Filter vulnerable software by cvss on my device page

[dantecatalfamo]

Related issue: Resolves #35694

Checklist for submitter

If some of the following don't apply, delete the relevant line.

• Changes file added for user-visible changes in changes/, orbit/changes/ or ee/fleetd-chrome/changes.
  See Changes files for more information.
• Input data is properly validated, SELECT * is avoided, SQL injection is prevented (using placeholders for values in statements), JS inline code is prevented especially for url redirects, and untrusted data interpolated into shell scripts/commands is validated against shell metacharacters.

Testing

• Added/updated automated tests
• QA'd all new/changed functionality manually

Summary by CodeRabbit

• New Features

  • Added CVSS severity score range filtering (min_cvss_score, max_cvss_score) and known exploit status filtering for vulnerable software in Fleet Premium's "My device" tab.

• Improvements

  • Premium-tier license requirement now enforced for vulnerability severity and exploit filters on the device software endpoint.

[codecov]

Codecov Report

❌ Patch coverage is 42.85714% with 4 lines in your changes missing coverage. Please review.
✅ Project coverage is 67.22%. Comparing base (88c8a34) to head (e706d2d).
⚠️ Report is 59 commits behind head on main.

Files with missing lines	Patch %	Lines
...ages/hosts/details/cards/Software/HostSoftware.tsx	0.00%	4 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #47372      +/-   ##
==========================================
+ Coverage   67.18%   67.22%   +0.03%     
==========================================
  Files        3177     3394     +217     
  Lines      227069   228352    +1283     
  Branches    11743    11766      +23     
==========================================
+ Hits       152565   153507     +942     
- Misses      60766    61023     +257     
- Partials    13738    13822      +84     

Flag	Coverage Δ
backend	68.85% <100.00%> (+0.02%)	⬆️
frontend	58.01% <0.00%> (+0.18%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[Copilot]

Pull request overview

Adds support for filtering vulnerable software on the device-authenticated “My device” software inventory endpoint by CVSS score range and “known exploited” status, while enforcing Fleet Premium licensing for those severity-based filters.

Changes:

• Added integration coverage for CVSS/exploit filtering behavior on the device token endpoint (premium) and missing-license behavior (free tier).
• Enforced Fleet Premium gating in ListHostSoftware when severity-based vulnerability filters are requested.
• Wired frontend “My device” software UI to pass premium-tier status and accept the new query params; documented the new endpoint parameters for contributors.

Reviewed changes

Copilot reviewed 5 out of 6 changed files in this pull request and generated 1 comment.

Show a summary per file

File	Description
server/service/integration_enterprise_test.go	Adds premium integration assertions for CVSS/exploit filters on the device software endpoint.
server/service/integration_desktop_test.go	Verifies free-tier rejects premium severity filters (402) while still allowing vulnerable=true.
server/service/hosts.go	Enforces Premium license requirement when CVSS/exploit filters are used.
frontend/pages/hosts/details/DeviceUserPage/DeviceUserPage.tsx	Extends query typing and passes premium-tier flag into the “My device” software card.
frontend/pages/hosts/details/cards/Software/HostSoftware.tsx	Uses passed premium-tier flag for token-authenticated “My device” view (no app session context).
docs/Contributing/reference/api-for-contributors.md	Documents new query parameters for device software listing (with a needed correction noted in review).

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 1bdaa6ea-e6ab-440d-855d-5455a99d7b80

📥 Commits

Reviewing files that changed from the base of the PR and between a78b878 and e706d2d.

📒 Files selected for processing (1)

• changes/35694-device-software-cvss-filter

---

Walkthrough

This PR adds CVSS range and known-exploit query parameters (min_cvss_score, max_cvss_score, exploit) to the device-authenticated GET /device/{token}/software flow, extends the My Device frontend to accept those query params and pass isPremiumTier to HostSoftware, enforces Premium-only access for those filters in ListHostSoftware (returning ErrMissingLicense / 402 when used on free tier), and adds integration tests covering behavior and license gating including boundary and validation cases.

Possibly related issues

• Filtering for vulnerability exposure pt. 1 #44746: Implements CVSS/exploit vulnerability filters and Premium gating for the device software endpoint/UI, matching the feature described.
• View critical vulnerabilities that contribute to issues count on "My device" page #35652: Implements My Device critical-vulnerability filtering via CVSS/exploit query params and frontend premium prop plumbing.
• Improve self-service software vulnerability filter #46435: Adds CVSS score and exploit query parameters and enforces premium-only access for device/self-service software filtering.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the main change: adding CVSS filtering for vulnerable software on the My device page, which is the core feature in this PR.
Description check	✅ Passed	The PR description follows the template with the linked issue, critical checklist items marked, but omits several non-critical sections (database migrations, security details, fleetd/orbit checks).
Linked Issues check	✅ Passed	The changes fully implement the API requirements from issue #35694: backend premium-tier enforcement for CVSS/exploit filters [35694], frontend prop passing for premium status [35694], and comprehensive test coverage [35694].
Out of Scope Changes check	✅ Passed	All changes are directly scoped to the linked issue #35694: API parameter additions, premium-tier gating, frontend prop handling, and test coverage for the new filtering feature.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch 35694-filter-cvss-criticality

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}