Skip to content

Generate CPE for Firefox Developer Edition on macOS#48924

Open
raju249 wants to merge 1 commit into
fleetdm:mainfrom
raju249:raju249/firefox-developer-edition-cpe-48689
Open

Generate CPE for Firefox Developer Edition on macOS#48924
raju249 wants to merge 1 commit into
fleetdm:mainfrom
raju249:raju249/firefox-developer-edition-cpe-48689

Conversation

@raju249

@raju249 raju249 commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Related issue: Resolves #48689

Adds a CPE translation so Firefox Developer Edition on macOS resolves to the standard mozilla:firefox product. Without it, CPEFromSoftware generates no CPE for the app, so it matches no Firefox CVEs and shows as vulnerability-free — a silent false negative.

The root cause is that none of the standard matching paths fit Developer Edition: its bundle identifier org.mozilla.firefoxdeveloperedition splits to a product token (firefoxdeveloperedition) that has no NVD entry, and the sanitized-name and full-text fallbacks don't resolve to firefox either. Regular Firefox works only because its bundle (org.mozilla.firefox) splits cleanly to mozilla/firefox. The fix uses the same translation mechanism the existing Firefox ESR rule uses, mapping the Developer Edition bundle to product: firefox, vendor: mozilla — with no sw_edition, since Developer Edition tracks standard Firefox advisories (ESR is the special case that needs the esr edition).

Match is on the bundle identifier rather than the display name so it's stable regardless of how the app name is ingested.

Out of scope: Firefox Nightly (org.mozilla.nightly) has the same failure mode but uses pre-release version strings (e.g. 155.0a1) that don't line up with NVD's per-version Firefox CPEs, so mapping it to firefox risks bad matches — it warrants separate handling. Firefox Beta already works today (its bundle is org.mozilla.firefox), so it needs no change.

Testing. Two layers, matching how the codebase already tests CPE rules:

  • An offline unit test (TestFirefoxDeveloperEditionTranslation) loads the real shipped cpe_translations.json and asserts Developer Edition translates to mozilla:firefox with no sw_edition. It needs no CPE dictionary or network, so it runs in the fast suite.
  • A case in the network-gated TestCPEFromSoftwareIntegration, alongside the existing regular-Firefox case, asserts the full CPE string against the live NVD dictionary in CI. It reuses the known-good 105.0.1 Firefox entry. The downstream CPE→CVE step is unchanged and already covered for mozilla:firefox by TestTranslateCPEToCVE, so no new CVE-matching test is needed.

Checklist for submitter

  • Changes file added for user-visible changes in changes/, orbit/changes/ or ee/fleetd-chrome/changes.
    See Changes files for more information.

Testing

  • Added/updated automated tests

  • QA'd all new/changed functionality manually — ran TestFirefoxDeveloperEditionTranslation locally against the shipped rule (passes); the full software→CPE resolution against live NVD data is exercised by the network-gated integration case in CI.

Summary by CodeRabbit

  • Bug Fixes
    • Improved recognition of Firefox Developer Edition on macOS so it maps to the expected Firefox vulnerability data.
    • Better handling of version matching for this app, helping scan results stay accurate.

Firefox Developer Edition produced no CPE, so it never matched any Firefox
CVEs and showed as vulnerability-free. Its bundle identifier
(org.mozilla.firefoxdeveloperedition) yields a product token that has no NVD
entry, and it matches none of the name/sanitize/full-text fallbacks either.
Add a CPE translation mapping it to the standard mozilla:firefox product, the
same mechanism the Firefox ESR rule already uses (minus sw_edition, since
Developer Edition tracks standard Firefox advisories).
@raju249 raju249 requested a review from a team as a code owner July 8, 2026 06:19
@coderabbitai

coderabbitai Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: f6ffc995-4fc5-4d44-9a3d-0a3c03b87227

📥 Commits

Reviewing files that changed from the base of the PR and between 31a6bb8 and 2b7b82b.

⛔ Files ignored due to path filters (1)
  • changes/48689-firefox-developer-edition-cpe.md is excluded by !**/*.md
📒 Files selected for processing (3)
  • server/vulnerabilities/nvd/cpe_test.go
  • server/vulnerabilities/nvd/cpe_translations.json
  • server/vulnerabilities/nvd/cpe_translations_test.go

Walkthrough

This change adds a new CPE translation rule for Firefox Developer Edition, mapping the macOS bundle identifier org.mozilla.firefoxdeveloperedition to the mozilla:firefox product/vendor pair in cpe_translations.json. Corresponding tests were added: a new case in the CPE integration test suite verifying the expected CPE output for Firefox Developer Edition, and a dedicated test loading the real translations file to validate the translation rule and resulting filter fields.

Changes

Area Change
Translations data Added mapping for org.mozilla.firefoxdeveloperedition bundle identifier to firefox/mozilla product/vendor
Integration tests Added test case for Firefox Developer Edition CPE resolution
Unit tests Added dedicated test validating the translation rule against the real translations file

Sequence Diagram(s)

sequenceDiagram
  participant Test as TestFirefoxDeveloperEditionTranslation
  participant Translations as translations.Translate
  participant JSON as cpe_translations.json

  Test->>JSON: Load cpe_translations.json
  Test->>Translations: Translate(Firefox Developer Edition software)
  Translations-->>Test: filter.Product=firefox, filter.Vendor=mozilla
Loading

Related issues: #48689 — resolves the missing generated_cpe for Firefox Developer Edition by adding the translation mapping.

Suggested labels: bug, vulnerability-processing, nvd

Suggested reviewers: getvictor, sharon-fdm

Poem

A rabbit hopped through Firefox's den,
Found "Developer Edition" missing again.
With JSON in paw and a mapping so neat,
Mozilla now knows this fox by its feet.
CPEs align, vulnerabilities found —
Another small burrow of bugs safely bound. 🦊🐇

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly summarizes the main change: adding Firefox Developer Edition CPE generation on macOS.
Description check ✅ Passed The description includes the related issue, summary, out-of-scope note, and testing checklist, matching the template well.
Linked Issues check ✅ Passed The code and tests add the Firefox Developer Edition translation to mozilla:firefox with no sw_edition, matching #48689's expected behavior.
Out of Scope Changes check ✅ Passed The visible changes stay focused on the Firefox Developer Edition CPE translation and related tests, with no unrelated edits apparent.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@codecov

codecov Bot commented Jul 8, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 68.11%. Comparing base (31a6bb8) to head (2b7b82b).

Additional details and impacted files
@@            Coverage Diff             @@
##             main   #48924      +/-   ##
==========================================
- Coverage   68.12%   68.11%   -0.01%     
==========================================
  Files        3708     3708              
  Lines      235053   235053              
  Branches    12502    12502              
==========================================
- Hits       160119   160100      -19     
- Misses      60570    60584      +14     
- Partials    14364    14369       +5     
Flag Coverage Δ
backend 69.72% <ø> (-0.01%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

False negative CVE: no generated_cpe for com.mozilla.firefoxdeveloperedition resulting in missing vulnerabilities

1 participant