From 160755ad1da88048a8a5dfe2ae7d7c94161e4f22 Mon Sep 17 00:00:00 2001
From: Victor Lyuboslavsky
Date: Tue, 31 Oct 2023 16:18:24 -0500
Subject: [PATCH] Adding CPE support for different Jetbrains IDEA and PyCharm app names. (#14806)

Adding vulnerability data support for JetBrains applications (like IDEA, PyCharm, etc.) that have similar names.
- For example: IntelliJ IDEA.app and IntelliJ IDEA Ultimate.app

Resolves #13889

# Checklist for submitter

- [x] Changes file added for user-visible changes in `changes/` or `orbit/changes/`.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements)
- [x] Added/updated tests
- [x] Manual QA for all new/changed functionality
---
 changes/13889-IDEA-apps-with-similar-names | 2 +
 server/vulnerabilities/nvd/cpe.go | 14 +++++++
 server/vulnerabilities/nvd/cpe_test.go | 40 +++++++++++++++++++
 .../vulnerabilities/nvd/cpe_translations.json | 10 +++++
 4 files changed, 66 insertions(+)
 create mode 100644 changes/13889-IDEA-apps-with-similar-names

diff --git a/changes/13889-IDEA-apps-with-similar-names b/changes/13889-IDEA-apps-with-similar-names
new file mode 100644
index 000000000..906be1921
--- /dev/null
+++ b/changes/13889-IDEA-apps-with-similar-names
@@ -0,0 +1,2 @@
+Adding vulnerability data support for JetBrains applications (like IDEA, PyCharm, etc.) that have similar names.
+- For example: IntelliJ IDEA.app and IntelliJ IDEA Ultimate.app
\ No newline at end of file
diff --git a/server/vulnerabilities/nvd/cpe.go b/server/vulnerabilities/nvd/cpe.go
index 1f83665b0..d815ce6b4 100644
--- a/server/vulnerabilities/nvd/cpe.go
+++ b/server/vulnerabilities/nvd/cpe.go
@@ -114,6 +114,9 @@ func DownloadCPEDBFromGithub(vulnPath string, cpeDBURL string) error {
 return nil
 }
 
+// cpeGeneralSearchQuery puts together several search statements to find the correct row in the CPE datastore.
+// Each statement has a custom weight column, where 1 is the highest priority (most likely to be correct).
+// The SQL statements are combined into a master statements with UNION.
 func cpeGeneralSearchQuery(software *fleet.Software) (string, []interface{}, error) {
 dialect := goqu.Dialect("sqlite")
 
@@ -147,6 +150,17 @@ func cpeGeneralSearchQuery(software *fleet.Software) (string, []interface{}, err
 datasets := []*goqu.SelectDataset{search1, search2, search3}
 
+ // 4 - Try vendor/product from bundle identifier, like tld.vendor.product
+ bundleParts := strings.Split(software.BundleIdentifier, ".")
+ if len(bundleParts) >= 3 {
+ search4 := dialect.From(goqu.I("cpe_2").As("c")).
+ Select("c.rowid", "c.product", "c.vendor", "c.deprecated", goqu.L("4 as weight")).
+ Where(
+ goqu.Or(goqu.L("c.vendor = ?", strings.ToLower(bundleParts[1]))), goqu.L("c.product = ?", strings.ToLower(bundleParts[2])),
+ )
+ datasets = append(datasets, search4)
+ }
+
 var sqlParts []string
 var args []interface{}
 var stm string
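Review bot: The new doc comment on cpeGeneralSearchQuery has a grammar slip in its third line, `a master statements` should read `a master statement`, i.e. `// The SQL statements are combined into a master statement with UNION.` The comment also never says what the three results are; adding `// It returns the combined SQL text, its positional arguments, and an error.` would let a caller read the signature without opening the body. The function body continues outside this hunk.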
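Review bot: In the new weight-4 search, `goqu.Or(...)` wraps only the vendor predicate while the product predicate is passed to `Where` as a separate argument, so the generated clause is `c.vendor = ? AND c.product = ?` and the `goqu.Or` is a no-op that misleads the reader about the intent. If both must match, which is what the `vendor/product` comment and the new test expectations suggest, drop the wrapper and pass the two predicates directly: `goqu.L("c.vendor = ?", strings.ToLower(bundleParts[1])),` / `goqu.L("c.product = ?", strings.ToLower(bundleParts[2])),`; if an OR was intended instead, a vendor-only match at this weight would attach any product of that vendor to the software row, which in a vulnerability matcher is a false-positive risk worth avoiding. Note also that `len(bundleParts) >= 3` accepts identifiers with more than three segments, where the second and third segments are not necessarily vendor and product, so the low weight limits but does not remove the chance of a wrong CPE; a comment stating that assumption next to the guard would help. cpeGeneralSearchQuery starts in the previous hunk and ends outside this one.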
@@ -1290,6 +1290,46 @@ func TestCPEFromSoftwareIntegration(t *testing.T) {
 Version: "6.0.1",
 },
 cpe: "",
 },
+ {
+ software: fleet.Software{
+ Name: "IntelliJ IDEA.app",
+ Source: "apps",
+ Version: "2022.3.3",
+ Vendor: "",
+ BundleIdentifier: "com.jetbrains.intellij",
+ },
+ cpe: "cpe:2.3:a:jetbrains:intellij_idea:2022.3.3:*:*:*:*:macos:*:*",
+ },
+ {
+ software: fleet.Software{
+ Name: "IntelliJ IDEA CE.app",
+ Source: "apps",
+ Version: "2022.3.3",
+ Vendor: "",
+ BundleIdentifier: "com.jetbrains.intellij.ce",
+ },
+ cpe: "cpe:2.3:a:jetbrains:intellij_idea:2022.3.3:*:*:*:*:macos:*:*",
+ },
+ {
+ software: fleet.Software{
+ Name: "User PyCharm Custom Name.app", // 2023/10/31: The actual product name must be part of the app name per our code in CPEFromSoftware
+ Source: "apps",
+ Version: "2019.2",
+ Vendor: "",
+ BundleIdentifier: "com.jetbrains.pycharm",
+ },
+ cpe: "cpe:2.3:a:jetbrains:pycharm:2019.2:*:*:*:*:macos:*:*",
+ },
+ {
+ software: fleet.Software{
+ Name: "PyCharm Community Edition.app",
+ Source: "apps",
+ Version: "2022.1",
+ Vendor: "",
+ BundleIdentifier: "com.jetbrains.pycharm.ce",
+ },
+ cpe: "cpe:2.3:a:jetbrains:pycharm:2022.1:*:*:*:*:macos:*:*",
+ },
 }
 tempDir := t.TempDir()
diff --git a/server/vulnerabilities/nvd/cpe_translations.json b/server/vulnerabilities/nvd/cpe_translations.json
index 2d63d3f24..0dcfd1477 100644
--- a/server/vulnerabilities/nvd/cpe_translations.json
+++ b/server/vulnerabilities/nvd/cpe_translations.json
@@ -119,5 +119,15 @@
 "product": ["flock"],
 "vendor": ["flock"]
 }
+ },
+ {
+ "software": {
+ "bundle_identifier": ["/^com\\.jetbrains\\.intellij/"],
+ "source": ["apps"]
+ },
+ "filter": {
+ "product": ["intellij_idea"],
+ "vendor": ["jetbrains"]
+ }
 }
 ]
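Review bot: The new cases cover the `IntelliJ IDEA.app` and `IntelliJ IDEA CE.app` names, but the `IntelliJ IDEA Ultimate.app` name that the PR description and the changes file advertise has no case, so the headline example of this change is not exercised by the test. A case with `Name: "IntelliJ IDEA Ultimate.app"`, the bundle identifier that edition actually reports, and the same `intellij_idea` CPE expectation would close that gap. A negative case, a JetBrains bundle identifier whose third segment is not a CPE product name, would also show that the weight-4 bundle-identifier search does not attach an unrelated CPE to the row. TestCPEFromSoftwareIntegration starts and ends outside this hunk.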
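Review bot: The new translation's `bundle_identifier` pattern `/^com\\.jetbrains\\.intellij/` is anchored only at the start, so besides `com.jetbrains.intellij` and `com.jetbrains.intellij.ce` it also covers any future identifier that merely shares that prefix, which would silently map it to `intellij_idea`. If only those two editions are meant, anchoring the end as well, e.g. `"bundle_identifier": ["/^com\\.jetbrains\\.intellij(\\.ce)?$/"]`, keeps the mapping explicit; I am assuming the pattern syntax accepts an optional group and a `$` anchor the way Go's regexp does, which this file does not show.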