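--- a/changes/43328-python3-prefix-cpe
+++ b/changes/43328-python3-prefix-cpe
@@ -0,0 +1 @@
+- Fixed vulnerability detection for Python packages on Ubuntu/Debian devices by stripping the "python3-" name prefix during CPE matching.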
7 changes: 7 additions & 0 deletions server/vulnerabilities/nvd/sanitize.go
Expand Up @@ -92,6 +92,13 @@ func sanitizeSoftwareName(s *fleet.Software) string {
r := strings.ToLower(s.Name)
r = strings.TrimSuffix(r, ".app")

// Strip "python3-" prefix from python_packages names for CPE matching.
// On Ubuntu/Debian, pythonPackageFilter prepends "python3-" to match OVAL definitions,
// but the CPE database uses the bare package name (e.g. "geopandas" not "python3-geopandas").
if s.Source == "python_packages" {
r = strings.TrimPrefix(r, "python3-")
}

// Remove vendor, for 'apps' the vendor name is usually after the top level domain part.
r = strings.ReplaceAll(r, strings.ToLower(s.Vendor), "")
bundleParts := strings.Split(s.BundleIdentifier, ".")
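Review bot: The added block hard-codes both the source name "python_packages" and the "python3-" prefix that, per its own comment, pythonPackageFilter prepends elsewhere; if either side changes the two drift silently and the prefix simply stops being stripped, so the prefix belongs in one shared constant referenced from both places, e.g. `const debianPython3Prefix = "python3-"` used here as `r = strings.TrimPrefix(r, debianPython3Prefix)`. Since `r` is already lowercased on the first hunk line, the strip also applies to names like "Python3-Foo", which is worth stating in the comment so nobody later "fixes" it to a case-sensitive check. One caveat to record next to the strip: once the prefix is gone the entry is matched against NVD by upstream product name, so if the Version carried for these entries is the distro package version rather than the upstream release, matches may be over- or under-reported — worth confirming against the collector. sanitizeSoftwareName's signature sits in the hunk header and its body continues below the hunk.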
56 changes: 56 additions & 0 deletions server/vulnerabilities/nvd/sanitize_test.go
Expand Up @@ -162,6 +162,14 @@
vendorVariations: []string{"microsoft", "ms-python"},
productVariations: []string{"python", "ms-python.python"},
},
{
software: fleet.Software{Name: "python3-geopandas", Version: "1.0.1", Source: "python_packages"},
productVariations: []string{"geopandas"},
},
{
software: fleet.Software{Name: "python3-django", Version: "3.2.12", Source: "python_packages"},
productVariations: []string{"django"},
},
}

for _, tc := range variationsTestCases {
Expand Down Expand Up @@ -378,6 +386,54 @@
require.Equal(t, tc.expected, actual)
}
})

t.Run("strips python3- prefix from python_packages", func(t *testing.T) {
testCases := []struct {
software fleet.Software
expected string
}{
{
software: fleet.Software{
Name: "python3-geopandas",
Version: "1.0.1",
Source: "python_packages",
},
expected: "geopandas",
},
{
software: fleet.Software{
Name: "python3-django",
Version: "3.2.12",
Source: "python_packages",
},
expected: "django",
},
{
// python_packages without the prefix should not be affected
software: fleet.Software{
Name: "requests",
Version: "2.28.0",
Source: "python_packages",
},
expected: "requests",
},
{
// deb_packages with python3- prefix should NOT be stripped
software: fleet.Software{
Name: "python3-geopandas",
Version: "1.0.1",
Source: "deb_packages",
},
expected: "python3-geopandas",
},
}

for _, tc := range testCases {
tc := tc

actual := sanitizeSoftwareName(&tc.software)
require.Equal(t, tc.expected, actual)
}
})
}

func TestParseUpdateFromVersion(t *testing.T) {
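Review bot: `tc := tc` at the top of the loop in the new "strips python3- prefix from python_packages" subtest is a no-op and fails the PR's lint job (`forvar: copying variable is unneeded`), which implies the module is on Go 1.22+ per-iteration loop variables; the loop body captures nothing, so drop that line. The table also never covers a `python_packages` entry with a non-empty Vendor or a mixed-case name such as "Python3-Requests", both of which pass through the lowercase and vendor-removal steps of sanitizeSoftwareName after the strip; one case each would pin that the strip still applies after ToLower and does not interact badly with vendor removal. The first hunk's added variation cases use the same two names as the subtest, so the overlap could be trimmed to one. The enclosing test function begins above the second hunk.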