From 27073720c553572dc0fcd2a970d417e048e24ab0 Mon Sep 17 00:00:00 2001 From: Tim Lee Date: Thu, 14 Dec 2023 10:39:28 -0700 Subject: [PATCH] 15254 oval scan err (#15499) --- changes/15254-oval-scan-err | 1 + server/datastore/mysql/software_test.go | 24 ++++++++++++++----- server/fleet/vulnerabilities.go | 6 ++--- server/service/integration_enterprise_test.go | 2 +- server/vulnerabilities/nvd/cve.go | 3 ++- 5 files changed, 25 insertions(+), 11 deletions(-) create mode 100644 changes/15254-oval-scan-err diff --git a/changes/15254-oval-scan-err b/changes/15254-oval-scan-err new file mode 100644 index 000000000..a3ae1fd3d --- /dev/null +++ b/changes/15254-oval-scan-err @@ -0,0 +1 @@ +- resolved scan error during oval vulnerability processing \ No newline at end of file diff --git a/server/datastore/mysql/software_test.go b/server/datastore/mysql/software_test.go index ccfcce2af..e3aa9a2f8 100644 --- a/server/datastore/mysql/software_test.go +++ b/server/datastore/mysql/software_test.go @@ -553,9 +553,9 @@ func testSoftwareList(t *testing.T, ds *Datastore) { }) vulns := []fleet.SoftwareVulnerability{ - {SoftwareID: host1.Software[0].ID, CVE: "CVE-2022-0001", ResolvedInVersion: "2.0.0"}, - {SoftwareID: host1.Software[0].ID, CVE: "CVE-2022-0002", ResolvedInVersion: "2.0.0"}, - {SoftwareID: host3.Software[0].ID, CVE: "CVE-2022-0003", ResolvedInVersion: "2.0.0"}, + {SoftwareID: host1.Software[0].ID, CVE: "CVE-2022-0001", ResolvedInVersion: ptr.String("2.0.0")}, + {SoftwareID: host1.Software[0].ID, CVE: "CVE-2022-0002", ResolvedInVersion: ptr.String("2.0.0")}, + {SoftwareID: host3.Software[0].ID, CVE: "CVE-2022-0003", ResolvedInVersion: ptr.String("2.0.0")}, } for _, v := range vulns { 
@@ -1864,19 +1864,31 @@ func testInsertSoftwareVulnerability(t *testing.T, ds *Datastore) { vuln := fleet.SoftwareVulnerability{ SoftwareID: host.Software[0].ID, CVE: "cve-3", - ResolvedInVersion: "1.2.3", + ResolvedInVersion: ptr.String("1.2.3"), } inserted, err := ds.InsertSoftwareVulnerability(ctx, vuln, fleet.UbuntuOVALSource) require.NoError(t, err) require.True(t, inserted) + // vulnerability with no ResolvedInVersion + vuln = fleet.SoftwareVulnerability{ + SoftwareID: host.Software[0].ID, + CVE: "cve-4", + } + + inserted, err = ds.InsertSoftwareVulnerability(ctx, vuln, fleet.UbuntuOVALSource) + require.NoError(t, err) + require.True(t, inserted) + storedVulns, err := ds.ListSoftwareVulnerabilitiesByHostIDsSource(ctx, []uint{host.ID}, fleet.UbuntuOVALSource) require.NoError(t, err) - require.Len(t, storedVulns[host.ID], 1) + require.Len(t, storedVulns[host.ID], 2) require.Equal(t, "cve-3", storedVulns[host.ID][0].CVE) - require.Equal(t, "1.2.3", storedVulns[host.ID][0].ResolvedInVersion) + require.Equal(t, "1.2.3", *storedVulns[host.ID][0].ResolvedInVersion) + require.Equal(t, "cve-4", storedVulns[host.ID][1].CVE) + require.Nil(t, storedVulns[host.ID][1].ResolvedInVersion) }) } diff --git a/server/fleet/vulnerabilities.go b/server/fleet/vulnerabilities.go index 5449d270a..c528a5589 100644 --- a/server/fleet/vulnerabilities.go +++ b/server/fleet/vulnerabilities.go @@ -49,9 +49,9 @@ type SoftwareCPE struct { // SoftwareVulnerability is a vulnerability on a software. // Represents an entry in the `software_cve` table. type SoftwareVulnerability struct { - SoftwareID uint `db:"software_id"` - CVE string `db:"cve"` - ResolvedInVersion string `db:"resolved_in_version"` + SoftwareID uint `db:"software_id"` + CVE string `db:"cve"` + ResolvedInVersion *string `db:"resolved_in_version"` } // String implements fmt.Stringer. diff --git a/server/service/integration_enterprise_test.go b/server/service/integration_enterprise_test.go index d073f2849..62ccfb19c 100644 
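Review bot: `require.Equal(t, "1.2.3", *storedVulns[host.ID][0].ResolvedInVersion)` dereferences the pointer directly, so a regression that stores NULL for cve-3 panics the test instead of producing a require failure; add `require.NotNil(t, storedVulns[host.ID][0].ResolvedInVersion)` on the line before it. The new positional assertions ([0] is cve-3, [1] is cve-4) also assume ListSoftwareVulnerabilitiesByHostIDsSource returns rows in insertion order; unless that query has an ORDER BY (not visible here) the test becomes order-dependent, so keying the checks on CVE rather than index would be safer. The enclosing subtest closure starts before the hunk.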
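Review bot: The new `ResolvedInVersion *string` field says nothing about when it is nil, which is the whole reason for the type change; add `// ResolvedInVersion is the first version that fixes the CVE; nil when the source reported no fix version (presumably NULL in software_cve).` above it, so callers know to nil-check before dereferencing. The String method declared right after the hunk (`// String implements fmt.Stringer.`) is outside the hunk; if it formats this field it now needs a nil guard. Anything that JSON-encodes this struct will also start emitting `null` instead of `""` for the unknown-fix case, which is worth confirming against API consumers.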
--- a/server/service/integration_enterprise_test.go +++ b/server/service/integration_enterprise_test.go @@ -3415,7 +3415,7 @@ func (s *integrationEnterpriseTestSuite) TestListSoftware() { ctx, fleet.SoftwareVulnerability{ SoftwareID: bar.ID, CVE: "cve-123", - ResolvedInVersion: "1.2.3", + ResolvedInVersion: ptr.String("1.2.3"), }, fleet.NVDSource, ) require.NoError(t, err) diff --git a/server/vulnerabilities/nvd/cve.go b/server/vulnerabilities/nvd/cve.go index 28fa39782..99014f92b 100644 --- a/server/vulnerabilities/nvd/cve.go +++ b/server/vulnerabilities/nvd/cve.go @@ -22,6 +22,7 @@ import ( "github.com/facebookincubator/nvdtools/wfn" "github.com/fleetdm/fleet/v4/server/contexts/ctxerr" "github.com/fleetdm/fleet/v4/server/fleet" + "github.com/fleetdm/fleet/v4/server/ptr" nvdsync "github.com/fleetdm/fleet/v4/server/vulnerabilities/nvd/sync" "github.com/go-kit/log" kitlog "github.com/go-kit/log" @@ -322,7 +323,7 @@ func checkCVEs( vuln := fleet.SoftwareVulnerability{ SoftwareID: softwareCPE.SoftwareID, CVE: matches.CVE.ID(), - ResolvedInVersion: resolvedVersion, + ResolvedInVersion: ptr.String(resolvedVersion), } mu.Lock()
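Review bot: `ResolvedInVersion: ptr.String(resolvedVersion)` wraps unconditionally, so if resolvedVersion can be empty (it is computed above the hunk, not visible here) the NVD path persists `""` while the OVAL path, per the new "vulnerability with no ResolvedInVersion" test in software_test.go, leaves the field nil; the two sources would then encode "no known fix" differently and every consumer would have to check both nil and empty. Build the literal without the field and set it only when there is a value: `if resolvedVersion != "" { vuln.ResolvedInVersion = ptr.String(resolvedVersion) }`. checkCVEs continues outside the hunk.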