
Sofa tables #42

Merged
merged 6 commits into from
Apr 29, 2024

Conversation

grahamgilbert
Contributor

@grahamgilbert grahamgilbert commented Apr 27, 2024

When running on macOS 14.0

osquery> select * from sofa_unpatched_cves;
+------------+----------------+-----------------+--------------------+
| os_version | cve            | patched_version | actively_exploited |
+------------+----------------+-----------------+--------------------+
| 14.0.0     | CVE-2024-1580  | 14.4.1          | false              |
| 14.0.0     | CVE-2024-23231 | 14.4            | false              |
| 14.0.0     | CVE-2024-23245 | 14.4            | false              |
| 14.0.0     | CVE-2024-23281 | 14.4            | false              |
| 14.0.0     | CVE-2022-48554 | 14.4            | false              |
| 14.0.0     | CVE-2024-23279 | 14.4            | false              |
| 14.0.0     | CVE-2024-23259 | 14.4            | false              |
| 14.0.0     | CVE-2024-23293 | 14.4            | false              |
| 14.0.0     | CVE-2024-23291 | 14.4            | false              |
| 14.0.0     | CVE-2024-23216 | 14.4            | false              |
| 14.0.0     | CVE-2024-23289 | 14.4            | false              |
| 14.0.0     | CVE-2024-23280 | 14.4            | false              |
| 14.0.0     | CVE-2024-23270 | 14.4            | false              |
| 14.0.0     | CVE-2024-23234 | 14.4            | false              |
| 14.0.0     | CVE-2024-23241 | 14.4            | false              |
| 14.0.0     | CVE-2024-23274 | 14.4            | false              |
| 14.0.0     | CVE-2024-23226 | 14.4            | false              |
| 14.0.0     | CVE-2024-23277 | 14.4            | false              |
| 14.0.0     | CVE-2024-23250 | 14.4            | false              |
| 14.0.0     | CVE-2024-23235 | 14.4            | false              |
| 14.0.0     | CVE-2024-23273 | 14.4            | false              |
| 14.0.0     | CVE-2024-23258 | 14.4            | false              |
| 14.0.0     | CVE-2024-23267 | 14.4            | false              |
| 14.0.0     | CVE-2024-23275 | 14.4            | false              |
| 14.0.0     | CVE-2023-48795 | 14.4            | false              |
| 14.0.0     | CVE-2023-51385 | 14.4            | false              |
| 14.0.0     | CVE-2024-23255 | 14.4            | false              |
| 14.0.0     | CVE-2024-23246 | 14.4            | false              |
| 14.0.0     | CVE-2024-23233 | 14.4            | false              |
| 14.0.0     | CVE-2024-23288 | 14.4            | false              |
| 14.0.0     | CVE-2024-23266 | 14.4            | false              |
| 14.0.0     | CVE-2024-23260 | 14.4            | false              |
| 14.0.0     | CVE-2024-23284 | 14.4            | false              |
| 14.0.0     | CVE-2024-23225 | 14.4            | true               |
| 14.0.0     | CVE-2024-23296 | 14.4            | true               |
| 14.0.0     | CVE-2024-23239 | 14.4            | false              |
| 14.0.0     | CVE-2024-23290 | 14.4            | false              |
| 14.0.0     | CVE-2024-23263 | 14.4            | false              |
| 14.0.0     | CVE-2024-23283 | 14.4            | false              |
| 14.0.0     | CVE-2024-23268 | 14.4            | false              |
| 14.0.0     | CVE-2024-23238 | 14.4            | false              |
| 14.0.0     | CVE-2024-23265 | 14.4            | false              |
| 14.0.0     | CVE-2024-23287 | 14.4            | false              |
| 14.0.0     | CVE-2024-23272 | 14.4            | false              |
| 14.0.0     | CVE-2024-23244 | 14.4            | false              |
| 14.0.0     | CVE-2024-23264 | 14.4            | false              |
| 14.0.0     | CVE-2024-23276 | 14.4            | false              |
| 14.0.0     | CVE-2024-23286 | 14.4            | false              |
| 14.0.0     | CVE-2024-23285 | 14.4            | false              |
| 14.0.0     | CVE-2023-51384 | 14.4            | false              |
| 14.0.0     | CVE-2024-23230 | 14.4            | false              |
| 14.0.0     | CVE-2022-42816 | 14.4            | false              |
| 14.0.0     | CVE-2024-23253 | 14.4            | false              |
| 14.0.0     | CVE-2024-23257 | 14.4            | false              |
| 14.0.0     | CVE-2024-23278 | 14.4            | false              |
| 14.0.0     | CVE-2023-42853 | 14.4            | false              |
| 14.0.0     | CVE-2024-23254 | 14.4            | false              |
| 14.0.0     | CVE-2024-23227 | 14.4            | false              |
| 14.0.0     | CVE-2024-23249 | 14.4            | false              |
| 14.0.0     | CVE-2024-0258  | 14.4            | false              |
| 14.0.0     | CVE-2024-23205 | 14.4            | false              |
| 14.0.0     | CVE-2024-23294 | 14.4            | false              |
| 14.0.0     | CVE-2024-23232 | 14.4            | false              |
| 14.0.0     | CVE-2024-23292 | 14.4            | false              |
| 14.0.0     | CVE-2024-23242 | 14.4            | false              |
| 14.0.0     | CVE-2024-23269 | 14.4            | false              |
| 14.0.0     | CVE-2024-23247 | 14.4            | false              |
| 14.0.0     | CVE-2024-23248 | 14.4            | false              |
| 14.0.0     | CVE-2024-23208 | 14.3            | false              |
| 14.0.0     | CVE-2024-23201 | 14.3            | false              |
| 14.0.0     | CVE-2024-23209 | 14.3            | false              |
| 14.0.0     | CVE-2024-23271 | 14.3            | false              |
| 14.0.0     | CVE-2024-23224 | 14.3            | false              |
| 14.0.0     | CVE-2024-27791 | 14.3            | false              |
| 14.0.0     | CVE-2024-23203 | 14.3            | false              |
| 14.0.0     | CVE-2024-23204 | 14.3            | false              |
| 14.0.0     | CVE-2024-23217 | 14.3            | false              |
| 14.0.0     | CVE-2024-23210 | 14.3            | false              |
| 14.0.0     | CVE-2024-23214 | 14.3            | false              |
| 14.0.0     | CVE-2024-23207 | 14.3            | false              |
| 14.0.0     | CVE-2024-23213 | 14.3            | false              |
| 14.0.0     | CVE-2024-23222 | 14.3            | true               |
| 14.0.0     | CVE-2024-23211 | 14.3            | false              |
| 14.0.0     | CVE-2024-23218 | 14.3            | false              |
| 14.0.0     | CVE-2024-23223 | 14.3            | false              |
| 14.0.0     | CVE-2024-23215 | 14.3            | false              |
| 14.0.0     | CVE-2024-23206 | 14.3            | false              |
| 14.0.0     | CVE-2024-23212 | 14.3            | false              |
| 14.0.0     | CVE-2023-42940 | 14.2.1          | false              |
| 14.0.0     | CVE-2023-42909 | 14.2            | false              |
| 14.0.0     | CVE-2023-42974 | 14.2            | false              |
| 14.0.0     | CVE-2023-42907 | 14.2            | false              |
| 14.0.0     | CVE-2023-42881 | 14.2            | false              |
| 14.0.0     | CVE-2023-42884 | 14.2            | false              |
| 14.0.0     | CVE-2023-42913 | 14.2            | false              |
| 14.0.0     | CVE-2023-42901 | 14.2            | false              |
| 14.0.0     | CVE-2023-42900 | 14.2            | false              |
| 14.0.0     | CVE-2023-42932 | 14.2            | false              |
| 14.0.0     | CVE-2023-42919 | 14.2            | false              |
| 14.0.0     | CVE-2023-42905 | 14.2            | false              |
| 14.0.0     | CVE-2023-3618  | 14.2            | false              |
| 14.0.0     | CVE-2023-42930 | 14.2            | false              |
| 14.0.0     | CVE-2023-42950 | 14.2            | false              |
| 14.0.0     | CVE-2023-42894 | 14.2            | false              |
| 14.0.0     | CVE-2023-42892 | 14.2            | false              |
| 14.0.0     | CVE-2020-19187 | 14.2            | false              |
| 14.0.0     | CVE-2020-19190 | 14.2            | false              |
| 14.0.0     | CVE-2023-42947 | 14.2            | false              |
| 14.0.0     | CVE-2023-42902 | 14.2            | false              |
| 14.0.0     | CVE-2023-42896 | 14.2            | false              |
| 14.0.0     | CVE-2023-38545 | 14.2            | false              |
| 14.0.0     | CVE-2023-42931 | 14.2            | false              |
| 14.0.0     | CVE-2023-42904 | 14.2            | false              |
| 14.0.0     | CVE-2023-42924 | 14.2            | false              |
| 14.0.0     | CVE-2020-19185 | 14.2            | false              |
| 14.0.0     | CVE-2023-42883 | 14.2            | false              |
| 14.0.0     | CVE-2023-42903 | 14.2            | false              |
| 14.0.0     | CVE-2023-42914 | 14.2            | false              |
| 14.0.0     | CVE-2023-42936 | 14.2            | false              |
| 14.0.0     | CVE-2023-42926 | 14.2            | false              |
| 14.0.0     | CVE-2023-42842 | 14.2            | false              |
| 14.0.0     | CVE-2023-42910 | 14.2            | false              |
| 14.0.0     | CVE-2023-38039 | 14.2            | false              |
| 14.0.0     | CVE-2023-42887 | 14.2            | false              |
| 14.0.0     | CVE-2023-40390 | 14.2            | false              |
| 14.0.0     | CVE-2023-5344  | 14.2            | false              |
| 14.0.0     | CVE-2023-42937 | 14.2            | false              |
| 14.0.0     | CVE-2023-42890 | 14.2            | false              |
| 14.0.0     | CVE-2023-42911 | 14.2            | false              |
| 14.0.0     | CVE-2023-42874 | 14.2            | false              |
| 14.0.0     | CVE-2023-42886 | 14.2            | false              |
| 14.0.0     | CVE-2023-42956 | 14.2            | false              |
| 14.0.0     | CVE-2023-42912 | 14.2            | false              |
| 14.0.0     | CVE-2023-42898 | 14.2            | false              |
| 14.0.0     | CVE-2023-42899 | 14.2            | false              |
| 14.0.0     | CVE-2023-42888 | 14.2            | false              |
| 14.0.0     | CVE-2023-42891 | 14.2            | false              |
| 14.0.0     | CVE-2020-19186 | 14.2            | false              |
| 14.0.0     | CVE-2020-19188 | 14.2            | false              |
| 14.0.0     | CVE-2023-42922 | 14.2            | false              |
| 14.0.0     | CVE-2023-42893 | 14.2            | false              |
| 14.0.0     | CVE-2023-42906 | 14.2            | false              |
| 14.0.0     | CVE-2023-42908 | 14.2            | false              |
| 14.0.0     | CVE-2023-42882 | 14.2            | false              |
| 14.0.0     | CVE-2023-45866 | 14.2            | false              |
| 14.0.0     | CVE-2023-38546 | 14.2            | false              |
| 14.0.0     | CVE-2020-19189 | 14.2            | false              |
| 14.0.0     | CVE-2023-42916 | 14.1.2          | true               |
| 14.0.0     | CVE-2023-42917 | 14.1.2          | true               |
| 14.0.0     | CVE-2023-30774 | 14.1            | false              |
| 14.0.0     | CVE-2023-40444 | 14.1            | false              |
| 14.0.0     | CVE-2023-42945 | 14.1            | false              |
| 14.0.0     | CVE-2023-42823 | 14.1            | false              |
| 14.0.0     | CVE-2023-42438 | 14.1            | false              |
| 14.0.0     | CVE-2023-41988 | 14.1            | false              |
| 14.0.0     | CVE-2023-42842 | 14.1            | false              |
| 14.0.0     | CVE-2023-4751  | 14.1            | false              |
| 14.0.0     | CVE-2023-42843 | 14.1            | false              |
| 14.0.0     | CVE-2023-42857 | 14.1            | false              |
| 14.0.0     | CVE-2023-40449 | 14.1            | false              |
| 14.0.0     | CVE-2023-42847 | 14.1            | false              |
| 14.0.0     | CVE-2023-42839 | 14.1            | false              |
| 14.0.0     | CVE-2023-4734  | 14.1            | false              |
| 14.0.0     | CVE-2023-4738  | 14.1            | false              |
| 14.0.0     | CVE-2023-41975 | 14.1            | false              |
| 14.0.0     | CVE-2023-42849 | 14.1            | false              |
| 14.0.0     | CVE-2023-42942 | 14.1            | false              |
| 14.0.0     | CVE-2023-42853 | 14.1            | false              |
| 14.0.0     | CVE-2023-42845 | 14.1            | false              |
| 14.0.0     | CVE-2023-42873 | 14.1            | false              |
| 14.0.0     | CVE-2023-41976 | 14.1            | false              |
| 14.0.0     | CVE-2023-42854 | 14.1            | false              |
| 14.0.0     | CVE-2023-42834 | 14.1            | false              |
| 14.0.0     | CVE-2023-42935 | 14.1            | false              |
| 14.0.0     | CVE-2023-42889 | 14.1            | false              |
| 14.0.0     | CVE-2023-42841 | 14.1            | false              |
| 14.0.0     | CVE-2023-4735  | 14.1            | false              |
| 14.0.0     | CVE-2023-40416 | 14.1            | false              |
| 14.0.0     | CVE-2023-40446 | 14.1            | false              |
| 14.0.0     | CVE-2023-42859 | 14.1            | false              |
| 14.0.0     | CVE-2023-4750  | 14.1            | false              |
| 14.0.0     | CVE-2023-42835 | 14.1            | false              |
| 14.0.0     | CVE-2023-42946 | 14.1            | false              |
| 14.0.0     | CVE-2023-4752  | 14.1            | false              |
| 14.0.0     | CVE-2023-40447 | 14.1            | false              |
| 14.0.0     | CVE-2023-42877 | 14.1            | false              |
| 14.0.0     | CVE-2023-42953 | 14.1            | false              |
| 14.0.0     | CVE-2023-42860 | 14.1            | false              |
| 14.0.0     | CVE-2023-41977 | 14.1            | false              |
| 14.0.0     | CVE-2023-40413 | 14.1            | false              |
| 14.0.0     | CVE-2023-42848 | 14.1            | false              |
| 14.0.0     | CVE-2023-42850 | 14.1            | false              |
| 14.0.0     | CVE-2023-41982 | 14.1            | false              |
| 14.0.0     | CVE-2023-36191 | 14.1            | false              |
| 14.0.0     | CVE-2023-41989 | 14.1            | false              |
| 14.0.0     | CVE-2023-38403 | 14.1            | false              |
| 14.0.0     | CVE-2023-28826 | 14.1            | false              |
| 14.0.0     | CVE-2023-42856 | 14.1            | false              |
| 14.0.0     | CVE-2023-42840 | 14.1            | false              |
| 14.0.0     | CVE-2023-40423 | 14.1            | false              |
| 14.0.0     | CVE-2023-42861 | 14.1            | false              |
| 14.0.0     | CVE-2023-4733  | 14.1            | false              |
| 14.0.0     | CVE-2023-40408 | 14.1            | false              |
| 14.0.0     | CVE-2023-40404 | 14.1            | false              |
| 14.0.0     | CVE-2023-41254 | 14.1            | false              |
| 14.0.0     | CVE-2023-42852 | 14.1            | false              |
| 14.0.0     | CVE-2023-42878 | 14.1            | false              |
| 14.0.0     | CVE-2023-4736  | 14.1            | false              |
| 14.0.0     | CVE-2023-4781  | 14.1            | false              |
| 14.0.0     | CVE-2023-42858 | 14.1            | false              |
| 14.0.0     | CVE-2023-42952 | 14.1            | false              |
| 14.0.0     | CVE-2023-41072 | 14.1            | false              |
| 14.0.0     | CVE-2023-42844 | 14.1            | false              |
| 14.0.0     | CVE-2023-42836 | 14.1            | false              |
| 14.0.0     | CVE-2023-41997 | 14.1            | false              |
| 14.0.0     | CVE-2023-40421 | 14.1            | false              |
| 14.0.0     | CVE-2023-41983 | 14.1            | false              |
| 14.0.0     | CVE-2023-40405 | 14.1            | false              |
| 14.0.0     | CVE-2023-42838 | 14.1            | false              |
+------------+----------------+-----------------+--------------------+
osquery> 

When requesting info on OS versions since 14.4.0

osquery> select * from sofa_security_release_info where os_version="14.4.0";
+---------------------+-----------------+----------------------+---------------------------------------+-------------------+-----------------------------+------------+
| update_name         | product_version | release_date         | security_info                         | unique_cves_count | days_since_previous_release | os_version |
+---------------------+-----------------+----------------------+---------------------------------------+-------------------+-----------------------------+------------+
| macOS Sonoma 14.4.1 | 14.4.1          | 2024-03-25T00:00:00Z | https://support.apple.com/kb/HT214096 | 1                 | 18                          | 14.4.0     |
| macOS Sonoma 14.4   | 14.4            | 2024-03-07T00:00:00Z | https://support.apple.com/kb/HT214084 | 67                | 28                          | 14.4.0     |
+---------------------+-----------------+----------------------+---------------------------------------+-------------------+-----------------------------+------------+


github-actions bot commented Apr 27, 2024

LCOV of commit 38bb7be during Test Coverage #17

Summary coverage rate:
  lines......: 41.0% (323 of 788 lines)
  functions..: no data found
  branches...: no data found

Files changed coverage rate:
                                                   |Lines       |Functions  |Branches    
  Filename                                         |Rate     Num|Rate    Num|Rate     Num
  =======================================================================================
  tables/sofa/sofa_cves.go                         |23.2%     82|    -     0|    -      0
  tables/sofa/sofa_info.go                         |43.3%    134|    -     0|    -      0

@natewalck
Member

For the 14.4.1 example, that CVE says it was patched on 14.4.1. Shouldn't that query come up empty since it is running on the version of macOS for which it was patched?

I'd definitely expect that to show up on a 14.4.0 machine since it wasn't patched until 14.4.1.

@grahamgilbert
Contributor Author

grahamgilbert commented Apr 27, 2024

You mean on the info table? That table is supposed to be information about the current running OS, but it could be a look back. Open to suggestions here - please elaborate on the logic you are thinking of.

Edit: I now realize I missed off the query I ran when I pasted the output. That run is for the separate info table.

@natewalck
Member

> You mean on the info table? That table is supposed to be information about the current running OS, but it could be a look back. Open to suggestions here - please elaborate on the logic you are thinking of.
>
> Edit: I now realize I missed off the query I ran when I pasted the output. That run is for the separate info table.

Oh right.

So for sofa_unpatched_cves on 14.4.1, it would have nothing listed, presumably.

In the other table, it would show info about what the current OS has patched. That makes sense. I was thinking the second query was also sofa_unpatched_cves, which would be confusing. (Even though it obviously has totally different columns).

@natewalck natewalck self-requested a review April 27, 2024 15:22
Member

@natewalck natewalck left a comment


LGTM!

@grahamgilbert
Contributor Author

Now that I think about it more, perhaps the tables should operate the same (showing unpatched vulnerabilities for the same major OS version) and accept an input for other versions. Thoughts?

@natewalck
Member

I think that would make sense 👍

@grahamgilbert
Contributor Author

> I think that would make sense 👍

I left the sofa_security_release_info table displaying the current running os by default, as it is representing information about the release, not unpatched vulnerabilities as in the other table. Both tables will use the os_version predicate now to allow the operator to look at historical data if needed.
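The filtering rule the thread settles on (a CVE is listed only when its patched_version is strictly higher than the host's os_version, so CVE-2024-1580 shows on a 14.4.0 host but not on 14.4.1, and "14.4" must compare equal to "14.4.0"), written out as an added Go example; this is not the PR's own code, the names CVEEntry, parseVersion, newerThan and UnpatchedCVEs are assumed here, and the sample feed is constructed from three rows of the query output above.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// CVEEntry mirrors the columns of the sofa_unpatched_cves output above (example type, not the project's).
type CVEEntry struct {
	CVE               string
	PatchedVersion    string
	ActivelyExploited bool
}

// sampleFeed is constructed from three rows of the PR's own query output.
var sampleFeed = []CVEEntry{
	{"CVE-2024-1580", "14.4.1", false},
	{"CVE-2024-23225", "14.4", true},
	{"CVE-2023-42916", "14.1.2", true},
}

// parseVersion turns "14.4" or "14.4.1" into [major, minor, patch], padding
// missing components with zero so that "14.4" compares equal to "14.4.0".
func parseVersion(v string) ([3]int, error) {
	var out [3]int
	for i, p := range strings.Split(v, ".") {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 || i > 2 {
			return out, fmt.Errorf("malformed version %q", v)
		}
		out[i] = n
	}
	return out, nil
}

// newerThan reports whether version a is strictly higher than b.
func newerThan(a, b [3]int) bool {
	for i := range a {
		if a[i] != b[i] {
			return a[i] > b[i]
		}
	}
	return false
}

// UnpatchedCVEs keeps entries whose fix shipped after osVersion (the running OS,
// or the os_version predicate); a CVE patched in exactly osVersion is not listed.
func UnpatchedCVEs(osVersion string, feed []CVEEntry) ([]CVEEntry, error) {
	host, err := parseVersion(osVersion)
	if err != nil {
		return nil, err
	}
	var unpatched []CVEEntry
	for _, e := range feed {
		fixed, err := parseVersion(e.PatchedVersion)
		if err != nil {
			return nil, err
		}
		if newerThan(fixed, host) {
			unpatched = append(unpatched, e)
		}
	}
	return unpatched, nil
}
```

A malformed os_version predicate (for example "14.x") is rejected with an error rather than silently reporting an empty list, which would otherwise look like a fully patched host.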

@grahamgilbert grahamgilbert merged commit d372904 into main Apr 29, 2024
5 checks passed