# fleet

SK

12/21/2021, 2:15 PM
Hey all, great improvements in the latest Fleet version 🎉🦜 I was wondering, is there a way at this moment to search based on CVE? I saw that future versions might hold this feature, but I was wondering if there is a workaround I can use at this moment.

Lucas Rodriguez

12/21/2021, 2:16 PM
Hi SK! Let me check with the team and I'll get back to you.
> I was wondering is there a way at this moment to search based on CVE?
Do you mean to filter the vulnerable detected software by some CVE entered by the user?
E.g. "of all the vulnerable software only list those affected by CVE-X-Y"

Noah Talerman

12/21/2021, 3:59 PM
Hey SK, the ability to search by CVE is tracked in the following GitHub issue: https://github.com/fleetdm/fleet/issues/2814
The ability to search for a specific CVE is planned for an upcoming release of Fleet.

SK

12/21/2021, 4:10 PM
Hey @Lucas Rodriguez, yes, the idea is to filter the vulnerable software based on the CVE that is detected.
Hey @Noah Talerman, I indeed saw this one, but it was not clear to me what the timeframe would be; that is why I was thinking of a workaround for now.

Noah Talerman

12/21/2021, 4:18 PM
> was not clear for me what the timeframe would be
Ah. This improvement will likely be added in early to late Feb 2022 (~1.5-2 months)

Lucas Rodriguez

12/21/2021, 4:27 PM
One way to work around this is to use `fleetctl get hosts` and some script to process the JSON (or YAML) data.
In my local test I did:
```shell
fleetctl get hosts $my_test_hostname > test.txt
```

In test.txt I found the following (the test host has a sqlite version that has a CVE):

```yaml
  - generated_cpe: cpe:2.3:a:sqlite:sqlite:3.36.0:*:*:*:*:*:*:*
    id: 398
    name: sqlite
    source: homebrew_packages
    version: 3.36.0
    vulnerabilities:
    - cve: CVE-2021-36690
      details_link: https://nvd.nist.gov/vuln/detail/CVE-2021-36690
```

SK

12/21/2021, 4:33 PM
Oh, that is a great idea @Lucas Rodriguez, thanks.
It seems to only work when querying individual hosts and not all at once...
Figured it out: not host-based, but if I retrieve the software list in JSON format I also get all the CVEs.