From 12b29143c5d75d030d4fd91ed6d7dbdda081c924 Mon Sep 17 00:00:00 2001
From: Ian Littman
Date: Tue, 29 Oct 2024 09:16:09 -0700
Subject: [PATCH] Merge duplicate package entries for deb-installed Python packages for Debian (#23325)
#22219 Note caveats in added tests; we may need to add more matching logic here based on the Debian Bookworm repro I did.
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files) for more information.
- [x] Added/updated tests
- [x] Manual QA for all new/changed functionality
---
 changes/22219-python-package-demian | 1 +
 server/service/osquery.go | 8 ++---
 server/service/osquery_test.go | 53 ++++++++++++++++++++++++++++-
 3 files changed, 57 insertions(+), 5 deletions(-)
 create mode 100644 changes/22219-python-package-demian
diff --git a/changes/22219-python-package-demian b/changes/22219-python-package-demian
new file mode 100644
index 000000000000..f9b50d4ea24b
--- /dev/null
+++ b/changes/22219-python-package-demian
@@ -0,0 +1 @@
+- Addressed Debian python package false positive vulnerabilities by removing duplicate entries for Debian python packages installed by dpkg and renaming remaining pip installed packages to match OVAL definitions.
diff --git a/server/service/osquery.go b/server/service/osquery.go
index 55afcd433fcf..c0f79bddcc3b
--- a/server/service/osquery.go
+++ b/server/service/osquery.go
@@ -1249,11 +1249,11 @@ func preProcessSoftwareResults(
 preProcessSoftwareExtraResults(fullQueryName, host.ID, results, statuses, messages, query, logger)
 }
- // Filter out python packages that are also deb packages on ubuntu
+ // Filter out python packages that are also deb packages on ubuntu/debian
 pythonPackageFilter(host.Platform, results, statuses)
 }
-// pythonPackageFilter filters out duplicate python_packages that are installed under deb_packages on Ubuntu.
+// pythonPackageFilter filters out duplicate python_packages that are installed under deb_packages on Ubuntu and Debian.
 // python_packages not matching a Debian package names are updated to "python3-packagename" to match OVAL definitions.
 func pythonPackageFilter(platform string, results *fleet.OsqueryDistributedQueryResults, statuses *map[string]fleet.OsqueryStatus) {
 const pythonPrefix = "python3-"
@@ -1261,9 +1261,9 @@ func pythonPackageFilter(platform string, results *fleet.OsqueryDistributedQuery
 const debSource = "deb_packages"
 const linuxSoftware = hostDetailQueryPrefix + "software_linux"
- // Return early if platform is not Ubuntu
+ // Return early if platform is not Ubuntu or Debian
 // We may need to add more platforms in the future
- if platform != "ubuntu" {
+ if platform != "ubuntu" && platform != "debian" {
 return
 }
diff --git a/server/service/osquery_test.go b/server/service/osquery_test.go
index d73b564d6e69..286b6b8a28aa
--- a/server/service/osquery_test.go
+++ b/server/service/osquery_test.go
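Review bot: The platform gate on the new `if platform != "ubuntu" && platform != "debian" {` line is an exact-match string chain that the comment directly above already expects to grow; a `switch` keeps the allowlist in one place and reads as one, e.g. `switch platform { case "ubuntu", "debian": default: return }`. Because the match is exact, a Debian-derived host whose osquery platform value is anything other than these two strings keeps both its dpkg and pip entries, so the duplicate (and presumably the false-positive vulnerability) reports this commit fixes would persist there; that limit is worth stating on the pythonPackageFilter doc comment in the previous hunk, e.g. `// Only hosts reporting platform "ubuntu" or "debian" are filtered; other Debian derivatives are left untouched.` The body of pythonPackageFilter continues past the end of this hunk.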
@@ -3964,7 +3964,58 @@ func TestPreProcessSoftwareResults(t *testing.T) {
 },
 },
 {
- name: "non-ubuntu installed python packages are NOT filtered out",
+ name: "debian dpkg installed python packages are filtered out",
+ host: &fleet.Host{ID: 1, Platform: "debian"},
+ statusesIn: map[string]fleet.OsqueryStatus{
+ hostDetailQueryPrefix + "software_linux": fleet.StatusOK,
+ },
+ resultsIn: fleet.OsqueryDistributedQueryResults{
+ hostDetailQueryPrefix + "software_linux": []map[string]string{
+ {
+ "name": "python3-twisted",
+ "version": "22.4.0-4",
+ "source": "deb_packages",
+ },
+ {
+ "name": "Twisted", // duplicate of python3-twisted
+ "version": "22.4.0-4",
+ "source": "python_packages",
+ },
+ // known issue below: names don't match so we don't deduplicate
+ {
+ "name": "python3-attr", // osquery source column is python-attrs
+ "version": "22.2.0-1",
+ "source": "deb_packages",
+ },
+ {
+ "name": "Attrs",
+ "version": "22.2.0",
+ "source": "python_packages",
+ },
+ },
+ },
+ resultsOut: fleet.OsqueryDistributedQueryResults{
+ hostDetailQueryPrefix + "software_linux": []map[string]string{
+ {
+ "name": "python3-twisted",
+ "version": "22.4.0-4",
+ "source": "deb_packages",
+ },
+ {
+ "name": "python3-attr",
+ "version": "22.2.0-1",
+ "source": "deb_packages",
+ },
+ {
+ "name": "python3-attrs",
+ "version": "22.2.0",
+ "source": "python_packages",
+ },
+ },
+ },
+ },
+ {
+ name: "non-ubuntu/debian installed python packages are NOT filtered out",
 host: &fleet.Host{ID: 1, Platform: "rhel"},
 statusesIn: map[string]fleet.OsqueryStatus{
 hostDetailQueryPrefix + "software_linux": fleet.StatusOK,
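Review bot: The resultsOut side of the new Debian case asserts that `Attrs` survives as `python3-attrs` with the pip version `22.2.0` next to the dpkg entry `python3-attr` `22.2.0-1`, but only the resultsIn side carries the "known issue" comment, so the expected output reads as an endorsed result rather than a documented gap. A comment on the `python3-attrs` entry in resultsOut, e.g. `// known issue: not deduplicated against python3-attr above; carries the pip version, not the Debian one`, would make the intent explicit and mark exactly which expectation changes once matching improves. Since the rename exists to line these entries up with OVAL definitions, an entry with a deb-style name and a non-Debian version string is presumably where the remaining false positives for this package come from; the input comment `osquery source column is python-attrs` suggests the follow-up is to match on dpkg's source package field as well as the binary package name. TestPreProcessSoftwareResults starts before and continues past this hunk.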