
add CVE chart filtering#47470

Draft
sgress454 wants to merge 1 commit into main from sgress454/44746-add-cve-filtering

Conversation

@sgress454

@sgress454 sgress454 commented Jun 11, 2026

Contributor

Related issue: Resolves #44746

Checklist for submitter

If some of the following don't apply, delete the relevant line.

  • Changes file added for user-visible changes in changes/, orbit/changes/ or ee/fleetd-chrome/changes. See Changes files for more information.

  • Input data is properly validated, SELECT * is avoided, SQL injection is prevented (using placeholders for values in statements), JS inline code is prevented especially for url redirects, and untrusted data interpolated into shell scripts/commands is validated against shell metacharacters.

  • Timeouts are implemented and retries are limited to avoid infinite loops

  • If paths of existing endpoints are modified without backwards compatibility, checked the frontend/CLI for any necessary changes

Testing

For unreleased bug fixes in a release candidate, one of:

  • Confirmed that the fix is not expected to adversely impact load test results
  • Alerted the release DRI if additional load testing is needed

Database migrations

  • Checked schema for all modified tables for columns that will auto-update timestamps during migration.
  • Confirmed that updating the timestamps is acceptable, and will not cause unwanted side effects.
  • Ensured the correct collation is explicitly set for character columns (COLLATE utf8mb4_unicode_ci).

New Fleet configuration settings

  • Setting(s) is/are explicitly excluded from GitOps

If you didn't check the box above, follow this checklist for GitOps-enabled settings:

  • Verified that the setting is exported via fleetctl generate-gitops
  • Verified the setting is documented in a separate PR to the GitOps documentation
  • Verified that the setting is cleared on the server if it is not supplied in a YAML file (or that it is documented as being optional)
  • Verified that any relevant UI is disabled when GitOps mode is enabled

fleetd/orbit/Fleet Desktop

  • Verified compatibility with the latest released version of Fleet (see Must rule)
  • If the change applies to only one platform, confirmed that runtime.GOOS is used as needed to isolate changes
  • Verified that fleetd runs on macOS, Linux and Windows
  • Verified auto-update works from the released version of component to the new version (see tools/tuf/test)

Summary by CodeRabbit

  • New Features

    • Added advanced CVE filtering options including software categories, EPSS score ranges, severity levels, and known exploit status.
    • Enabled ability to exclude specific CVEs from chart data.
    • Expanded CVE data collection to include all collectible vulnerabilities across severities.
  • Tests

    • Added comprehensive test coverage for CVE chart filtering and entity resolution.

@sgress454

Contributor Author

@coderabbitai review

@coderabbitai

coderabbitai Bot commented Jun 11, 2026

Contributor
✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@coderabbitai

coderabbitai Bot commented Jun 11, 2026

Contributor

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: ee66f43c-d09d-4910-9fba-0175b23ef820

📥 Commits

Reviewing files that changed from the base of the PR and between 17d80dc and a390fd5.

📒 Files selected for processing (12)
  • server/chart/api/chart.go
  • server/chart/api/http/types.go
  • server/chart/bootstrap/bootstrap.go
  • server/chart/datasets.go
  • server/chart/internal/mysql/charts.go
  • server/chart/internal/mysql/cve_filter_test.go
  • server/chart/internal/service/handler.go
  • server/chart/internal/service/service.go
  • server/chart/internal/service/service_test.go
  • server/chart/internal/testutils/testutils.go
  • server/chart/internal/types/chart.go
  • tools/charts-backfill/main.go

Walkthrough

This PR refactors the CVE chart data flow by replacing a single TrackedCriticalCVEs method with a two-phase pattern: CollectibleCVEs returns the full curated universe of CVE IDs, and ResolveCVEChartEntities applies read-time filters (software category, CVSS/EPSS bounds, known-exploit flag, CVE exclusions) to produce a display-ready allow-set. Changes span API contracts, HTTP request/response types, MySQL datastore implementation with software matchers categorized by CVECategory* constants, service layer entity resolution, bootstrap helpers, and comprehensive test coverage validating collection scope and filter resolution across all dimensions.

Possibly related issues

  • fleetdm/fleet#44746: This PR implements the backend API contract and filtering logic needed to support CVE chart filtering by software category and CVSS/EPSS bounds specified in that vulnerability exposure filtering story.

Possibly related PRs

  • fleetdm/fleet#45813: Both PRs update the CVE chart GetChartData read-path logic to move away from TrackedCriticalCVEs for entity-ID selection; this PR implements the new entity resolution path while the related PR removes the call entirely.
  • fleetdm/fleet#45247: Both PRs refactor the CVE collection scope in CVEDataset: the related PR constrains collection to tracked critical CVEs, while this PR broadens the collection to a "collectible" universe and defers narrowing to read-time resolution via ResolveCVEChartEntities.
🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

  • Docstring Coverage: ⚠️ Warning. Docstring coverage is 61.90%, which is insufficient; the required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

  • Title check: ✅ Passed. The title 'add CVE chart filtering' is concise and directly summarizes the main change: adding filtering capabilities to the CVE chart API.
  • Description check: ✅ Passed. The PR description matches the required template with the related issue #44746 filled in, though all checklist items remain unchecked per the incomplete state of this draft PR.
  • Linked Issues check: ✅ Passed. The PR changes implement the engineering REST API requirements for CVE chart filtering: new filter parameters (software categories, known exploit, EPSS/severity bounds, excluded CVEs) are added to RequestOpts and HTTP types; the database layer supports CollectibleCVEs and ResolveCVEChartEntities methods; and comprehensive test coverage validates the filtering logic.
  • Out of Scope Changes check: ✅ Passed. All changes are directly related to implementing CVE chart filtering: API contracts, HTTP types, data store methods, service logic, MySQL implementation, tests, and helper utilities all focus on the filtering feature with no unrelated modifications.


@codecov

codecov Bot commented Jun 11, 2026


Codecov Report

❌ Patch coverage is 77.11864% with 27 lines in your changes missing coverage. Please review.
✅ Project coverage is 67.22%. Comparing base (4d82562) to head (a390fd5).
⚠️ Report is 14 commits behind head on main.

Files with missing lines (patch coverage and uncovered lines):
  • server/chart/internal/mysql/charts.go: 81.39% (8 missing and 8 partials) ⚠️
  • server/chart/internal/service/handler.go: 0.00% (7 missing) ⚠️
  • server/chart/bootstrap/bootstrap.go: 0.00% (2 missing) ⚠️
  • server/chart/internal/service/service.go: 89.47% (1 missing and 1 partial) ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main   #47470      +/-   ##
==========================================
+ Coverage   67.20%   67.22%   +0.01%     
==========================================
  Files        3393     3395       +2     
  Lines      228256   228363     +107     
  Branches    11755    11755              
==========================================
+ Hits       153396   153508     +112     
+ Misses      61034    61026       -8     
- Partials    13826    13829       +3     
Flag coverage Δ: backend 68.85% <77.11%> (+0.01%) ⬆️



Development

Successfully merging this pull request may close these issues.

Filtering for vulnerability exposure pt. 1

1 participant