fleet
fleet copied to clipboard
fleetdm
Feature 7076: Ingest installed windows updates
#7076
This PR allows fleet to ingest installed windows updates. Ingested updates are stored in a new table, windows_updates. This new ingestion functionality can be turned on/off using the disable_win_os_vulnerabilities flag.
Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Ensured that input data is properly validated, SQL injection is prevented (using placeholders for values in statements)
- [x] Added/updated tests
- [x] Manual QA for all new/changed functionality
Codecov Report
Merging #7138 (192eed8) into main (4b47f76) will decrease coverage by
0.08%. The diff coverage is38.76%.
@@ Coverage Diff @@
## main #7138 +/- ##
==========================================
- Coverage 60.50% 60.41% -0.09%
==========================================
Files 410 414 +4
Lines 38981 39145 +164
==========================================
+ Hits 23584 23649 +65
- Misses 13081 13174 +93
- Partials 2316 2322 +6
| Impacted Files | Coverage Δ | |
|---|---|---|
| server/datastore/mysql/hosts.go | 80.53% <ø> (ø) |
|
| server/fleet/app.go | 0.00% <ø> (ø) |
|
| server/fleet/datastore.go | 0.00% <ø> (ø) |
|
| server/fleet/windows_updates.go | 0.00% <0.00%> (ø) |
|
| server/fleet/windows_updates_tests.go | 0.00% <0.00%> (ø) |
|
| server/service/osquery_utils/queries.go | 47.08% <68.18%> (+0.91%) |
:arrow_up: |
| server/datastore/mysql/windows_updates.go | 68.96% <68.96%> (ø) |
|
| ...ns/tables/20220809091020_AddWindowsUpdatesTable.go | 72.22% <72.22%> (ø) |
|
| server/config/config.go | 89.10% <100.00%> (+0.09%) |
:arrow_up: |
| server/service/service_appconfig.go | 69.69% <100.00%> (+0.15%) |
:arrow_up: |
| ... and 5 more |
Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.
Why do we need windows updates ingestion to be configurable?
We still don't know how we want to present OS vulnerabilities to the end user yet (AFAIK) - if this and other related features are released before the UI work, I figured we might want to have this feature disabled by default (right now the default value is true, but that can be changed on a later PR). Also I think having the ability to disable certain parts of the ingestion/vulnerability detection pipeline might be useful when debugging issues.
I guess we shouldn't merge this until we implement the vulnerability check part?
I guess we shouldn't merge this until we implement the vulnerability check part?
We could do either - if we decide to merge now then maybe we might want to tweak the docs a little bit and set disable_win_os_vulnerabilities to true also, QA will need to check the database directly when testing this. If not, I'm good at just branching from this to continue my work.
