Vulnerability scanner - Missing functionality on translations #23518

Closed
sebasfalcone opened this issue May 19, 2024 · 7 comments · Fixed by #23727

Labels
level/task type/enhancement New feature or request

sebasfalcone commented May 19, 2024

Description

Currently, the translation mechanism used on the vulnerability scanner (#22477):

  • Doesn't validate that the vendor name matches the one on the translation regex
  • Lacks the capability of replacing the version provided by syscollector

Version replacement - use cases

Static version

Replace the version with some fixed value:

{
  "target": [
    "windows"
  ],
  "source": {
    "vendor": "^Microsoft Corporation",
    "product": "^Microsoft Office Professional Plus 2016 - en-us$",
    "version": ""
  },
  "translation": [
    {
      "vendor": "microsoft",
      "product": "office",
      "version": "16.0.0.0"
    }
  ]
}

Dynamic version

Obtain the version information from the package name:

  {
    "scan_id": 0,
    "scan_time": "2024/05/14 14:13:18",
    "format": "win",
    "name": "Java 2 Runtime Environment Standard Edition v1.3.1", <----- VERSION IN NAME
    "version": " ", <----- EMPTY VERSION
    "priority": " ",
    "section": " ",
    "size": 0,
    "vendor": " ",
    "install_time": "2024/05/14 14:12:38",
    "architecture": "i686",
    "multiarch": null,
    "source": " ",
    "description": " ",
    "location": " ",
    "cpe": null,
    "msu_name": null,
    "checksum": "07d6fe0244cbe8abad0cdc83ae6d1f53dcd092da",
    "item_id": "8d91907b799e329bf1c472fe5898abfa946ee746"
  }

In this example, we could use the following translation:

{
  "target": [
    "windows"
  ],
  "source": {
    "vendor": "^\\s",
    "product": "^Java \\d Runtime Environment Standard Edition v\\d+\\.\\d+\\.\\d+",
    "version": "v(\\d+\\.\\d+\\.\\d+)"
  },
  "translation": [
    {
      "vendor": "oracle",
      "product": "jre",
      "version": ""
    },
    {
      "vendor": "sun",
      "product": "jre",
      "version": ""
    }
  ]
}

Logic

flowchart TD
    A[Start] --> B{source.version empty}
    B -->|No| C[Use version extracted from product name]
    B -->|Yes| E{translation.version empty}
    E -->|No| F[Use translation version]
    E -->|Yes| G[No version to replace]

DoD

  • Functionality implemented
  • Tests updated
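
The two use cases and the flowchart above, as an added Python sketch that is not part of the original issue or Wazuh's own code. The function names `translate` and `pick_version` are hypothetical, Python's `re` stands in for the scanner's regex engine, and keeping the syscollector version when the capture fails is an assumption the flowchart does not cover.

```python
import re

# Rules copied from the issue's two use cases (written as Python dicts).
RULES = [
    {"target": ["windows"],
     "source": {"vendor": r"^Microsoft Corporation",
                "product": r"^Microsoft Office Professional Plus 2016 - en-us$",
                "version": ""},
     "translation": [{"vendor": "microsoft", "product": "office", "version": "16.0.0.0"}]},
    {"target": ["windows"],
     "source": {"vendor": r"^\s",
                "product": r"^Java \d Runtime Environment Standard Edition v\d+\.\d+\.\d+",
                "version": r"v(\d+\.\d+\.\d+)"},
     "translation": [{"vendor": "oracle", "product": "jre", "version": ""},
                     {"vendor": "sun", "product": "jre", "version": ""}]},
]

def pick_version(source, entry, package):
    """Version choice following the issue's flowchart (hypothetical helper)."""
    if source["version"]:                    # source.version not empty
        m = re.search(source["version"], package["name"])
        # Assumption: if the capture fails, keep the syscollector version.
        return m.group(1) if m else package["version"]
    if entry["version"]:                     # translation.version not empty
        return entry["version"]
    return package["version"]                # no version to replace

def translate(package, platform, rules=RULES):
    """Return translated (vendor, product, version) tuples, or [] if no rule applies."""
    for rule in rules:
        src = rule["source"]
        # Vendor AND product must match; the vendor check is the first gap in the issue.
        if (platform in rule["target"]
                and re.search(src["vendor"], package["vendor"])
                and re.search(src["product"], package["name"])):
            return [(t["vendor"], t["product"], pick_version(src, t, package))
                    for t in rule["translation"]]
    return []

# Constructed packages; JAVA mirrors the syscollector record shown in the issue.
JAVA = {"name": "Java 2 Runtime Environment Standard Edition v1.3.1", "vendor": " ", "version": " "}
OFFICE = {"name": "Microsoft Office Professional Plus 2016 - en-us",
          "vendor": "Microsoft Corporation", "version": "16.0.4266.1001"}
WRONG_VENDOR = dict(OFFICE, vendor="Some Other Vendor")  # same product name, other vendor

if __name__ == "__main__":
    for pkg in (JAVA, OFFICE, WRONG_VENDOR):
        print(pkg["name"], "->", translate(pkg, "windows"))
```

Without the vendor check, `WRONG_VENDOR` would be translated to `microsoft/office` on the product name alone and matched against vulnerability data for software it may not be.
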
@pereyra-m

Update

The changes are present temporarily at https://github.com/wazuh/wazuh/tree/enhancement/23518-add-version-replace-on-translations-temp because the target branch 4.9.0 still doesn't have the latest commits.

The QA tests pass locally

UTs pass

@pereyra-m

Update

Rebase of PR https://github.com/wazuh/intelligence-data/pull/293 and changes in the review applied

sebasfalcone commented May 28, 2024

Issue blocked

We are waiting for the upward merge of 4.8.0 into 4.9.0 to continue this development

@pereyra-m

Update

The PR for this repository was created.
It's temporarily pointing to 4.8.0 until the merge to 4.9.0 is done.

@pereyra-m pereyra-m linked a pull request May 28, 2024 that will close this issue
@pereyra-m

Update

PR rebased after base branch change.

pereyra-m commented Jun 4, 2024

Update

Issue in progress again. Changes by review in both PRs and rebase.

@pereyra-m

Update

Rebase and conflict solving for PR #23727
