PM

Kathy Satterlee

09/12/2022, 5:00 PM
Indeed! Thanks for pointing that one out.

mikermcneil

09/16/2022, 3:50 AM
Thanks for the heads up on this one, Gavin and Shawn.

Gavin

09/22/2022, 2:10 PM
Small update on this one, when we rolled out the fix we got a couple of hundred tickets created, then expected behaviour after. So fully expected with state correction on the existing queue then only new items created.

Kathy Satterlee

09/22/2022, 5:49 PM
That's great news, @Gavin! Thanks (again) for bringing this to us.