macOS vulnerability alerts are not correctly collected #5321

Closed
Rebits opened this issue Apr 30, 2024 · 3 comments · Fixed by #5337
Comments

Rebits (Member) commented Apr 30, 2024

Description

It has been detected in Additional Vulnerability Detection End-to-End that vulnerability alerts for macOS agents are not correctly collected.
If we check the evidence, we can see in the manager alerts file and in the indexed vulnerabilities that the alerts indeed appear. However, the validator is ignoring them.

Note: the report is provided here: #5287

Rebits (Member, Author) commented May 3, 2024

To streamline the troubleshooting process for this issue, we've devised a straightforward script to replicate the failing cases. This approach simplifies the debugging of the current vulnerability parsing methods, eliminating the need to run the entire test suite.

parse_macos_vuln.py

```python
import os
import json

from wazuh_testing.end_to_end.vulnerability_detector import get_vulnerability_detector_alerts, \
    parse_vulnerabilities_from_alerts
from wazuh_testing.end_to_end.remote_operations_handler import get_expected_alerts
from wazuh_testing.end_to_end.check_validators import compare_expected_found_vulnerabilities_alerts

from wazuh_testing.tools.system import HostManager


# Inventory path of the E2E environment (placeholder, replace with the real path)
host_manager = HostManager("<INVPATH>")

# Packages installed per OS/architecture in the 'install_package' test case
package_data = {
    'centos': {
        'amd64': 'grafana-8.5.5-1',
        'arm64v8': 'grafana-8.5.5-1'
    },
    'ubuntu': {
        'amd64': 'grafana-8.5.5',
        'arm64v8': 'grafana-8.5.5'
    },
    'windows': {
        'amd64': 'node-v17.0.1'
    },
    'macos': {
        'amd64': 'http-proxy-0.5.9',
        'arm64v8': 'http-proxy-0.5.9'
    }
}

if __name__ == "__main__":
    # alerts.json holds the alert index dump collected from the wazuh-indexer
    vulnerabilities_alerts = []
    with open("alerts.json", "r") as f:
        vulnerabilities_alerts = json.load(f)

    # Split into affected/mitigated vulnerability-detector alerts and parse them
    alerts = get_vulnerability_detector_alerts(vulnerabilities_alerts)
    parsed_vulnerabilities_mitigated = parse_vulnerabilities_from_alerts(alerts['mitigated'])
    parsed_vulnerabilities_affected = parse_vulnerabilities_from_alerts(alerts['affected'])

    # Expected vulnerabilities for the macOS agent after installing the package
    expected_alerts = get_expected_alerts(host_manager, ['agent6'], 'install_package', package_data)

    alerts = {"affected": {"agent6": parsed_vulnerabilities_affected}}

    # Run the same validator the E2E suite uses and print its verdict
    result_alert = compare_expected_found_vulnerabilities_alerts(alerts, expected_alerts)
    print(result_alert)
```

In addition, we are going to use the following alert index example to simulate real information collected from the wazuh-indexer:

http-proxy Alert Index Example

```json
[
{
  "_index": "wazuh-alerts-4.x-2024.04.22",
  "_id": "YqpJBY8BJodbzcVedMR2",
  "_score": 4.6972857,
  "_source": {
    "cluster": {
      "node": "master",
      "name": "wazuh"
    },
    "agent": {
      "ip": "192.168.64.5",
      "name": "agent6",
      "id": "006"
    },
    "manager": {
      "name": "ip-172-31-7-224"
    },
    "data": {
      "vulnerability": {
        "severity": "Medium",
        "package": {
          "condition": "Package less than 0.7.0",
          "name": "http-proxy",
          "source": " ",
          "version": "0.5.9",
          "architecture": " "
        },
        "assigner": "hackerone",
        "cwe_reference": "CWE-388",
        "published": "2018-06-04T19:29:00Z",
        "title": "CVE-2017-16014 affects http-proxy",
        "type": "Packages",
        "rationale": "Http-proxy is a proxying library. Because of the way errors are handled in versions before 0.7.0, an attacker that forces an error can crash the server, causing a denial of service.",
        "reference": "https://github.com/nodejitsu/node-http-proxy/pull/101, https://nodesecurity.io/advisories/323",
        "cve": "CVE-2017-16014",
        "enumeration": "CVE",
        "cvss": {
          "cvss2": {
            "base_score": "5",
            "vector": {
              "integrity_impact": "NONE",
              "availability": "PARTIAL",
              "confidentiality_impact": "NONE",
              "access_complexity": "LOW",
              "authentication": "NONE"
            }
          }
        },
        "updated": "2019-10-09T23:24:36Z",
        "status": "Active"
      }
    },
    "rule": {
      "firedtimes": 13,
      "mail": false,
      "level": 7,
      "pci_dss": ["11.2.1", "11.2.3"],
      "tsc": ["CC7.1", "CC7.2"],
      "description": "CVE-2017-16014 affects http-proxy",
      "groups": ["vulnerability-detector"],
      "id": "23504",
      "gdpr": ["IV_35.7.d"]
    },
    "decoder": {
      "name": "json"
    },
    "input": {
      "type": "log"
    },
    "@timestamp": "2024-04-22T10:10:45.737Z",
    "location": "vulnerability-detector",
    "id": "1713780645.2742706",
    "timestamp": "2024-04-22T10:10:45.737+0000"
  }
}
]
```

Currently, we can see that it is not detecting the expected vulnerability:

```
{'vulnerabilities_affected_not_found': {'agent6': [Vulnerability(cve='CVE-2017-16014', package_name='http-proxy', package_version='0.5.9', architecture='')]}, 'vulnerabilities_mitigated_not_found': {}, 'failed_agents': ['agent6'], 'result': False}
```

However, if we check the currently detected vulnerability, we see that it has `' '` (a single space) as architecture instead of `''`:

```
{'agent6': [Vulnerability(cve='CVE-2017-16014', package_name='http-proxy', package_version='0.5.9', architecture=' ')]}
```

We need to strip the collected vulnerability fields in the `parse_vulnerabilities_from_alerts` and `get_vulnerabilities_from_states` functions.
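The mismatch above comes down to a whitespace-only `architecture` value (`' '`) failing an exact comparison against the expected `''`. The following stand-alone reproduction is an added example, not wazuh_testing's own code: the helper names mirror the ones used in the script above but are reimplemented here, the alert is a constructed, trimmed copy of the http-proxy alert shown earlier, and the `Active`/`Solved` status split and the `Vulnerability` tuple shape are assumptions. `strip_fields=False` reproduces the bug; `strip_fields=True` applies the fix proposed in this comment.

```python
"""Reproduction of the whitespace-mismatch validator bug (added example, hypothetical helpers)."""
from collections import namedtuple

# Assumed tuple shape, matching the fields printed by the validator output above
Vulnerability = namedtuple(
    "Vulnerability", ["cve", "package_name", "package_version", "architecture"]
)

# Constructed sample input: a trimmed copy of the http-proxy alert, keeping the
# single-space "architecture"/"source" values, plus one non-VD alert to be filtered out.
SAMPLE_ALERTS = [
    {
        "agent": {"name": "agent6", "id": "006"},
        "data": {
            "vulnerability": {
                "cve": "CVE-2017-16014",
                "status": "Active",
                "package": {
                    "name": "http-proxy",
                    "version": "0.5.9",
                    "source": " ",
                    "architecture": " ",
                },
            }
        },
        "rule": {"groups": ["vulnerability-detector"], "id": "23504"},
    },
    {
        # Constructed non-vulnerability alert: must be ignored by the splitter
        "agent": {"name": "agent6", "id": "006"},
        "data": {"srcuser": "root"},
        "rule": {"groups": ["syscheck"], "id": "550"},
    },
]


def _strip(value):
    """Normalise a field: strip whitespace, turn None/non-strings into ''."""
    return value.strip() if isinstance(value, str) else ""


def _raw(value):
    """Buggy normaliser: keeps whitespace as collected (reproduces the issue)."""
    return value if isinstance(value, str) else ""


def get_vulnerability_detector_alerts(alerts):
    """Split vulnerability-detector alerts into affected (Active) and mitigated (Solved).

    The status values are an assumption for this example.
    """
    result = {"affected": [], "mitigated": []}
    for alert in alerts:
        if "vulnerability-detector" not in alert.get("rule", {}).get("groups", []):
            continue
        status = alert["data"]["vulnerability"].get("status")
        if status == "Active":
            result["affected"].append(alert)
        elif status == "Solved":
            result["mitigated"].append(alert)
    return result


def parse_vulnerabilities_from_alerts(alerts, strip_fields=True):
    """Group Vulnerability tuples by agent name; strip_fields=False keeps the bug."""
    norm = _strip if strip_fields else _raw
    by_agent = {}
    for alert in alerts:
        vuln = alert["data"]["vulnerability"]
        pkg = vuln["package"]
        by_agent.setdefault(alert["agent"]["name"], []).append(
            Vulnerability(
                norm(vuln.get("cve")),
                norm(pkg.get("name")),
                norm(pkg.get("version")),
                norm(pkg.get("architecture")),
            )
        )
    return by_agent


def compare_expected_found(found, expected):
    """Report expected vulnerabilities missing from the parsed set, per agent."""
    not_found = {}
    for agent, expected_vulns in expected.items():
        missing = [v for v in expected_vulns if v not in found.get(agent, [])]
        if missing:
            not_found[agent] = missing
    return {
        "vulnerabilities_affected_not_found": not_found,
        "failed_agents": sorted(not_found),
        "result": not not_found,
    }


# What the E2E test expects for the macOS agent: empty architecture, not a space
EXPECTED = {"agent6": [Vulnerability("CVE-2017-16014", "http-proxy", "0.5.9", "")]}


def run(strip_fields):
    """Run splitter -> parser -> validator over the sample alerts."""
    alerts = get_vulnerability_detector_alerts(SAMPLE_ALERTS)
    found = parse_vulnerabilities_from_alerts(alerts["affected"], strip_fields=strip_fields)
    return compare_expected_found(found, EXPECTED)


if __name__ == "__main__":
    print("without strip:", run(strip_fields=False))  # result False, agent6 fails
    print("with strip:   ", run(strip_fields=True))   # result True
```

Stripping in the parser rather than in the validator keeps the comparison exact, so a genuinely different architecture string is still reported as a mismatch; only leading and trailing whitespace is discarded.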

rafabailon (Member) commented

LGTM

davidjiglesias (Member) commented

LGTM
