Merge branch 'main' into edwardsb-external-vuln-scan-dogfood

Author: edwardsb

.github/ISSUE_TEMPLATE/story.md

@@ -19,11 +19,21 @@ It is [planned and ready](https://fleetdm.com/handbook/company/development-group
 | I want to _________________________________________
 | so that I can _________________________________________.
 
+## Context
+- Requestor(s): _________________________ <!-- Who are the non-customer requestor(s) for this story, if any? Put their GitHub usernames here. They should be notified if the story gets de-prioritized. For customer requestors, use the `customer-xyz` label instead. -->
+- Product designer: _________________________ <!-- Who is the product designer to contact if folks have questions about the UI, CLI, or API changes? -->
+  
+<!--
+What else should contributors [keep in mind](https://fleetdm.com/handbook/company/development-groups#developing-from-wireframes) when working on this change?  (Optional.)
+1. 
+2. 
+-->
+
 ## Changes
 
 ### Product
 - [ ] UI changes: TODO <!-- Insert the link to the relevant Figma cover page. Remove this checkbox if there are no changes to the user interface. -->
-- [ ] CLI usage changes: TODO <!-- Specify what changes to the CLI usage are required. Remove this checkbox if there are no changes to the CLI. -->
+- [ ] CLI usage changes: TODO <!-- Insert the link to the relevant Figma cover page. Remove this checkbox if there are no changes to the CLI. -->
 - [ ] REST API changes: TODO <!-- Specify what changes to the API are required.  Remove this checkbox if there are no changes necessary. The product manager may move this item to the engineering list below if they decide that engineering will design the API changes. -->
 - [ ] Permissions changes: TODO <!-- Specify what changes to the permissions are required.  Remove this checkbox if there are no changes necessary. -->
 - [ ] Outdated documentation changes: TODO <!-- Specify required documentation changes (public-facing fleetdm.com/docs or contributors) & redirects to add to /website/config/routes.js. -->
@@ -35,14 +45,6 @@ It is [planned and ready](https://fleetdm.com/handbook/company/development-group
 
 > ℹ️  Please read this issue carefully and understand it.  Pay [special attention](https://fleetdm.com/handbook/company/development-groups#developing-from-wireframes) to UI wireframes, especially "dev notes".
 
-## Context
-- Requestor(s): _________________________ <!-- Who are the non-customer requestor(s) for this story, if any? Put their GitHub usernames here. They should be notified if the story gets de-prioritized. For customer requestors, use the `customer-xyz` label instead. -->
-<!--
-What else should contributors [keep in mind](https://fleetdm.com/handbook/company/development-groups#developing-from-wireframes) when working on this change?  (Optional.)
-1. 
-2. 
--->
-
 ## QA
 
 ### Risk assessment

.github/workflows/codeql-analysis.yml

@@ -47,6 +47,11 @@ jobs:
     steps:
     - name: Checkout repository
       uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+    
+    - name: Set up Go
+      uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
+      with:
+        go-version: ${{ vars.GO_VERSION }}
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL

.github/workflows/goreleaser-orbit.yaml

@@ -66,7 +66,7 @@ jobs:
         uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v2
         with:
           name: orbit-macos
-          path: dist
+          path: dist/orbit-macos_darwin_all/orbit
 
   goreleaser-linux:
     runs-on: ubuntu-20.04
@@ -94,7 +94,7 @@ jobs:
         uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v2
         with:
           name: orbit-linux
-          path: dist
+          path: dist/orbit_linux_amd64_v1/orbit
 
   goreleaser-windows:
     runs-on: windows-2022
@@ -122,4 +122,4 @@ jobs:
         uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v2
         with:
           name: orbit-windows
-          path: dist
+          path: dist/orbit_windows_amd64_v1/orbit.exe

CHANGELOG.md

@@ -1,3 +1,68 @@
+## Fleet 4.45.1 (Feb 23, 2024)
+
+### Bug fixes
+
+* Fixed a bug that caused macOS ADE enrollments gated behind SSO to get a "method not allowed" error.
+* Fixed a bug where the "Done" button on the add hosts modal for plain osquery could be covered.
+
+## Fleet 4.45.0 (Feb 20, 2024)
+
+### Changes
+
+* **Endpoint operations**:
+  - Added two new API endpoints for running provided live query SQL on a single host.
+  - Added `fleetctl gitops` command for GitOps workflow synchronization.
+  - Added capabilities to the `gitops` role to support reading queries/policies and writing scripts.
+  - Updated policy names to be unique per team.
+  - Updated fleetd-chrome to use the latest wa-sqlite v0.9.11.
+  - Updated "Add hosts" modal UI to dynamically include the `--enable-scripts` flag.
+  - Added count of upcoming activities to host vitals UI.
+  - Updated UI to include upcoming activity counts in host vitals.
+  - Updated 405 response for `POST` requests on the root path to highlight misconfigured osquery instances.
+
+* **Device management (MDM)**:
+  - Added MDM command payloads to the response of `GET /api/_version_/fleet/mdm/commandresults`.
+  - Changed several MDM-related endpoints to be platform-agnostic.
+  - Added script capabilities to UI for Linux hosts.
+  - Added UI for locking and unlocking hosts managed by Fleet MDM.
+  - Added `fleetctl mdm lock` and `fleetctl mdm unlock` commands.
+  - Added validation to reject script enqueue requests for hosts without fleetd.
+  - Added the `host_mdm_actions` DB table for MDM lock and wipe functionality.
+  - Updated backend MDM migration flow and added logging.
+  - Updated UI text for disk encryption to reflect cross-platform functionality.
+  - Renamed and updated fields in MDM configuration profiles for clarity.
+  - Improved validation of Windows profiles to prevent delivery errors.
+  - Improved Windows MDM profile error tooltip messages.
+  - Fixed MDM unlock flow and updated lock/unlock functionality for Windows and Linux.
+  - Fixed a bug that would cause OS Settings verification to fail with MySQL's `only_full_group_by` mode enabled.
+
+* **Vulnerability management**:
+  - Windows OS Vulnerabilities now include a `resolved_in_version` in the `/os_versions` API response.
+  - Fixed an issue where software from a Parallels VM would incorrectly appear as the host's software.
+  - Implemented permission checks for software and software titles.
+  - Fixed software title aggregation when triggering vulnerability scans.
+
+### Bug fixes and improvements
+  - Updated text and style across the app for consistency and clarity.
+  - Improved UI for the view disk encryption key, host details activity card, and "Add hosts" modal.
+  - Addressed a bug where updating the search field caused unwanted loss of focus.
+  - Corrected alignment bugs on empty table states for software details.
+  - Updated URL query parameters to reset when switching tabs.
+  - Fixed device page showing invalid date for the last restarted.
+  - Fixed visual display issues with chevron right icons on Chrome.
+  - Fixed Windows vulnerabilities without exploit/severity from crashing the software page.
+  - Fixed issues with checkboxes in hidden modals and long enroll secrets overlapping action buttons.
+  - Fixed a bug with built-in platform labels.
+  - Fixed enroll secret error messaging showing secret in cleartext.
+  - Fixed various UI bugs including disk encryption key input icons, alignment issues, and dropdown menus.
+  - Fixed dropdown behavior in administrative settings and software title/version tables.
+  - Fixed various UI and style bugs, including issues with long OS names causing table render issues.
+  - Fixed a bug where checkboxes within a hidden modal were not correctly hidden.
+  - Fixed vulnerable software dropdown from switching back to all teams.
+  - Fixed wall_time to report in milliseconds for consistency with other query performance stats.
+  - Fixed generating duplicate activities when locking or unlocking a host with scripts disabled.
+  - Fixed how errors are reported to APM to avoid duplicates and improve stack trace accuracy.
+
 ## Fleet 4.44.1 (Feb 13, 2024)
 
 ### Bug fixes

Dockerfile-desktop-linux

@@ -1,4 +1,4 @@
-FROM --platform=linux/amd64 golang:1.21.6-bullseye@sha256:fa52abd182d334cfcdffdcc934e21fcfbc71c3cde568e606193ae7db045b1b8d
+FROM --platform=linux/amd64 golang:1.21.7-bullseye@sha256:447afe790df28e0bc19d782a9f776a105ce3b8417cdd21f33affc4ed6d38f9d5
 LABEL maintainer="Fleet Developers"
 
 RUN apt-get update && apt-get install -y \

articles/fleet-4.26.0.md

@@ -48,8 +48,6 @@ You already have a lot of raw data to sift through in your data lake, especially
 
 Fleet 4.26.0 reduces the number of calls you have to make to pull software data with the REST API. Each time a host has software added, updated, or deleted, a `host_software_updated_at` timestamp gets updated for that host. The `host_software_updated_at` timestamp is exposed through the API. This lets you send the latest software data to your data lake, so you can avoid drowning in outdated information.
 
-<call-to-action preset="mdm-beta"></call-to-action>
-
 ## Fleet MDM
 **MDM features are not ready for production and are currently in development. These features are disabled by default.**
 

articles/fleet-4.27.0.md

@@ -21,8 +21,6 @@ In the UI an account administrator will see the following information:
 
 If you pair this new login activity with the audit improvements from [release 4.26](https://fleetdm.com/releases/fleet-4.26.0) you can now set up an alert if multiple failed login attempts occur. 
 
-<call-to-action preset="premium-upgrade"></call-to-action>
-
 ## Better search filters on the ‘Select Targets’ screen in Fleet
 
 **Available in Fleet Free and Fleet Premium**

articles/fleet-4.28.0.md

@@ -32,8 +32,6 @@ Premium and Ultimate Fleet plans have the ability to import the CIS benchmarks i
 
 For more information on adding CIS Benchmarks, check out the [documentation here](https://fleetdm.com/docs/using-fleet/cis-benchmarks#how-to-add-cis-benchmarks).
 
-<call-to-action preset="premium-upgrade"></call-to-action>
-
 ## Reduced false negatives from MS Office products related to vulnerabilities reported in the NVD
 
 A false negative occurs when a policy reports there is not a vulnerability, but there actually is a vulnerability. Even if a policy reports zero vulnerabilities, that does not imply there are no vulnerabilities present. Both of these types of errors can cause problems when trying to identify vulnerabilities that need attention.
@@ -69,8 +67,6 @@ For more information on enabling this functionality, check out the [documentati
 *   Enabled installation and auto-updates of Nudge via Orbit.
 *   Added support for providing macos\_settings.custom\_settings profiles for team (with Fleet Premium) and no-team levels via fleetctl apply.
 
-<call-to-action preset="mdm-beta"></call-to-action>
-
 #### List of other features
 
 *   Added --policies-team flag to fleetctl apply to easily import a group of policies into a team.

articles/fleet-4.29.0.md

@@ -27,8 +27,6 @@ Users created via JIT provisioning can be assigned Fleet roles using SAML custom
 
 Learn more about [JIT user role setting](https://fleetdm.com/docs/deploying/configuration#just-in-time-jit-user-provisioning).
 
-<call-to-action preset="premium-upgrade"></call-to-action>
-
 ## CIS benchmarks manual intervention
 
 _Available in Fleet Premium and Fleet Ultimate_
@@ -65,8 +63,6 @@ Fleet updated translation rules to provide better 🟢 Results and avoid false p
 * Added MDM profiles status filter to hosts endpoints.
 * Added indicators of aggregate host count for each possible status of MDM-enforced mac settings (hidden until 4.30.0).
 
-<call-to-action preset="mdm-beta"></call-to-action>
-
 #### List of other features
 
 * As part of JIT provisioning, read user roles from SAML custom attributes.