redo under active exploit logic

macadmins · Jul 24, 2024 · 3ad843d · 3ad843d
1 parent 89f000e
commit 3ad843d
Show file tree

Hide file tree

Showing 2 changed files with 62 additions and 16 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,6 +4,15 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [2.0.5] - 2024-07-24
+Requires macOS 12.0 and higher.
+
+### Changed
+- The `Actively Exploited` logic internally within Nudge and the UI on the left sidebar will show `True` if any previous updates missing on the device had active exploits.
+  - **WARNNG BREAKING CHANGE** - This changes the SLA computation and will result in a different `requiredInstallationDate` than offered in Nudge v2.0 -> v2.01.
+  - Ex: Device is on 14.3 and needing to go to 14.5.
+    - While 14.4.1 -> 14.5 are not under active exploit, 14.4 contains fixes for 14.3 that were under active exploit.
+
 ## [2.0.4] - 2024-07-23
 Requires macOS 12.0 and higher.
 

diff --git a/Nudge/UI/Main.swift b/Nudge/UI/Main.swift
@@ -178,6 +178,9 @@ class AppDelegate: NSObject, NSApplicationDelegate {
             var foundMatch = false
             Globals.sofaAssets = NetworkFileManager().getSOFAAssets()
             if let macOSSOFAAssets = Globals.sofaAssets?.osVersions {
+                // Get current installed OS version
+                let currentInstalledVersion = GlobalVariables.currentOSVersion
+
                 for osVersion in macOSSOFAAssets {
                     if PrefsWrapper.requiredMinimumOSVersion == "latest" {
                         selectedOS = osVersion.latest
@@ -204,24 +207,58 @@ class AppDelegate: NSObject, NSApplicationDelegate {
                             continue
                         }
                     }
-                    let activelyExploitedCVEs = selectedOS!.activelyExploitedCVEs.count > 0
+
+                    var totalActivelyExploitedCVEs = 0
+                    let selectedOSVersion = selectedOS!.productVersion
+                    var allVersions = [String]()
+
+                    // Collect all versions
+                    for osVersion in macOSSOFAAssets {
+                        allVersions.append(osVersion.latest.productVersion)
+                        for securityRelease in osVersion.securityReleases {
+                            allVersions.append(securityRelease.productVersion)
+                        }
+                    }
+
+                    // Sort versions
+                    allVersions.sort { VersionManager.versionLessThan(currentVersion: $0, newVersion: $1) }
+
+                    // Filter versions between current and selected OS version
+                    let filteredVersions = allVersions.filter {
+                        VersionManager.versionGreaterThan(currentVersion: $0, newVersion: currentInstalledVersion) &&
+                        VersionManager.versionLessThanOrEqual(currentVersion: $0, newVersion: selectedOSVersion)
+                    }
+
+                    // Count actively exploited CVEs in the filtered versions
+                    for osVersion in macOSSOFAAssets {
+                        if filteredVersions.contains(osVersion.latest.productVersion) {
+                            totalActivelyExploitedCVEs += osVersion.latest.activelyExploitedCVEs.count
+                        }
+                        for securityRelease in osVersion.securityReleases {
+                            if filteredVersions.contains(securityRelease.productVersion) {
+                                totalActivelyExploitedCVEs += securityRelease.activelyExploitedCVEs.count
+                            }
+                        }
+                    }
+                    let activelyExploitedCVEs = totalActivelyExploitedCVEs > 0
+
                     let presentCVEs = selectedOS!.cves.count > 0
                     let slaExtension: TimeInterval
                     switch (activelyExploitedCVEs, presentCVEs, AppStateManager().requireMajorUpgrade()) {
-                        case (false, true, true):
-                            slaExtension = TimeInterval(OSVersionRequirementVariables.nonActivelyExploitedCVEsMajorUpgradeSLA * 86400)
-                        case (false, true, false):
-                            slaExtension = TimeInterval(OSVersionRequirementVariables.nonActivelyExploitedCVEsMinorUpdateSLA * 86400)
-                        case (true, true, true):
-                            slaExtension = TimeInterval(OSVersionRequirementVariables.activelyExploitedCVEsMajorUpgradeSLA * 86400)
-                        case (true, true, false):
-                            slaExtension = TimeInterval(OSVersionRequirementVariables.activelyExploitedCVEsMinorUpdateSLA * 86400)
-                        case (false, false, true):
-                            slaExtension = TimeInterval(OSVersionRequirementVariables.standardMajorUpgradeSLA * 86400)
-                        case (false, false, false):
-                            slaExtension = TimeInterval(OSVersionRequirementVariables.standardMinorUpdateSLA * 86400)
-                        default: // If we get here, something is wrong, use 90 days as a safety
-                            slaExtension = TimeInterval(90 * 86400)
+                    case (false, true, true):
+                        slaExtension = TimeInterval(OSVersionRequirementVariables.nonActivelyExploitedCVEsMajorUpgradeSLA * 86400)
+                    case (false, true, false):
+                        slaExtension = TimeInterval(OSVersionRequirementVariables.nonActivelyExploitedCVEsMinorUpdateSLA * 86400)
+                    case (true, true, true):
+                        slaExtension = TimeInterval(OSVersionRequirementVariables.activelyExploitedCVEsMajorUpgradeSLA * 86400)
+                    case (true, true, false):
+                        slaExtension = TimeInterval(OSVersionRequirementVariables.activelyExploitedCVEsMinorUpdateSLA * 86400)
+                    case (false, false, true):
+                        slaExtension = TimeInterval(OSVersionRequirementVariables.standardMajorUpgradeSLA * 86400)
+                    case (false, false, false):
+                        slaExtension = TimeInterval(OSVersionRequirementVariables.standardMinorUpdateSLA * 86400)
+                    default: // If we get here, something is wrong, use 90 days as a safety
+                        slaExtension = TimeInterval(90 * 86400)
                     }
 
                     if OptionalFeatureVariables.disableNudgeForStandardInstalls && !presentCVEs {
@@ -252,7 +289,7 @@ class AppDelegate: NSObject, NSApplicationDelegate {
                                 supportedDevice in Globals.hardwareModelIDs.contains { $0.uppercased() == supportedDevice.uppercased() } }
                             )
                             LogManager.notice("Assessed Model ID found in SOFA Entry: \(deviceMatchFound)", logger: sofaLog)
-                            nudgePrimaryState.deviceSupportedByOSVersion = deviceMatchFound // false
+                            nudgePrimaryState.deviceSupportedByOSVersion = deviceMatchFound
                         }
                     }
                     foundMatch = true