Potential bug with version filtering impacting active CVE assessment #666

jrbarnes opened this issue Dec 11, 2024 · 6 comments

@jrbarnes

Nudge Version: 2.0.12.81807
Installed OS Version: 15.1.1 (24B91)
Required Minimum OS Version: latest-minor
Latest OS at time of issue: 15.2
macOS 15.2 Security Content: https://support.apple.com/en-us/121839
MacAdmins Thread: https://macadmins.slack.com/archives/CDUU7DJQ2/p1733952369722319

Current behavior: Upon running, Nudge appears to be evaluating the vulnerabilities associated with both the currently installed OS version, 15.1.1, and 15.2 from the SOFA feed. This results in Nudge enforcing the activelyExploitedCVEsMinorUpdateSLA (7 days in our config) rather than the nonActivelyExploitedCVEsMinorUpdateSLA (14 days in our config). Apple has not identified any of the vulnerabilities in 15.2 as actively exploited and the SOFA feed likewise shows no actively exploited CVEs.

Expected behavior: Upon running, Nudge should evaluate the ActivelyExploitedCVEs value only for valid versions greater than the major.minor.patch version currently installed (15.1.1), which is 15.2. The result should be Nudge enforcing the nonActivelyExploitedCVEsMinorUpdateSLA.

Additional information: Based on the log line below and a high-level look at the sorting/filtering in Nudge/UI/Main.swift before the vulnerability assessment step, I suspect the issue is related to the filtering. I would caveat this by saying that I am not a Swift developer and have little true development experience.
2024-12-11 14:12:16.552672-0700 localhost Nudge[19153]: [com.github.macadmins.Nudge:sofa] Assessing macOS version range for active exploits: ["15.1.1", "15.2"]

Nudge log from runtime

2024-12-11 14:00:05.231615-0700  localhost Nudge[19153]: [com.github.macadmins.Nudge:user-interface] Delaying initial run (in seconds) by: 731
2024-12-11 14:12:16.301922-0700  localhost Nudge[19153]: [com.github.macadmins.Nudge:user-interface] Finished delay
2024-12-11 14:12:16.552672-0700  localhost Nudge[19153]: [com.github.macadmins.Nudge:sofa] Assessing macOS version range for active exploits: ["15.1.1", "15.2"]
2024-12-11 14:12:16.553197-0700  localhost Nudge[19153]: [com.github.macadmins.Nudge:sofa] Actively Exploited Minor Update detected. Using activelyExploitedCVEsMinorUpdateSLA value: 7
2024-12-11 14:12:16.553232-0700  localhost Nudge[19153]: [com.github.macadmins.Nudge:sofa] SOFA Actively Exploited CVEs: true
2024-12-11 14:12:16.553760-0700  localhost Nudge[19153]: [com.github.macadmins.Nudge:sofa] Setting requiredInstallationDate via SOFA to 2024-12-18 00:00:00 +0000
2024-12-11 14:12:16.553791-0700  localhost Nudge[19153]: [com.github.macadmins.Nudge:sofa] SOFA Matched OS Version: 15.2
2024-12-11 14:12:16.553904-0700  localhost Nudge[19153]: [com.github.macadmins.Nudge:sofa] SOFA Assets: ["J132AP", "J137AP", "J152FAP", "J160AP", "J174AP", "J180dAP", "J185AP", "J185FAP", "J213AP", "J214KAP", "J215AP", "J223AP", "J230KAP", "J274AP", "J293AP", "J313AP", "J314cAP", "J314sAP", "J316cAP", "J316sAP", "J375cAP", "J375dAP", "J413AP", "J414cAP", "J414sAP", "J415AP", "J416cAP", "J416sAP", "J433AP", "J434AP", "J456AP", "J457AP", "J473AP", "J474sAP", "J475cAP", "J475dAP", "J493AP", "J504AP", "J514cAP", "J514mAP", "J514sAP", "J516cAP", "J516mAP", "J516sAP", "J604AP", "J613AP", "J614cAP", "J614sAP", "J615AP", "J616cAP", "J616sAP", "J623AP", "J624AP", "J680AP", "J773gAP", "J773sAP", "J780AP", "Mac-1E7E29AD0135F9BC", "Mac-63001698E7A34814", "Mac-937A206F2EE63C01", "Mac-AA95B1DDAB278B95", "VMA2MACOSAP", "VMM-x86_64"]
2024-12-11 14:12:16.554084-0700  localhost Nudge[19153]: [com.github.macadmins.Nudge:sofa] SOFA CVEs: ["CVE-2024-54527": false, "CVE-2024-54479": false, "CVE-2024-54491": false, "CVE-2024-54465": false, "CVE-2024-54490": false, "CVE-2024-54528": false, "CVE-2024-54466": false, "CVE-2024-54508": false, "CVE-2024-44245": false, "CVE-2024-54506": false, "CVE-2024-54505": false, "CVE-2024-44224": false, "CVE-2024-44243": false, "CVE-2024-44300": false, "CVE-2024-54531": false, "CVE-2024-54513": false, "CVE-2024-44225": false, "CVE-2024-54493": false, "CVE-2024-54515": false, "CVE-2024-54514": false, "CVE-2024-45490": false, "CVE-2024-44246": false, "CVE-2024-54504": false, "CVE-2024-54476": false, "CVE-2024-54489": false, "CVE-2024-54501": false, "CVE-2024-54529": false, "CVE-2024-54494": false, "CVE-2024-54492": false, "CVE-2024-54526": false, "CVE-2024-54500": false, "CVE-2024-54486": false, "CVE-2024-54474": false, "CVE-2024-54510": false, "CVE-2024-54484": false, "CVE-2023-32395": false, "CVE-2024-44220": false, "CVE-2024-54498": false, "CVE-2024-44291": false, "CVE-2024-54495": false, "CV<…>
2024-12-11 14:12:16.695034-0700  localhost Nudge[19153]: [com.github.macadmins.Nudge:softwareupdate-device] Error assessing DeviceID: remotectl: Unable to find device "localbridge".
2024-12-11 14:12:16.695505-0700  localhost Nudge[19153]: [com.github.macadmins.Nudge:sofa] Assessed Model IDs: ["Unknown", "", "J293AP", "J293AP"]
2024-12-11 14:12:16.695572-0700  localhost Nudge[19153]: [com.github.macadmins.Nudge:sofa] Assessed Model ID found in SOFA Entry: true
2024-12-11 14:12:16.698963-0700  localhost Nudge[19153]: [com.github.macadmins.Nudge:softwareupdate-download] enforceMinorUpdates: true
2024-12-11 14:12:16.845595-0700  localhost Nudge[19153]: [com.github.macadmins.Nudge:user-interface] New Nudge event detected - resetting all deferral values
2024-12-11 14:12:19.946302-0700  localhost Nudge[19153]: [com.github.macadmins.Nudge:user-interface] User clicked secondaryQuitButton
2024-12-11 14:12:23.243800-0700  localhost Nudge[19153]: [com.github.macadmins.Nudge:user-interface] User initiated a deferral: 2024-12-12 21:12:23 +0000
2024-12-11 14:12:23.247802-0700  localhost Nudge[19153]: [com.github.macadmins.Nudge:user-interface] User clicked primaryQuitButton

Cached SOFA feed at runtime
sofa-macos_data_feed.json

LaunchAgent used at runtime

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>AssociatedBundleIdentifiers</key>
	<array>
		<string>com.github.macadmins.Nudge</string>
	</array>
	<key>Label</key>
	<string>com.github.macadmins.Nudge</string>
	<key>LimitLoadToSessionType</key>
	<array>
		<string>Aqua</string>
	</array>
	<key>ProgramArguments</key>
	<array>
		<string>/Applications/Utilities/Nudge.app/Contents/MacOS/Nudge</string>
		<!-- <string>-json-url</string> -->
		<!-- <string>https://raw.githubusercontent.com/macadmins/nudge/main/Nudge/example.json</string> -->
		<!-- <string>-demo-mode</string> -->
	</array>
	<key>RunAtLoad</key>
	<true/>
	<key>StartCalendarInterval</key>
	<array>
		<dict>
			<key>Minute</key>
			<integer>0</integer>
		</dict>
		<dict>
			<key>Minute</key>
			<integer>30</integer>
		</dict>
	</array>
</dict>
</plist>

Nudge config profile applied at runtime
Redactions made to aboutUpdateURL and mainContentText. This was exported by running /Applications/Utilities/Nudge.app/Contents/MacOS/Nudge -print-profile-config

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
    <dict>
        <key>optionalFeatures</key>
        <dict>
            <key>acceptableCameraUsage</key>
            <true/>
            <key>acceptableScreenSharingUsage</key>
            <true/>
            <key>aggressiveUserFullScreenExperience</key>
            <false/>
            <key>attemptToCheckForSupportedDevice</key>
            <true/>
            <key>attemptToFetchMajorUpgrade</key>
            <false/>
            <key>enforceMinorUpdates</key>
            <true/>
            <key>refreshSOFAFeedTime</key>
            <integer>14400</integer>
            <key>utilizeSOFAFeed</key>
            <true/>
        </dict>
        <key>osVersionRequirements</key>
        <array>
            <dict>
                <key>aboutUpdateURL</key>
                <string>https://example.com</string>
                <key>activelyExploitedCVEsMinorUpdateSLA</key>
                <integer>7</integer>
                <key>nonActivelyExploitedCVEsMinorUpdateSLA</key>
                <integer>14</integer>
                <key>requiredMinimumOSVersion</key>
                <string>latest-minor</string>
                <key>standardMinorUpdateSLA</key>
                <integer>14</integer>
            </dict>
        </array>
        <key>userExperience</key>
        <dict>
            <key>allowGracePeriods</key>
            <true/>
            <key>allowLaterDeferralButton</key>
            <false/>
            <key>allowedDeferrals</key>
            <integer>5000</integer>
            <key>allowedDeferralsUntilForcedSecondaryQuitButton</key>
            <integer>5000</integer>
            <key>approachingRefreshCycle</key>
            <integer>7200</integer>
            <key>approachingWindowTime</key>
            <integer>168</integer>
            <key>elapsedRefreshCycle</key>
            <integer>3600</integer>
            <key>gracePeriodLaunchDelay</key>
            <integer>2</integer>
            <key>imminentRefreshCycle</key>
            <integer>3600</integer>
            <key>imminentWindowTime</key>
            <integer>72</integer>
            <key>initialRefreshCycle</key>
            <integer>14400</integer>
            <key>nudgeRefreshCycle</key>
            <integer>3600</integer>
        </dict>
        <key>userInterface</key>
        <dict>
            <key>iconDarkPath</key>
            <string>/Library/Application Support/JAMF/bin/Nudge/NudgeDarkIcon.png</string>
            <key>iconLightPath</key>
            <string>/Library/Application Support/JAMF/bin/Nudge/NudgeLightIcon.png</string>
            <key>screenShotDarkPath</key>
            <string>/Library/Application Support/JAMF/bin/Nudge/NudgeDarkScreenshot.png</string>
            <key>screenShotLightPath</key>
            <string>/Library/Application Support/JAMF/bin/Nudge/NudgeLightScreenshot.png</string>
            <key>showActivelyExploitedCVEs</key>
            <false/>
            <key>showDeferralCount</key>
            <true/>
            <key>updateElements</key>
            <array>
                <dict>
                    <key>_language</key>
                    <string>en</string>
                    <key>informationButtonText</key>
                    <string>Get Help</string>
                    <key>mainContentHeader</key>
                    <string>This device will restart during this update</string>
                    <key>mainContentText</key>
                    <string>Redacted.</string>
                    <key>mainHeader</key>
                    <string>This device requires a security update</string>
                    <key>subHeader</key>
                    <string>macOS Security Update Reminder</string>
                </dict>
            </array>
        </dict>
    </dict>
</plist>
@erikng
Member

erikng commented Dec 12, 2024 via email

@jrbarnes
Author

Thanks for such a quick response and suggestion, @erikng!

I did the following:

  1. Deployed an updated config profile to the same device with the addition of minorVersionRecalculationThreshold under osVersionRequirement set to 1.
  2. Ran defaults delete ~/Library/Preferences/com.github.macadmins.Nudge.plist to reset my deferral per https://github.com/macadmins/nudge/wiki/User-Deferrals#testing-and-resetting-nudge

At the next run I received the same 7-day deadline; however, I do see the recalculation step happening in the log.

Nudge log at runtime

2024-12-11 20:17:18.082120-0700  localhost Nudge[2791]: [com.github.macadmins.Nudge:user-interface] Finished delay
2024-12-11 20:17:18.101784-0700  localhost Nudge[2791]: [com.github.macadmins.Nudge:sofa] Assessing macOS version range for active exploits: ["15.1.1", "15.2"]
2024-12-11 20:17:18.102367-0700  localhost Nudge[2791]: [com.github.macadmins.Nudge:sofa] Actively Exploited Minor Update detected. Using activelyExploitedCVEsMinorUpdateSLA value: 7
2024-12-11 20:17:18.102432-0700  localhost Nudge[2791]: [com.github.macadmins.Nudge:sofa] SOFA Actively Exploited CVEs: true
2024-12-11 20:17:18.102478-0700  localhost Nudge[2791]: [com.github.macadmins.Nudge:sofa] Assessing macOS version range for recalculation: ["15.2"]
2024-12-11 20:17:18.102510-0700  localhost Nudge[2791]: [com.github.macadmins.Nudge:sofa] minorVersionRecalculationThreshold is set to 1 - Current Version: 15.1.1 - Targeting version 15.2 requiredInstallationDate via SOFA
2024-12-11 20:17:18.103244-0700  localhost Nudge[2791]: [com.github.macadmins.Nudge:sofa] Found target macOS version 15.2 - releaseDate is 2024-12-11 00:00:00 +0000, slaExtension is 7 days, 0 hours, 0 minutes, 0 seconds
2024-12-11 20:17:18.103339-0700  localhost Nudge[2791]: [com.github.macadmins.Nudge:sofa] Setting requiredInstallationDate via SOFA to 2024-12-18 00:00:00 +0000
2024-12-11 20:17:18.103373-0700  localhost Nudge[2791]: [com.github.macadmins.Nudge:sofa] SOFA Matched OS Version: 15.2
2024-12-11 20:17:18.103531-0700  localhost Nudge[2791]: [com.github.macadmins.Nudge:sofa] SOFA Assets: ["J132AP", "J137AP", "J152FAP", "J160AP", "J174AP", "J180dAP", "J185AP", "J185FAP", "J213AP", "J214KAP", "J215AP", "J223AP", "J230KAP", "J274AP", "J293AP", "J313AP", "J314cAP", "J314sAP", "J316cAP", "J316sAP", "J375cAP", "J375dAP", "J413AP", "J414cAP", "J414sAP", "J415AP", "J416cAP", "J416sAP", "J433AP", "J434AP", "J456AP", "J457AP", "J473AP", "J474sAP", "J475cAP", "J475dAP", "J493AP", "J504AP", "J514cAP", "J514mAP", "J514sAP", "J516cAP", "J516mAP", "J516sAP", "J604AP", "J613AP", "J614cAP", "J614sAP", "J615AP", "J616cAP", "J616sAP", "J623AP", "J624AP", "J680AP", "J773gAP", "J773sAP", "J780AP", "Mac-1E7E29AD0135F9BC", "Mac-63001698E7A34814", "Mac-937A206F2EE63C01", "Mac-AA95B1DDAB278B95", "VMA2MACOSAP", "VMM-x86_64"]
2024-12-11 20:17:18.103782-0700  localhost Nudge[2791]: [com.github.macadmins.Nudge:sofa] SOFA CVEs: ["CVE-2024-44300": false, "CVE-2024-54479": false, "CVE-2024-45490": false, "CVE-2024-54484": false, "CVE-2024-54498": false, "CVE-2024-54493": false, "CVE-2024-54506": false, "CVE-2024-54510": false, "CVE-2024-54492": false, "CVE-2024-54476": false, "CVE-2024-54508": false, "CVE-2024-54526": false, "CVE-2024-54527": false, "CVE-2024-54513": false, "CVE-2024-54505": false, "CVE-2024-54495": false, "CVE-2024-44225": false, "CVE-2024-44245": false, "CVE-2024-54490": false, "CVE-2024-54500": false, "CVE-2024-54466": false, "CVE-2024-54474": false, "CVE-2024-54494": false, "CVE-2023-32395": false, "CVE-2024-54529": false, "CVE-2024-54465": false, "CVE-2024-44243": false, "CVE-2024-54515": false, "CVE-2024-54491": false, "CVE-2024-44224": false, "CVE-2024-44220": false, "CVE-2024-54477": false, "CVE-2024-54486": false, "CVE-2024-54501": false, "CVE-2024-54489": false, "CVE-2024-54528": false, "CVE-2024-54524": false, "CVE-2024-54502": false, "CVE-2024-54534": false, "CVE-2024-54531": false, "CV<…>
2024-12-11 20:17:18.169213-0700  localhost Nudge[2791]: [com.github.macadmins.Nudge:softwareupdate-device] Error assessing DeviceID: remotectl: Unable to find device "localbridge".
2024-12-11 20:17:18.169882-0700  localhost Nudge[2791]: [com.github.macadmins.Nudge:sofa] Assessed Model IDs: ["Unknown", "", "J293AP", "J293AP"]
2024-12-11 20:17:18.169941-0700  localhost Nudge[2791]: [com.github.macadmins.Nudge:sofa] Assessed Model ID found in SOFA Entry: true
2024-12-11 20:17:18.173444-0700  localhost Nudge[2791]: [com.github.macadmins.Nudge:softwareupdate-download] enforceMinorUpdates: true
2024-12-11 20:17:18.294944-0700  localhost Nudge[2791]: [com.github.macadmins.Nudge:user-interface] New Nudge event detected - resetting all deferral values
2024-12-11 20:17:25.025761-0700  localhost Nudge[2791]: [com.github.macadmins.Nudge:user-interface] User clicked secondaryQuitButton
2024-12-11 20:17:28.544531-0700  localhost Nudge[2791]: [com.github.macadmins.Nudge:user-interface] User initiated a deferral: 2024-12-13 03:17:28 +0000
2024-12-11 20:17:28.549138-0700  localhost Nudge[2791]: [com.github.macadmins.Nudge:user-interface] User clicked primaryQuitButton

Nudge config profile

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
    <dict>
        <key>optionalFeatures</key>
        <dict>
            <key>acceptableCameraUsage</key>
            <true/>
            <key>acceptableScreenSharingUsage</key>
            <true/>
            <key>aggressiveUserFullScreenExperience</key>
            <false/>
            <key>attemptToCheckForSupportedDevice</key>
            <true/>
            <key>attemptToFetchMajorUpgrade</key>
            <false/>
            <key>enforceMinorUpdates</key>
            <true/>
            <key>refreshSOFAFeedTime</key>
            <integer>14400</integer>
            <key>utilizeSOFAFeed</key>
            <true/>
        </dict>
        <key>osVersionRequirements</key>
        <array>
            <dict>
                <key>aboutUpdateURL</key>
                <string>https://example.com</string>
                <key>activelyExploitedCVEsMinorUpdateSLA</key>
                <integer>7</integer>
                <key>minorVersionRecalculationThreshold</key>
                <integer>1</integer>
                <key>nonActivelyExploitedCVEsMinorUpdateSLA</key>
                <integer>14</integer>
                <key>requiredMinimumOSVersion</key>
                <string>latest-minor</string>
                <key>standardMinorUpdateSLA</key>
                <integer>14</integer>
            </dict>
        </array>
        <key>userExperience</key>
        <dict>
            <key>allowGracePeriods</key>
            <true/>
            <key>allowLaterDeferralButton</key>
            <false/>
            <key>allowedDeferrals</key>
            <integer>5000</integer>
            <key>allowedDeferralsUntilForcedSecondaryQuitButton</key>
            <integer>5000</integer>
            <key>approachingRefreshCycle</key>
            <integer>7200</integer>
            <key>approachingWindowTime</key>
            <integer>168</integer>
            <key>elapsedRefreshCycle</key>
            <integer>3600</integer>
            <key>gracePeriodLaunchDelay</key>
            <integer>2</integer>
            <key>imminentRefreshCycle</key>
            <integer>3600</integer>
            <key>imminentWindowTime</key>
            <integer>72</integer>
            <key>initialRefreshCycle</key>
            <integer>14400</integer>
            <key>nudgeRefreshCycle</key>
            <integer>3600</integer>
        </dict>
        <key>userInterface</key>
        <dict>
            <key>iconDarkPath</key>
            <string>/Library/Application Support/JAMF/bin/Nudge/NudgeDarkIcon.png</string>
            <key>iconLightPath</key>
            <string>/Library/Application Support/JAMF/bin/Nudge/NudgeLightIcon.png</string>
            <key>screenShotDarkPath</key>
            <string>/Library/Application Support/JAMF/bin/Nudge/NudgeDarkScreenshot.png</string>
            <key>screenShotLightPath</key>
            <string>/Library/Application Support/JAMF/bin/Nudge/NudgeLightScreenshot.png</string>
            <key>showActivelyExploitedCVEs</key>
            <false/>
            <key>showDeferralCount</key>
            <true/>
            <key>updateElements</key>
            <array>
                <dict>
                    <key>_language</key>
                    <string>en</string>
                    <key>informationButtonText</key>
                    <string>Get Help</string>
                    <key>mainContentHeader</key>
                    <string>This device will restart during this update</string>
                    <key>mainContentText</key>
                    <string>Redacted</string>
                    <key>mainHeader</key>
                    <string>This device requires a security update</string>
                    <key>subHeader</key>
                    <string>macOS Security Update Reminder</string>
                </dict>
            </array>
        </dict>
    </dict>
</plist>

@jrbarnes
Author

jrbarnes commented Dec 12, 2024

To add to this, looking at the prior day's logs before 15.2 was available I can see the device, which was running 15.1.1 at the time, evaluating against 15.1.1 via SOFA, but ultimately stopping at the end as the OS versions matched. This repeats throughout the day.

2024-12-10 17:16:15.044633-0700  localhost Nudge[71524]: [com.github.macadmins.Nudge:user-interface] Finished delay
2024-12-10 17:16:15.071019-0700  localhost Nudge[71524]: [com.github.macadmins.Nudge:sofa] Assessing macOS version range for active exploits: ["15.1.1"]
2024-12-10 17:16:15.071605-0700  localhost Nudge[71524]: [com.github.macadmins.Nudge:sofa] Actively Exploited Minor Update detected. Using activelyExploitedCVEsMinorUpdateSLA value: 7
2024-12-10 17:16:15.071671-0700  localhost Nudge[71524]: [com.github.macadmins.Nudge:sofa] SOFA Actively Exploited CVEs: true
2024-12-10 17:16:15.072498-0700  localhost Nudge[71524]: [com.github.macadmins.Nudge:sofa] Setting requiredInstallationDate via SOFA to 2024-11-26 00:00:00 +0000
2024-12-10 17:16:15.072539-0700  localhost Nudge[71524]: [com.github.macadmins.Nudge:sofa] SOFA Matched OS Version: 15.1.1
2024-12-10 17:16:15.072728-0700  localhost Nudge[71524]: [com.github.macadmins.Nudge:sofa] SOFA Assets: ["J132AP", "J137AP", "J152FAP", "J160AP", "J174AP", "J180dAP", "J185AP", "J185FAP", "J213AP", "J214KAP", "J215AP", "J223AP", "J230KAP", "J274AP", "J293AP", "J313AP", "J314cAP", "J314sAP", "J316cAP", "J316sAP", "J375cAP", "J375dAP", "J413AP", "J414cAP", "J414sAP", "J415AP", "J416cAP", "J416sAP", "J433AP", "J434AP", "J456AP", "J457AP", "J473AP", "J474sAP", "J475cAP", "J475dAP", "J493AP", "J504AP", "J514cAP", "J514mAP", "J514sAP", "J516cAP", "J516mAP", "J516sAP", "J604AP", "J613AP", "J614cAP", "J614sAP", "J615AP", "J616cAP", "J616sAP", "J623AP", "J624AP", "J680AP", "J773gAP", "J773sAP", "J780AP", "Mac-1E7E29AD0135F9BC", "Mac-63001698E7A34814", "Mac-937A206F2EE63C01", "Mac-AA95B1DDAB278B95", "VMA2MACOSAP", "VMM-x86_64"]
2024-12-10 17:16:15.072842-0700  localhost Nudge[71524]: [com.github.macadmins.Nudge:sofa] SOFA CVEs: ["CVE-2024-44309": true, "CVE-2024-44308": true]
2024-12-10 17:16:15.217392-0700  localhost Nudge[71524]: [com.github.macadmins.Nudge:softwareupdate-device] Error assessing DeviceID: remotectl: Unable to find device "localbridge".
2024-12-10 17:16:15.217928-0700  localhost Nudge[71524]: [com.github.macadmins.Nudge:sofa] Assessed Model IDs: ["Unknown", "", "J293AP", "J293AP"]
2024-12-10 17:16:15.218015-0700  localhost Nudge[71524]: [com.github.macadmins.Nudge:sofa] Assessed Model ID found in SOFA Entry: true
2024-12-10 17:16:15.218917-0700  localhost Nudge[71524]: [com.github.macadmins.Nudge:user-interface] Device permitted for gracePeriodInstallDelay - setting date from: 2024-11-26 00:00:00 +0000 to: 2024-12-12 01:16:15 +0000
2024-12-10 17:16:15.220507-0700  localhost Nudge[71524]: [com.github.macadmins.Nudge:softwareupdate-download] enforceMinorUpdates: true
2024-12-10 17:16:15.372804-0700  localhost Nudge[71524]: [com.github.macadmins.Nudge:utilities] Current operating system (15.1.1) is greater than or equal to required operating system (15.1.1)
2024-12-10 17:16:15.372833-0700  localhost Nudge[71524]: [com.github.macadmins.Nudge:user-interface] Device is fully updated
2024-12-10 17:16:15.372860-0700  localhost Nudge[71524]: [com.github.macadmins.Nudge:user-interface] Nudge is terminating due to condition met

@erikng
Member

erikng commented Dec 12, 2024 via email

@jrbarnes
Author

Totally understand. If I had the Swift chops to know I could hash things out I'd take a stab at it, myself, and submit a pull request. We can certainly work around it for the time being as needed.

Either way, I appreciate all of your work on Nudge! I hope that the personal matter works out for the best for you.

@jrbarnes
Author

Not expecting a quick response given the previous comment, but may this just be a change to this line?

VersionManager.versionGreaterThanOrEqual(currentVersion: $0, newVersion: currentInstalledVersion) &&

From what I can tell, the filteredVersions array is ultimately only used for the CVE check. If that's the case, shouldn't the line within the block referenced above use a versionGreaterThan comparison rather than a versionGreaterThanOrEqual so that the check for applicable CVEs doesn't include the currently installed version? That is, the block should be:

// Filter versions between current and selected OS version
let filteredVersions = VersionManager().removeDuplicates(from: allVersions.filter {
    VersionManager.versionGreaterThan(currentVersion: $0, newVersion: currentInstalledVersion) &&
    VersionManager.versionLessThanOrEqual(currentVersion: $0, newVersion: selectedOSVersion)
})
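
The effect of the comparison change proposed above, as an added example that is not Nudge's own code and not part of the original comment: it runs the version-range filter with an inclusive and an exclusive lower bound and derives the SLA from each result. The helpers `compareVersions`, `versionsToAssess` and `minorUpdateSLA` are hypothetical, and the feed is a constructed sample modelled on the log lines in this issue.

```swift
// Constructed sample modelled on the log lines in this issue: each version maps
// CVE id -> "actively exploited?". The 15.2 entry is shortened to three of the
// CVEs from the log (all false); the empty 15.1 entry is a placeholder.
let sampleFeed: [String: [String: Bool]] = [
    "15.1": [:],
    "15.1.1": ["CVE-2024-44309": true, "CVE-2024-44308": true],
    "15.2": ["CVE-2024-54527": false, "CVE-2024-54479": false, "CVE-2024-54491": false],
]

/// Hypothetical helper: numeric, component-wise comparison ("15.1.1" < "15.2").
/// Returns -1, 0 or 1; missing components count as 0, so "15.2" == "15.2.0".
func compareVersions(_ a: String, _ b: String) -> Int {
    let x = a.split(separator: ".").map { Int($0) ?? 0 }
    let y = b.split(separator: ".").map { Int($0) ?? 0 }
    for i in 0..<max(x.count, y.count) {
        let l = i < x.count ? x[i] : 0
        let r = i < y.count ? y[i] : 0
        if l != r { return l < r ? -1 : 1 }
    }
    return 0
}

/// Hypothetical stand-in for the filter discussed in this issue.
/// includeInstalled == true  -> lower bound is ">=" (behaviour seen in the logs)
/// includeInstalled == false -> lower bound is ">"  (the proposed change)
func versionsToAssess(from all: [String], installed: String, target: String,
                      includeInstalled: Bool) -> [String] {
    all.filter { version in
        let vsInstalled = compareVersions(version, installed)
        let aboveFloor = includeInstalled ? vsInstalled >= 0 : vsInstalled > 0
        return aboveFloor && compareVersions(version, target) <= 0
    }
    .sorted { compareVersions($0, $1) < 0 }
}

/// Picks the SLA: the actively exploited value applies as soon as any version
/// in the assessed range carries at least one CVE flagged true.
func minorUpdateSLA(for versions: [String], feed: [String: [String: Bool]],
                    activelyExploitedSLA: Int, nonActivelyExploitedSLA: Int) -> Int {
    let anyExploited = versions.contains { version in
        feed[version, default: [:]].values.contains(true)
    }
    return anyExploited ? activelyExploitedSLA : nonActivelyExploitedSLA
}

// Device on 15.1.1 targeting 15.2, with the SLA values from the reporter's profile.
let allVersions = Array(sampleFeed.keys)
for includeInstalled in [true, false] {
    let range = versionsToAssess(from: allVersions, installed: "15.1.1",
                                 target: "15.2", includeInstalled: includeInstalled)
    let sla = minorUpdateSLA(for: range, feed: sampleFeed,
                             activelyExploitedSLA: 7, nonActivelyExploitedSLA: 14)
    print("lower bound \(includeInstalled ? ">=" : ">"): range \(range), SLA \(sla) days")
}
```

With the inclusive bound, the CVEs already fixed by the installed 15.1.1 count toward the decision for 15.2; with the exclusive bound, only versions the device has not yet installed are assessed.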

HowardGMac added a commit to HowardGMac/nudge that referenced this issue Dec 12, 2024
Resolves a problem with the Active CVE calculation if the current version of macOS on the machine was one in which there were previously addressed active CVEs.