Report number of days since last security update (#880)

t-aleksander · web-flow · commit 5e73b68c53b9 · 2026-05-20T12:54:12.000+02:00
* report number of days

* format

* proto
diff --git a/src-tauri/proto b/src-tauri/proto
@@ -1 +1 @@
-Subproject commit 971be5439869cc66056b45d18de40b65c1ac6619
+Subproject commit 07397d4e8712fd89804c49af3e41ddcaeb824cbf
diff --git a/src-tauri/src/enterprise/inspector/mod.rs b/src-tauri/src/enterprise/inspector/mod.rs
@@ -13,7 +13,8 @@ use sysinfo::System;
 
 use crate::{
     service::proto::defguard::enterprise::posture::v2::{
-        bool_check, string_check, BoolCheck, DevicePostureData, StringCheck, UnavailableReason,
+        bool_check, int32_check, string_check, BoolCheck, DevicePostureData, Int32Check,
+        StringCheck, UnavailableReason,
     },
     VERSION,
 };
@@ -109,11 +110,11 @@ fn device_integrity() -> Result<bool, UnavailableReason> {
     Err(UnavailableReason::NotApplicable)
 }
 
-/// Returns the security update status.
-fn security_update_status() -> Result<bool, UnavailableReason> {
+/// Returns the number of days since the last installed Windows security update.
+fn security_update_age_days() -> Result<i32, UnavailableReason> {
     #[cfg(windows)]
     {
-        windows::security_update_status()
+        windows::security_update_age_days()
     }
 
     #[cfg(not(windows))]
@@ -134,6 +135,18 @@ impl From<Result<bool, UnavailableReason>> for BoolCheck {
     }
 }
 
+/// Convert `Result` to `Int32Check`.
+impl From<Result<i32, UnavailableReason>> for Int32Check {
+    fn from(value: Result<i32, UnavailableReason>) -> Self {
+        Self {
+            result: Some(match value {
+                Ok(inner) => int32_check::Result::Value(inner),
+                Err(err) => int32_check::Result::Unavailable(err as i32),
+            }),
+        }
+    }
+}
+
 /// Convert `Result` to `StringCheck`.
 impl From<Result<String, UnavailableReason>> for StringCheck {
     fn from(value: Result<String, UnavailableReason>) -> Self {
@@ -159,7 +172,7 @@ impl DevicePostureData {
             disk_encryption: Some(BoolCheck::from(disk_encryption_status())),
             antivirus_present: Some(BoolCheck::from(anti_virus_status())),
             windows_ad_domain_joined: Some(BoolCheck::from(part_of_domain())),
-            windows_security_update_current: Some(BoolCheck::from(security_update_status())),
+            windows_security_update_age_days: Some(Int32Check::from(security_update_age_days())),
             linux_kernel_version: Some(StringCheck::from(linux_kernel_version())),
             device_integrity: Some(BoolCheck::from(device_integrity())),
         }
diff --git a/src-tauri/src/enterprise/inspector/tests/windows.rs b/src-tauri/src/enterprise/inspector/tests/windows.rs
@@ -1,6 +1,6 @@
 use super::super::{
     anti_virus_status, disk_encryption_status, os_name, os_version, part_of_domain,
-    security_update_status,
+    security_update_age_days,
 };
 
 #[test]
@@ -33,6 +33,6 @@ fn test_part_of_domain() {
 
 #[test]
 #[ignore = "development machine only"]
-fn test_security_update_status() {
-    assert!(security_update_status().unwrap());
+fn test_security_update_age_days() {
+    assert!(security_update_age_days().unwrap() >= 0);
 }
diff --git a/src-tauri/src/enterprise/inspector/windows.rs b/src-tauri/src/enterprise/inspector/windows.rs
@@ -2,13 +2,10 @@
 
 use serde::Deserialize;
 use time::{Date, OffsetDateTime};
-
 use wmi::{AuthLevel, WMIConnection, WMIError};
 
 use super::UnavailableReason;
 
-const MAX_QUICKFIX_DAYS: i64 = 60;
-
 #[derive(Deserialize)]
 #[serde(rename = "Win32_EncryptableVolume")]
 #[serde(rename_all = "PascalCase")]
@@ -137,28 +134,24 @@ pub(super) fn part_of_domain() -> Result<bool, UnavailableReason> {
     Ok(system.part_of_domain)
 }
 
-/// Find the latest security patch.
+/// Number of days since the most recently installed security patch.
 ///
 /// Check manually in PowerShell:
 /// `Get-CimInstance -ClassName Win32_QuickFixEngineering`
 ///
 /// Equivalent to PowerShell command:
 /// `Get-WmiObject -query "SELECT * FROM Win32_QuickFixEngineering"`
-pub(super) fn security_update_status() -> Result<bool, UnavailableReason> {
+pub(super) fn security_update_age_days() -> Result<i32, UnavailableReason> {
     let conn = WMIConnection::new()?;
     let fixes: Vec<Win32QuickFixEngineering> = conn.query()?;
 
-    // Days from today
     let today = OffsetDateTime::now_utc().date();
-    let mut max_days = i64::MAX;
-    for fix in fixes {
-        if let Some(installed_on) = fix.installed_on {
-            let days = (today - installed_on).whole_days();
-            if days < max_days {
-                max_days = days;
-            }
-        }
-    }
-
-    Ok(max_days <= MAX_QUICKFIX_DAYS)
+    let min_days = fixes
+        .into_iter()
+        .filter_map(|fix| fix.installed_on)
+        .map(|installed_on| (today - installed_on).whole_days())
+        .min()
+        .ok_or(UnavailableReason::DetectionFailed)?;
+
+    i32::try_from(min_days).map_err(|_| UnavailableReason::DetectionFailed)
 }
