#fleet
SK

12/21/2021, 2:15 PM
Hey all, great improvements in the latest Fleet version 🎉 :partyparrot: I was wondering is there a way at this moment to search based on CVE? I saw that future versions might hold this feature but I was wondering if there is a workaround I can use at this moment.
Lucas Rodriguez

12/21/2021, 2:16 PM
Hi SK! Let me check with the team and I'll get back to you.
2:20 PM
I was wondering is there a way at this moment to search based on CVE?
Do you mean to filter the vulnerable detected software by some CVE entered by the user?
2:20 PM
E.g. "of all the vulnerable software only list those affected by CVE-X-Y"
Noah Talerman

12/21/2021, 3:59 PM
Hey SK, the ability to search by CVE is tracked in the following GitHub issue here: https://github.com/fleetdm/fleet/issues/2814 The ability to search for a specific CVE is planned for an upcoming release of Fleet.
SK

12/21/2021, 4:10 PM
Hey @Lucas Rodriguez Yes, the idea is to filter the vulnerable software based on the CVE that is detected
4:11 PM
Hey @Noah Talerman I indeed saw this one, but it was not clear for me what the timeframe would be; that is why I was thinking of a workaround for now
Noah Talerman

12/21/2021, 4:18 PM
was not clear for me what the timeframe would be
Ah. This improvement will likely be added in early to late Feb 2022 (~1.5-2 months)
Lucas Rodriguez

12/21/2021, 4:27 PM
One way to work around this is to use the `fleetctl get hosts` and some script to process the JSON (or YAML) data.
4:29 PM
In my local test I did:
fleetctl get hosts $my_test_hostname > test.txt

# In test.txt I found the following (the test host has a sqlite version that has a CVE):

  - generated_cpe: cpe:2.3:a:sqlite:sqlite:3.36.0:*:*:*:*:*:*:*
    id: 398
    name: sqlite
    source: homebrew_packages
    version: 3.36.0
    vulnerabilities:
    - cve: CVE-2021-36690
      details_link: https://nvd.nist.gov/vuln/detail/CVE-2021-36690
SK

12/21/2021, 4:33 PM
Oh, that is a great idea @Lucas Rodriguez, thanks.
8:40 PM
It seems to only work when querying individual hosts and not all at once...
8:49 PM
Figured it out: not host based, but if I retrieve the software list in JSON format I also get all the CVEs