
Filter vulnerable software by cvss on my device page#47372

Open
dantecatalfamo wants to merge 3 commits into main from 35694-filter-cvss-criticality

Conversation

dantecatalfamo (Member) commented Jun 10, 2026

Related issue: Resolves #35694

Checklist for submitter

If some of the following don't apply, delete the relevant line.

  • Changes file added for user-visible changes in changes/, orbit/changes/ or ee/fleetd-chrome/changes.
    See Changes files for more information.
  • Input data is properly validated, SELECT * is avoided, SQL injection is prevented (using placeholders for values in statements), JS inline code is prevented especially for url redirects, and untrusted data interpolated into shell scripts/commands is validated against shell metacharacters.

Testing

  • Added/updated automated tests
  • QA'd all new/changed functionality manually

Summary by CodeRabbit

  • New Features

    • Added CVSS severity score range filtering (min_cvss_score, max_cvss_score) and known exploit status filtering for vulnerable software in Fleet Premium's "My device" tab.
  • Improvements

    • Premium-tier license requirement now enforced for vulnerability severity and exploit filters on the device software endpoint.

Copilot AI review requested due to automatic review settings June 10, 2026 20:37
@dantecatalfamo dantecatalfamo requested review from a team and rachaelshaw as code owners June 10, 2026 20:37
codecov Bot commented Jun 10, 2026

Codecov Report

❌ Patch coverage is 42.85714% with 4 lines in your changes missing coverage. Please review.
✅ Project coverage is 67.22%. Comparing base (88c8a34) to head (e706d2d).
⚠️ Report is 59 commits behind head on main.

Files with missing lines (patch coverage, lines missing):
  • ...ages/hosts/details/cards/Software/HostSoftware.tsx: 0.00% patch coverage, 4 lines missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main   #47372      +/-   ##
==========================================
+ Coverage   67.18%   67.22%   +0.03%     
==========================================
  Files        3177     3394     +217     
  Lines      227069   228352    +1283     
  Branches    11743    11766      +23     
==========================================
+ Hits       152565   153507     +942     
- Misses      60766    61023     +257     
- Partials    13738    13822      +84     
Coverage Δ by flag:
  • backend: 68.85% <100.00%> (+0.02%) ⬆️
  • frontend: 58.01% <0.00%> (+0.18%) ⬆️


Copilot AI (Contributor) left a comment

Pull request overview

Adds support for filtering vulnerable software on the device-authenticated “My device” software inventory endpoint by CVSS score range and “known exploited” status, while enforcing Fleet Premium licensing for those severity-based filters.

Changes:

  • Added integration coverage for CVSS/exploit filtering behavior on the device token endpoint (premium) and missing-license behavior (free tier).
  • Enforced Fleet Premium gating in ListHostSoftware when severity-based vulnerability filters are requested.
  • Wired frontend “My device” software UI to pass premium-tier status and accept the new query params; documented the new endpoint parameters for contributors.

Reviewed changes

Copilot reviewed 5 out of 6 changed files in this pull request and generated 1 comment.

Summary per file:
  • server/service/integration_enterprise_test.go: Adds premium integration assertions for CVSS/exploit filters on the device software endpoint.
  • server/service/integration_desktop_test.go: Verifies free-tier rejects premium severity filters (402) while still allowing vulnerable=true.
  • server/service/hosts.go: Enforces Premium license requirement when CVSS/exploit filters are used.
  • frontend/pages/hosts/details/DeviceUserPage/DeviceUserPage.tsx: Extends query typing and passes premium-tier flag into the “My device” software card.
  • frontend/pages/hosts/details/cards/Software/HostSoftware.tsx: Uses passed premium-tier flag for token-authenticated “My device” view (no app session context).
  • docs/Contributing/reference/api-for-contributors.md: Documents new query parameters for device software listing (with a needed correction noted in review).


Comment thread docs/Contributing/reference/api-for-contributors.md
coderabbitai Bot (Contributor) commented Jun 10, 2026

No actionable comments were generated in the recent review. 🎉


Commits: reviewing files that changed from the base of the PR and between a78b878 and e706d2d.

Files selected for processing (1):
  • changes/35694-device-software-cvss-filter

Walkthrough

This PR adds CVSS range and known-exploit query parameters (min_cvss_score, max_cvss_score, exploit) to the device-authenticated GET /device/{token}/software flow, extends the My Device frontend to accept those query params and pass isPremiumTier to HostSoftware, enforces Premium-only access for those filters in ListHostSoftware (returning ErrMissingLicense / 402 when used on free tier), and adds integration tests covering behavior and license gating including boundary and validation cases.


🚥 Pre-merge checks: 5 passed
  • Title check: ✅ Passed. The title accurately describes the main change: adding CVSS filtering for vulnerable software on the My device page, which is the core feature in this PR.
  • Description check: ✅ Passed. The PR description follows the template with the linked issue, critical checklist items marked, but omits several non-critical sections (database migrations, security details, fleetd/orbit checks).
  • Linked Issues check: ✅ Passed. The changes fully implement the API requirements from issue #35694: backend premium-tier enforcement for CVSS/exploit filters [35694], frontend prop passing for premium status [35694], and comprehensive test coverage [35694].
  • Out of Scope Changes check: ✅ Passed. All changes are directly scoped to the linked issue #35694: API parameter additions, premium-tier gating, frontend prop handling, and test coverage for the new filtering feature.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

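As an added illustration (not Fleet's code) of the gating the walkthrough describes: severity or exploit filters return the missing-license error on free tier, a plain vulnerable listing still works there, and a CVSS bound outside 0-10 or a min above max is rejected before any data is read. The type names, the error message and the `exploit=false` semantics are assumptions; Fleet applies the filters in SQL, this applies them to a constructed in-memory list.

```go
package main
import "errors"

// ErrMissingLicense stands in for the 402 "missing license" error the PR describes (assumed name).
var ErrMissingLicense = errors.New("missing or invalid license: premium feature")
// VulnSoftware is a constructed row of the vulnerable=true inventory; CVSS is nil when unscored.
type VulnSoftware struct {
	Name         string
	CVSS         *float64
	KnownExploit bool
}
// VulnFilters mirrors min_cvss_score, max_cvss_score and exploit; nil means "not supplied".
type VulnFilters struct {
	MinCVSS, MaxCVSS *float64
	Exploit          *bool
}
func outOfRange(v *float64) bool { return v != nil && (*v < 0 || *v > 10) }
// ValidateFilters is the license gate: any severity or exploit filter needs Premium, and malformed ranges are rejected first.
func ValidateFilters(f VulnFilters, premium bool) error {
	if (f.MinCVSS != nil || f.MaxCVSS != nil || f.Exploit != nil) && !premium {
		return ErrMissingLicense
	}
	if outOfRange(f.MinCVSS) || outOfRange(f.MaxCVSS) {
		return errors.New("cvss score outside 0-10")
	}
	if f.MinCVSS != nil && f.MaxCVSS != nil && *f.MinCVSS > *f.MaxCVSS {
		return errors.New("min_cvss_score greater than max_cvss_score")
	}
	return nil
}
// FilterVulnerable applies the filters in memory (Fleet does it in SQL).
func FilterVulnerable(items []VulnSoftware, f VulnFilters, premium bool) ([]VulnSoftware, error) {
	if err := ValidateFilters(f, premium); err != nil {
		return nil, err
	}
	var out []VulnSoftware
	for _, s := range items {
		if (f.MinCVSS != nil || f.MaxCVSS != nil) && s.CVSS == nil {
			continue // an unscored vulnerability never matches a CVSS range
		}
		if (f.MinCVSS != nil && *s.CVSS < *f.MinCVSS) ||
			(f.MaxCVSS != nil && *s.CVSS > *f.MaxCVSS) ||
			(f.Exploit != nil && s.KnownExploit != *f.Exploit) {
			continue
		}
		out = append(out, s)
	}
	return out, nil
}
```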

@dantecatalfamo dantecatalfamo marked this pull request as draft June 10, 2026 20:51
@dantecatalfamo dantecatalfamo marked this pull request as ready for review June 11, 2026 20:12


Development

Successfully merging this pull request may close these issues.

Filter vulnerable software by 'criticality' (CVSS score) on Fleet desktop my device page

4 participants