False-positive vulnerabilities are cleared at a counterintuitive interval #25898
Assignees
Labels
bug
Something isn't working as documented
#g-software
Software product group
:product
Product Design department (shows up on 🦢 Drafting board)
~released bug
This bug was found in a stable release.
~vulnerability-management
Comments
|
Hey team! Please add your planning poker estimate with Zenhub @iansltx @jahzielv @ksykulev |
|
@mostlikelee we decided to document the current behavior as the expected behavior. You mentioned that this time lag (~2 hrs) makes testing harder. Up to you to file a separate eng-initiated story to tackle that. |
noahtalerman
added a commit
that referenced
this issue
Feb 13, 2025
Documentation for the following bug: - #25898
|
@iansltx @mostlikelee we decided to document the current behavior as the expected behavior. PR is here. Plan is to close the bug once the PR is merged. Please feel free to file an eng initiated story if you think we should consider prioritizing an improvement. |
noahtalerman
added a commit
that referenced
this issue
Feb 14, 2025
Documentation for the following bug: - #25898
|
PR is merged: #26329 |
|
False-positives cleared, |
17 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
UPDATE: @noahtalerman: we decided to document the current behavior as the expected behavior. PR is here.
Fleet version: <= 4.64.0
💥 Actual behavior
False-positive vulnerabilities are cleared out based on a time limit rather than based on when the current vulnerabilities run started. This means that successive vulns runs will appear to persist false-positive issues that were already resolved.
🧑💻 Steps to reproduce
🕯️ More info
This is most obvious when attempting to QA false-positive fixes, but this also trips up customers after they update to a Fleet release that includes false-positive fixes that couldn't be handled by vuln feed updates, e.g. in #25571.
This behavior is documented in contributor docs, albeit in a footnote, and this behavior is counterintuitive to anyone encountering it for the first time.
From what I can gather here, the intent was to clear false-positives while keeping vulnerabilities runs from clearing vulnerabilities that were added within the same vuln processing run, but we can explicitly check for that condition rather than guessing at how long the vulns run might have taken.
For concerns around concurrent vulnerability scans trampling each other's CVEs after implementing this method (which wouldn't have happened before due to longer periodicity), we set a lock in the DB when starting the vulnerability processing process, so that we shouldn't have concurrent vuln processing runs happening anyway (and if we do, we should fix the locking mechanism, not work around it here).
🛠️ To fix
DeleteOutOfDateVulnerabilitiesandDeleteOutOfDateOSVulnerabilitiesin the datastore to clear vulnerabilities updated before a set timestamp, rather than by a lookback period.checkNVDVulnerabilitiesis called inscanVulnerabilitiesincron.go(probably directly from the database to avoid clock skew issues between app servers and the database) and pass that to the calls modified in step 1.The text was updated successfully, but these errors were encountered: