OS list/detail shows the same CVE twice when an OS version has multiple architectures #27061
Labels:
~backend: Backend-related issue.
bug: Something isn't working as documented
#g-software: Software product group
:incoming: New issue in triage process.
~vulnerability-management
Fleet version: 4.65RC and older
Actual behavior
CVE-2025-24201 is shown twice for macOS 15.3.1.
Steps to reproduce
Enroll an Intel Mac and an Arm Mac, both on the same macOS version, on a version old enough to have a CVE. Then run vulnerabilities and check the OS version detail page.
This is also visible in the OS list view when hovering the vulnerabilities column for an affected version.
See Dogfood. The duplicate is from the API, so this is a backend issue.
To fix
Since we don't split out different architectures in the UI for OS version, seems like we need to merge rows for the OS vulnerabilities query so there is one result row per CVE per name/version combo, even if there are multiple architectures and thus multiple rows.
If we want to split out OS versions by architecture later we can revise the query logic to look at vulns by OS version ID rather than by name/version, which will give us one row per vuln.
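The row fan-out and the proposed merge, as an added example that is not Fleet's code or schema: the table names, column names and the `CVE-0000-0001` placeholder are assumptions, and SQLite stands in for the real database. It shows that selecting by name/version returns one row per architecture row, while grouping by name, version and CVE returns each CVE once without dropping a CVE that affects only one architecture.

```python
import sqlite3

# Hypothetical, simplified schema (not Fleet's real tables): one
# operating_systems row per architecture, vulnerabilities keyed by that row.
SCHEMA = """
CREATE TABLE operating_systems (id INTEGER PRIMARY KEY, name TEXT, version TEXT, arch TEXT);
CREATE TABLE os_vulnerabilities (os_id INTEGER, cve TEXT);
"""
# Constructed data: an Intel and an Arm Mac on the same macOS version.
OS_ROWS = [(1, "macOS", "15.3.1", "x86_64"), (2, "macOS", "15.3.1", "arm64")]
# CVE-0000-0001 is a placeholder that affects only one architecture row.
VULN_ROWS = [(1, "CVE-2025-24201"), (2, "CVE-2025-24201"), (2, "CVE-0000-0001")]

JOIN = """
FROM os_vulnerabilities v
JOIN operating_systems os ON os.id = v.os_id
WHERE os.name = ? AND os.version = ?
"""
# One result row per matching architecture row: the duplicate in the report.
PER_ARCH_ROW = "SELECT v.cve" + JOIN + "ORDER BY v.cve"
# One result row per CVE per name/version, whatever the architecture count.
MERGED = "SELECT v.cve" + JOIN + "GROUP BY os.name, os.version, v.cve ORDER BY v.cve"


def open_db():
    """Build the in-memory database with the constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO operating_systems VALUES (?, ?, ?, ?)", OS_ROWS)
    db.executemany("INSERT INTO os_vulnerabilities VALUES (?, ?)", VULN_ROWS)
    return db


def cves_for(db, query, name, version):
    """Return the CVE column of `query` for one OS name/version."""
    return [row[0] for row in db.execute(query, (name, version))]


if __name__ == "__main__":
    db = open_db()
    print("per row:", cves_for(db, PER_ARCH_ROW, "macOS", "15.3.1"))
    print("merged: ", cves_for(db, MERGED, "macOS", "15.3.1"))
```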