Skip to content

Updated osquery-perf for certs#48499

Open
getvictor wants to merge 20 commits into
mainfrom
victor/31294-osquery-perf-windows-certs
Open

Updated osquery-perf for certs#48499
getvictor wants to merge 20 commits into
mainfrom
victor/31294-osquery-perf-windows-certs

Conversation

@getvictor

@getvictor getvictor commented Jun 30, 2026

Copy link
Copy Markdown
Member

Related issue: Resolves #31294

osquery-perf changes only

Checklist for submitter

  • QA'd all new/changed functionality manually

Summary by CodeRabbit

Summary by CodeRabbit

  • New Features

    • Added a richer certificate inventory simulation for the performance tool, including stable shared CA-like certificates and generated per-host certificates.
    • Improved macOS and Windows certificate output to more closely match expected formatting, including correct handling of user- vs machine-scoped entries.
  • Bug Fixes

    • Enhanced certificate caching and refresh behavior to reflect realistic churn over time (including occasional certificate updates).
    • Added support for expected duplicated certificate identities across scopes.

getvictor added 12 commits June 30, 2026 07:49
Surface the existing "Certificates" card on the host details page for
Windows hosts, with parity to macOS. Requires osquery 5.23.1 or higher.

Backend (server/service/osquery_utils/queries.go):
- certificates_windows query now selects sid, store_location, subject2,
  issuer2, gated by a Discovery query on the subject2 column so older
  osquery agents (< 5.23.1, which lack the column) collect nothing instead
  of erroring.
- Scope is derived from the registry hive SID (S-1-5-21-* => User, else
  System with no owner) rather than the username == "SYSTEM" heuristic,
  which mislabeled machine-wide LocalMachine certs. Dedup by
  (SHA1, scope, username) collapses redundant hive views.

DN parsing (server/fleet/host_certificates.go):
- Replace the parseWindowsDN stub with a real X.500 (CERT_X500_NAME_STR)
  parser for subject2/issuer2: comma-separated key=value RDNs, quoted
  values, multi-valued (+) RDNs. Shared CN/O/OU/C mapping with the macOS
  parser. Populates the Issuer column and details modal for Windows.

Reconciliation (server/datastore/mysql/host_certificates.go):
- UpdateHostCertificates takes an observedScopes argument. nil (macOS/MDM)
  reconciles every scope, unchanged. The Windows path passes the scopes it
  observed so a logged-off user's certificates (hive not loaded) are
  preserved rather than soft-deleted, while System is always observed.

Frontend:
- Un-gate the Certificates card for Windows hosts, rename the "Keychain"
  column to "Scope", and make the table help text platform-aware.

Claude-Session: https://claude.ai/code/session_01H3HZ8eEZcVZoBU9rjy6ci8
@getvictor

Copy link
Copy Markdown
Member Author

@coderabbitai full review

@getvictor

Copy link
Copy Markdown
Member Author

/agentic_review

@coderabbitai

coderabbitai Bot commented Jun 30, 2026

Copy link
Copy Markdown
Contributor
✅ Action performed

Full review finished.

@coderabbitai

coderabbitai Bot commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

Walkthrough

The change refactors certificate simulation in osquery-perf. In agent.go, the certificatesCache []map[string]string field is replaced with hostCertSpecs []simulatedCert, the encoding/hex import is removed, and the old inline certificatesDarwin/certificatesWindows implementations are deleted. A new certificates.go file introduces the simulatedCert model, shared certificate specs, cached per-host generation with churn, and Darwin/Windows row rendering with scope-specific fields and paths.

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (2 warnings)

Check name Status Explanation Resolution
Description check ⚠️ Warning The description is too sparse for the template; it lacks the required change summary, testing details, and explicit N/A handling for omitted sections. Add the missing template sections or clearly mark irrelevant items as N/A, including the change summary, testing plan, and any migration or load-testing notes.
Docstring Coverage ⚠️ Warning Docstring coverage is 75.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (3 passed)
Check name Status Explanation
Title check ✅ Passed The title is concise and accurately describes the main change: updating osquery-perf for certificate support.
Linked Issues check ✅ Passed The PR adds osquery-perf certificate simulation and platform-specific rendering, matching the issue's requested load-test environment updates.
Out of Scope Changes check ✅ Passed The changes stay within osquery-perf certificate simulation and rendering, with no obvious unrelated features added.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch victor/31294-osquery-perf-windows-certs

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@cmd/osquery-perf/certificates.go`:
- Around line 353-360: The simulator in certificates.go is emitting Windows-only
columns that the production host-detail query does not currently request, so
align the simulated result shape with the query in queries.go. Update the
Windows certificate payload built in the certificate generation path so the
fields exercised by osquery-perf match the production Windows certificate
columns selected by the host-detail query, using the existing helpers like
windowsDN and windowsLegacyDN where appropriate.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: b5a0b576-399f-465a-93cd-d0add9e6cef1

📥 Commits

Reviewing files that changed from the base of the PR and between a4086dc and 2491172.

📒 Files selected for processing (2)
  • cmd/osquery-perf/agent.go
  • cmd/osquery-perf/certificates.go

Comment thread cmd/osquery-perf/certificates.go Outdated
@qodo-free-for-open-source-projects

qodo-free-for-open-source-projects Bot commented Jun 30, 2026

Copy link
Copy Markdown

Code Review by Qodo

🐞 Bugs (1) 📘 Rule violations (0) 📎 Requirement gaps (0) 🎨 UX issues (0) 🔗 Cross-repo conflicts (0) 📜 Skill insights (0)

Grey Divider


Action required

1. Windows cert scope misread 🐞 Bug ≡ Correctness
Description
windowsRows emits machine-scoped cert rows with username="", but directIngestHostCertificatesWindows
determines system-vs-user scope using username=="SYSTEM", so machine certificates will be ingested
with the wrong Source and username semantics.
Code

cmd/osquery-perf/certificates.go[R372-378]

+	if !c.user {
+		row := maps.Clone(base)
+		row["sid"] = ""
+		row["username"] = ""
+		row["store_location"] = "LocalMachine"
+		row["path"] = "LocalMachine\\Personal"
+		return []map[string]string{row}
Evidence
osquery-perf emits username="" for machine certs, while Fleet’s Windows ingestion sets
Source=SystemHostCertificate only when username is exactly "SYSTEM"; tests also assert this
behavior.

cmd/osquery-perf/certificates.go[372-378]
server/service/osquery_utils/queries.go[3651-3655]
server/service/osquery_utils/queries_test.go[3162-3166]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
On Windows, osquery-perf currently emits machine-scoped certificate rows with `username: ""`. Fleet’s Windows certificate ingestion classifies system certificates solely via `username == "SYSTEM"`, so these rows will be ingested as user-scope with an empty username.
## Issue Context
Fleet’s `directIngestHostCertificatesWindows` sets `Source` based on `row["username"] == "SYSTEM"`.
## Fix Focus Areas
- cmd/osquery-perf/certificates.go[372-378]
## Suggested change
For the `!c.user` branch in `windowsRows`, set `row["username"] = "SYSTEM"` (and keep/adjust `path` as desired). This will align osquery-perf output with Fleet’s current Windows source-classification logic.

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools



Remediation recommended

2. Seed not applied to certs ✓ Resolved 🐞 Bug ☼ Reliability
Description
osquery-perf seeds math/rand with --seed, but the new certificate generator uses math/rand/v2, so
certificate generation/churn is not reproducible even when a fixed seed is provided.
Code

cmd/osquery-perf/certificates.go[R145-170]

+func (a *agent) generateCertSpecs() []simulatedCert {
+	a.certificatesMutex.Lock()
+	defer a.certificatesMutex.Unlock()
+
+	switch {
+	case a.hostCertSpecs == nil:
+		a.hostCertSpecs = a.newPerHostCertSpecs()
+	case rand.IntN(100) < 5:
+		// 5% chance for some of this host's certs to change between polls.
+		a.churnPerHostCertSpecs()
+	}
+
+	specs := make([]simulatedCert, 0, len(sharedCerts)+len(a.hostCertSpecs))
+	specs = append(specs, sharedCerts...)
+	specs = append(specs, a.hostCertSpecs...)
+	return specs
+}
+
+// newPerHostCertSpecs generates 0-10 certificates unique to this host, with
+// random (uuid) serials so each host's certs are distinct in the Fleet server.
+func (a *agent) newPerHostCertSpecs() []simulatedCert {
+	count := rand.IntN(11) // 0..10
+	users := a.hostUsers()
+	specs := make([]simulatedCert, 0, count+1)
+	for i := range count {
+		specs = append(specs, a.newPerHostCertSpec(i, users))
Evidence
The tool seeds math/rand only, while the certificate generator imports/uses math/rand/v2; therefore
the certificate RNG is not controlled by the --seed flag.

cmd/osquery-perf/agent.go[3642-3649]
cmd/osquery-perf/agent.go[3744-3746]
cmd/osquery-perf/certificates.go[3-10]
cmd/osquery-perf/certificates.go[145-155]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
The CLI `--seed` flag seeds `math/rand`, but the new certificate simulation uses `math/rand/v2` global functions, which are not affected by `math/rand.Seed`. This makes certificate output and churn non-deterministic even under a fixed `--seed`.
## Issue Context
`agent.go` calls `rand.Seed(*randSeed)` (math/rand). `certificates.go` imports and uses `math/rand/v2`.
## Fix Focus Areas
- cmd/osquery-perf/agent.go[3744-3746]
- cmd/osquery-perf/certificates.go[3-10]
- cmd/osquery-perf/certificates.go[145-170]
## Suggested change
Either:
1) Switch certificate generation to `math/rand` (replace `rand.IntN` with `rand.Intn`, adjust loops accordingly), so it follows the existing seeded RNG, OR
2) Create a per-agent `rand/v2` generator seeded from `--seed` and use it throughout the certificate generator instead of the `rand/v2` package-level functions.

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools


Grey Divider

Qodo Logo

Comment thread cmd/osquery-perf/certificates.go
Comment thread cmd/osquery-perf/certificates.go

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Updates osquery-perf’s simulated certificates detail-query output to better reflect cross-platform certificate ingestion needs (notably Windows), replacing the prior inlined generators in agent.go with a dedicated certificate generator module.

Changes:

  • Added a new certificate simulation/generation module with shared + per-host cert specs and platform-specific renderers (macOS + Windows).
  • Replaced the old per-platform certificate generators and cache in agent.go with a per-host spec cache (hostCertSpecs) guarded by a mutex.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File Description
cmd/osquery-perf/certificates.go New certificate spec generator and macOS/Windows row renderers for the certificates_* detail queries.
cmd/osquery-perf/agent.go Removes old certificate cache/generators and adds per-host cert spec storage on the agent.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread cmd/osquery-perf/certificates.go
Comment thread cmd/osquery-perf/certificates.go
@codecov

codecov Bot commented Jun 30, 2026

Copy link
Copy Markdown

Codecov Report

❌ Patch coverage is 0% with 163 lines in your changes missing coverage. Please review.
✅ Project coverage is 68.02%. Comparing base (516cef8) to head (0b51a17).

Files with missing lines Patch % Lines
cmd/osquery-perf/certificates.go 0.00% 163 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main   #48499      +/-   ##
==========================================
- Coverage   68.02%   68.02%   -0.01%     
==========================================
  Files        3679     3680       +1     
  Lines      233804   233868      +64     
  Branches    12453    12302     -151     
==========================================
+ Hits       159052   159079      +27     
- Misses      60446    60479      +33     
- Partials    14306    14310       +4     
Flag Coverage Δ
backend 69.65% <0.00%> (-0.03%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@qodo-free-for-open-source-projects

qodo-free-for-open-source-projects Bot commented Jun 30, 2026

Copy link
Copy Markdown

CI Feedback 🧐

(Feedback updated until commit 5a17bb8)

A test triggered by this PR failed. Here is an AI-generated analysis of the failure:

Action: test-go (fleetctl, mysql:8.0.44) / test

Failed stage: Run Go Tests [❌]

Failed test name: TestIntegrationsVulnerabilityDataStream

Failure summary:

The action failed because the Go integration test TestIntegrationsVulnerabilityDataStream failed
(reported at cmd/fleetctl/integrationtest/vuln, nettest.go:84).
The test repeatedly tried to
download the NVD CVE feed but received an HTTP 404 Not Found for:

https://github.com/fleetdm/vulnerabilities/releases/download/cve-202606291945/nvdcve-1.1-2021.meta

After exhausting its retry logic, the test failed, causing the overall make .run-go-tests job to
fail.

Relevant error logs:
1:  Runner name: 'ubuntu-8core-1000961168'
2:  Runner group name: 'default larger runners'
...

1561:  �[36;1mattempt=1�[0m
1562:  �[36;1m�[0m
1563:  �[36;1mwhile [ $attempt -le $max_attempts ]; do�[0m
1564:  �[36;1m  echo "Attempt $attempt of $max_attempts"�[0m
1565:  �[36;1m�[0m
1566:  �[36;1m  # Try to connect to MySQL�[0m
1567:  �[36;1m  if wait_for_mysql "mysql_test"; then�[0m
1568:  �[36;1m    # If MySQL is ready, try to connect to MySQL replica�[0m
1569:  �[36;1m    if wait_for_mysql "mysql_replica_test"; then�[0m
1570:  �[36;1m      # Both are ready, we're done�[0m
1571:  �[36;1m      echo "All MySQL connections successful"�[0m
1572:  �[36;1m      exit 0�[0m
1573:  �[36;1m    fi�[0m
1574:  �[36;1m  fi�[0m
1575:  �[36;1m�[0m
1576:  �[36;1m  # If we get here, at least one connection failed�[0m
1577:  �[36;1m  echo "Failed to connect to MySQL on attempt $attempt"�[0m
1578:  �[36;1m�[0m
1579:  �[36;1m  if [ $attempt -lt $max_attempts ]; then�[0m
1580:  �[36;1m    echo "Restarting containers and trying again..."�[0m
1581:  �[36;1m    restart_containers�[0m
1582:  �[36;1m  else�[0m
1583:  �[36;1m    echo "Maximum attempts reached. Failing the job."�[0m
1584:  �[36;1m    exit 1�[0m
...

1744:  make .run-go-tests PKG_TO_TEST="./cmd/fleetctl/..."
1745:  make[1]: Entering directory '/home/runner/work/fleet/fleet'
1746:  Running Go tests with gotestsum:
1747:  gotestsum --format=testdox --jsonfile=/tmp/test-output.json -- -tags full,fts5,netgo -run=  -v -race=false -timeout=20m  -parallel 8 -coverprofile=coverage.txt -covermode=atomic -coverpkg=github.com/fleetdm/fleet/v4/... ././cmd/fleetctl/... 
1748:  github.com/fleetdm/fleet/v4/cmd/fleetctl:
1749:  github.com/fleetdm/fleet/v4/cmd/fleetctl/fleetctl/fleetctltest:
1750:  github.com/fleetdm/fleet/v4/cmd/fleetctl/fleetctl/goquerycmd:
1751:  github.com/fleetdm/fleet/v4/cmd/fleetctl/fleetctl/testing_utils:
1752:  github.com/fleetdm/fleet/v4/cmd/fleetctl/integrationtest:
1753:  github.com/fleetdm/fleet/v4/cmd/fleetctl/integrationtest/package:
1754:  �[32m✓�[0m Package (3.99s)
1755:  �[32m✓�[0m Package - -use-sytem-configuration can't be used on installers that aren't pkg (0.00s)
1756:  �[32m✓�[0m Package deb (2.24s)
1757:  github.com/fleetdm/fleet/v4/cmd/fleetctl/integrationtest/preview:
1758:  �[32m✓�[0m Integrations preview (56.07s)
1759:  �[32m✓�[0m Preview fails on invalid license key (0.00s)
1760:  github.com/fleetdm/fleet/v4/cmd/fleetctl/fleetctl:
...

1865:  �[32m✓�[0m Apply specs deprecated keys app config windows updates.grace period days not a number (0.41s)
1866:  �[32m✓�[0m Apply specs deprecated keys app config windows updates.grace period days out of range (0.46s)
1867:  �[32m✓�[0m Apply specs deprecated keys config with FIM values for agent options (#869 9) (0.42s)
1868:  �[32m✓�[0m Apply specs deprecated keys config with blank required org name (0.54s)
1869:  �[32m✓�[0m Apply specs deprecated keys config with blank required server url (0.50s)
1870:  �[32m✓�[0m Apply specs deprecated keys config with invalid agent options command-line flags (0.45s)
1871:  �[32m✓�[0m Apply specs deprecated keys config with invalid agent options data type in dry-run (0.40s)
1872:  �[32m✓�[0m Apply specs deprecated keys config with invalid agent options data type with force (0.45s)
1873:  �[32m✓�[0m Apply specs deprecated keys config with invalid agent options in dry-run (0.50s)
1874:  �[32m✓�[0m Apply specs deprecated keys config with invalid key type (0.43s)
1875:  �[32m✓�[0m Apply specs deprecated keys config with invalid value for agent options command-line flags (0.40s)
1876:  �[32m✓�[0m Apply specs deprecated keys config with unknown key (0.57s)
1877:  �[32m✓�[0m Apply specs deprecated keys config with valid agent options command-line flags (0.45s)
1878:  �[32m✓�[0m Apply specs deprecated keys dry-run set with unsupported spec (0.43s)
1879:  �[32m✓�[0m Apply specs deprecated keys dry-run set with various specs, appconfig warning for legacy (0.48s)
1880:  �[32m✓�[0m Apply specs deprecated keys dry-run set with various specs, no errors (0.43s)
1881:  �[32m✓�[0m Apply specs deprecated keys empty config (0.46s)
...

1884:  �[32m✓�[0m Apply specs deprecated keys invalid agent options dry-run (0.56s)
1885:  �[32m✓�[0m Apply specs deprecated keys invalid agent options field type (0.50s)
1886:  �[32m✓�[0m Apply specs deprecated keys invalid agent options field type in overrides (0.47s)
1887:  �[32m✓�[0m Apply specs deprecated keys invalid agent options for existing team (0.38s)
1888:  �[32m✓�[0m Apply specs deprecated keys invalid agent options for new team (0.47s)
1889:  �[32m✓�[0m Apply specs deprecated keys invalid agent options force (0.58s)
1890:  �[32m✓�[0m Apply specs deprecated keys invalid known key's value type for team cannot be forced (0.59s)
1891:  �[32m✓�[0m Apply specs deprecated keys invalid team agent options command-line flag (0.65s)
1892:  �[32m✓�[0m Apply specs deprecated keys invalid top-level key for team (0.46s)
1893:  �[32m✓�[0m Apply specs deprecated keys macos updates deadline set but minimum version empty (0.39s)
1894:  �[32m✓�[0m Apply specs deprecated keys macos updates minimum version set but deadline empty (0.57s)
1895:  �[32m✓�[0m Apply specs deprecated keys macos updates.deadline with incomplete date (0.59s)
1896:  �[32m✓�[0m Apply specs deprecated keys macos updates.deadline with invalid date (0.42s)
1897:  �[32m✓�[0m Apply specs deprecated keys macos updates.deadline with timestamp (0.51s)
1898:  �[32m✓�[0m Apply specs deprecated keys macos updates.minimum version with build version (0.41s)
1899:  �[32m✓�[0m Apply specs deprecated keys missing required failing policies destination url (0.43s)
1900:  �[32m✓�[0m Apply specs deprecated keys missing required host status days count (0.50s)
...

1908:  �[32m✓�[0m Apply specs deprecated keys team config macos settings.enable disk encryption true (0.39s)
1909:  �[32m✓�[0m Apply specs deprecated keys team config macos settings.enable disk encryption with invalid value type (0.38s)
1910:  �[32m✓�[0m Apply specs deprecated keys team config macos settings.enable disk encryption without a value (0.43s)
1911:  �[32m✓�[0m Apply specs deprecated keys unknown key for team can be forced (0.49s)
1912:  �[32m✓�[0m Apply specs deprecated keys valid team agent options command-line flag (0.50s)
1913:  �[32m✓�[0m Apply specs deprecated keys windows updates unset valid (0.42s)
1914:  �[32m✓�[0m Apply specs deprecated keys windows updates valid (0.47s)
1915:  �[32m✓�[0m Apply specs deprecated keys windows updates.deadline days but grace period empty (0.43s)
1916:  �[32m✓�[0m Apply specs deprecated keys windows updates.deadline days not a number (0.44s)
1917:  �[32m✓�[0m Apply specs deprecated keys windows updates.deadline days out of range (0.59s)
1918:  �[32m✓�[0m Apply specs deprecated keys windows updates.grace period days but deadline empty (0.43s)
1919:  �[32m✓�[0m Apply specs deprecated keys windows updates.grace period days not a number (0.37s)
1920:  �[32m✓�[0m Apply specs deprecated keys windows updates.grace period days out of range (0.38s)
1921:  �[32m✓�[0m Apply specs dry-run set with unsupported spec (0.36s)
1922:  �[32m✓�[0m Apply specs dry-run set with various specs, appconfig warning for legacy (0.43s)
1923:  �[32m✓�[0m Apply specs dry-run set with various specs, no errors (0.36s)
1924:  �[32m✓�[0m Apply specs empty config (0.47s)
...

1927:  �[32m✓�[0m Apply specs invalid agent options dry-run (0.44s)
1928:  �[32m✓�[0m Apply specs invalid agent options field type (0.51s)
1929:  �[32m✓�[0m Apply specs invalid agent options field type in overrides (0.53s)
1930:  �[32m✓�[0m Apply specs invalid agent options for existing team (0.50s)
1931:  �[32m✓�[0m Apply specs invalid agent options for new team (0.36s)
1932:  �[32m✓�[0m Apply specs invalid agent options force (0.40s)
1933:  �[32m✓�[0m Apply specs invalid known key's value type for team cannot be forced (0.42s)
1934:  �[32m✓�[0m Apply specs invalid team agent options command-line flag (0.46s)
1935:  �[32m✓�[0m Apply specs invalid top-level key for team (0.45s)
1936:  �[32m✓�[0m Apply specs macos updates deadline set but minimum version empty (0.48s)
1937:  �[32m✓�[0m Apply specs macos updates minimum version set but deadline empty (0.38s)
1938:  �[32m✓�[0m Apply specs macos updates.deadline with incomplete date (0.38s)
1939:  �[32m✓�[0m Apply specs macos updates.deadline with invalid date (0.47s)
1940:  �[32m✓�[0m Apply specs macos updates.deadline with timestamp (0.41s)
1941:  �[32m✓�[0m Apply specs macos updates.minimum version with build version (0.43s)
1942:  �[32m✓�[0m Apply specs missing required failing policies destination url (0.46s)
1943:  �[32m✓�[0m Apply specs missing required host status days count (0.41s)
...

1962:  �[32m✓�[0m Apply specs windows updates.grace period days not a number (0.32s)
1963:  �[32m✓�[0m Apply specs windows updates.grace period days out of range (0.44s)
1964:  �[32m✓�[0m Apply team specs (0.61s)
1965:  �[32m✓�[0m Apply user roles (0.40s)
1966:  �[32m✓�[0m Apply user roles deprecated (0.56s)
1967:  �[32m✓�[0m Apply windows updates (0.34s)
1968:  �[32m✓�[0m Apply windows updates field omitted (0.00s)
1969:  �[32m✓�[0m Apply windows updates with null values (0.00s)
1970:  �[32m✓�[0m Apply windows updates with values (0.00s)
1971:  �[32m✓�[0m Can apply intervals in nanoseconds (0.44s)
1972:  �[32m✓�[0m Can apply intervals using durations (0.38s)
1973:  �[32m✓�[0m Clean status code err (0.00s)
1974:  �[32m✓�[0m Clean status code err bare wrapped status code err (0.00s)
1975:  �[32m✓�[0m Clean status code err nil (0.00s)
1976:  �[32m✓�[0m Clean status code err outer-wrapped status code err (0.00s)
1977:  �[32m✓�[0m Clean status code err plain error untouched (0.00s)
1978:  �[32m✓�[0m Compute label changes (0.00s)
...

2034:  �[32m✓�[0m Filename functions (0.00s)
2035:  �[32m✓�[0m Filename functions outfile name builds a file name using the name provided + current time (0.00s)
2036:  �[32m✓�[0m Filename functions outfile name with ext builds a file name using the name and extension provided + current time (0.00s)
2037:  �[32m✓�[0m FleetctlUpgradePacks empty packs (0.37s)
2038:  �[32m✓�[0m FleetctlUpgradePacks no pack (0.49s)
2039:  �[32m✓�[0m FleetctlUpgradePacks non empty (0.44s)
2040:  �[32m✓�[0m FleetctlUpgradePacks not admin (0.35s)
2041:  �[32m✓�[0m Format XML (0.00s)
2042:  �[32m✓�[0m Format XML XML with attributes (0.00s)
2043:  �[32m✓�[0m Format XML basic XML (0.00s)
2044:  �[32m✓�[0m Format XML empty XML (0.00s)
2045:  �[32m✓�[0m Format XML invalid XML (0.00s)
2046:  �[32m✓�[0m Format XML nested XML (0.00s)
2047:  �[32m✓�[0m Generate MDM apple (0.90s)
2048:  �[32m✓�[0m Generate MDM apple BM (0.38s)
2049:  �[32m✓�[0m Generate MDM apple CSR API call fails (0.42s)
2050:  �[32m✓�[0m Generate MDM apple successful run (0.48s)
2051:  �[32m✓�[0m Generate MDMVPP tokens (0.00s)
2052:  �[32m✓�[0m Generate MDMVPP tokens get VPP tokens error (0.00s)
2053:  �[32m✓�[0m Generate MDMVPP tokens multiple tokens with different teams (0.00s)
...

2071:  �[32m✓�[0m Generate org settings masked google workspace api key (0.00s)
2072:  �[32m✓�[0m Generate policies (0.00s)
2073:  �[32m✓�[0m Generate policies patch policy orphaned from fleet maintained app (0.00s)
2074:  �[32m✓�[0m Generate queries (0.00s)
2075:  �[32m✓�[0m Generate software (0.00s)
2076:  �[32m✓�[0m Generate software auto update schedule (0.00s)
2077:  �[32m✓�[0m Generate software script packages (0.00s)
2078:  �[32m✓�[0m Generate team settings (0.00s)
2079:  �[32m✓�[0m Generate team settings insecure (0.00s)
2080:  �[32m✓�[0m Generated org settings no SSO (0.00s)
2081:  �[32m✓�[0m Generated org settings okta conditional access not included (0.00s)
2082:  �[32m✓�[0m Get MDM command results (0.34s)
2083:  �[32m✓�[0m Get MDM command results command flag required (0.00s)
2084:  �[32m✓�[0m Get MDM command results command not found (0.01s)
2085:  �[32m✓�[0m Get MDM command results command results empty (0.01s)
2086:  �[32m✓�[0m Get MDM command results command results error (0.01s)
2087:  �[32m✓�[0m Get MDM command results darwin command results (0.00s)
2088:  �[32m✓�[0m Get MDM command results host specific results (0.01s)
2089:  �[32m✓�[0m Get MDM command results windows command results (0.00s)
2090:  �[32m✓�[0m Get MDM commands (0.39s)
2091:  �[32m✓�[0m Get apple BM (1.84s)
2092:  �[32m✓�[0m Get apple BM free license (0.53s)
2093:  �[32m✓�[0m Get apple BM premium license, multiple tokens (0.41s)
2094:  �[32m✓�[0m Get apple BM premium license, no token (0.37s)
2095:  �[32m✓�[0m Get apple BM premium license, single token (0.54s)
2096:  �[32m✓�[0m Get apple MDM (0.33s)
2097:  �[32m✓�[0m Get carve (0.54s)
2098:  �[32m✓�[0m Get carve with error (0.38s)
2099:  �[32m✓�[0m Get carves (0.45s)
...

2113:  �[32m✓�[0m Get hosts MDM get hosts - -mdm - -mdm-pending - (0.01s)
2114:  �[32m✓�[0m Get hosts MDM get hosts - -mdm-pending - -yaml - expected list hosts yaml.yml (0.01s)
2115:  �[32m✓�[0m Get hosts get hosts - -json - -remove-deprecated-keys (0.00s)
2116:  �[32m✓�[0m Get hosts get hosts - -json - expected list hosts json.json (0.00s)
2117:  �[32m✓�[0m Get hosts get hosts - -json test host - expected host detail response json.json (0.00s)
2118:  �[32m✓�[0m Get hosts get hosts - -yaml - expected list hosts yaml.yml (0.00s)
2119:  �[32m✓�[0m Get hosts get hosts - -yaml test host - expected host detail response yaml.yml (0.01s)
2120:  �[32m✓�[0m Get label (0.37s)
2121:  �[32m✓�[0m Get label usage include and exclude allowed (0.00s)
2122:  �[32m✓�[0m Get label usage include and exclude allowed macos (0.00s)
2123:  �[32m✓�[0m Get label usage include and exclude allowed macos# 01 (0.00s)
2124:  �[32m✓�[0m Get label usage include and exclude allowed macos# 02 (0.00s)
2125:  �[32m✓�[0m Get label usage include and exclude allowed windows (0.00s)
2126:  �[32m✓�[0m Get label usage include and exclude allowed windows# 01 (0.00s)
2127:  �[32m✓�[0m Get label usage include and exclude allowed windows# 02 (0.00s)
2128:  �[32m✓�[0m Get label usage include exclude overlap error (0.00s)
2129:  �[32m✓�[0m Get label usage include exclude overlap error macos (0.00s)
2130:  �[32m✓�[0m Get label usage include exclude overlap error macos# 01 (0.00s)
2131:  �[32m✓�[0m Get label usage include exclude overlap error macos# 02 (0.00s)
2132:  �[32m✓�[0m Get label usage include exclude overlap error windows (0.00s)
2133:  �[32m✓�[0m Get label usage include exclude overlap error windows# 01 (0.00s)
2134:  �[32m✓�[0m Get label usage include exclude overlap error windows# 02 (0.00s)
2135:  �[32m✓�[0m Get label usage multiple label keys error (0.00s)
2136:  �[32m✓�[0m Get label usage multiple label keys error macos (0.00s)
2137:  �[32m✓�[0m Get label usage multiple label keys error windows (0.00s)
2138:  �[32m✓�[0m Get label usage policy scopes (0.00s)
...

2154:  �[32m✓�[0m Get queries as observer team observer (0.01s)
2155:  �[32m✓�[0m Get query (0.45s)
2156:  �[32m✓�[0m Get query labels include all (0.40s)
2157:  �[32m✓�[0m Get reports labels include all (0.67s)
2158:  �[32m✓�[0m Get software titles (0.41s)
2159:  �[32m✓�[0m Get software versions (0.42s)
2160:  �[32m✓�[0m Get teams (0.91s)
2161:  �[32m✓�[0m Get teams YAML and apply (0.43s)
2162:  �[32m✓�[0m Get teams by name (0.42s)
2163:  �[32m✓�[0m Get teams expired license (0.53s)
2164:  �[32m✓�[0m Get teams not expired license (0.38s)
2165:  �[32m✓�[0m Get teams software from source of truth (0.45s)
2166:  �[32m✓�[0m Get user roles (0.43s)
2167:  �[32m✓�[0m Git ops ABM (5.84s)
2168:  �[32m✓�[0m Git ops ABM backwards compat (0.56s)
2169:  �[32m✓�[0m Git ops ABM both keys errors (0.53s)
2170:  �[32m✓�[0m Git ops ABM deprecated config with two tokens in the db fails (0.43s)
2171:  �[32m✓�[0m Git ops ABM new key all valid (0.63s)
2172:  �[32m✓�[0m Git ops ABM new key multiple elements (0.67s)
2173:  �[32m✓�[0m Git ops ABM no team is supported (0.50s)
2174:  �[32m✓�[0m Git ops ABM non existent org name fails (0.54s)
2175:  �[32m✓�[0m Git ops ABM not provided teams defaults to no team (0.66s)
2176:  �[32m✓�[0m Git ops ABM renamed new key all valid (0.67s)
2177:  �[32m✓�[0m Git ops ABM using an undefined team errors (0.65s)
2178:  �[32m✓�[0m Git ops EULA setting (4.17s)
...

2181:  �[32m✓�[0m Git ops EULA setting not a PDF file (0.45s)
2182:  �[32m✓�[0m Git ops EULA setting relative path to working dir to pdf file (no existing EULA uploaded) (0.51s)
2183:  �[32m✓�[0m Git ops EULA setting relative path to yaml file to pdf file (no existing EULA uploaded) (0.48s)
2184:  �[32m✓�[0m Git ops EULA setting uploading the same EULA again (0.49s)
2185:  �[32m✓�[0m Git ops EULA setting valid new pdf file (different EULA already uploaded) (0.65s)
2186:  �[32m✓�[0m Git ops EULA setting valid pdf file (no existing EULA uploaded) (0.45s)
2187:  �[32m✓�[0m Git ops MDM auth settings (0.61s)
2188:  �[32m✓�[0m Git ops SMTP settings (0.59s)
2189:  �[32m✓�[0m Git ops SSO server URL (0.53s)
2190:  �[32m✓�[0m Git ops SSO settings (0.57s)
2191:  �[32m✓�[0m Git ops android certificates add (0.48s)
2192:  �[32m✓�[0m Git ops android certificates change (0.55s)
2193:  �[32m✓�[0m Git ops android certificates delete all (0.58s)
2194:  �[32m✓�[0m Git ops android certificates delete one (0.45s)
2195:  �[32m✓�[0m Git ops app store app auto update (0.50s)
2196:  �[32m✓�[0m Git ops app store app auto update invalid auto-update window triggers error and does not call update software title auto update config (0.02s)
2197:  �[32m✓�[0m Git ops app store app auto update no auto update settings and no existing schedule does not call update software title auto update config (0.02s)
2198:  �[32m✓�[0m Git ops app store app auto update update software title auto update config is applied for i OS VPP apps (0.03s)
2199:  �[32m✓�[0m Git ops app store app auto update update software title auto update config is not called when no VPP apps provided (0.02s)
2200:  �[32m✓�[0m Git ops apple OS updates (0.40s)
2201:  �[32m✓�[0m Git ops apple OS updates ios updates (0.01s)
2202:  �[32m✓�[0m Git ops apple OS updates ios updates os updated when existing OS update declaration (0.01s)
2203:  �[32m✓�[0m Git ops apple OS updates ipados updates (0.01s)
2204:  �[32m✓�[0m Git ops apple OS updates ipados updates os updated when existing OS update declaration (0.01s)
2205:  �[32m✓�[0m Git ops apple OS updates macos updates (0.01s)
2206:  �[32m✓�[0m Git ops apple OS updates macos updates os updated when existing OS update declaration (0.01s)
2207:  �[32m✓�[0m Git ops basic global and no team (0.58s)
2208:  �[32m✓�[0m Git ops basic global and no team basic global and no-team.yml (0.07s)
2209:  �[32m✓�[0m Git ops basic global and no team both global and no-team.yml define controls -- should fail (0.02s)
2210:  �[32m✓�[0m Git ops basic global and no team controls only defined in no-team.yml (0.06s)
2211:  �[32m✓�[0m Git ops basic global and no team global DOES NOT define controls -- should fail (0.01s)
2212:  �[32m✓�[0m Git ops basic global and no team global and no-team.yml DO NOT define controls -- should fail (0.01s)
2213:  �[32m✓�[0m Git ops basic global and no team global defines software -- should fail (0.01s)
2214:  �[32m✓�[0m Git ops basic global and no team no-team provided without global -- should fail (0.02s)
2215:  �[32m✓�[0m Git ops basic global and no team no-team.yml defines policy with calendar events enabled -- should fail (0.01s)
2216:  �[32m✓�[0m Git ops basic global and no team unassigned provided without global -- should fail (0.01s)
2217:  �[32m✓�[0m Git ops basic global and team (0.74s)
...

2223:  �[32m✓�[0m Git ops custom settings global macos windows custom settings valid.yml (0.48s)
2224:  �[32m✓�[0m Git ops custom settings global windows custom settings invalid label mix 2 .yml (0.61s)
2225:  �[32m✓�[0m Git ops custom settings global windows custom settings invalid label mix.yml (0.49s)
2226:  �[32m✓�[0m Git ops custom settings global windows custom settings unknown label.yml (0.52s)
2227:  �[32m✓�[0m Git ops custom settings team macos custom settings valid deprecated.yml (0.70s)
2228:  �[32m✓�[0m Git ops custom settings team macos windows custom settings invalid labels mix 2 .yml (0.62s)
2229:  �[32m✓�[0m Git ops custom settings team macos windows custom settings invalid labels mix.yml (0.41s)
2230:  �[32m✓�[0m Git ops custom settings team macos windows custom settings unknown label.yml (0.50s)
2231:  �[32m✓�[0m Git ops custom settings team macos windows custom settings valid.yml (0.51s)
2232:  �[32m✓�[0m Git ops dry run rejects invalid label platform (0.52s)
2233:  �[32m✓�[0m Git ops exception enforcement (0.49s)
2234:  �[32m✓�[0m Git ops exception enforcement free tier (0.36s)
2235:  �[32m✓�[0m Git ops exceptions preserve omitted keys (0.42s)
2236:  �[32m✓�[0m Git ops features (0.60s)
2237:  �[32m✓�[0m Git ops filename validation (0.00s)
2238:  �[32m✓�[0m Git ops fleet failing policies webhook policy IDs (0.46s)
2239:  �[32m✓�[0m Git ops fleet webhooks and tickets enabled (0.53s)
...

2396:  �[32m✓�[0m New basic file structure has expected files (0.00s)
2397:  �[32m✓�[0m New basic file structure replaces and escapes org name template var (0.00s)
2398:  �[32m✓�[0m New basic file structure strips .template. from output filenames (0.00s)
2399:  �[32m✓�[0m New dir flag (0.01s)
2400:  �[32m✓�[0m New existing dir with force (0.01s)
2401:  �[32m✓�[0m New existing dir without force (0.00s)
2402:  �[32m✓�[0m New org name YAML quoting (0.01s)
2403:  �[32m✓�[0m New org name validation (0.01s)
2404:  �[32m✓�[0m New org name validation at max length (0.01s)
2405:  �[32m✓�[0m New org name validation control characters stripped (0.01s)
2406:  �[32m✓�[0m New org name validation only control characters (0.00s)
2407:  �[32m✓�[0m New org name validation only whitespace (0.00s)
2408:  �[32m✓�[0m New org name validation too long (0.00s)
2409:  �[32m✓�[0m New output messages (0.01s)
2410:  �[32m✓�[0m New template stripping (0.01s)
2411:  �[32m✓�[0m Print auth error (0.42s)
2412:  �[32m✓�[0m Print auth error SSO disabled shows default login message (0.00s)
2413:  �[32m✓�[0m Print auth error SSO enabled shows SSO instructions (0.00s)
2414:  �[32m✓�[0m Render template (0.00s)
...

2434:  �[32m✓�[0m Run api command get scripts full path missing (0.00s)
2435:  �[32m✓�[0m Run api command get scripts team (0.00s)
2436:  �[32m✓�[0m Run api command get scripts team no cache (0.00s)
2437:  �[32m✓�[0m Run api command get typo (0.00s)
2438:  �[32m✓�[0m Run api command upload script (0.00s)
2439:  �[32m✓�[0m Run script command (0.54s)
2440:  �[32m✓�[0m Run script command disabled scripts globally (0.00s)
2441:  �[32m✓�[0m Run script command host not found (0.00s)
2442:  �[32m✓�[0m Run script command invalid file type (0.00s)
2443:  �[32m✓�[0m Run script command invalid hashbang (0.00s)
2444:  �[32m✓�[0m Run script command invalid utf 8 (0.01s)
2445:  �[32m✓�[0m Run script command missing one of script-path and script-nqme (0.00s)
2446:  �[32m✓�[0m Run script command output truncated (0.01s)
2447:  �[32m✓�[0m Run script command posix shell hashbang (0.01s)
2448:  �[32m✓�[0m Run script command script empty (0.01s)
2449:  �[32m✓�[0m Run script command script failed (0.01s)
2450:  �[32m✓�[0m Run script command script killed (0.01s)
...

2505:  �[32m✓�[0m Validate git ops group EUA global-only run degrades id p but the team's in-run file disables EU A: accepted (0.00s)
2506:  �[32m✓�[0m Validate git ops group EUA global-only run degrades id p while a stored team keeps EUA on: rejected (#4337 1) (0.00s)
2507:  �[32m✓�[0m Validate git ops group EUA no EUA enabled anywhere is accepted (0.00s)
2508:  �[32m✓�[0m Validate git ops group EUA team enables EU A, global file adds complete id P: accepted (0.00s)
2509:  �[32m✓�[0m Validate git ops group EUA team enables EU A, global file adds id p missing entity id: rejected (0.00s)
2510:  �[32m✓�[0m Validate git ops group EUA team enables EU A, global file omits id P, stored has id P: rejected (overwrite clears) (0.00s)
2511:  �[32m✓�[0m Validate git ops group EUA team enables EU A, stored has id P, no global file: accepted (0.00s)
2512:  �[32m✓�[0m Validate git ops group EUA team enables EU A, stored has no id P, no global file: rejected (0.00s)
2513:  github.com/fleetdm/fleet/v4/cmd/fleetctl/integrationtest/gitops:
2514:  �[32m✓�[0m Git ops VPP (4.88s)
2515:  �[32m✓�[0m Git ops VPP all fleets is supported (0.58s)
2516:  �[32m✓�[0m Git ops VPP all teams is supported (0.64s)
2517:  �[32m✓�[0m Git ops VPP new key all valid (0.68s)
2518:  �[32m✓�[0m Git ops VPP new key multiple elements (0.63s)
2519:  �[32m✓�[0m Git ops VPP no team is supported (0.62s)
2520:  �[32m✓�[0m Git ops VPP non existent location fails (0.56s)
2521:  �[32m✓�[0m Git ops VPP not provided teams defaults to no team (0.57s)
2522:  �[32m✓�[0m Git ops VPP using an undefined team errors (0.62s)
2523:  �[32m✓�[0m Git ops existing team VPP apps with missing team (0.50s)
...

2616:  �[32m✓�[0m Git ops team software installers team software installer with display name.yml (1.49s)
2617:  �[32m✓�[0m Integrations enterprise gitops (318.46s)
2618:  �[32m✓�[0m Integrations enterprise gitops test CA integrations (3.96s)
2619:  �[32m✓�[0m Integrations enterprise gitops test FMA labels include all (6.07s)
2620:  �[32m✓�[0m Integrations enterprise gitops test IPA software installers (10.60s)
2621:  �[32m✓�[0m Integrations enterprise gitops test JSON configuration profile escaping (1.29s)
2622:  �[32m✓�[0m Integrations enterprise gitops test add manual labels (1.60s)
2623:  �[32m✓�[0m Integrations enterprise gitops test configuration profile escaping (1.42s)
2624:  �[32m✓�[0m Integrations enterprise gitops test delete CA with certificate templates (6.00s)
2625:  �[32m✓�[0m Integrations enterprise gitops test delete mac OS setup (4.99s)
2626:  �[32m✓�[0m Integrations enterprise gitops test deleting no team YAML (2.66s)
2627:  �[32m✓�[0m Integrations enterprise gitops test disallow software setup experience (123.72s)
2628:  �[32m✓�[0m Integrations enterprise gitops test disallow software setup experience all VPP with setup experience (1.22s)
2629:  �[32m✓�[0m Integrations enterprise gitops test disallow software setup experience no team VPP (1.13s)
2630:  �[32m✓�[0m Integrations enterprise gitops test disallow software setup experience no team installers (60.53s)
2631:  �[32m✓�[0m Integrations enterprise gitops test disallow software setup experience packages fail (60.66s)
2632:  �[32m✓�[0m Integrations enterprise gitops test dry run mac OS setup script with manual agent install conflict (0.44s)
...

2664:  �[32m✓�[0m Integrations enterprise gitops test special case teams VPP apps (3.82s)
2665:  �[32m✓�[0m Integrations enterprise gitops test special case teams VPP apps all teams (2.41s)
2666:  �[32m✓�[0m Integrations enterprise gitops test special case teams VPP apps no team (1.25s)
2667:  �[32m✓�[0m Integrations enterprise gitops test unset configuration profile labels (4.96s)
2668:  �[32m✓�[0m Integrations enterprise gitops test unset software installer labels (11.43s)
2669:  �[32m✓�[0m Integrations enterprise starter library (4.99s)
2670:  �[32m✓�[0m Integrations enterprise starter library test apply starter library premium (3.55s)
2671:  �[32m✓�[0m Integrations gitops (2.38s)
2672:  �[32m✓�[0m Integrations gitops test fleet gitops (0.53s)
2673:  �[32m✓�[0m Integrations gitops test fleet gitops DDM fleet vars requires premium (0.11s)
2674:  �[32m✓�[0m Integrations gitops test fleet gitops with fleet secrets (0.24s)
2675:  �[32m✓�[0m Integrations starter library (1.62s)
2676:  �[32m✓�[0m Integrations starter library test apply starter library free (0.19s)
2677:  github.com/fleetdm/fleet/v4/cmd/fleetctl/integrationtest/vuln:
2678:  �[31m✖�[0m Integrations vulnerability data stream (980.28s)
2679:  === �[31mFailed�[0m
2680:  === �[31mFAIL�[0m: cmd/fleetctl/integrationtest/vuln TestIntegrationsVulnerabilityDataStream (980.28s)
2681:  nettest.go:33: network test start: TestIntegrationsVulnerabilityDataStream
2682:  nettest.go:84: TestIntegrationsVulnerabilityDataStream: retrying error: Error downloading NVD CVE feed: download nvd cve feed: download nvd cve feed: 1 synchronisation error:
2683:  unexpected http response from "https://github.com/fleetdm/vulnerabilities/releases/download/cve-202606291945/nvdcve-1.1-2021.meta" ("404 Not Found"): "\n\n\n\n\n\n\n\n<!DOCTYPE html>\n<html\n  lang=\"en\"\n  \n  data-color-mode=\"auto\" data-light-theme=\"light\" data-dark-theme=\"dark\"\n  data-a11y-animated-images=\"system\" data-a11y-link-underlines=\"true\"\n  \n  >\n\n\n\n\n  <head>\n    <meta charset=\"utf-8\">\n  <link rel=\"dns-prefetch\" href=\"https://github.githubassets.com\">\n  <link rel=\"dns-prefetch\" href=\"https://avatars.githubusercontent.com\">\n  <link rel=\"dns-prefetch\" href=\"https://github-cloud.s3.amazonaws.com\">\n  <link rel=\"dns-prefetch\" href=\"https://user-images.githubusercontent.com/\">\n  <link rel=\"preconnect\" href=\"https://github.githubassets.com\" crossorigin>\n  <link rel=\"preconnect\" href=\"https://avatars.githubusercontent.com\">\n\n      <link crossorigin=\"anonymous\" rel=\"preload\" as=\"script\" href=\"https://github.githubassets.com/assets/global-banner-disable-f33ea31fa5ffa501.js\" />\n\n  <link rel=\"preload\" href=\"https://github.githubassets.com/assets/MonaSansVF-wdth-wght-opsz-902d64c7ad02.woff2\" as=\"font\" type=\"font/woff2\" crossorigin>\n\n\n  <link crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" href=\"https://github.githubassets.com/assets/light-4fded0090af0ad58.css\" /><link crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" href=\"https://github.githubassets.com/assets/light_high_contrast-cf8e26bc17e62ebc.css\" /><link crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" href=\"https://github.githubassets.com/assets/dark-06381ff23d863842.css\" /><link crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" href=\"https://github.githubassets.com/assets/dark_high_contrast-9023e6605402defb.css\" /><link data-color-theme=\"light\" crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" data-href=\"https://github.githubassets.com/assets/light-4fded0090af0ad58.css\" /><link data-color-theme=\"light_high_contrast\" crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" data-href=\"https://github.githubassets.com/assets/light_high_contrast-cf8e26bc17e62ebc.css\" /><link data-color-theme=\"light_colorblind\" crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" data-href=\"https://github.githubassets.com/assets/light_colorblind-3a437477a570cc40.css\" /><link data-color-theme=\"light_colorblind_high_contrast\" crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" data-href=\"https://github.githubassets.com/assets/light_colorblind_high_contrast-39b6c209db5491c9.css\" /><link data-color-theme=\"light_tritanopia\" crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" data-href=\"https://github.githubassets.com/assets/light_tritanopia-3822234d6c03b00b.css\" /><link data-color-theme=\"light_tritanopia_high_contrast\" crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" data-href=\"https://github.githubassets.com/assets/light_tritanopia_high_contrast-33857254a8064bf7.css\" /><link data-color-theme=\"dark\" crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" data-href=\"https://github.githubassets.com/assets/dark-06381ff23d863842.css\" /><link data-color-theme=\"dark_high_contrast\" crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" data-href=\"https://github.githubassets.com/assets/dark_high_contrast-9023e6605402defb.css\" /><link data-color-theme=\"dark_colorblind\" crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" data-href=\"https://github.githubassets.com/assets/dark_colorblind-37023bf69d8e0e34.css\" /><link data-color-theme=\"dark_colorblind_high_contrast\" crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" data-href=\"https://github.githubassets.com/assets/dark_colorblind_high_contrast-486bd43e01a2c0ec.css\" /><link data-color-theme=\"dark_tritanopia\" crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" data-href=\"https://github.githubassets.com/assets/dark_tritanopia-838ba2a5070c5b09.css\" /><link data-color-theme=\"dark_tritanopia_high_contrast\" crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" data-href=\"https://github.githubassets.com/assets/dark_tritanopia_high_contrast-2aa7245dc545d61f.css\" /><link data-color-theme=\"dark_dimmed\" crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" data-href=\"https://github.githubassets.com/assets/dark_dimmed-29ef2eb185e7de1c.css\" /><link data-color-theme=\"dark_dimmed_high_contrast\" crossorigin=\"anonymo"
2684:  nettest.go:84: TestIntegrationsVulnerabilityDataStream: retrying error: Error downloading NVD CVE feed: download nvd cve feed: download nvd cve feed: 1 synchronisation error:
2685:  unexpected http response from "https://github.com/fleetdm/vulnerabilities/releases/download/cve-202606291945/nvdcve-1.1-2021.meta" ("404 Not Found"): "\n\n\n\n\n\n\n\n<!DOCTYPE html>\n<html\n  lang=\"en\"\n  \n  data-color-mode=\"auto\" data-light-theme=\"light\" data-dark-theme=\"dark\"\n  data-a11y-animated-images=\"system\" data-a11y-link-underlines=\"true\"\n  \n  >\n\n\n\n\n  <head>\n    <meta charset=\"utf-8\">\n  <link rel=\"dns-prefetch\" href=\"https://github.githubassets.com\">\n  <link rel=\"dns-prefetch\" href=\"https://avatars.githubusercontent.com\">\n  <link rel=\"dns-prefetch\" href=\"https://github-cloud.s3.amazonaws.com\">\n  <link rel=\"dns-prefetch\" href=\"https://user-images.githubusercontent.com/\">\n  <link rel=\"preconnect\" href=\"https://github.githubassets.com\" crossorigin>\n  <link rel=\"preconnect\" href=\"https://avatars.githubusercontent.com\">\n\n      <link crossorigin=\"anonymous\" rel=\"preload\" as=\"script\" href=\"https://github.githubassets.com/assets/global-banner-disable-f33ea31fa5ffa501.js\" />\n\n  <link rel=\"preload\" href=\"https://github.githubassets.com/assets/MonaSansVF-wdth-wght-opsz-902d64c7ad02.woff2\" as=\"font\" type=\"font/woff2\" crossorigin>\n\n\n  <link crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" href=\"https://github.githubassets.com/assets/light-4fded0090af0ad58.css\" /><link crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" href=\"https://github.githubassets.com/assets/light_high_contrast-cf8e26bc17e62ebc.css\" /><link crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" href=\"https://github.githubassets.com/assets/dark-06381ff23d863842.css\" /><link crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" href=\"https://github.githubassets.com/assets/dark_high_contrast-9023e6605402defb.css\" /><link data-color-theme=\"light\" crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" data-href=\"https://github.githubassets.com/assets/light-4fded0090af0ad58.css\" /><link data-color-theme=\"light_high_contrast\" crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" data-href=\"https://github.githubassets.com/assets/light_high_contrast-cf8e26bc17e62ebc.css\" /><link data-color-theme=\"light_colorblind\" crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" data-href=\"https://github.githubassets.com/assets/light_colorblind-3a437477a570cc40.css\" /><link data-color-theme=\"light_colorblind_high_contrast\" crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" data-href=\"https://github.githubassets.com/assets/light_colorblind_high_contrast-39b6c209db5491c9.css\" /><link data-color-theme=\"light_tritanopia\" crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" data-href=\"https://github.githubassets.com/assets/light_tritanopia-3822234d6c03b00b.css\" /><link data-color-theme=\"light_tritanopia_high_contrast\" crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" data-href=\"https://github.githubassets.com/assets/light_tritanopia_high_contrast-33857254a8064bf7.css\" /><link data-color-theme=\"dark\" crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" data-href=\"https://github.githubassets.com/assets/dark-06381ff23d863842.css\" /><link data-color-theme=\"dark_high_contrast\" crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" data-href=\"https://github.githubassets.com/assets/dark_high_contrast-9023e6605402defb.css\" /><link data-color-theme=\"dark_colorblind\" crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" data-href=\"https://github.githubassets.com/assets/dark_colorblind-37023bf69d8e0e34.css\" /><link data-color-theme=\"dark_colorblind_high_contrast\" crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" data-href=\"https://github.githubassets.com/assets/dark_colorblind_high_contrast-486bd43e01a2c0ec.css\" /><link data-color-theme=\"dark_tritanopia\" crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" data-href=\"https://github.githubassets.com/assets/dark_tritanopia-838ba2a5070c5b09.css\" /><link data-color-theme=\"dark_tritanopia_high_contrast\" crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" data-href=\"https://github.githubassets.com/assets/dark_tritanopia_high_contrast-2aa7245dc545d61f.css\" /><link data-color-theme=\"dark_dimmed\" crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" data-href=\"https://github.githubassets.com/assets/dark_dimmed-29ef2eb185e7de1c.css\" /><link data-color-theme=\"dark_dimmed_high_contrast\" crossorigin=\"anonymo"
2686:  nettest.go:84: TestIntegrationsVulnerabilityDataStream: retrying error: Error downloading NVD CVE feed: download nvd cve feed: download nvd cve feed: 1 synchronisation error:
2687:  unexpected http response from "https://github.com/fleetdm/vulnerabilities/releases/download/cve-202606291945/nvdcve-1.1-2021.meta" ("404 Not Found"): "\n\n\n\n\n\n\n\n<!DOCTYPE html>\n<html\n  lang=\"en\"\n  \n  data-color-mode=\"auto\" data-light-theme=\"light\" data-dark-theme=\"dark\"\n  data-a11y-animated-images=\"system\" data-a11y-link-underlines=\"true\"\n  \n  >\n\n\n\n\n  <head>\n    <meta charset=\"utf-8\">\n  <link rel=\"dns-prefetch\" href=\"https://github.githubassets.com\">\n  <link rel=\"dns-prefetch\" href=\"https://avatars.githubusercontent.com\">\n  <link rel=\"dns-prefetch\" href=\"https://github-cloud.s3.amazonaws.com\">\n  <link rel=\"dns-prefetch\" href=\"https://user-images.githubusercontent.com/\">\n  <link rel=\"preconnect\" href=\"https://github.githubassets.com\" crossorigin>\n  <link rel=\"preconnect\" href=\"https://avatars.githubusercontent.com\">\n\n      <link crossorigin=\"anonymous\" rel=\"preload\" as=\"script\" href=\"https://github.githubassets.com/assets/global-banner-disable-f33ea31fa5ffa501.js\" />\n\n  <link rel=\"preload\" href=\"https://github.githubassets.com/assets/MonaSansVF-wdth-wght-opsz-902d64c7ad02.woff2\" as=\"font\" type=\"font/woff2\" crossorigin>\n\n\n  <link crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" href=\"https://github.githubassets.com/assets/light-4fded0090af0ad58.css\" /><link crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" href=\"https://github.githubassets.com/assets/light_high_contrast-cf8e26bc17e62ebc.css\" /><link crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" href=\"https://github.githubassets.com/assets/dark-06381ff23d863842.css\" /><link crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" href=\"https://github.githubassets.com/assets/dark_high_contrast-9023e6605402defb.css\" /><link data-color-theme=\"light\" crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" data-href=\"https://github.githubassets.com/assets/light-4fded0090af0ad58.css\" /><link data-color-theme=\"light_high_contrast\" crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" data-href=\"https://github.githubassets.com/assets/light_high_contrast-cf8e26bc17e62ebc.css\" /><link data-color-theme=\"light_colorblind\" crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" data-href=\"https://github.githubassets.com/assets/light_colorblind-3a437477a570cc40.css\" /><link data-color-theme=\"light_colorblind_high_contrast\" crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" data-href=\"https://github.githubassets.com/assets/light_colorblind_high_contrast-39b6c209db5491c9.css\" /><link data-color-theme=\"light_tritanopia\" crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" data-href=\"https://github.githubassets.com/assets/light_tritanopia-3822234d6c03b00b.css\" /><link data-color-theme=\"light_tritanopia_high_contrast\" crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" data-href=\"https://github.githubassets.com/assets/light_tritanopia_high_contrast-33857254a8064bf7.css\" /><link data-color-theme=\"dark\" crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" data-href=\"https://github.githubassets.com/assets/dark-06381ff23d863842.css\" /><link data-color-theme=\"dark_high_contrast\" crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" data-href=\"https://github.githubassets.com/assets/dark_high_contrast-9023e6605402defb.css\" /><link data-color-theme=\"dark_colorblind\" crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" data-href=\"https://github.githubassets.com/assets/dark_colorblind-37023bf69d8e0e34.css\" /><link data-color-theme=\"dark_colorblind_high_contrast\" crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" data-href=\"https://github.githubassets.com/assets/dark_colorblind_high_contrast-486bd43e01a2c0ec.css\" /><link data-color-theme=\"dark_tritanopia\" crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" data-href=\"https://github.githubassets.com/assets/dark_tritanopia-838ba2a5070c5b09.css\" /><link data-color-theme=\"dark_tritanopia_high_contrast\" crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" data-href=\"https://github.githubassets.com/assets/dark_tritanopia_high_contrast-2aa7245dc545d61f.css\" /><link data-color-theme=\"dark_dimmed\" crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" data-href=\"https://github.githubassets.com/assets/dark_dimmed-29ef2eb185e7de1c.css\" /><link data-color-theme=\"dark_dimmed_high_contrast\" crossorigin=\"anonymo"
2688:  nettest.go:84: TestIntegrationsVulnerabilityDataStream: retrying error: Error downloading NVD CVE feed: download nvd cve feed: download nvd cve feed: 1 synchronisation error:
2689:  unexpected http response from "https://github.com/fleetdm/vulnerabilities/releases/download/cve-202606291945/nvdcve-1.1-2021.meta" ("404 Not Found"): "\n\n\n\n\n\n\n\n<!DOCTYPE html>\n<html\n  lang=\"en\"\n  \n  data-color-mode=\"auto\" data-light-theme=\"light\" data-dark-theme=\"dark\"\n  data-a11y-animated-images=\"system\" data-a11y-link-underlines=\"true\"\n  \n  >\n\n\n\n\n  <head>\n    <meta charset=\"utf-8\">\n  <link rel=\"dns-prefetch\" href=\"https://github.githubassets.com\">\n  <link rel=\"dns-prefetch\" href=\"https://avatars.githubusercontent.com\">\n  <link rel=\"dns-prefetch\" href=\"https://github-cloud.s3.amazonaws.com\">\n  <link rel=\"dns-prefetch\" href=\"https://user-images.githubusercontent.com/\">\n  <link rel=\"preconnect\" href=\"https://github.githubassets.com\" crossorigin>\n  <link rel=\"preconnect\" href=\"https://avatars.githubusercontent.com\">\n\n      <link crossorigin=\"anonymous\" rel=\"preload\" as=\"script\" href=\"https://github.githubassets.com/assets/global-banner-disable-f33ea31fa5ffa501.js\" />\n\n  <link rel=\"preload\" href=\"https://github.githubassets.com/assets/MonaSansVF-wdth-wght-opsz-902d64c7ad02.woff2\" as=\"font\" type=\"font/woff2\" crossorigin>\n\n\n  <link crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" href=\"https://github.githubassets.com/assets/light-4fded0090af0ad58.css\" /><link crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" href=\"https://github.githubassets.com/assets/light_high_contrast-cf8e26bc17e62ebc.css\" /><link crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" href=\"https://github.githubassets.com/assets/dark-06381ff23d863842.css\" /><link crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" href=\"https://github.githubassets.com/assets/dark_high_contrast-9023e6605402defb.css\" /><link data-color-theme=\"light\" crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" data-href=\"https://github.githubassets.com/assets/light-4fded0090af0ad58.css\" /><link data-color-theme=\"light_high_contrast\" crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" data-href=\"https://github.githubassets.com/assets/light_high_contrast-cf8e26bc17e62ebc.css\" /><link data-color-theme=\"light_colorblind\" crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" data-href=\"https://github.githubassets.com/assets/light_colorblind-3a437477a570cc40.css\" /><link data-color-theme=\"light_colorblind_high_contrast\" crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" data-href=\"https://github.githubassets.com/assets/light_colorblind_high_contrast-39b6c209db5491c9.css\" /><link data-color-theme=\"light_tritanopia\" crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" data-href=\"https://github.githubassets.com/assets/light_tritanopia-3822234d6c03b00b.css\" /><link data-color-theme=\"light_tritanopia_high_contrast\" crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" data-href=\"https://github.githubassets.com/assets/light_tritanopia_high_contrast-33857254a8064bf7.css\" /><link data-color-theme=\"dark\" crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" data-href=\"https://github.githubassets.com/assets/dark-06381ff23d863842.css\" /><link data-color-theme=\"dark_high_contrast\" crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" data-href=\"https://github.githubassets.com/assets/dark_high_contrast-9023e6605402defb.css\" /><link data-color-theme=\"dark_colorblind\" crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" data-href=\"https://github.githubassets.com/assets/dark_colorblind-37023bf69d8e0e34.css\" /><link data-color-theme=\"dark_colorblind_high_contrast\" crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" data-href=\"https://github.githubassets.com/assets/dark_colorblind_high_contrast-486bd43e01a2c0ec.css\" /><link data-color-theme=\"dark_tritanopia\" crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" data-href=\"https://github.githubassets.com/assets/dark_tritanopia-838ba2a5070c5b09.css\" /><link data-color-theme=\"dark_tritanopia_high_contrast\" crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" data-href=\"https://github.githubassets.com/assets/dark_tritanopia_high_contrast-2aa7245dc545d61f.css\" /><link data-color-theme=\"dark_dimmed\" crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" data-href=\"https://github.githubassets.com/assets/dark_dimmed-29ef2eb185e7de1c.css\" /><link data-color-theme=\"dark_dimmed_high_contrast\" crossorigin=\"anonymo"
2690:  nettest.go:84: TestIntegrationsVulnerabilityDataStream: retrying error: Error downloading NVD CVE feed: download nvd cve feed: download nvd cve feed: 1 synchronisation error:
2691:  unexpected http response from "https://github.com/fleetdm/vulnerabilities/releases/download/cve-202606291945/nvdcve-1.1-2021.meta" ("404 Not Found"): "\n\n\n\n\n\n\n\n<!DOCTYPE html>\n<html\n  lang=\"en\"\n  \n  data-color-mode=\"auto\" data-light-theme=\"light\" data-dark-theme=\"dark\"\n  data-a11y-animated-images=\"system\" data-a11y-link-underlines=\"true\"\n  \n  >\n\n\n\n\n  <head>\n    <meta charset=\"utf-8\">\n  <link rel=\"dns-prefetch\" href=\"https://github.githubassets.com\">\n  <link rel=\"dns-prefetch\" href=\"https://avatars.githubusercontent.com\">\n  <link rel=\"dns-prefetch\" href=\"https://github-cloud.s3.amazonaws.com\">\n  <link rel=\"dns-prefetch\" href=\"https://user-images.githubusercontent.com/\">\n  <link rel=\"preconnect\" href=\"https://github.githubassets.com\" crossorigin>\n  <link rel=\"preconnect\" href=\"https://avatars.githubusercontent.com\">\n\n      <link crossorigin=\"anonymous\" rel=\"preload\" as=\"script\" href=\"https://github.githubassets.com/assets/global-banner-disable-f33ea31fa5ffa501.js\" />\n\n  <link rel=\"preload\" href=\"https://github.githubassets.com/assets/MonaSansVF-wdth-wght-opsz-902d64c7ad02.woff2\" as=\"font\" type=\"font/woff2\" crossorigin>\n\n\n  <link crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" href=\"https://github.githubassets.com/assets/light-4fded0090af0ad58.css\" /><link crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" href=\"https://github.githubassets.com/assets/light_high_contrast-cf8e26bc17e62ebc.css\" /><link crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" href=\"https://github.githubassets.com/assets/dark-06381ff23d863842.css\" /><link crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" href=\"https://github.githubassets.com/assets/dark_high_contrast-9023e6605402defb.css\" /><link data-color-theme=\"light\" crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" data-href=\"https://github.githubassets.com/assets/light-4fded0090af0ad58.css\" /><link data-color-theme=\"light_high_contrast\" crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" data-href=\"https://github.githubassets.com/assets/light_high_contrast-cf8e26bc17e62ebc.css\" /><link data-color-theme=\"light_colorblind\" crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" data-href=\"https://github.githubassets.com/assets/light_colorblind-3a437477a570cc40.css\" /><link data-color-theme=\"light_colorblind_high_contrast\" crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" data-href=\"https://github.githubassets.com/assets/light_colorblind_high_contrast-39b6c209db5491c9.css\" /><link data-color-theme=\"light_tritanopia\" crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" data-href=\"https://github.githubassets.com/assets/light_tritanopia-3822234d6c03b00b.css\" /><link data-color-theme=\"light_tritanopia_high_contrast\" crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" data-href=\"https://github.githubassets.com/assets/light_tritanopia_high_contrast-33857254a8064bf7.css\" /><link data-color-theme=\"dark\" crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" data-href=\"https://github.githubassets.com/assets/dark-06381ff23d863842.css\" /><link data-color-theme=\"dark_high_contrast\" crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" data-href=\"https://github.githubassets.com/assets/dark_high_contrast-9023e6605402defb.css\" /><link data-color-theme=\"dark_colorblind\" crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" data-href=\"https://github.githubassets.com/assets/dark_colorblind-37023bf69d8e0e34.css\" /><link data-color-theme=\"dark_colorblind_high_contrast\" crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" data-href=\"https://github.githubassets.com/assets/dark_colorblind_high_contrast-486bd43e01a2c0ec.css\" /><link data-color-theme=\"dark_tritanopia\" crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" data-href=\"https://github.githubassets.com/assets/dark_tritanopia-838ba2a5070c5b09.css\" /><link data-color-theme=\"dark_tritanopia_high_contrast\" crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" data-href=\"https://github.githubassets.com/assets/dark_tritanopia_high_contrast-2aa7245dc545d61f.css\" /><link data-color-theme=\"dark_dimmed\" crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" data-href=\"https://github.githubassets.com/assets/dark_dimmed-29ef2eb185e7de1c.css\" /><link data-color-theme=\"dark_dimmed_high_contrast\" crossorigin=\"anonymo"
2692:  nettest.go:84: TestIntegrationsVulnerabilityDataStream: retrying error: Error downloading NVD CVE feed: download nvd cve feed: download nvd cve feed: 1 synchronisation error:
2693:  unexpected http response from "https://github.com/fleetdm/vulnerabilities/releases/download/cve-202606291945/nvdcve-1.1-2021.meta" ("404 Not Found"): "\n\n\n\n\n\n\n\n<!DOCTYPE html>\n<html\n  lang=\"en\"\n  \n  data-color-mode=\"auto\" data-light-theme=\"light\" data-dark-theme=\"dark\"\n  data-a11y-animated-images=\"system\" data-a11y-link-underlines=\"true\"\n  \n  >\n\n\n\n\n  <head>\n    <meta charset=\"utf-8\">\n  <link rel=\"dns-prefetch\" href=\"https://github.githubassets.com\">\n  <link rel=\"dns-prefetch\" href=\"https://avatars.githubusercontent.com\">\n  <link rel=\"dns-prefetch\" href=\"https://github-cloud.s3.amazonaws.com\">\n  <link rel=\"dns-prefetch\" href=\"https://user-images.githubusercontent.com/\">\n  <link rel=\"preconnect\" href=\"https://github.githubassets.com\" crossorigin>\n  <link rel=\"preconnect\" href=\"https://avatars.githubusercontent.com\">\n\n      <link crossorigin=\"anonymous\" rel=\"preload\" as=\"script\" href=\"https://github.githubassets.com/assets/global-banner-disable-f33ea31fa5ffa501.js\" />\n\n  <link rel=\"preload\" href=\"https://github.githubassets.com/assets/MonaSansVF-wdth-wght-opsz-902d64c7ad02.woff2\" as=\"font\" type=\"font/woff2\" crossorigin>\n\n\n  <link crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" href=\"https://github.githubassets.com/assets/light-4fded0090af0ad58.css\" /><link crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" href=\"https://github.githubassets.com/assets/light_high_contrast-cf8e26bc17e62ebc.css\" /><link crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" href=\"https://github.githubassets.com/assets/dark-06381ff23d863842.css\" /><link crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" href=\"https://github.githubassets.com/assets/dark_high_contrast-9023e6605402defb.css\" /><link data-color-theme=\"light\" crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" data-href=\"https://github.githubassets.com/assets/light-4fded0090af0ad58.css\" /><link data-color-theme=\"light_high_contrast\" crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" data-href=\"https://github.githubassets.com/assets/light_high_contrast-cf8e26bc17e62ebc.css\" /><link data-color-theme=\"light_colorblind\" crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" data-href=\"https://github.githubassets.com/assets/light_colorblind-3a437477a570cc40.css\" /><link data-color-theme=\"light_colorblind_high_contrast\" crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" data-href=\"https://github.githubassets.com/assets/light_colorblind_high_contrast-39b6c209db5491c9.css\" /><link data-color-theme=\"light_tritanopia\" crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" data-href=\"https://github.githubassets.com/assets/light_tritanopia-3822234d6c03b00b.css\" /><link data-color-theme=\"light_tritanopia_high_contrast\" crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" data-href=\"https://github.githubassets.com/assets/light_tritanopia_high_contrast-33857254a8064bf7.css\" /><link data-color-theme=\"dark\" crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" data-href=\"https://github.githubassets.com/assets/dark-06381ff23d863842.css\" /><link data-color-theme=\"dark_high_contrast\" crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" data-href=\"https://github.githubassets.com/assets/dark_high_contrast-9023e6605402defb.css\" /><link data-color-theme=\"dark_colorblind\" crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" data-href=\"https://github.githubassets.com/assets/dark_colorblind-37023bf69d8e0e34.css\" /><link data-color-theme=\"dark_colorblind_high_contrast\" crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" data-href=\"https://github.githubassets.com/assets/dark_colorblind_high_contrast-486bd43e01a2c0ec.css\" /><link data-color-theme=\"dark_tritanopia\" crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" data-href=\"https://github.githubassets.com/assets/dark_tritanopia-838ba2a5070c5b09.css\" /><link data-color-theme=\"dark_tritanopia_high_contrast\" crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" data-href=\"https://github.githubassets.com/assets/dark_tritanopia_high_contrast-2aa7245dc545d61f.css\" /><link data-color-theme=\"dark_dimmed\" crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" data-href=\"https://github.githubassets.com/assets/dark_dimmed-29ef2eb185e7de1c.css\" /><link data-color-theme=\"dark_dimmed_high_contrast\" crossorigin=\"anonymo"
2694:  nettest.go:84: TestIntegrationsVulnerabilityDataStream: retrying error: Error downloading NVD CVE feed: download nvd cve feed: download nvd cve feed: 1 synchronisation error:
2695:  unexpected http response from "https://github.com/fleetdm/vulnerabilities/releases/download/cve-202606291945/nvdcve-1.1-2021.meta" ("404 Not Found"): "\n\n\n\n\n\n\n\n<!DOCTYPE html>\n<html\n  lang=\"en\"\n  \n  data-color-mode=\"auto\" data-light-theme=\"light\" data-dark-theme=\"dark\"\n  data-a11y-animated-images=\"system\" data-a11y-link-underlines=\"true\"\n  \n  >\n\n\n\n\n  <head>\n    <meta charset=\"utf-8\">\n  <link rel=\"dns-prefetch\" href=\"https://github.githubassets.com\">\n  <link rel=\"dns-prefetch\" href=\"https://avatars.githubusercontent.com\">\n  <link rel=\"dns-prefetch\" href=\"https://github-cloud.s3.amazonaws.com\">\n  <link rel=\"dns-prefetch\" href=\"https://user-images.githubusercontent.com/\">\n  <link rel=\"preconnect\" href=\"https://github.githubassets.com\" crossorigin>\n  <link rel=\"preconnect\" href=\"https://avatars.githubusercontent.com\">\n\n      <link crossorigin=\"anonymous\" rel=\"preload\" as=\"script\" href=\"https://github.githubassets.com/assets/global-banner-disable-f33ea31fa5ffa501.js\" />\n\n  <link rel=\"preload\" href=\"https://github.githubassets.com/assets/MonaSansVF-wdth-wght-opsz-902d64c7ad02.woff2\" as=\"font\" type=\"font/woff2\" crossorigin>\n\n\n  <link crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" href=\"https://github.githubassets.com/assets/light-4fded0090af0ad58.css\" /><link crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" href=\"https://github.githubassets.com/assets/light_high_contrast-cf8e26bc17e62ebc.css\" /><link crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" href=\"https://github.githubassets.com/assets/dark-06381ff23d863842.css\" /><link crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" href=\"https://github.githubassets.com/assets/dark_high_contrast-9023e6605402defb.css\" /><link data-color-theme=\"light\" crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" data-href=\"https://github.githubassets.com/assets/light-4fded0090af0ad58.css\" /><link data-color-theme=\"light_high_contrast\" crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" data-href=\"https://github.githubassets.com/assets/light_high_contrast-cf8e26bc17e62ebc.css\" /><link data-color-theme=\"light_colorblind\" crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" data-href=\"https://github.githubassets.com/assets/light_colorblind-3a437477a570cc40.css\" /><link data-color-theme=\"light_colorblind_high_contrast\" crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" data-href=\"https://github.githubassets.com/assets/light_colorblind_high_contrast-39b6c209db5491c9.css\" /><link data-color-theme=\"light_tritanopia\" crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" data-href=\"https://github.githubassets.com/assets/light_tritanopia-3822234d6c03b00b.css\" /><link data-color-theme=\"light_tritanopia_high_contrast\" crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" data-href=\"https://github.githubassets.com/assets/light_tritanopia_high_contrast-33857254a8064bf7.css\" /><link data-color-theme=\"dark\" crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" data-href=\"https://github.githubassets.com/assets/dark-06381ff23d863842.css\" /><link data-color-theme=\"dark_high_contrast\" crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" data-href=\"https://github.githubassets.com/assets/dark_high_contrast-9023e6605402defb.css\" /><link data-color-theme=\"dark_colorblind\" crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" data-href=\"https://github.githubassets.com/assets/dark_colorblind-37023bf69d8e0e34.css\" /><link data-color-theme=\"dark_colorblind_high_contrast\" crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" data-href=\"https://github.githubassets.com/assets/dark_colorblind_high_contrast-486bd43e01a2c0ec.css\" /><link data-color-theme=\"dark_tritanopia\" crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" data-href=\"https://github.githubassets.com/assets/dark_tritanopia-838ba2a5070c5b09.css\" /><link data-color-theme=\"dark_tritanopia_high_contrast\" crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" data-href=\"https://github.githubassets.com/assets/dark_tritanopia_high_contrast-2aa7245dc545d61f.css\" /><link data-color-theme=\"dark_dimmed\" crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" data-href=\"https://github.githubassets.com/assets/dark_dimmed-29ef2eb185e7de1c.css\" /><link data-color-theme=\"dark_dimmed_high_contrast\" crossorigin=\"anonymo"
2696:  nettest.go:84: TestIntegrationsVulnerabilityDataStream: retrying error: Error downloading NVD CVE feed: download nvd cve feed: download nvd cve feed: 1 synchronisation error:
2697:  unexpected http response from "https://github.com/fleetdm/vulnerabilities/releases/download/cve-202606291945/nvdcve-1.1-2021.meta" ("404 Not Found"): "\n\n\n\n\n\n\n\n<!DOCTYPE html>\n<html\n  lang=\"en\"\n  \n  data-color-mode=\"auto\" data-light-theme=\"light\" data-dark-theme=\"dark\"\n  data-a11y-animated-images=\"system\" data-a11y-link-underlines=\"true\"\n  \n  >\n\n\n\n\n  <head>\n    <meta charset=\"utf-8\">\n  <link rel=\"dns-prefetch\" href=\"https://github.githubassets.com\">\n  <link rel=\"dns-prefetch\" href=\"https://avatars.githubusercontent.com\">\n  <link rel=\"dns-prefetch\" href=\"https://github-cloud.s3.amazonaws.com\">\n  <link rel=\"dns-prefetch\" href=\"https://user-images.githubusercontent.com/\">\n  <link rel=\"preconnect\" href=\"https://github.githubassets.com\" crossorigin>\n  <link rel=\"preconnect\" href=\"https://avatars.githubusercontent.com\">\n\n      <link crossorigin=\"anonymous\" rel=\"preload\" as=\"script\" href=\"https://github.githubassets.com/assets/global-banner-disable-f33ea31fa5ffa501.js\" />\n\n  <link rel=\"preload\" href=\"https://github.githubassets.com/assets/MonaSansVF-wdth-wght-opsz-902d64c7ad02.woff2\" as=\"font\" type=\"font/woff2\" crossorigin>\n\n\n  <link crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" href=\"https://github.githubassets.com/assets/light-4fded0090af0ad58.css\" /><link crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" href=\"https://github.githubassets.com/assets/light_high_contrast-cf8e26bc17e62ebc.css\" /><link crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" href=\"https://github.githubassets.com/assets/dark-06381ff23d863842.css\" /><link crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" href=\"https://github.githubassets.com/assets/dark_high_contrast-9023e6605402defb.css\" /><link data-color-theme=\"light\" crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" data-href=\"https://github.githubassets.com/assets/light-4fded0090af0ad58.css\" /><link data-color-theme=\"light_high_contrast\" crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" data-href=\"https://github.githubassets.com/assets/light_high_contrast-cf8e26bc17e62ebc.css\" /><link data-color-theme=\"light_colorblind\" crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" data-href=\"https://github.githubassets.com/assets/light_colorblind-3a437477a570cc40.css\" /><link data-color-theme=\"light_colorblind_high_contrast\" crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" data-href=\"https://github.githubassets.com/assets/light_colorblind_high_contrast-39b6c209db5491c9.css\" /><link data-color-theme=\"light_tritanopia\" crossorigin=\"anonymous\" media=\"all\" rel=\"stylesheet\" data-href=\"https://github.githubassets.com/as...

@getvictor getvictor marked this pull request as ready for review July 3, 2026 11:11
@getvictor getvictor requested a review from a team as a code owner July 3, 2026 11:11

@claude claude Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Claude Code Review

This repository is configured for manual code reviews. Comment @claude review to trigger a review and subscribe this PR to future pushes, or @claude review once for a one-time review.

Tip: disable this comment in your organization's Code Review settings.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (1)
cmd/osquery-perf/certificates.go (1)

160-225: 🎯 Functional Correctness | 🔵 Trivial | ⚡ Quick win

Cross-scope duplicate can silently desync during churn.

newPerHostCertSpecs() intentionally duplicates specs[0] into a second scope (same serial/SHA1, machine + user) to model the cross-scope dedup case the server needs to handle. But churnPerHostCertSpecs() picks a random index each rotation and mutates its serial independently, with no awareness that index 0 and the last-appended duplicate are supposed to stay in sync. Once churn hits only one side of the pair, the two entries diverge (different SHA1s), and the "one host_certificates row, two host_certificate_sources rows" scenario this duplication was built to exercise quietly stops being modeled for that host going forward.

Since certChurnPercent is rolled on every detail refresh, this drift can happen fairly quickly in a long-running load test.

💡 Possible mitigation

Track which index holds the cross-scope duplicate (e.g., a field on agent or a sentinel in simulatedCert) and keep it excluded from independent random selection in churnPerHostCertSpecs, always refreshing it in lockstep with its paired base cert.

 func (a *agent) churnPerHostCertSpecs() {
 	if len(a.hostCertSpecs) == 0 {
 		return
 	}
 	n := rand.Intn(min(10, len(a.hostCertSpecs))) + 1
 	for range n {
 		idx := rand.Intn(len(a.hostCertSpecs))
 		a.hostCertSpecs[idx].serial = uuid.NewString()
 		a.hostCertSpecs[idx].commonName = uuid.NewString()
 		a.hostCertSpecs[idx].notValidAfterUnix = fmt.Sprint(time.Now().Add(-1 * certDay).Add(time.Duration(rand.Intn(100)) * certDay).Unix())
+		// if idx is part of a cross-scope pair, mirror the update onto the paired index
+		// so both entries retain the same serial/sha1 across rotations.
 	}
 }
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@cmd/osquery-perf/certificates.go` around lines 160 - 225, The cross-scope
duplicated cert created in newPerHostCertSpecs can drift when
churnPerHostCertSpecs mutates only one copy, breaking the intended shared-SHA1
machine/user model. Update the agent/cert bookkeeping so the paired duplicate
(the extra cert appended in newPerHostCertSpecs) is identifiable, then make
churnPerHostCertSpecs either exclude that duplicate from random independent
churn or always update it in lockstep with its source cert. Use the existing
newPerHostCertSpecs, newPerHostCertSpec, and churnPerHostCertSpecs symbols to
keep the duplicate and its paired scope synchronized.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@cmd/osquery-perf/certificates.go`:
- Around line 160-225: The cross-scope duplicated cert created in
newPerHostCertSpecs can drift when churnPerHostCertSpecs mutates only one copy,
breaking the intended shared-SHA1 machine/user model. Update the agent/cert
bookkeeping so the paired duplicate (the extra cert appended in
newPerHostCertSpecs) is identifiable, then make churnPerHostCertSpecs either
exclude that duplicate from random independent churn or always update it in
lockstep with its source cert. Use the existing newPerHostCertSpecs,
newPerHostCertSpec, and churnPerHostCertSpecs symbols to keep the duplicate and
its paired scope synchronized.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: f5aff7d9-48a2-4f68-afaf-9fa30f4b8871

📥 Commits

Reviewing files that changed from the base of the PR and between 2491172 and 0b51a17.

📒 Files selected for processing (2)
  • cmd/osquery-perf/agent.go
  • cmd/osquery-perf/certificates.go
🚧 Files skipped from review as they are similar to previous changes (1)
  • cmd/osquery-perf/agent.go

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Show certificates on Host details page for Windows

3 participants