Generate CPE for Firefox Developer Edition on macOS#48924
Conversation
Firefox Developer Edition produced no CPE, so it never matched any Firefox CVEs and showed as vulnerability-free. Its bundle identifier (org.mozilla.firefoxdeveloperedition) yields a product token that has no NVD entry, and it matches none of the name/sanitize/full-text fallbacks either. Add a CPE translation mapping it to the standard mozilla:firefox product, the same mechanism the Firefox ESR rule already uses (minus sw_edition, since Developer Edition tracks standard Firefox advisories).
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: CHILL Plan: Pro Run ID: ⛔ Files ignored due to path filters (1)
📒 Files selected for processing (3)
WalkthroughThis change adds a new CPE translation rule for Firefox Developer Edition, mapping the macOS bundle identifier org.mozilla.firefoxdeveloperedition to the mozilla:firefox product/vendor pair in cpe_translations.json. Corresponding tests were added: a new case in the CPE integration test suite verifying the expected CPE output for Firefox Developer Edition, and a dedicated test loading the real translations file to validate the translation rule and resulting filter fields. Changes
Sequence Diagram(s)sequenceDiagram
participant Test as TestFirefoxDeveloperEditionTranslation
participant Translations as translations.Translate
participant JSON as cpe_translations.json
Test->>JSON: Load cpe_translations.json
Test->>Translations: Translate(Firefox Developer Edition software)
Translations-->>Test: filter.Product=firefox, filter.Vendor=mozilla
Related issues: #48689 — resolves the missing generated_cpe for Firefox Developer Edition by adding the translation mapping. Suggested labels: bug, vulnerability-processing, nvd Suggested reviewers: getvictor, sharon-fdm Poem A rabbit hopped through Firefox's den, 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #48924 +/- ##
==========================================
- Coverage 68.12% 68.11% -0.01%
==========================================
Files 3708 3708
Lines 235053 235053
Branches 12502 12502
==========================================
- Hits 160119 160100 -19
- Misses 60570 60584 +14
- Partials 14364 14369 +5
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
Related issue: Resolves #48689
Adds a CPE translation so Firefox Developer Edition on macOS resolves to the standard
mozilla:firefoxproduct. Without it,CPEFromSoftwaregenerates no CPE for the app, so it matches no Firefox CVEs and shows as vulnerability-free — a silent false negative.The root cause is that none of the standard matching paths fit Developer Edition: its bundle identifier
org.mozilla.firefoxdevelopereditionsplits to a product token (firefoxdeveloperedition) that has no NVD entry, and the sanitized-name and full-text fallbacks don't resolve tofirefoxeither. Regular Firefox works only because its bundle (org.mozilla.firefox) splits cleanly tomozilla/firefox. The fix uses the same translation mechanism the existing Firefox ESR rule uses, mapping the Developer Edition bundle toproduct: firefox,vendor: mozilla— with nosw_edition, since Developer Edition tracks standard Firefox advisories (ESR is the special case that needs theesredition).Match is on the bundle identifier rather than the display name so it's stable regardless of how the app name is ingested.
Out of scope: Firefox Nightly (
org.mozilla.nightly) has the same failure mode but uses pre-release version strings (e.g.155.0a1) that don't line up with NVD's per-version Firefox CPEs, so mapping it tofirefoxrisks bad matches — it warrants separate handling. Firefox Beta already works today (its bundle isorg.mozilla.firefox), so it needs no change.Testing. Two layers, matching how the codebase already tests CPE rules:
TestFirefoxDeveloperEditionTranslation) loads the real shippedcpe_translations.jsonand asserts Developer Edition translates tomozilla:firefoxwith nosw_edition. It needs no CPE dictionary or network, so it runs in the fast suite.TestCPEFromSoftwareIntegration, alongside the existing regular-Firefox case, asserts the full CPE string against the live NVD dictionary in CI. It reuses the known-good105.0.1Firefox entry. The downstream CPE→CVE step is unchanged and already covered formozilla:firefoxbyTestTranslateCPEToCVE, so no new CVE-matching test is needed.Checklist for submitter
changes/,orbit/changes/oree/fleetd-chrome/changes.See Changes files for more information.
Testing
Added/updated automated tests
QA'd all new/changed functionality manually — ran
TestFirefoxDeveloperEditionTranslationlocally against the shipped rule (passes); the full software→CPE resolution against live NVD data is exercised by the network-gated integration case in CI.Summary by CodeRabbit