fleetdm · getvictor · May 24, 2024 · May 23, 2024 · May 23, 2024
diff --git a/.github/actions/r2-upload/action.yml b/.github/actions/r2-upload/action.yml
@@ -9,9 +9,8 @@ description: Upload a file to R2
 # - R2_BUCKET: The bucket to upload to
 
 inputs:
-  filename:
-    # Future improvement: accept array of filenames as JSON string, and loop over it like in https://www.starkandwayne.com/blog/bash-for-loop-over-json-array-using-jq/index.html
-    description: 'Name of the file to upload'
+  filenames:
+    description: 'Comma-delimited names of the file(s) to upload. For example: file1,manifest.json,file with spaces.txt'
     required: true
 
 runs:
@@ -27,8 +26,12 @@ runs:
         provider = Cloudflare
         region = auto
         no_check_bucket = true
-        access_key_id = $R2_ACCESS_KEY_ID
-        secret_access_key = $R2_ACCESS_KEY_SECRET
-        endpoint = $R2_ENDPOINT
+        access_key_id = ${{ env.R2_ACCESS_KEY_ID }}
+        secret_access_key = ${{ env.R2_ACCESS_KEY_SECRET }}
+        endpoint = ${{ env.R2_ENDPOINT }}
         " > ~/.config/rclone/rclone.conf
-        rclone copy --verbose ${{ inputs.filename }} r2:${R2_BUCKET}/
+        : # Loop over each filename in the array of filenames and upload each one.
+        IFS=$'\n'
+        for row in $(echo "${{ inputs.filenames }}" | tr "," "\n"); do
+          rclone copy --verbose "$row" r2:${{ env.R2_BUCKET }}/
+        done
@@ -24,7 +24,7 @@ defaults:
     shell: bash
 
 env:
-  FLEET_DESKTOP_VERSION: 1.24.0
+  FLEET_DESKTOP_VERSION: 1.25.0
 
 permissions:
   contents: read

diff --git a/.github/workflows/release-fleetd-base.yml b/.github/workflows/release-fleetd-base.yml
@@ -20,10 +20,10 @@ permissions:
 
 env:
   R2_ENDPOINT: ${{ secrets.R2_ENDPOINT }}
-  R2_ACCESS_KEY_ID: ${{ secrets.R2_DOWNLOAD_ACCESS_KEY_ID }} # Production: ${{ secrets.R2_DOWNLOAD_ACCESS_KEY_ID }} | Testing: ${{ secrets.R2_DOWNLOAD_TESTING_ACCESS_KEY_ID }}
-  R2_ACCESS_KEY_SECRET: ${{ secrets.R2_DOWNLOAD_ACCESS_KEY_SECRET }} # Production: ${{ secrets.R2_DOWNLOAD_ACCESS_KEY_SECRET }} | Testing: ${{ secrets.R2_DOWNLOAD_TESTING_ACCESS_KEY_SECRET }}
-  R2_BUCKET: download # Production: download | Testing: download-testing
-  BASE_URL: https://download.fleetdm.com # Production: https://download.fleetdm.com | Testing: https://download-testing.fleetdm.com
+  R2_ACCESS_KEY_ID: ${{ secrets.R2_DOWNLOAD_TESTING_ACCESS_KEY_ID }} # Production: ${{ secrets.R2_DOWNLOAD_ACCESS_KEY_ID }} | Testing: ${{ secrets.R2_DOWNLOAD_TESTING_ACCESS_KEY_ID }}
+  R2_ACCESS_KEY_SECRET: ${{ secrets.R2_DOWNLOAD_TESTING_ACCESS_KEY_SECRET }} # Production: ${{ secrets.R2_DOWNLOAD_ACCESS_KEY_SECRET }} | Testing: ${{ secrets.R2_DOWNLOAD_TESTING_ACCESS_KEY_SECRET }}
+  R2_BUCKET: download-testing # Production: download | Testing: download-testing
+  BASE_URL: https://download-testing.fleetdm.com # Production: https://download.fleetdm.com | Testing: https://download-testing.fleetdm.com
 
 jobs:
   check-for-fleetd-component-updates:
@@ -109,11 +109,40 @@ jobs:
         run: |
           fleetctl package --type pkg --fleet-desktop --use-system-configuration --sign-identity $PACKAGE_SIGNING_IDENTITY_SHA1 --notarize
           mv fleet-osquery*.pkg fleetd-base.pkg
+          : # Calculate the SHA256 checksum of the package for the next step
+          echo "FLEETD_BASE_PKG_CHECKSUM=$(shasum -a 256 fleetd-base.pkg | cut -d ' ' -f 1)" >> $GITHUB_ENV
+
+      - name: Create plist
+        run: |
+          echo '<plist version="1.0">
+            <dict>
+              <key>items</key>
+              <array>
+                <dict>
+                  <key>assets</key>
+                  <array>
+                    <dict>
+                      <key>kind</key>
+                      <string>software-package</string>
+                      <key>sha256-size</key>
+                      <integer>32</integer>
+                      <key>sha256s</key>
+                      <array>
+                        <string>${{ env.FLEETD_BASE_PKG_CHECKSUM }}</string>
+                      </array>
+                      <key>url</key>
+                      <string>${{ env.BASE_URL }}/fleetd-base.pkg</string>
+                    </dict>
+                  </array>
+                </dict>
+              </array>
+            </dict>
+          </plist>' > fleetd-base-manifest.plist
 
       - name: Upload package
         uses: ./.github/actions/r2-upload
         with:
-          filename: fleetd-base.pkg
+          filenames: fleetd-base.pkg,fleetd-base-manifest.plist
 
   update-fleetd-base-msi:
     needs: [check-for-fleetd-component-updates]
@@ -144,7 +173,7 @@ jobs:
       - name: Upload package
         uses: ./.github/actions/r2-upload
         with:
-          filename: fleetd-base.msi
+          filenames: fleetd-base.msi
 
   update-meta-json:
     needs: [update-fleetd-base-pkg, update-fleetd-base-msi]
@@ -174,4 +203,4 @@ jobs:
       - name: Upload meta.json
         uses: ./.github/actions/r2-upload
         with:
-          filename: meta.json
+          filenames: meta.json
@@ -37,36 +37,34 @@ jobs:
         run: |
           npm install && npm run test
 
+      - name: Set the version
+        working-directory: ./ee/fleetd-chrome
+        run: |
+          echo "FLEETD_CHROME_VERSION=$(npm pkg get version --workspaces=false | tr -d \")" >> $GITHUB_ENV
+
       - name: Build & sign extension
         working-directory: ./ee/fleetd-chrome
         env:
           CHROME_SIGNING_KEY: ${{ secrets.FLEETD_CHROME_SIGNING_KEY_BETA }}
         run: |
           echo -e 'FLEET_URL=""\nFLEET_ENROLL_SECRET=""' > .env
-          npm install && npm run build
+          npm run build
+          sed -i "s/FLEETD_CHROME_VERSION/${{ env.FLEETD_CHROME_VERSION }}/g" updates-beta.xml
           echo "$CHROME_SIGNING_KEY" > chrome.pem
           /usr/bin/google-chrome --pack-extension=./dist --pack-extension-key=chrome.pem
 
-      - name: Upload extension
+      - name: Prepare files for upload
         working-directory: ./ee/fleetd-chrome
-        env:
-          R2_ENDPOINT: ${{ secrets.R2_ENDPOINT }}
-          R2_CHROME_BETA_ACCESS_KEY_ID: ${{ secrets.R2_CHROME_BETA_ACCESS_KEY_ID }}
-          R2_CHROME_BETA_ACCESS_KEY_SECRET: ${{ secrets.R2_CHROME_BETA_ACCESS_KEY_SECRET }}
         run: |
-          sudo apt-get install rclone
-          mkdir -p ~/.config/rclone
-          echo "[r2]
-          type = s3
-          provider = Cloudflare
-          region = auto
-          no_check_bucket = true
-          access_key_id = $R2_CHROME_BETA_ACCESS_KEY_ID
-          secret_access_key = $R2_CHROME_BETA_ACCESS_KEY_SECRET
-          endpoint = $R2_ENDPOINT
-
-          " > ~/.config/rclone/rclone.conf
           mv dist.crx fleetd.crx
-          rclone copy fleetd.crx r2:chrome-beta/
           mv updates-beta.xml updates.xml
-          rclone copy updates.xml r2:chrome-beta/
+
+      - name: Upload extension
+        uses: ./.github/actions/r2-upload
+        env:
+          R2_ENDPOINT: ${{ secrets.R2_ENDPOINT }}
+          R2_ACCESS_KEY_ID: ${{ secrets.R2_CHROME_BETA_ACCESS_KEY_ID }}
+          R2_ACCESS_KEY_SECRET: ${{ secrets.R2_CHROME_BETA_ACCESS_KEY_SECRET }}
+          R2_BUCKET: chrome-beta
+        with:
+          filenames: ./ee/fleetd-chrome/fleetd.crx,./ee/fleetd-chrome/updates.xml
@@ -38,35 +38,33 @@ jobs:
         run: |
           npm install && npm run test
 
+      - name: Set the version
+        working-directory: ./ee/fleetd-chrome
+        run: |
+          echo "FLEETD_CHROME_VERSION=$(npm pkg get version --workspaces=false | tr -d \")" >> $GITHUB_ENV
+
       - name: Build & sign extension
         working-directory: ./ee/fleetd-chrome
         env:
           CHROME_SIGNING_KEY: ${{ secrets.FLEETD_CHROME_SIGNING_KEY }}
         run: |
           echo -e 'FLEET_URL=""\nFLEET_ENROLL_SECRET=""' > .env
-          npm install && npm run build
+          npm run build
+          sed -i "s/FLEETD_CHROME_VERSION/${{ env.FLEETD_CHROME_VERSION }}/g" updates.xml
           echo "$CHROME_SIGNING_KEY" > chrome.pem
           /usr/bin/google-chrome --pack-extension=./dist --pack-extension-key=chrome.pem
 
-      - name: Upload extension
+      - name: Prepare files for upload
         working-directory: ./ee/fleetd-chrome
-        env:
-          R2_ENDPOINT: ${{ secrets.R2_ENDPOINT }}
-          R2_CHROME_ACCESS_KEY_ID: ${{ secrets.R2_CHROME_ACCESS_KEY_ID }}
-          R2_CHROME_ACCESS_KEY_SECRET: ${{ secrets.R2_CHROME_ACCESS_KEY_SECRET }}
         run: |
-          sudo apt-get install rclone
-          mkdir -p ~/.config/rclone
-          echo "[r2]
-          type = s3
-          provider = Cloudflare
-          region = auto
-          no_check_bucket = true
-          access_key_id = $R2_CHROME_ACCESS_KEY_ID
-          secret_access_key = $R2_CHROME_ACCESS_KEY_SECRET
-          endpoint = $R2_ENDPOINT
-
-          " > ~/.config/rclone/rclone.conf
           mv dist.crx fleetd.crx
-          rclone copy fleetd.crx r2:chrome/
-          rclone copy updates.xml r2:chrome/
+
+      - name: Upload extension
+        uses: ./.github/actions/r2-upload
+        env:
+          R2_ENDPOINT: ${{ secrets.R2_ENDPOINT }}
+          R2_ACCESS_KEY_ID: ${{ secrets.R2_CHROME_ACCESS_KEY_ID }}
+          R2_ACCESS_KEY_SECRET: ${{ secrets.R2_CHROME_ACCESS_KEY_SECRET }}
+          R2_BUCKET: chrome
+        with:
+          filenames: ./ee/fleetd-chrome/fleetd.crx,./ee/fleetd-chrome/updates.xml
diff --git a/.vscode/settings.json b/.vscode/settings.json
@@ -38,5 +38,6 @@
     "prettier.requireConfig": true,
     "yaml.schemas": {
         "https://json.schemastore.org/codecov.json": ".github/workflows/codecov.yml"
-    }
+    },
+    "favorites.sortOrder": "ASC"
 }
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,60 @@
+## Fleet 4.50.0 (May 22, 2024)
+
+### Endpoint Operations
+
+- Added optional AI-generated policy descriptions and remediations. 
+- Added flag to enable deletion of old activities and associated data in cleanup cron job.
+- Added support for escaping `$` (with `\`) in gitops yaml files.
+- Optimized policy_stats updates to not lock the policy_membership table.
+- Optimized the hourly host_software count query to reduce individual query runtime.
+- Updated built-in labels to support being applied via `fleetctl apply`.
+
+### Device Management (MDM)
+
+- Added endpoints to upload, delete, and download software installers.
+- Added ability to upload software from the UI.
+- Added functionality to filter hosts by software installer status.
+- Added support to the global activity feed for "Added software" and "Deleted software" actions.
+- Added the `POST /api/fleet/orbit/software_install/result` endpoint for fleetd to send results for a software installation attempt.
+- Added the `GET /api/v1/fleet/hosts/{id}/software` endpoint to list the installed software for the host.
+- Added support for uploading and running zsh scripts on macOS and Linux hosts.
+- Added the `cron` job to periodically remove unused software installers from the store.
+- Added a new command `fleetctl api` to easily use fleetctl to hit any REST endpoint via the CLI.
+- Added support to extract package name and version from software installers.
+- Added the uninstalled but available software installers to the response payload of the "List software titles" endpoint.
+- Updated MySQL host_operating_system insert statement to reduce table lock time.
+- Updated software page to support new add software feature.
+- Updated fleetctl to print team id as part of the `fleetctl get teams` command.
+- Implemented an S3-based and local filesystem-based storage abstraction for software installers.
+
+### Vulnerability Management
+
+- Added OVAL vulnerability scanning support on Ubuntu 22.10, 23.04, 23.10, and 24.04.
+
+### Bug fixes and improvements
+
+- Fixed ingestion of private IPv6 address from agent.
+- Fixed a bug where a singular software version in the Software table generated a tooltip unnecessarily.
+- Fixed bug where updating user via `/api/v1/fleet/users/:id` endpoint sometimes did not update activity feed.
+- Fixed bug where hosts query results were not cleared after transferring the host to other teams.
+- Fixed a bug where the returned `count` field included hosts that the user did not have permission to see.
+- Fixed issue where resolved_in_version was not returning if the version number differed by a 4th part.
+- Fixed MySQL sort buffer overflow when fetching activities.
+- Fixed a bug with users not being collected on Linux devices.
+- Fixed typo in Powershell scripts for installing Windows software.
+- Fixed an issue with software severity column display in Fleet UI.
+- Fixed the icon on Software OS table to show a Linux icon for Linux operating systems.
+- Fixed missing tooltips in disabled "Calendar events" manage automations dropdown option.
+- Updated switched accordion text.
+- Updated sort the host details page queries table case-insensitively.
+- Added support for ExternalId in STS Assume Role APIs.
+
+## Fleet 4.49.4 (May 20, 2024)
+
+### Bug fixes
+
+* Fixed an issue with SCEP renewals that could prevent commands to renew from being enqueued.
+
 ## Fleet 4.49.3 (May 06, 2024)
 
 ### Bug fixes

diff --git a/CODEOWNERS b/CODEOWNERS
@@ -86,20 +86,26 @@ go.mod @fleetdm/go
 #
 # (see website/config/custom.js for DRIs of other paths not listed here)
 ##############################################################################################
-/handbook/company/README.md            @mikermcneil
-/handbook/company/communications.md    @mikermcneil
-/handbook/company/leadership.md        @mikermcneil
-/handbook/company/why-this-way.md      @mikermcneil
-/handbook/README.md                    @mikermcneil
-/handbook/company/open-positions.yml   @sampfluger88
-/handbook/company/product-groups.md    @mikermcneil @sampfluger88 @lukeheath
-/handbook/business-operations       @sampfluger88
-/handbook/digital-experience        @sampfluger88
-/handbook/customer-success          @sampfluger88
-/handbook/demand                    @sampfluger88
-/handbook/engineering               @sampfluger88 @lukeheath
-/handbook/sales                     @sampfluger88
-/handbook/product-design            @sampfluger88
+/handbook/company/README.md                                      @mikermcneil
+/handbook/company/communications.md                              @mikermcneil
+/handbook/company/leadership.md                                  @mikermcneil
+/handbook/company/why-this-way.md                                @mikermcneil
+/handbook/README.md                                              @mikermcneil
+/handbook/company/open-positions.yml                             @sampfluger88
+/handbook/company/product-groups.md                              @lukeheath
+/handbook/business-operations/README.md                          @sampfluger88
+/handbook/business-operations/business-operations.rituals.yml    @sampfluger88
+/handbook/business-operations/Application-security.md            @lukeheath
+/handbook/business-operations/security-audits.md                 @lukeheath
+/handbook/business-operations/security-policies.md               @lukeheath
+/handbook/business-operations/security.md                        @lukeheath
+/handbook/business-operations/vendor-questionnaires.md           @lukeheath
+/handbook/digital-experience                              @sampfluger88
+/handbook/customer-success                                @sampfluger88
+/handbook/demand                                          @sampfluger88
+/handbook/engineering                                     @sampfluger88 @lukeheath
+/handbook/sales                                           @sampfluger88
+/handbook/product-design                                  @sampfluger88
 
 ##############################################################################################
 # 🌐 GitHub issue templates

diff --git a/Dockerfile-desktop-linux b/Dockerfile-desktop-linux
@@ -1,4 +1,4 @@
-FROM --platform=linux/amd64 golang:1.21.7-bullseye@sha256:447afe790df28e0bc19d782a9f776a105ce3b8417cdd21f33affc4ed6d38f9d5
+FROM --platform=linux/amd64 golang:1.22.3-bullseye@sha256:78b171fe51f25b8c3197710f281dacae94759a254e9a486576005f9dadba9e7d
 LABEL maintainer="Fleet Developers"
 
 RUN mkdir -p /usr/src/fleet

diff --git a/SECURITY.md b/SECURITY.md
@@ -11,3 +11,6 @@ Fleet endeavors to acknowledge and fix any reported vulnerabilities ASAP. Acknow
 To encrypt vulnerability reports before sending them, please use this [PGP key](https://keys.openpgp.org/vks/v1/by-fingerprint/23A19D1F16D7184657D16D67320DB57DE4F0EE8F). 
 
 The fingerprint of the key is `23A1 9D1F 16D7 1846 57D1  6D67 320D B57D E4F0 EE8F`.
+
+### Vulnerability tracking
+GitHub issues concerning vulnerabilities will be tagged with the **security** label to differentiate them from other issues and maintain SOC2 compliance.  
diff --git a/articles/deploy-fleet-on-aws-ecs.md b/articles/deploy-fleet-on-aws-ecs.md
@@ -1,6 +1,6 @@
 # Deploy Fleet on AWS ECS
 
-> **This article was archived on May 15, 2024** and may be out of date. Check out [Deploy Fleet](https://fleetdm.com/docs/deploy/deploy-fleet) for our recommended deployment method.
+> **This article was archived on May 16, 2024,** and may be outdated. Check out [Deploy Fleet](https://fleetdm.com/docs/deploy/deploy-fleet) for our recommended deployment method.
 
 ![Deploy Fleet on AWS ECS](../website/assets/images/articles/[email protected])
 
@@ -30,7 +30,7 @@ Alternatively you can bake the prepare command into the same task definition see
 <meta name="articleTitle" value="Deploy Fleet on AWS ECS">
 <meta name="authorGitHubUsername" value="edwardsb">
 <meta name="authorFullName" value="Ben Edwards">
-<meta name="publishedOn" value="2022-02-14">
+<meta name="publishedOn" value="2021-10-06">
 <meta name="category" value="guides">
 <meta name="articleImageUrl" value="../website/assets/images/articles/[email protected]">
 <meta name="description" value="Information for deploying Fleet on AWS ECS.">
diff --git a/articles/deploy-fleet-on-aws-with-terraform.md b/articles/deploy-fleet-on-aws-with-terraform.md
@@ -1,13 +1,13 @@
 # Deploy Fleet on AWS with Terraform
 
+> **This article was archived on May 16, 2024,** and may be outdated. Check out [Deploy Fleet](https://fleetdm.com/docs/deploy/deploy-fleet) for our recommended deployment method.
+
 ![Deploy Fleet on AWS ECS](../website/assets/images/articles/[email protected])
 
 Learn how to deploy Fleet on AWS with Terraform IaC (infrastructure as code).
 
 Deploying on AWS with Fleet’s reference architecture is an easy way to get a fully functional Fleet instance that can scale to your needs.
 
-> Updated May 2023 to reflect Fleet's current Terraform Module setup. 
-
 ## Prerequisites:
 
 - AWS CLI installed and configured.
@@ -23,8 +23,7 @@ Remote state can be simple (local state) or complicated (S3, state locking, etc.
 
 ### Modules
 
-[Fleet terraform](https://github.com/fleetdm/fleet/tree/main/terraform) is made up of multiple modules. These modules can be used independently, or as group to stand up an opinionated
-set of infrastructure that we have found success with.
+[Fleet terraform](https://github.com/fleetdm/fleet/tree/main/terraform) is made up of multiple modules. These modules can be used independently, or as group to stand up an opinionated set of infrastructure that we have found success with.
 
 Each module defines the required resource and consumes the next nested module. The root module creates the VPC and then pulls in the `byo-vpc` module configuring it as necessary. The `byo-vpc` module creates the database and cache instances that get passed into the `byo-db` module. And finally the `byo-db` module creates the ECS cluster and load balancer to be consumed by the `byo-ecs` module.