Add RHEL OSV vulnerability scanning

[mostlikelee]

Closes #43184

Changes

Adds RHEL OSV support to Fleet's vulnerability scanning pipeline, gated by the existing osv_for_vulnerabilities config flag. When enabled, Fleet downloads RHEL OSV artifacts from GitHub releases, matches them against installed RPM software, and replaces both OVAL and goval-dictionary as the RHEL vulnerability source.

What's new

Data model — RHELOSVSource (value 9) added to VulnerabilitySource enum

Sync (server/vulnerabilities/osv/sync.go)

• RefreshRHEL() downloads RHEL OSV artifacts from GitHub releases
• getNeededRHELVersions() extracts major versions from RHEL hosts, skips Fedora
• removeOldRHELOSVArtifacts() cleans up stale artifacts
• Downloader updated to match both osv-ubuntu-* and osv-rhel-* assets

Analyzer (server/vulnerabilities/osv/analyzer.go)

• AnalyzeRHEL() scans RHEL hosts against OSV artifacts
• matchSoftwareToRHELOSV() maps kernel variants (kernel-core, kernel-modules, etc.) to kernel
• isVulnerableRPM() compares RPM versions via utils.Rpmvercmp() (handles epochs)
• extractRHELMajorVersion() parses OSVersion.Version (e.g., "9.4.0" → "9")
• IsPlatformSupported() now returns true for both ubuntu and rhel

Cron (cmd/fleet/cron.go)

• checkRHELOSVVulnerabilities() orchestrates refresh + analyze
• RHEL excluded from OVAL and goval-dictionary when OSV enabled
• Fedora hosts (platform: "rhel", name: "Fedora...") stay in OVAL/goval — Red Hat OSV data does not cover Fedora
• Cleanup functions for RHEL OVAL → OSV transition
• GovalDictionarySource not bulk-deleted (shared with Amazon Linux) — relies on natural aging

Fedora handling

Fedora reports platform: "rhel" in osquery. Red Hat OSV data does not include Fedora. Fedora hosts are explicitly skipped in:

• getNeededRHELVersions() — no artifact downloaded
• AnalyzeRHEL() — returns ErrUnsupportedPlatform
• OVAL/goval exclusion — Fedora kept in both scanners

Test plan

• go test -v ./server/vulnerabilities/osv/... — all tests pass (existing + new)
• make lint-go — 0 issues

New tests:

• TestExtractRHELMajorVersion — version parsing
• TestIsVulnerableRPM — epoch handling, version/release comparison, introduced ranges
• TestMatchSoftwareToRHELOSV — kernel-* mapping, regular packages, patched packages
• TestGetNeededRHELVersions — version extraction, Fedora skip, dedup
• TestRemoveOldRHELOSVArtifacts — cleanup isolation (RHEL vs Ubuntu artifacts)
• TestRHELOSVFilename — filename generation
• TestIsPlatformSupported — updated: RHEL now supported

Manual verification:

# Generate artifacts
go run ./cmd/osv-processor --platform rhel \
  --input /tmp/rhel-osv --output /tmp/rhel-artifacts --versions "8,9"

# Copy to Fleet vuln path and run with:
#   vulnerabilities.osv_for_vulnerabilities: true

Dependencies

• Add RHEL support to osv-processor #43277 (osv-processor --platform rhel support)
• Add RHEL OSV feed generation vulnerabilities#32 (workflow to generate RHEL artifacts in CI)

Summary by CodeRabbit

• New Features

  • Enabled vulnerability scanning for RHEL systems via OSV
  • Introduced new vulnerability source type for RHEL detection
  • Enhanced platform-specific vulnerability handling with improved cleanup procedures
  • Added special handling for Fedora platform identification

• Tests

  • Added comprehensive test coverage for new RHEL vulnerability analysis features

[mostlikelee]

@coderabbitai full review

[coderabbitai]

✅ Actions performed

Full review triggered.

[coderabbitai]

Walkthrough

This pull request adds support for syncing and analyzing OSV (Open Source Vulnerabilities) feeds for RHEL systems. The changes extend the existing OSV scanning infrastructure to handle RHEL-specific vulnerability data by introducing artifact download logic for RHEL OSV feeds, RPM package vulnerability matching, platform-specific processing, and a new vulnerability source enum. The cron scheduler is updated to orchestrate RHEL OSV checks alongside existing OVAL scanning with conditional cleanup of stale vulnerabilities based on configuration state.

Possibly related PRs

• Use OSV for ubuntu vulnerability scanning #42063: Extends the same OSV scanning pipeline—the retrieved PR introduces Ubuntu OSV support while this PR adds RHEL OSV feed handling to the analyzer and sync components.
• 33990 scan goval #39749: Modifies RHEL kernel vulnerability scanning in the same cron scheduler and goval-dictionary platform selection logic that this PR adjusts for OSV coverage.
• Added vulnerabilities cleanup cron #41195: Alters the vulnerability cleanup behavior in the cron scheduler for stale OSV/OVAL records that this PR extends with RHEL-specific cleanup logic.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 58.33% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'Add RHEL OSV vulnerability scanning' clearly and concisely summarizes the main change—introducing RHEL OSV support to the vulnerability scanning pipeline.
Description check	✅ Passed	The description is comprehensive, covers all major changes across files, includes testing details, and references the related issue #43184. It follows the template's key sections and provides clear context.
Linked Issues check	✅ Passed	The PR fully addresses issue #43184 objectives: syncing RHEL OSV feeds via RefreshRHEL(), analyzing feeds via AnalyzeRHEL(), and providing manual verification steps with test coverage.
Out of Scope Changes check	✅ Passed	All changes are directly aligned with adding RHEL OSV support. File modifications focus on sync/analyzer logic, data models, and cron orchestration—no unrelated refactoring or scope creep detected.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch tlee/43184-rhel-osv-server

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@cmd/fleet/cron.go`:
- Line 481: The call to cleanupStaleRHELOSVVulnerabilities is being executed
unconditionally, which can delete the old RHEL source even when the
replacement/sync/analyze step failed; change the flow so
cleanupStaleRHELOSVVulnerabilities(ctx, ds, logger,
config.OSVForVulnerabilities) only runs after the replacement pass completes
successfully — locate the code path that flips or performs the replacement of
osv_for_vulnerabilities and move or wrap the cleanup call inside the success
branch (check the success/err return of that replacement/sync/analyze function),
and apply the same gating to the other occurrences mentioned (the calls around
the later lines 636-637).

In `@server/vulnerabilities/osv/analyzer.go`:
- Around line 27-30: The IsPlatformSupported helper was broadened to include
"rhel" which causes Analyze to route RHEL artifacts into Ubuntu-specific logic
(extractUbuntuVersion, loadOSVArtifact) and produce errors instead of
ErrUnsupportedPlatform; revert or split this check so that IsPlatformSupported
only returns true for Ubuntu (or create a new generic helper like
IsLinuxPlatform and a distinct IsUbuntuPlatform used by Analyze). Update Analyze
to call the Ubuntu-specific gate (IsUbuntuPlatform) before invoking
extractUbuntuVersion/loadOSVArtifact, and ensure RHEL paths return
ErrUnsupportedPlatform or use their own analyzer when checkOSVVulnerabilities
iterates OS versions.
- Around line 452-458: The RHEL/RPM vulnerability handling omits the feed's fix
information; update the vuln append in the RPM path so that the
fleet.SoftwareVulnerability includes ResolvedInVersion set to vuln.Fixed
(similar to the Ubuntu path). Locate the loop over vulns where
isVulnerableRPM(sw.Version, sw.Release, vuln) is checked and add
ResolvedInVersion: vuln.Fixed to the constructed fleet.SoftwareVulnerability so
fixed RPM versions from the feed are preserved.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 36a40d83-19dd-4b54-a90c-1a450f6266d6

📥 Commits

Reviewing files that changed from the base of the PR and between 90f75f1 and d8a65f7.

📒 Files selected for processing (7)

• cmd/fleet/cron.go
• server/fleet/vulnerabilities.go
• server/vulnerabilities/osv/analyzer.go
• server/vulnerabilities/osv/analyzer_test.go
• server/vulnerabilities/osv/downloader.go
• server/vulnerabilities/osv/sync.go
• server/vulnerabilities/osv/sync_test.go

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Only purge the previous RHEL source after the replacement scan succeeds.

These deletes run even when the replacement path failed to sync or analyze. In that case, flipping osv_for_vulnerabilities can wipe the old RHEL source and leave hosts with no RHEL vuln coverage until a later successful run. Please gate the cleanup on a successful replacement pass instead of calling it unconditionally.

Also applies to: 636-637

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@cmd/fleet/cron.go` at line 481, The call to
cleanupStaleRHELOSVVulnerabilities is being executed unconditionally, which can
delete the old RHEL source even when the replacement/sync/analyze step failed;
change the flow so cleanupStaleRHELOSVVulnerabilities(ctx, ds, logger,
config.OSVForVulnerabilities) only runs after the replacement pass completes
successfully — locate the code path that flips or performs the replacement of
osv_for_vulnerabilities and move or wrap the cleanup call inside the success
branch (check the success/err return of that replacement/sync/analyze function),
and apply the same gating to the other occurrences mentioned (the calls around
the later lines 636-637).

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Don't route RHEL through the existing Ubuntu analyzer.

Broadening IsPlatformSupported here also changes the early gate in Analyze, but that code path still assumes Ubuntu artifacts (extractUbuntuVersion/loadOSVArtifact). Since checkOSVVulnerabilities() iterates every OS version, RHEL entries now fall into the Ubuntu analyzer and error instead of returning ErrUnsupportedPlatform. Please keep the Ubuntu analyzer gate explicit, or split the generic platform helper from the Ubuntu-specific one.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@server/vulnerabilities/osv/analyzer.go` around lines 27 - 30, The
IsPlatformSupported helper was broadened to include "rhel" which causes Analyze
to route RHEL artifacts into Ubuntu-specific logic (extractUbuntuVersion,
loadOSVArtifact) and produce errors instead of ErrUnsupportedPlatform; revert or
split this check so that IsPlatformSupported only returns true for Ubuntu (or
create a new generic helper like IsLinuxPlatform and a distinct IsUbuntuPlatform
used by Analyze). Update Analyze to call the Ubuntu-specific gate
(IsUbuntuPlatform) before invoking extractUbuntuVersion/loadOSVArtifact, and
ensure RHEL paths return ErrUnsupportedPlatform or use their own analyzer when
checkOSVVulnerabilities iterates OS versions.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Preserve the fixed RPM in ResolvedInVersion.

The Ubuntu OSV path already carries vuln.Fixed into ResolvedInVersion, but the RHEL path drops it. That loses remediation info for every RHEL vulnerability row even when the feed provides a fixed package version.

Proposed fix

 		for _, vuln := range vulns {
 			if isVulnerableRPM(sw.Version, sw.Release, vuln) {
+				var resolvedIn *string
+				if vuln.Fixed != "" {
+					fixed := vuln.Fixed
+					resolvedIn = &fixed
+				}
 				result = append(result, fleet.SoftwareVulnerability{
-					SoftwareID: sw.ID,
-					CVE:        vuln.CVE,
+					SoftwareID:        sw.ID,
+					CVE:               vuln.CVE,
+					ResolvedInVersion: resolvedIn,
 				})
 			}
 		}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@server/vulnerabilities/osv/analyzer.go` around lines 452 - 458, The RHEL/RPM
vulnerability handling omits the feed's fix information; update the vuln append
in the RPM path so that the fleet.SoftwareVulnerability includes
ResolvedInVersion set to vuln.Fixed (similar to the Ubuntu path). Locate the
loop over vulns where isVulnerableRPM(sw.Version, sw.Release, vuln) is checked
and add ResolvedInVersion: vuln.Fixed to the constructed
fleet.SoftwareVulnerability so fixed RPM versions from the feed are preserved.

[codecov]

Codecov Report

❌ Patch coverage is 29.24188% with 196 lines in your changes missing coverage. Please review.
✅ Project coverage is 66.81%. Comparing base (b2e6162) to head (d8a65f7).
⚠️ Report is 44 commits behind head on main.

Files with missing lines	Patch %	Lines
server/vulnerabilities/osv/analyzer.go	24.30%	108 Missing and 1 partial ⚠️
cmd/fleet/cron.go	5.26%	50 Missing and 4 partials ⚠️
server/vulnerabilities/osv/sync.go	55.55%	23 Missing and 5 partials ⚠️
server/vulnerabilities/osv/downloader.go	61.53%	5 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #43377      +/-   ##
==========================================
- Coverage   66.85%   66.81%   -0.04%     
==========================================
  Files        2588     2590       +2     
  Lines      207579   207921     +342     
  Branches     9175     9175              
==========================================
+ Hits       138778   138929     +151     
- Misses      56166    56345     +179     
- Partials    12635    12647      +12     

Flag	Coverage Δ
backend	68.59% <29.24%> (-0.05%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.