From 206921751c068fd96f31fbb28faf6fab18da0d8a Mon Sep 17 00:00:00 2001
From: Ian Littman
Date: Thu, 10 Oct 2024 17:29:57 -0500
Subject: [PATCH] 4.57 Cherry-Pick: Strip RSR suffixes prior to handing off OS version from Nudge check to Semver comparison (#22842)
Cherry-pick for patch release of #22830, for #22829 Fixes 500s in config endpoint when a machine with an RSR version installed is in a team with enforced macOS updates
---------
Co-authored-by: Tim Lee
---
 changes/22829-nudge-500-fix | 1 +
 server/fleet/operating_systems.go | 5 ++++-
 server/fleet/operating_systems_test.go | 4 ++++
 server/vulnerabilities/nvd/cve_test.go | 2 +-
 4 files changed, 10 insertions(+), 2 deletions(-)
 create mode 100644 changes/22829-nudge-500-fix
diff --git a/changes/22829-nudge-500-fix b/changes/22829-nudge-500-fix
new file mode 100644
index 000000000000..439923c534fd
--- /dev/null
+++ b/changes/22829-nudge-500-fix
@@ -0,0 +1 @@
+* Fixes Orbit configuration endpoint 500s for Macs running Rapid Security Response macOS releases that are enrolled in OS major version enforcement
diff --git a/server/fleet/operating_systems.go b/server/fleet/operating_systems.go
index dda49c63f2c3..04189730cf22 100644
--- a/server/fleet/operating_systems.go
+++ b/server/fleet/operating_systems.go
@@ -2,6 +2,7 @@ package fleet
 import (
 "fmt"
+ "regexp"
 "strings"
 "github.com/Masterminds/semver"
@@ -34,6 +35,7 @@ func (os OperatingSystem) IsWindows() bool {
 }
 var macOSNudgeLastVersion = semver.MustParse("14")
+var macOSRapidSecurityResponseVersionSuffix = regexp.MustCompile(` \([a-z]\)`)
 // RequiresNudge returns whether the target platform is darwin and
 // below version 14. Starting at macOS 14 nudge is no longer required,
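Review bot: The pattern compiled into `macOSRapidSecurityResponseVersionSuffix` is not anchored, so a parenthesised lowercase letter is stripped wherever it occurs in the version string, not only as a trailing suffix. The version appears to be reported for the host, so it is safer to accept exactly the RSR shape and let anything else fail parsing; ending the pattern with `$`, as in ` \([a-z]\)$`, does that. The variable also has no comment; something like `// macOSRapidSecurityResponseVersionSuffix matches the " (a)"-style suffix of a Rapid Security Response version.` would say what it is for.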
@@ -43,7 +45,8 @@ func (os *OperatingSystem) RequiresNudge() (bool, error) {
 return false, nil
 }
- version, err := semver.NewVersion(os.Version)
+ // strip Rapid Security Response suffix (e.g. version 13.3.7 (a)) if any
+ version, err := semver.NewVersion(macOSRapidSecurityResponseVersionSuffix.ReplaceAllString(os.Version, ``))
 if err != nil {
 return false, fmt.Errorf("parsing macos version \"%s\": %w", os.Version, err)
 }
diff --git a/server/fleet/operating_systems_test.go b/server/fleet/operating_systems_test.go
index 9fc35e686c46..1099d2391350 100644
--- a/server/fleet/operating_systems_test.go
+++ b/server/fleet/operating_systems_test.go
@@ -35,8 +35,12 @@ func TestOperatingSystemRequiresNudge(t *testing.T) {
 {platform: "darwin", parseError: true},
 {platform: "darwin", version: "12.0.9", requiresNudge: true},
 {platform: "darwin", version: "11", requiresNudge: true},
+ {platform: "darwin", version: "13.3.1 (a)", requiresNudge: true},
+ {platform: "darwin", version: "13.4.1 (c)", requiresNudge: true},
 {platform: "darwin", version: "14.0"},
 {platform: "darwin", version: "14.3.2"},
+ {platform: "darwin", version: "15.0.1"},
+ {platform: "darwin", version: "15.0.1 (a)"},
 {platform: "windows"},
 {platform: "windows", version: "12.2"},
 {platform: "windows", version: "15.4"},
diff --git a/server/vulnerabilities/nvd/cve_test.go b/server/vulnerabilities/nvd/cve_test.go
index 691f3e321a7d..f9f8b12562ab 100644
--- a/server/vulnerabilities/nvd/cve_test.go
+++ b/server/vulnerabilities/nvd/cve_test.go
@@ -343,7 +343,7 @@ func TestTranslateCPEToCVE(t *testing.T) {
 },
 "cpe:2.3:a:python:python:3.9.6:*:*:*:*:windows:*:*": {
 includedCVEs: []cve{
- {ID: "CVE-2024-4030", resolvedInVersion: "3.12.4"},
+ {ID: "CVE-2024-4030", resolvedInVersion: "3.9.20"},
 },
 continuesToUpdate: true,
 },
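Review bot: In `RequiresNudge`, only the RSR shape is normalised before `semver.NewVersion`; any other version string that semver rejects still returns the error, which by the commit description is what surfaced as a 500 from the config endpoint. Since `os.Version` appears to come from the host, it is worth deciding in the caller (not visible here) whether a parse failure should fail the whole request or be logged and treated as "no nudge". The unchanged `fmt.Errorf` line interpolates that value with `\"%s\"`; `%q` would escape control characters before the message reaches logs: `return false, fmt.Errorf("parsing macos version %q: %w", os.Version, err)`. The function starts before and continues after this hunk.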
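Review bot: The cases added to `TestOperatingSystemRequiresNudge` exercise only well-formed RSR versions; nothing pins how a near-miss suffix is handled, so a later loosening of the pattern would pass unnoticed. A negative case such as `{platform: "darwin", version: "13.3.1 (ab)", parseError: true},` would fix the boundary; this is a constructed sample, so confirm the expected result against the semver parser. The table and the test body lie outside this hunk.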