
feat(mongodb): add version tracking modes #6243

Open
tpaskap wants to merge 2 commits into centreon:develop from tpaskap:feature/mongodb

Conversation

@tpaskap tpaskap commented Jun 16, 2026


Add version, patch-drift, and patch-status modes to monitor MongoDB patch compliance and expose them through database::mongodb::plugin.

Community contributors

Description

This pull request extends the existing database::mongodb::plugin with three new monitoring modes focused on MongoDB version and patch compliance:

  • version: reports the MongoDB server version and raises alerts when the instance is below configurable minimum versions (warning/critical thresholds).
  • patch-drift: checks version consistency across replica set members, compares each member against a reference version, and detects drift between nodes.
  • patch-status: performs auto-discovery on replica set members, compares detected versions against a branch-based patch catalogue (fixed version per MongoDB branch), and raises severity-aware alerts (NONE to CRITICAL).

The custom driver was also extended to retrieve version information required by these modes.

These modes help operators reduce obsolescence exposure and detect patch drift or missing security fixes earlier in replica set environments.

Patch-status catalogues (embedded vs NVD file)

Both catalogues share the same schema (centreon-mongodb-patch-catalog/1) but differ in detail level:

| | Embedded default catalogue | NVD catalogue file |
|---|---|---|
| Location | $DEFAULT_CATALOG in src/database/mongodb/mode/patchstatus.pm | external JSON file passed via --catalog-file or --catalog-url |
| Used when | neither --catalog-file nor --catalog-url is provided | --catalog-file=<path> (or --catalog-url=<url>) is provided |
| cves array | empty ([]) by design | populated from NVD (id, severity, cvss, fixed_in, description, advisory_url, ...) |
| fixed_version | hard-coded per branch (5.0.33, 6.0.28, 7.0.34, 8.0.23) | computed from NVD (max of fixed_in per branch) |
| Purpose | self-contained plugin bundle, lightweight offline fallback | production use: CVE-level alerting and up-to-date branch fixes |

Each branch entry in both catalogues contains the same top-level fields:

{
  "branch": "6.0",
  "vulnerable_range": { "min_inclusive": "6.0.0", "max_exclusive": "6.0.28" },
  "fixed_version": "6.0.28",
  "default_severity": "HIGH",
  "cves": [ ... ]
}

When browsing an external catalogue JSON file, the cves array is long and appears first in pretty-printed output, which can make the file look different from the embedded catalogue. Scroll within the same branch object (or inspect with jq) to see fixed_version, vulnerable_range, and default_severity.

How patch-status uses them:

  • With CVE details (--catalog-file): compares the member version against each fixed_in in cves[] and counts outstanding CVEs.
  • Without CVE details (embedded default): falls back to fixed_version + default_severity when the running version is below the branch fix.

Recommended usage:

  • quick test / standalone run: run without --catalog-file (embedded catalogue).
  • production: provide a refreshed NVD catalogue via --catalog-file=<path-to>/mongodb-patch-catalog.json (or --catalog-url=<url>).

Fixes # (issue)

Type of change

  • Patch fixing an issue (non-breaking change)
  • New functionality (non-breaking change)
  • Functionality enhancement or optimization (non-breaking change)
  • Breaking change (patch or feature) that might cause side effects breaking part of the Software

How can this pull request be tested?

Prerequisites

  • A MongoDB instance or replica set reachable from the poller
  • Perl dependencies already required by database::mongodb::plugin (libmongodb-perl, etc.)
  • For patch-status with CVE-level detail: a local JSON catalogue file conforming to schema centreon-mongodb-patch-catalog/1. Without it, the mode falls back to the embedded default catalogue in patchstatus.pm.

1. List the new modes

./centreon_plugins.pl \
  --plugin=database::mongodb::plugin \
  --list-mode

Expected: version, patch-drift, and patch-status appear in the mode list.

2. Test version on a single instance

./centreon_plugins.pl \
  --plugin=database::mongodb::plugin \
  --mode=version \
  --hostname=<mongo-host> \
  --port=27017 \
  --minimum-version-warning=7.0.10 \
  --minimum-version-critical=6.0.0 \
  --no-ssl

Expected: plugin output shows the MongoDB version and returns OK/WARNING/CRITICAL according to thresholds.

3. Test patch-drift on a replica set

./centreon_plugins.pl \
  --plugin=database::mongodb::plugin \
  --mode=patch-drift \
  --hostname=<host1>,<host2>,<host3> \
  --port=27017 \
  --replica-set=<replica-set-name> \
  --username=<user> \
  --password=<password> \
  --auth-source=<auth-db> \
  --minimum-version-warning=7.0.0 \
  --minimum-version-critical=6.0.25 \
  --no-ssl

Expected: one status line per member, with reference version and drift information.

4a. Test patch-status with the embedded default catalogue (no --catalog-file)

./centreon_plugins.pl \
  --plugin=database::mongodb::plugin \
  --mode=patch-status \
  --hostname=<host1>,<host2>,<host3> \
  --port=27017 \
  --replica-set=<replica-set-name> \
  --username=<user> \
  --password=<password> \
  --auth-source=<auth-db> \
  --no-ssl \
  --debug

Expected: auto-discovery of members, comparison against the hard-coded branch fixed_version (no per-CVE detail). Debug output includes Using built-in default patch catalog.

4b. Test patch-status with the NVD catalogue file (recommended for production)

./centreon_plugins.pl \
  --plugin=database::mongodb::plugin \
  --mode=patch-status \
  --hostname=<host1>,<host2>,<host3> \
  --port=27017 \
  --replica-set=<replica-set-name> \
  --username=<user> \
  --password=<password> \
  --auth-source=<auth-db> \
  --catalog-file=<path-to>/mongodb-patch-catalog.json \
  --no-ssl

Expected: auto-discovery of members, comparison against branch fixed_version, and severity-aware status based on outstanding CVEs listed in the catalogue.

Example (anonymized replica set, NVD catalogue, --debug)

Command:

./src/centreon_plugins.pl \
  --plugin=database::mongodb::plugin \
  --mode=patch-status \
  --hostname='mongodb-node01.example.com,mongodb-node02.example.com,mongodb-node03.example.com' \
  --username='<username>' \
  --password='*****' \
  --auth-source='<auth-db>' \
  --replica-set='<replica-set-name>' \
  --catalog-file=<path-to>/mongodb-patch-catalog.json \
  --no-ssl \
  --debug

Sample output (all members patched on branch 6.0):

OK: MongoDB patch status members unpatched: 0 - All members run a patched MongoDB version | 'mongodb.members.unpatched.count'=0;;0:0;0; 'mongodb.members.total.count'=3;;;0; 'mongodb.cve.outstanding.total.count'=0;;;0; 'mongodb.cve.max.severity.numeric'=0;;;0;4 'mongodb-node01.example.com:27017#mongodb.member.cve.outstanding.count'=0;;;0; 'mongodb-node02.example.com:27017#mongodb.member.cve.outstanding.count'=0;;;0; 'mongodb-node03.example.com:27017#mongodb.member.cve.outstanding.count'=0;;;0;
Connection URI: mongodb://<username>:***@mongodb-node01.example.com,mongodb-node02.example.com,mongodb-node03.example.com/?authSource=<auth-db>&replicaSet=<replica-set-name>
Connection URI: mongodb://<username>:***@mongodb-node01.example.com:27017/?authSource=<auth-db>&replicaSet=<replica-set-name>
Connection URI: mongodb://<username>:***@mongodb-node02.example.com:27017/?authSource=<auth-db>&replicaSet=<replica-set-name>
Connection URI: mongodb://<username>:***@mongodb-node03.example.com:27017/?authSource=<auth-db>&replicaSet=<replica-set-name>
Member 'mongodb-node01.example.com:27017' version is '6.0.28' [branch: 6.0] [fixed: 6.0.28] [patched: yes]
Member 'mongodb-node02.example.com:27017' version is '6.0.28' [branch: 6.0] [fixed: 6.0.28] [patched: yes]
Member 'mongodb-node03.example.com:27017' version is '6.0.28' [branch: 6.0] [fixed: 6.0.28] [patched: yes]

To inspect the catalogue structure (same schema as the embedded default, with populated cves):

jq '.branches[] | {branch, fixed_version, default_severity, cve_count: (.cves | length)}' \
  <path-to>/mongodb-patch-catalog.json

Sample output:

{
  "branch": "5.0",
  "fixed_version": "5.0.33",
  "default_severity": "HIGH",
  "cve_count": 15
}
{
  "branch": "6.0",
  "fixed_version": "6.0.28",
  "default_severity": "HIGH",
  "cve_count": 25
}
{
  "branch": "7.0",
  "fixed_version": "7.0.35",
  "default_severity": "HIGH",
  "cve_count": 41
}
{
  "branch": "8.0",
  "fixed_version": "8.0.24",
  "default_severity": "HIGH",
  "cve_count": 35
}

Collection type: CLI (command + output).

Checklist

  • I have followed the coding style guidelines provided by Centreon
  • I have commented my code, especially hard-to-understand areas of the PR.
  • I have rebased my development branch on the base branch (develop).
  • I have provided data or shown output displaying the result of this code in the plugin area concerned.

Add version, patch-drift, and patch-status modes to monitor MongoDB patch compliance and expose them through database::mongodb::plugin.

Signed-off-by: tpaskap <tpaskap@users.noreply.github.com>
@tpaskap tpaskap requested a review from a team as a code owner June 16, 2026 17:17
@tpaskap tpaskap requested review from Evan-Adam and removed request for a team June 16, 2026 17:17
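The following is an added example, not code from this pull request or from the centreon-plugins project: a Python model (rather than the plugin's Perl, so it runs stand-alone) of the checks the PR description attributes to the three modes: the version threshold check, the patch-status comparison of each member against the branch catalogue (CVE-level when cves[] is populated, fixed_version + default_severity fallback when it is empty), and the patch-drift comparison against a reference version. The branch objects follow the schema quoted in the description; the top-level "schema" key, the subset of per-CVE fields used, the NONE..CRITICAL numeric scale 0..4 (taken from the mongodb.cve.max.severity.numeric range in the sample output) and the choice of the highest observed version as the default drift reference are assumptions of this example. All member versions and CVE identifiers are constructed placeholders.

```python
"""Added example, not code from the centreon-plugins PR: a Python model of the
checks described for the version, patch-status and patch-drift modes.
Assumptions: the top-level "schema" key, the per-CVE field subset, the 0..4
severity scale and the default drift reference. All data is constructed."""
import json

# Assumed numeric scale matching the 0..4 range of mongodb.cve.max.severity.numeric.
SEVERITY = {"NONE": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed catalogue: branch 6.0 carries CVE detail (NVD-style file), branch 7.0
# has an empty cves array, which exercises the embedded-catalogue fallback.
CATALOG_JSON = """{
  "schema": "centreon-mongodb-patch-catalog/1",
  "branches": [
    {"branch": "6.0",
     "vulnerable_range": {"min_inclusive": "6.0.0", "max_exclusive": "6.0.28"},
     "fixed_version": "6.0.28", "default_severity": "HIGH",
     "cves": [{"id": "CVE-XXXX-EXAMPLE1", "severity": "MEDIUM", "fixed_in": "6.0.20"},
              {"id": "CVE-XXXX-EXAMPLE2", "severity": "CRITICAL", "fixed_in": "6.0.28"}]},
    {"branch": "7.0",
     "vulnerable_range": {"min_inclusive": "7.0.0", "max_exclusive": "7.0.34"},
     "fixed_version": "7.0.34", "default_severity": "HIGH", "cves": []}
  ]
}"""
CATALOG = json.loads(CATALOG_JSON)


def parse_version(text):
    """'6.0.28' -> (6, 0, 28); tuples compare numerically, unlike strings."""
    return tuple(int(part) for part in text.split("."))


def branch_of(version):
    """MongoDB branches are major.minor, e.g. '6.0' for 6.0.28."""
    major, minor = parse_version(version)[:2]
    return f"{major}.{minor}"


def version_status(version, warn_min, crit_min):
    """The version mode: CRITICAL below crit_min, WARNING below warn_min, else OK."""
    v = parse_version(version)
    if v < parse_version(crit_min):
        return "CRITICAL"
    if v < parse_version(warn_min):
        return "WARNING"
    return "OK"


def evaluate_member(version, catalog=CATALOG):
    """The patch-status per-member check: branch lookup, then CVE-level or fallback."""
    entry = next((b for b in catalog["branches"] if b["branch"] == branch_of(version)), None)
    if entry is None:  # branch not in the catalogue: nothing to compare against
        return {"branch": branch_of(version), "fixed": None, "patched": None,
                "outstanding": [], "severity": "NONE"}
    v = parse_version(version)
    patched = v >= parse_version(entry["fixed_version"])
    if entry["cves"]:
        # With CVE details: a CVE is outstanding while the member runs below its fixed_in.
        outstanding = [c for c in entry["cves"] if v < parse_version(c["fixed_in"])]
        severity = max((c["severity"] for c in outstanding), key=SEVERITY.get, default="NONE")
    else:
        # Without CVE details: fall back to fixed_version + default_severity.
        outstanding = []
        severity = "NONE" if patched else entry["default_severity"]
    return {"branch": entry["branch"], "fixed": entry["fixed_version"], "patched": patched,
            "outstanding": [c["id"] for c in outstanding], "severity": severity}


def patch_status(members, catalog=CATALOG):
    """Aggregate the replica set the way the perfdata in the sample output does."""
    results = {host: evaluate_member(ver, catalog) for host, ver in members.items()}
    return {
        "members": results,
        "unpatched": sum(1 for r in results.values() if r["patched"] is False),
        "total": len(results),
        "outstanding_total": sum(len(r["outstanding"]) for r in results.values()),
        "max_severity": max(SEVERITY[r["severity"]] for r in results.values()),
    }


def patch_drift(members, reference=None):
    """The patch-drift check: members whose version differs from the reference.
    The reference defaults to the highest version seen (an assumption of this example)."""
    if reference is None:
        reference = max(members.values(), key=parse_version)
    drifted = {h: v for h, v in members.items() if parse_version(v) != parse_version(reference)}
    return {"reference": reference, "drifted": drifted}


if __name__ == "__main__":
    # Constructed replica set: one patched node, one behind on its branch, one on 7.0.
    MEMBERS = {"node01:27017": "6.0.28", "node02:27017": "6.0.25", "node03:27017": "7.0.30"}
    print(json.dumps(patch_status(MEMBERS), indent=2))
    print(patch_drift(MEMBERS, reference="6.0.28"))
```

Versions are compared as integer tuples rather than strings, which is the detail a catalogue check most often gets wrong ("6.0.28" sorts before "6.0.9" as a string). The constructed set shows the two unpatched paths side by side: node02 is behind on a branch with CVE detail, so one outstanding CVE at CRITICAL is reported, while node03 is behind on a branch with an empty cves array, so only the branch default_severity is raised.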
