Let's investigate what CVEs are unpatched on your macOS device with osquery and SOFA https://grahamgilbert.com/blog/2024/05/03/investigating-unpatched-cves-with-osquery-and-sofa/
Investigating unpatched CVEs with osquery and SOFA

This week, Mac Admins Open Source released a new tool called SOFA. SOFA is a machine-readable feed of macOS and iOS update data, including the CVEs each update fixes. Of course, my mind immediately jumped to “this would be a great osquery table”, so the macadmins osquery extension was updated this week to include two tables: one for the macOS security release information (sofa_security_release_info) and one for the CVEs a given host has not yet patched (sofa_unpatched_cves). In this post, I’ll show you how to use the new sofa_unpatched_cves table to investigate unpatched CVEs on your macOS fleet.

graham gilbert
.@grahamgilbert Three from-the-hip reactions to this:
• this whole time I’d been aware of SOFA I would have never guessed this is how the data would be leveraged in osquery
• the way this leverages a live feed of data over the internet at runtime is… a design choice! Maybe a local cache would be nicer to the fleet’s internet connection/CDN you’re (hopefully) pointed at?
• nobody on LinkedIn pointed out how this should take a whole bunch of low-hanging fruit away from Tenable/Rapid7/CVE scanners
@Arubdesu caching (and a lever to specify how long it should cache for) is 100% a pull request I would merge
.@grahamgilbert (yes I know there’s a url key, yes the data is relatively small and already behind cloudflare, your message is received/communication is clear, I’m not trying to sound alarmist or TL;DR)
.@grahamgilbert I’ve been thinking Very Seriously about being a good shepherd/API designer/host (well, @natewalck is helping out the most from that front) and am realizing… I’m not particularly in the best position to make all the best choices for every community use case! So I hope I’m communicating similarly openly and clearly and with empathy and rigor so we can be trustworthy and engage-able and reliable
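What a table like sofa_unpatched_cves has to compute (compare the host's installed macOS version against the feed's security releases and keep the CVEs fixed in releases the host is missing), together with the local feed cache with a caller-chosen lifetime that the thread above proposes, as an added Python example. This is not code from the blog post, the macadmins osquery extension, or SOFA. The feed layout is an assumption modelled on SOFA's macos_data_feed.json (OSVersions / SecurityReleases / CVEs / ActivelyExploitedCVEs); the sample feed and its CVE identifiers are constructed placeholders, and parse_version, unpatched_cves and load_feed are names chosen here, not the extension's column or function names.

```python
"""Derive a host's unpatched CVEs from a SOFA-style feed and cache the feed on disk
with a configurable TTL. Added example; the feed shape is an assumption modelled on
SOFA's macos_data_feed.json and only the keys used here are included."""
import json
import time
from pathlib import Path
from typing import Callable, Optional

# Constructed sample feed. The CVE identifiers are placeholders, not real advisories.
SAMPLE_FEED = {
    "OSVersions": [
        {
            "OSVersion": "Sonoma 14",
            "Latest": {"ProductVersion": "14.4.1"},
            "SecurityReleases": [
                {"ProductVersion": "14.4.1", "ReleaseDate": "2024-03-25T00:00:00Z",
                 "CVEs": {"CVE-2024-0001": False}, "ActivelyExploitedCVEs": []},
                {"ProductVersion": "14.4", "ReleaseDate": "2024-03-07T00:00:00Z",
                 "CVEs": {"CVE-2024-0002": True, "CVE-2024-0003": False},
                 "ActivelyExploitedCVEs": ["CVE-2024-0002"]},
                {"ProductVersion": "14.3.1", "ReleaseDate": "2024-02-08T00:00:00Z",
                 "CVEs": {"CVE-2024-0004": False}, "ActivelyExploitedCVEs": []},
            ],
        },
        {
            "OSVersion": "Ventura 13",
            "Latest": {"ProductVersion": "13.6.6"},
            "SecurityReleases": [
                {"ProductVersion": "13.6.6", "ReleaseDate": "2024-03-25T00:00:00Z",
                 "CVEs": {"CVE-2024-0002": True}, "ActivelyExploitedCVEs": ["CVE-2024-0002"]},
            ],
        },
    ]
}


def parse_version(v: str) -> tuple:
    """'14.4.1' -> (14, 4, 1); tuple comparison orders releases correctly (14.4 < 14.4.1)."""
    return tuple(int(p) for p in v.split("."))


def unpatched_cves(feed: dict, installed: str) -> list:
    """One row per CVE fixed in a release of the host's major train that is newer than
    `installed`; actively exploited CVEs first, then oldest missing release first.
    Assumption: fixes that only exist in a different major version are not counted."""
    inst = parse_version(installed)
    rows = {}
    for os_entry in feed["OSVersions"]:
        for rel in os_entry.get("SecurityReleases", []):
            ver = rel["ProductVersion"]
            pv = parse_version(ver)
            if pv[0] != inst[0] or pv <= inst:
                continue  # other major train, or already installed
            exploited = set(rel.get("ActivelyExploitedCVEs", []))
            for cve, flag in rel.get("CVEs", {}).items():
                prev = rows.get(cve)
                # A CVE listed under several releases is reported once, against the
                # earliest release the host is missing (the smallest update that closes it).
                if prev is None or pv < parse_version(prev["patched_in"]):
                    rows[cve] = {"cve": cve, "patched_in": ver,
                                 "actively_exploited": bool(flag) or cve in exploited}
    return sorted(rows.values(),
                  key=lambda r: (not r["actively_exploited"], parse_version(r["patched_in"])))


def load_feed(fetch: Callable[[], dict], cache_path: Path, max_age_s: float,
              now: Optional[float] = None) -> dict:
    """Serve the feed from cache_path while that file is younger than max_age_s,
    otherwise call fetch() and refresh the cache. fetch is injected so a scheduled
    query does not hit the CDN on every run, and so this demo runs offline."""
    now = time.time() if now is None else now
    if cache_path.exists() and now - cache_path.stat().st_mtime < max_age_s:
        return json.loads(cache_path.read_text())
    feed = fetch()
    cache_path.write_text(json.dumps(feed))
    return feed


if __name__ == "__main__":
    import tempfile
    cache = Path(tempfile.gettempdir()) / "sofa_feed_cache.json"
    # In production `fetch` would download the real feed; here it returns the sample.
    feed = load_feed(lambda: SAMPLE_FEED, cache, max_age_s=6 * 3600)
    for row in unpatched_cves(feed, "14.3.1"):
        print(f"{row['cve']:15} fixed in {row['patched_in']:8} "
              f"actively_exploited={row['actively_exploited']}")
```

The ordering puts actively exploited CVEs first because that is the column a fleet query would filter on, and the cache key is simply the file's mtime, so the TTL lever the thread asks for is one parameter rather than extra state in the feed itself. Whether a host on an older major train should be considered unpatched for fixes that only shipped in a newer major is a policy decision; the same-train rule here is one choice, not necessarily the one the extension makes.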