Cherry-Pick: Fixed bug when using without_vulnerability_details and…

… vulnerability filters (#24774) issue #24765 original pr #24769
fleetdm · Dec 13, 2024 · d4b91e3 · d4b91e3
1 parent 653fc8a
commit d4b91e3
Show file tree

Hide file tree

Showing 4 changed files with 26 additions and 3 deletions.
diff --git a/ee/server/service/software.go b/ee/server/service/software.go
@@ -10,7 +10,7 @@ func (svc *Service) ListSoftware(ctx context.Context, opts fleet.SoftwareListOpt
 	// reuse ListSoftware, but include cve scores in premium version
 	// unless without_vulnerability_details is set to true
 	// including these details causes a lot of memory bloat
-	if !opts.WithoutVulnerabilityDetails {
+	if (opts.MaximumCVSS > 0 || opts.MinimumCVSS > 0 || opts.KnownExploit) || !opts.WithoutVulnerabilityDetails {
 		opts.IncludeCVEScores = true
 	}
 	return svc.Service.ListSoftware(ctx, opts)

diff --git a/server/datastore/mysql/software.go b/server/datastore/mysql/software.go
@@ -917,7 +917,7 @@ func listSoftwareDB(
 				DetailsLink: fmt.Sprintf("https://nvd.nist.gov/vuln/detail/%s", cveID),
 				CreatedAt:   *result.CreatedAt,
 			}
-			if opts.IncludeCVEScores {
+			if opts.IncludeCVEScores && !opts.WithoutVulnerabilityDetails {
 				cve.CVSSScore = &result.CVSSScore
 				cve.EPSSProbability = &result.EPSSProbability
 				cve.CISAKnownExploit = &result.CISAKnownExploit

diff --git a/server/service/integration_enterprise_test.go b/server/service/integration_enterprise_test.go
@@ -5223,6 +5223,25 @@ func (s *integrationEnterpriseTestSuite) TestListSoftware() {
 			require.Nil(t, cve.ResolvedInVersion)
 		}
 	}
+	// without_vulnerability_details with vulnerability filter
+	s.DoJSON(
+		"GET", "/api/latest/fleet/software/versions",
+		listSoftwareRequest{},
+		http.StatusOK, &respVersions,
+		"exploit", "true",
+		"vulnerable", "true",
+		"without_vulnerability_details", "true",
+	)
+	for _, s := range respVersions.Software {
+		for _, cve := range s.Vulnerabilities {
+			require.Nil(t, cve.CVSSScore)
+			require.Nil(t, cve.EPSSProbability)
+			require.Nil(t, cve.CISAKnownExploit)
+			require.Nil(t, cve.CVEPublished)
+			require.Nil(t, cve.Description)
+			require.Nil(t, cve.ResolvedInVersion)
+		}
+	}
 	s.DoJSON(
 		"GET", "/api/latest/fleet/software/versions",
 		listSoftwareRequest{},

diff --git a/server/service/software.go b/server/service/software.go
@@ -106,7 +106,11 @@ func (svc *Service) ListSoftware(ctx context.Context, opt fleet.SoftwareListOpti
 	}
 
 	// Vulnerability filters are only available in premium (opt.IncludeCVEScores is only true in premium)
-	if !opt.IncludeCVEScores && (opt.MaximumCVSS > 0 || opt.MinimumCVSS > 0 || opt.KnownExploit) {
+	lic, err := svc.License(ctx)
+	if err != nil {
+		return nil, nil, err
+	}
+	if !lic.IsPremium() && (opt.MaximumCVSS > 0 || opt.MinimumCVSS > 0 || opt.KnownExploit) {
 		return nil, nil, fleet.ErrMissingLicense
 	}