Critical Patches

@JasonWalker, you have an Analysis on Bigfix.me for Applicable Patch Listing. The number of Critical Patches meets one of the requirements I need.

I have been playing around with the “Names of relevant fixlets” relevance, trying to return only Critical patches without success. I need to return only Critical patches and need to return the Source Release Date and Source ID values. If possible I also need another snippet of relevance that would just return the Source Release Date and Source ID of the oldest patch only based on Source Release Date.

Can you help me out?

@JasonWalker, I was able to solve this. The relevance may not be the prettiest, but it does what I need.

((month of it as two digits & "/" & day_of_month of it as two digits & "/" & year of it as string) of item 0 of it, item 1 of it) of ((value of header "X-Fixlet-Source-Release-Date" of it as date), (value of header "X-Fixlet-Source-ID" of it), (values of headers "X-Fixlet-Source-Severity" of it as lowercase)) whose (item 1 of it contains (minimum of (it) of (following texts of firsts "KB" of item 0 of it as integer) of ((value of header "X-Fixlet-Source-ID" of it),(values of headers "X-Fixlet-Source-Severity" of it as lowercase)) whose (item 0 of it starts with "KB" And item 1 of it = "critical") of relevant fixlets whose (not exists (headers "X-Fixlet-Type" of it) whose (value of it is contained by set of ("Task";"Analysis";"Baseline")) and exists headers "X-Fixlet-Default-Action" of it) of sites whose (name of it is contained by set of ("Enterprise Security"))) as string And item 2 of it = "critical") of relevant fixlets whose (not exists (headers "X-Fixlet-Type" of it) whose (value of it is contained by set of ("Task";"Analysis";"Baseline")) and exists headers "X-Fixlet-Default-Action" of it) of sites whose (name of it is contained by set of ("Enterprise Security"))


I think we talked about this a little bit offline, but I just want to make it clear here…please don’t make an analysis of this. I cringed a bit reading what I posted to bigfix.me a decade ago :)

To get a report of this, we’re much better off using Session Relevance, either in a Web Report, or a Console Dashboard.

The problem with this in an Analysis is that it potentially reports a huge amount of data up through the relays and stores it as property results in the BFEnterprise database - information that we already know, and can access in other forms. Duplicating all of this in a fairly inefficient text format can make the database grow unnecessarily, increase the size of client reports, and affect the network and database efficiency of the deployment.

I haven’t taken down the posting from bigfix.me though because there is a use-case for retrieving this at the client - this could be useful in the Client Compliance API, or in a client-set BESClientUI Dashboard. Just don’t report it up through an Analysis.


I am just using a couple of properties in the analysis. For some of the extracts I do there are many transforms, many columns and a large dataset of about 125,000 computers. I have tried using Session Relevance with some things in the past and it takes forever, times out, or makes Web Reports unusable for others. I will try this in Session Relevance; it is better, as you say, and the main reason is that it knows about Globally hidden Fixlets and the Client relevance does not. Thanks for the advice.

@JasonWalker, I took your advice and am switching over to Session Relevance. I am still having issues with getting the oldest Critical patch needed. I have two snippets of relevance below. The first one is relevance to return the smallest KB number. The second one returns the data I need about the particular KB. When I try to merge them I seem to lose reference to “it” and it is referring to the wrong one. Can you take a look at this and see what I am doing wrong, or if you have a better methodology?

Lowest KB number
minimum of
(
	following texts of firsts "KB" of source id of it as integer
)
of relevant fixlets
whose
(
	(
		name of site of it = "Enterprise Security"
	and
		source severity of it = "Critical"
	and
		name of it does not contain "(Superseded)"
	and
		name of it does not contain "CORRUPT PATCH"
	and
		fixlet flag of it
	and
		globally visible flag of it = True
	)
)
of bes computers
whose
(
	name of it contains "COMPUTER NAME"
)

Data to return

(
	(month of source release date of it as two digits as string & "/" & day_of_month of source release date of it as two digits as string & "/" & year of source release date of it as string) & " | " & source id of it as string 
)
of relevant fixlets 
whose
(
	(
		name of site of it = "Enterprise Security" 
	and
		source id of it contains (RELEVANCE THAT RETURNS FULL KB# OR PARTIAL KB#) 
	)
)
of bes computers 
whose
(
	name of it contains "COMPUTERNAME" 
)

My server is shut down at the moment, so I should be able to test the full query tomorrow.

There is a common pattern to this that I can share though, for finding one specific item from a collection of items, and that is to loop through them as a set.

Start with

set of relevant fixlets whose ("your filter") of bes computers whose ("your filter")

Then find the lowest KB among those elements of the fixlet set

(it
  , minimum of     
     (It as integer) of 
   following texts of firsts "KB" of source ids of elements of it) 
    of set of fixlets....

Then, with “item 0” as the set and “item 1” as the KB to search for, you can get the single fixlet via

Items 0 of (
    elements of item 0 of it
    , Item 1 of it)
 whose (
   following text of first "KB" of source id of item 0 of it as integer = item 1 of it
  ) of
(it
  , minimum of     
     (It as integer) of following texts of firsts "KB" of source ids of elements of it) of 
set of relevant fixlets 
    whose ("your filter") of 
bes computers 
    whose ("your filter")

At this point ‘item 0’ should be a single fixlet, and you can retrieve (id of it, name of it) of items 0 of ... along with any other fixlet properties you need.

Ok I had a chance to test in my lab, and this query does seem to work. In the end, "item 0" is a Fixlet, so you need to retrieve Fixlet properties from it.

(id of it, name of it ) of items 0 of 
  (elements of item 0 of it 
    , Item 1 of it) whose (
         following text of first "KB" of source id of item 0 of it as integer = item 1 of it
 ) of (
  it 
  , minimum of (it as integer) of following texts of firsts "KB" of source ids of elements of it
) of set of relevant fixlets whose (
      name of site of it = "Enterprise Security" 
      and source severity of it = "Critical" 
      and name of it does not contain "(Superseded)" 
      and name of it does not contain "CORRUPT PATCH" 
      and fixlet flag of it 
      and globally visible flag of it = True
   ) of bes computers whose (name of it as lowercase contains "bes-root")

A: 458032519, MS20-OCT: Security Update for Adobe Flash Player for Windows Server 2016 - Windows Server 2016 - Adobe Flash Player - KB4580325 (x64)
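
The same set pattern keyed on Source Release Date instead of the KB number, returning the date and Source ID in the format asked for earlier in the thread. This is an added example, not a query posted by either participant. It assumes the same site and filter as the query above, uses "computername" as a placeholder for the computer filter, and returns one row per fixlet when several share the earliest date.

```relevance
/* Added example: oldest relevant Critical fixlet(s) by source release date. */
/* "computername" is a placeholder; the site name and filter are taken from the thread. */
(
  (month of source release date of it as two digits as string
    & "/" & day_of_month of source release date of it as two digits as string
    & "/" & year of source release date of it as string)
  & " | " & source id of it as string
) of items 0 of
  (elements of item 0 of it
    , item 1 of it) whose (
         /* keep only fixlets whose release date equals the minimum over the set */
         source release date of item 0 of it = item 1 of it
 ) of (
  it
  , minimum of source release dates of elements of it
) of set of relevant fixlets whose (
      name of site of it = "Enterprise Security"
      and source severity of it = "Critical"
      and name of it does not contain "(Superseded)"
      and name of it does not contain "CORRUPT PATCH"
      and fixlet flag of it
      and globally visible flag of it = True
      /* assumption: skip fixlets that carry no source release date */
      and exists source release date of it
   ) of bes computers whose (name of it as lowercase contains "computername")
```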