
defensivedepth

11/23/2021, 1:38 PM
hey all! I am testing the vulnerability processing functionality... Currently on FleetDM 4.5.1, not sure if much has changed with 4.6.1 related to these issues. So the first screencap shows that my prod centos 7 server has 1763 vulnerabilities. If we look into this further, from the 2nd screencap we can see there is a finding for authconfig 6.2.8. 3rd screencap shows that it was installed with the package authconfig-6.2.8-30.el7.src.rpm. The changelog for that package can be found here: https://centos.pkgs.org/7/centos-x86_64/authconfig-6.2.8-30.el7.x86_64.rpm.html, in which we see the referenced vuln was fixed in package 6.2.8-26, which means that this finding is a false positive. This is a common occurrence for those 1763 vulnerabilities.

Tomas Touceda

11/23/2021, 1:43 PM
hi! the error happens because osquery reports the version as 6.2.8, and that's what fleet uses for checking CVEs
we should improve this by parsing the source and detecting patch releases, assuming that the patch release appears in the CVE database as fixed
could you create an issue with this information so that we can investigate further and improve?
while this is annoying to find, it was expected for us, given what the processing pipeline looks like. We really appreciate you investigating this to this level! This is key information to help improve things

defensivedepth

11/23/2021, 1:58 PM
Understood! Here is the issue - https://github.com/fleetdm/fleet/issues/3081

Tomas Touceda

11/23/2021, 3:11 PM
thank you!

Ryan

11/23/2021, 3:20 PM
nice
we were having the same issue here, so good to get that tracked and see if there’s any improvements possible