
Software inventory: add IntelliJ plugins

Open noahtalerman opened this issue 1 year ago • 18 comments

Goal

User story
As a security engineer on the Software page,
I want to see macOS IntelliJ plugins in Fleet's software inventory
so that I can report on the hosts that have vulnerable plugins.

Objective

Customer promises + renewal requests

Original request

  • #20644

Context

  • Product designer: @noahtalerman

Changes

Product

  • [x] UI changes: Figma
  • [x] CLI (fleetctl) usage changes: N/A
  • [x] YAML changes: N/A
  • [x] REST API changes: N/A
  • [x] Fleet's agent (fleetd) changes: N/A
  • [x] Activity changes: N/A
  • [x] Permissions changes: N/A
  • [x] Changes to paid features or tiers: Fleet Free and Fleet Premium
  • [x] Other reference documentation changes: N/A
  • [ ] Once shipped, requester has been notified

Engineering

  • [x] Feature guide changes: No need
  • [x] Database schema migrations: No need
  • [x] Load testing: No need
  • [x] Test-plan - To be created by the DRI engineer and approved by QA person

ℹ️  Please read this issue carefully and understand it. Pay special attention to UI wireframes, especially "dev notes".

QA

Risk assessment

  • Requires load testing: No
  • Risk level: Low

Manual testing steps

On macOS / Windows / Linux (this data should be available on all three platforms)

  1. On an enrolled host with IntelliJ installed, follow instructions to install some IntelliJ plugins
  2. Refetch host vitals for the enrolled host (see the testing notes; although this is the final happy path, make sure to also test the data fetching via raw osquery)
  3. Navigate to the software inventory page and ensure that the IntelliJ plugins are present
  4. Click on the view all hosts button on the right side of the IntelliJ table row; you should see the host in the list
  5. Click on the host
  6. Click on the software tab on the host detail page. You should see the IntelliJ plugins

~🔴 Will these be reported in the host software list or only reported via host query? Does this require just an osquery change/testing or also a Fleet change/testing?~

Testing notes

There are a few different touch points to consider while testing this. You will need to grab osquery binaries for each platform. This can be done from the PR on osquery/osquery. Once you grab the binary, it would be a good idea to verify that osquery can detect the IntelliJ plugins you have installed by issuing a simple query: select * from jetbrains_plugins;. If the plugins returned are not what you expect, we know the bug exists in the osquery code.

Now take this binary and substitute it for the binary in orbit. Enroll your host, and run a refetch. You should see those same plugins in the software inventory. If the plugins returned are not what you expect, we know that the bug exists somewhere in fleet.

Confirmation

  1. [ ] Engineer (@____): Added comment to user story confirming successful completion of QA.
  2. [ ] QA (@____): Added comment to user story confirming successful completion of QA.

noahtalerman avatar Sep 27 '24 15:09 noahtalerman
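The testing notes above describe a two-stage bisection: query the PR build of osquery directly, then compare what Fleet ingests after a refetch, so a discrepancy can be blamed on either the osquery table or Fleet's ingestion. The following script is an added example of that triage, not code from Fleet or osquery. It assumes (neither is stated on this page) that the jetbrains_plugins table exposes `name` and `version` columns and that Fleet's host software endpoint is `GET /api/v1/fleet/hosts/{id}/software` returning `{"software": [{"name", "version", "source", ...}]}`; the plugin names and versions in the sample data are constructed.

```python
"""Triage helper for the IntelliJ plugin inventory test plan.

Added example, not Fleet's or osquery's own code. Assumptions not stated on
the page: the jetbrains_plugins table has `name` and `version` columns, and
Fleet exposes host software at GET /api/v1/fleet/hosts/{id}/software with a
top-level "software" list whose items carry name/version/source.
"""
import json
import subprocess
import urllib.request
from typing import Dict, List, Optional, Set, Tuple

Row = Tuple[str, str]  # (name, version)

# Columns assumed; adjust once the osquery PR schema is confirmed.
QUERY = "select name, version from jetbrains_plugins;"


def parse_osquery_rows(raw_json: str) -> Set[Row]:
    """Turn `osqueryi --json` output (a JSON array of row objects) into (name, version) pairs."""
    return {(row["name"], row["version"]) for row in json.loads(raw_json)}


def run_osqueryi(binary: str = "osqueryi") -> Set[Row]:
    """Stage 1: run the query against the PR build of osquery (`--json` is a real osqueryi flag)."""
    proc = subprocess.run([binary, "--json", QUERY], check=True, capture_output=True, text=True)
    return parse_osquery_rows(proc.stdout)


def parse_fleet_software(raw_json: str, source: Optional[str] = None) -> Set[Row]:
    """Turn Fleet's host-software JSON into (name, version) pairs, optionally filtered by `source`."""
    items = json.loads(raw_json)["software"]
    return {(s["name"], s["version"]) for s in items if source is None or s.get("source") == source}


def fetch_fleet_software(base_url: str, token: str, host_id: int) -> str:
    """Stage 2: pull the host's software inventory from Fleet after the refetch (endpoint assumed)."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v1/fleet/hosts/{host_id}/software",
        headers={"Authorization": f"Bearer {token}"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode("utf-8")


def triage(expected: Set[Row], osquery_rows: Set[Row], fleet_rows: Set[Row]) -> Dict[str, List[Row]]:
    """Attribute any gap to the right layer.

    osquery_missing: installed plugins the table did not return  -> bug in the osquery table
    fleet_missing:   rows osquery returned that Fleet never stored -> bug in Fleet ingestion
    fleet_extra:     rows Fleet shows that osquery did not return  -> stale or mis-attributed inventory
    """
    return {
        "osquery_missing": sorted(expected - osquery_rows),
        "fleet_missing": sorted(osquery_rows - fleet_rows),
        "fleet_extra": sorted(fleet_rows - osquery_rows),
    }


# Constructed sample data (not real plugins or real captures) so the module runs offline.
SAMPLE_EXPECTED: Set[Row] = {("ExamplePlugin A", "1.0.0"), ("ExamplePlugin B", "2.3.1")}
SAMPLE_OSQUERY_JSON = (
    '[{"name":"ExamplePlugin A","version":"1.0.0"},'
    ' {"name":"ExamplePlugin B","version":"2.3.1"}]'
)
SAMPLE_FLEET_JSON = (
    '{"software":['
    ' {"name":"ExamplePlugin A","version":"1.0.0","source":"jetbrains_plugins"},'
    ' {"name":"Unrelated App","version":"9.9","source":"apps"}]}'
)


def demo() -> Dict[str, List[Row]]:
    """Run the triage over the constructed sample: osquery is correct, Fleet dropped one row."""
    osquery_rows = parse_osquery_rows(SAMPLE_OSQUERY_JSON)
    fleet_rows = parse_fleet_software(SAMPLE_FLEET_JSON, source="jetbrains_plugins")
    return triage(SAMPLE_EXPECTED, osquery_rows, fleet_rows)


if __name__ == "__main__":
    # Live use: replace demo() with run_osqueryi(<pr binary>) and
    # parse_fleet_software(fetch_fleet_software(url, token, host_id), "jetbrains_plugins").
    print(json.dumps(demo(), indent=2))
```

Filtering Fleet's rows by `source` matters: the host software list also contains apps, browser extensions and packages, so without the filter every unrelated entry would be reported as `fleet_extra`. The `source` value for this table is an assumption here and should be taken from whatever the Fleet change actually emits.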

Hey team! Please add your planning poker estimate with Zenhub @getvictor @lucasmrod @mostlikelee

sharon-fdm avatar Oct 02 '24 18:10 sharon-fdm

Please add your planning poker estimate with Zenhub @iansltx

sharon-fdm avatar Oct 02 '24 18:10 sharon-fdm

@noahtalerman, if this is just Macos, the estimation will go down to (Edit:) 5 points

sharon-fdm avatar Oct 02 '24 18:10 sharon-fdm

down to 2-3 days, not points

getvictor avatar Oct 02 '24 18:10 getvictor

if this is just Macos, the estimation will go down to 2-3 points

@rachaelshaw how would this impact the IT admin experience?

It looks like we might already handle this scenario (some platforms support a type of software) by being explicit in the guide here:

[Screenshot of the guide excerpt, 2024-10-02]

If doing something similar for IntelliJ plugins makes sense I'm all for making this a smaller iterative change.

cc @sharon-fdm

noahtalerman avatar Oct 02 '24 21:10 noahtalerman

Hey @zayhanlon heads up, this user story didn't make it into the upcoming engineering sprint due to capacity.

It's still prioritized. We left it on the drafting board so that it can be pulled into the next engineering sprint.

noahtalerman avatar Oct 07 '24 20:10 noahtalerman

@noahtalerman @eugkuo i'll split this effort up by platform (macos / windows / linux) and plan to prioritize them in that same order

mostlikelee avatar Jan 03 '25 20:01 mostlikelee

@noahtalerman - When I did the original research on this I found that we can implement this in one of two ways.

  1. Add a new table to osquery
  2. Add an osquery extension to fleet

The effort is probably fairly similar, however, the deployment time will likely vary. Osquery doesn't have quite the same release cadence as fleet. Osquery does feel like the more natural place for this code though. I also assume this will not be a premium feature. Any thoughts?

ksykulev avatar Mar 26 '25 03:03 ksykulev

@ksykulev I think let's get it in osquery even if it takes longer. Fleet is only as good as osquery.

also assume this will not be a premium feature.

Yep! Sorry this wasn't clear in the issue description. I added this:

  • [x] Changes to paid features or tiers: Fleet Free and Fleet Premium

noahtalerman avatar Mar 27 '25 15:03 noahtalerman

FYI @mostlikelee ^

noahtalerman avatar Mar 27 '25 15:03 noahtalerman

The osquery work is most likely going to get released with osquery v5.18.0, meaning the Fleet changes will have to wait for that release. I pulled out the osquery work here so we can work on it now and will move this story back to the backlog until we are closer to that osquery release.

mostlikelee avatar Apr 04 '25 23:04 mostlikelee

The osquery work is most likely going to get released with osquery v5.18.0, meaning the Fleet changes will have to wait for that release. I pulled out the osquery work here so we can work on it now and will move this story back to the backlog until we are closer to that osquery release.

Thanks @mostlikelee! Sounds like the plan is to re-estimate this story (#22463) now that the osquery changes are part of a separate story here.

So, I removed the estimate from this story (#22463) and it's subtasks.

cc @ksykulev

noahtalerman avatar Apr 07 '25 13:04 noahtalerman

@noahtalerman Estimates for FE and docs remain valid, so adding those back. Will get @ksykulev to re-estimate backend as he easily has the most context here.

iansltx avatar Apr 07 '25 13:04 iansltx

I added a very light test plan but there were a couple questions that should be answered so we can have a more detailed one. Thanks!

jmwatts avatar Apr 08 '25 19:04 jmwatts

@ksykulev see above; since you're neck-deep on this probably worthwhile to self-assign as eng DRI

iansltx avatar Apr 08 '25 21:04 iansltx

Pulling this back to Ready to Spec with @ksykulev as assignee to confirm test plan.

iansltx avatar Apr 08 '25 23:04 iansltx

@getvictor can you drop out of Planning Poker since your estimate applies to a larger scope here?

iansltx avatar Apr 08 '25 23:04 iansltx

Please add your planning poker estimate with Zenhub @jahzielv

ksykulev avatar Apr 09 '25 01:04 ksykulev

@mostlikelee @eugkuo Now that osquery work is done (and will be live shortly), probably worth revisiting this, confirming designs, and doing the easy part to get this into software inventory in Fleet?

iansltx avatar Jun 13 '25 05:06 iansltx

@noahtalerman with osquery releasing soon, this should be low hanging fruit. Should we bring this to feature fest?

mostlikelee avatar Jun 13 '25 16:06 mostlikelee

@mostlikelee nice! We want to add the customer request issue to feature fest instead of this story. Then during the next feature fest, we'll weigh the request and prioritize a user story (like this one).

Why? The rest of the business lives at the customer request level.

Also, anyone can add requests that have already gone through unpacking the why to feature fest! To do this, add the ~feature fest label. I did it this time.

If it hasn't gone through unpacking, we want to add it to the drafting board (add :product)

https://fleetdm.com/handbook/company/product-groups#making-a-request

noahtalerman avatar Jun 13 '25 17:06 noahtalerman

@noahtalerman @mostlikelee After watching the Gong snippets and reading the thread in the original ticket it appears that the end goal of having these plugins collected is so that we can report on vulnerabilities within Fleet.

Does that piece need to be addressed in a separate ticket? This ticket extends the osquery work to start collecting plugins so that they'll be accessible via fleet queries, but I am not sure that vulnerabilities reporting for this will come for free. May need to map CPEs similar to what we did for VSCode plugins.

cc @iansltx @ksykulev

jmwatts avatar Jun 16 '25 21:06 jmwatts

@jmwatts good call, part of the scope here will be to find recent vulnerable plugins in NVD to see how to format the CPE

mostlikelee avatar Jun 17 '25 21:06 mostlikelee

@noahtalerman @marko-lisica heads up that this functionality is merged into osquery so this is probably an S to get this into Fleet.

mostlikelee avatar Jul 25 '25 16:07 mostlikelee

this functionality is merged into osquery so this is probably an S to get this into Fleet.

🔥

Added this story to 4.75 on the roadmap for now. FYI @mostlikelee @marko-lisica

noahtalerman avatar Jul 25 '25 16:07 noahtalerman

TODO @noahtalerman: Move this to a separate story:

  • [ ] Feature guide changes: Update vulnerability process guide: https://github.com/fleetdm/fleet/pull/32179

Part of the test plan: 8. Install a known vulnerable version of an IntelliJ extension. Verify that the vulnerability (CVE) shows up on the Software page, Software title details page, Software version details page, Host details page, and My device page

noahtalerman avatar Aug 25 '25 17:08 noahtalerman

Old testing notes:

Testing notes

There are a few different touch points to consider while testing this. You will need to grab osquery binaries for each platform. This can be done from the PR on osquery/osquery. Once you grab the binary, it would be a good idea to verify that osquery can detect the IntelliJ extensions you have installed by issuing a simple query: select * from jetbrains_plugins;. If the IntelliJ extensions returned are not what you expect, we know the bug exists in the osquery code.

Now take this binary and substitute it for the binary in orbit. Enroll your host, and run a refetch. You should see those same IntelliJ extensions in the software inventory. If the IntelliJ extensions returned are not what you expect, we know that the bug exists somewhere in Fleet.

noahtalerman avatar Aug 25 '25 17:08 noahtalerman

@sharon-fdm we thought #g-orchestration might be able to assist #g-software and take this "IntelliJ plugins" story in 4.75. But it looks like #g-orchestration didn't get a chance to spec/estimate this one.

Does #g-orchestration still have room in 4.75? If not, can you please add the #g-software label back to this story and assign @lukeheath?

That way, Luke can drive specs/estimation with the software team.

noahtalerman avatar Sep 12 '25 15:09 noahtalerman

@noahtalerman, Next Monday, @mostlikelee will join Orchestration and is planned to spec, estimate and take these two stories (#31970 and #22463).

sharon-fdm avatar Sep 12 '25 15:09 sharon-fdm

@noahtalerman heads up that there is an existing TODO for you in the Figma to translate the different Jetbrains app names from osquery into a display name for the frontend. Based on the test criteria, I think that may now be out of scope as we are only testing IntelliJ. Is that right?

mostlikelee avatar Sep 16 '25 12:09 mostlikelee