Add Windows FMAs (letter B): 5 apps#48950
Conversation
Codecov Report❌ Patch coverage is Additional details and impacted files@@ Coverage Diff @@
## main #48950 +/- ##
==========================================
- Coverage 68.11% 68.11% -0.01%
==========================================
Files 3709 3714 +5
Lines 235099 235109 +10
Branches 12352 12352
==========================================
+ Hits 160129 160134 +5
- Misses 60593 60598 +5
Partials 14377 14377
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
The vendor URL already serves 5.13.1.4288 while the only winget manifest ever published says 5.13.0.4246 (validator version check failed). Unlike other ignore_hash FMAs (TeamViewer, Chrome), this package's manifest is not actively maintained, so the installed version would chronically differ from the advertised one.
|
Validation results: 5/6 — Bytello Share dropped (1133755) Bytello Share installed and was detected fine, but the version check failed: the vendor's latest-pointer URL installs 5.13.1.4288 while the winget manifest (the only version ever published for that package) pins 5.13.0.4246. Latest-pointer URLs are workable when the winget manifest is actively maintained (TeamViewer, Chrome), but this package's manifest is effectively abandoned, so the installed version would chronically differ from what the catalog advertises. Dropped and recorded in the tracker. The remaining 5 (BandiView, BleachBit, Bulk Crap Uninstaller, BrowserStackLocal, Burp Suite Professional) all passed — the 3 'warnings' are the benign no-new-top-level-dir-in-Program-Files notices for x86/(x86)-path installs. |
|
Caution Review failedThe pull request is closed. ℹ️ Recent review info⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: CHILL Plan: Pro Run ID: ⛔ Files ignored due to path filters (5)
📒 Files selected for processing (25)
WalkthroughThis PR adds five new maintained apps for winget/Windows: BandiView, BleachBit, BrowserStackLocal, Bulk Crap Uninstaller, and Burp Suite Professional. Each app gets a winget input JSON manifest specifying installer metadata and script paths, dedicated PowerShell install/uninstall scripts handling silent installation, registry-based uninstall detection, and exit-code handling, a corresponding generated output JSON embedding version detection queries and script references, and a new entry in the apps.json registry. Additionally, new React SVG icon components are added for each app and wired into the frontend's SOFTWARE_NAME_TO_ICON_MAP lookup used on the Software page. Possibly related PRs
✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Pull request overview
Expands Fleet’s Windows Fleet-maintained apps (FMA) catalog for the “B” batch by adding new Winget ingester inputs, generated Windows outputs (install/patch queries + installer metadata + embedded scripts), and corresponding Software page icons so the apps render with proper branding in the UI.
Changes:
- Add 5 new Windows FMAs: BandiView, BleachBit, Bulk Crap Uninstaller, BrowserStackLocal, Burp Suite Professional (inputs + generated outputs + catalog index).
- Add 5 new Software page icon components and wire them into the icon map for loose-prefix matching.
- Add install/uninstall PowerShell scripts (and embed them into outputs via script refs) where needed for silent install/uninstall behavior.
Reviewed changes
Copilot reviewed 25 out of 30 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| frontend/pages/SoftwarePage/components/icons/index.ts | Registers new icon components and maps normalized software names to those icons. |
| frontend/pages/SoftwarePage/components/icons/Bandiview.tsx | Adds BandiView icon component. |
| frontend/pages/SoftwarePage/components/icons/Bleachbit.tsx | Adds BleachBit icon component. |
| frontend/pages/SoftwarePage/components/icons/Browserstacklocal.tsx | Adds BrowserStackLocal icon component. |
| frontend/pages/SoftwarePage/components/icons/BulkCrapUninstaller.tsx | Adds Bulk Crap Uninstaller icon component. |
| frontend/pages/SoftwarePage/components/icons/BurpSuiteProfessional.tsx | Adds Burp Suite Professional icon component. |
| ee/maintained-apps/outputs/bandiview/windows.json | Generated Windows FMA output for BandiView (queries/installer metadata/script refs). |
| ee/maintained-apps/outputs/bleachbit/windows.json | Generated Windows FMA output for BleachBit (queries/installer metadata/script refs). |
| ee/maintained-apps/outputs/bulk-crap-uninstaller/windows.json | Generated Windows FMA output for Bulk Crap Uninstaller (queries/installer metadata/script refs). |
| ee/maintained-apps/outputs/browserstacklocal/windows.json | Generated Windows FMA output for BrowserStackLocal (queries/installer metadata/MSI upgrade code). |
| ee/maintained-apps/outputs/burp-suite-professional/windows.json | Generated Windows FMA output for Burp Suite Professional (queries/installer metadata/script refs). |
| ee/maintained-apps/outputs/apps.json | Adds the new apps to the global maintained-apps catalog index. |
| ee/maintained-apps/inputs/winget/bandiview.json | Adds Winget ingester input for BandiView. |
| ee/maintained-apps/inputs/winget/bleachbit.json | Adds Winget ingester input for BleachBit. |
| ee/maintained-apps/inputs/winget/bulk-crap-uninstaller.json | Adds Winget ingester input for Bulk Crap Uninstaller. |
| ee/maintained-apps/inputs/winget/browserstacklocal.json | Adds Winget ingester input for BrowserStackLocal (MSI, ignore_hash). |
| ee/maintained-apps/inputs/winget/burp-suite-professional.json | Adds Winget ingester input for Burp Suite Professional (custom scripts, fuzzy match). |
| ee/maintained-apps/inputs/winget/scripts/bandiview_install.ps1 | Silent install script for BandiView. |
| ee/maintained-apps/inputs/winget/scripts/bandiview_uninstall.ps1 | Silent uninstall script for BandiView via registry uninstall entry. |
| ee/maintained-apps/inputs/winget/scripts/bleachbit_install.ps1 | Silent install script for BleachBit with NsisMultiUser all-users switch. |
| ee/maintained-apps/inputs/winget/scripts/bleachbit_uninstall.ps1 | Silent uninstall script for BleachBit via registry uninstall entry. |
| ee/maintained-apps/inputs/winget/scripts/bulk-crap-uninstaller_install.ps1 | Silent install script for Bulk Crap Uninstaller (Inno Setup). |
| ee/maintained-apps/inputs/winget/scripts/bulk-crap-uninstaller_uninstall.ps1 | Silent uninstall script for Bulk Crap Uninstaller (Inno Setup) via registry uninstall entry. |
| ee/maintained-apps/inputs/winget/scripts/burp_suite_professional_install.ps1 | Silent install script for Burp Suite Professional (install4j) with explicit machine install dir. |
| ee/maintained-apps/inputs/winget/scripts/burp_suite_professional_uninstall.ps1 | Uninstall script for Burp Suite Professional (install4j) with process cleanup and arg normalization. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| { | ||
| "name": "BandiView", | ||
| "slug": "bandiview/windows", | ||
| "platform": "windows", | ||
| "unique_identifier": "BandiView", | ||
| "description": "BandiView is a fast image viewer supporting a wide range of photo and comic formats." | ||
| }, |
**Related issue:** N/A — part of the Windows Fleet-maintained apps catalog expansion (letter C batch; follows #48872, #48881, #48950). Adds seventeen new Windows Fleet-maintained apps: | App | winget package | Installer | Notes | |-----|----------------|-----------|-------| | Advanced Installer | `Caphyon.AdvancedInstaller` | MSI, machine, x64 | Versioned ARP name ("Advanced Installer 23.8") → fuzzy match. | | Certify The Web | `CertifyTheWeb.CertifySSLManager` | Inno, machine, x64 | ARP name is "Certify Certificate Manager version 7.1.0.0" (product renamed at v7) → fuzzy on "Certify Certificate Manager". | | Chatbox | `Bin-Huang.Chatbox` | NSIS (electron-builder), machine, x64 | `/allusers /S`; custom exists query excludes the separate Chatbox Community Edition; uninstall matches `Chatbox [0-9]*`. | | Citrix Workspace | `Citrix.Workspace` | Vendor bootstrapper EXE, machine, x86 universal | ARP name "Citrix Workspace \<YYMM\>" → fuzzy. Uninstall runs the registered TrolleyExpress with `/uninstall /cleanup /silent`; 3010 treated as success. See "not added" for the LTSR caveat. | | CPU-Z | `CPUID.CPU-Z` | Inno, machine | `installer_locale` pinned to en-US (manifest also carries zh-CN); `/ALLUSERS` added to Inno switches; versioned ARP name → fuzzy. | | CodeMeter Runtime Kit | `Wibu-Systems.CodeMeterRuntimeKit` | Vendor bootstrapper embedding MSI, x64 | `installer_scope: ""` (manifest declares no scope; embedded MSI is per-machine). Install `/q /nosplash /ComponentArgs "*":"/quiet /norestart"`; uninstall via msiexec by ARP name prefix. Identity verified by carving the embedded MSI. | | ClipboardFusion | `BinaryFortress.ClipboardFusion` | Inno, machine, x64 | ARP name carries a locale-dependent "(64-bit)" suffix → fuzzy pattern `ClipboardFusion%`; `/LAUNCHAFTER=0` prevents post-install launch. | | CloudShow | `BinaryFortress.CloudShow` | Inno, machine, x64 | Same Binary Fortress framework; ARP name "CloudShow Launcher (64-bit)" is framework-inferred (no third-party corroboration exists) — the CI validator is the confirmation. | | ClockAssist | `ClockAssist.ClockAssist` | MSI, machine, x64 | Latest-pointer URL but actively maintained manifest (bot replaces the single version dir ~6-weekly) → `ignore_hash`. | | Crestron AirMedia | `Crestron.AirMedia` | MSI, machine, x86 | ARP name is "Crestron AirMedia Machine-Wide Installer" (Teams-style per-user stamping); identity from msiinfo. | | Crestron AirMedia Peripherals | `Crestron.AirMediaPeripherals` | MSI, machine, x64 | Clean MSI. LaunchCondition fails install (1603) on hosts with a pending reboot — noted. | | CrisisGo | `CrisisGo.CrisisGo` | InstallShield Basic MSI, machine, x86 | Custom install script passes `ISSETUPDRIVEN=1` to defuse the "must run setup.exe" guard (vendor ships this bare MSI for network deployment; winget sandbox validates it). | | Cyberduck CLI | `Iterate.CyberduckCLI` | MSI, machine, x64 | Clean WiX MSI. winget lags the vendor by ~4 releases, but pinned URLs stay live, so installs work — just not bleeding-edge. | | Cisco Webex Recorder and Player | `Cisco.WebexRecorderAndPlayer` | InstallShield MSI, machine, x86 | Legacy WRF player but actively updated by Cisco (8 winget bumps in 10 months); latest-pointer URL → `ignore_hash`. | | Creative Force Kelvin | `CreativeForce.Kelvin` | WiX MSI, machine, x64 | Manifest offers per-user NSIS, machine NSIS, and MSI — the MSI is selected (unversioned ARP name "Kelvin"). | | Creative Force Triad | `CreativeForce.Triad` | NSIS (electron-builder), machine, x64 | `/allusers /S`; versioned ARP name → fuzzy. | | Cube Browser | `RystadEnergy.CubeBrowser` | WiX burn bundle, machine, x64 | Bundle Arp manifest carved from the installer ("Cube Browser (64 bit)"); dual-mode uninstall (prefers bundle entry, msiexec fallback) since bundle + chained MSI may both register the same name. | Considered but **not** added (recorded in the workstream tracker): - **Citrix Workspace app LTSR** (`Citrix.Workspace.LTSR`): the LTSR and current tracks register the **identical** ARP key (`CitrixOnlinePluginPackWeb`) and the same "Citrix Workspace \<YYMM\>" DisplayName with no LTSR marker — the only discriminator is a registry value outside the programs table, so Fleet inventory cannot tell the tracks apart. An LTSR FMA would cross-match current-release installs (and vice versa). **Consequence for the shipped Citrix Workspace FMA:** hosts running LTSR will match it and may show "update available" toward the current release — flagged here for reviewer judgment. - **Charles** (`XK72.Charles`): all winget 5.x manifests are per-user MSIX only. The vendor ships a machine-scope MSI for 5.2 but it isn't indexed in winget; revisit if the manifest adds it. - **Calibrite Profiler** (`Calibrite.PROFILER`): abandoned winget manifest — one version dir ever while the vendor is five releases and a major version ahead. - **Cloud Drive Mapper** (`IAMCloud.CloudDriveMapperV3`): latest-pointer URL whose manifest SHA is already stale, and the MSI sets `ARPSYSTEMCOMPONENT=1`, hiding the ARP entry from inventory entirely. - **CloudCompare** (`CloudCompare.CloudCompare`): registry DisplayVersion (and the winget PackageVersion itself) embed a parenthetical date — "2.13.2 (07-06-2024)" — which breaks version comparison; manifest also stale. - **Classic Shell** (`IvoSoft.ClassicShell`): development ended in 2017; superseded by Open-Shell. (CutePDF Writer was already deferred in the letter A batch.) Identities verified per app (msiinfo Property tables; burn bundle Arp manifests carved from installers; AppxManifest/electron-builder sources; uninstall-database corroboration). SHAs verified against manifests for pinned URLs; `ignore_hash` used only where the manifest is demonstrably actively maintained. Icons via `tools/software/icons/generate-icons.sh`; the pre-existing CitrixWorkspace icon component is reused untouched. # Checklist for submitter - [x] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements), JS inline code is prevented especially for url redirects, and untrusted data interpolated into shell scripts/commands is validated against shell metacharacters. - [x] Timeouts are implemented and retries are limited to avoid infinite loops ## Testing - [ ] QA'd all new/changed functionality manually (relying on the FMA CI validator for Windows install/uninstall validation)
**Related issue:** N/A — part of the Windows Fleet-maintained apps catalog expansion (letter D batch; follows #48872, #48881, #48950, #48969). Adds twelve new Windows Fleet-maintained apps: | App | winget package | Installer | Notes | |-----|----------------|-----------|-------| | DataSpell | `JetBrains.DataSpell` | NSIS (install4j), machine, x64 | Mirrors the DataGrip FMA pattern: `fuzzy_match_name` + `use_display_version_for_patch` (registry version is a JetBrains build number; marketing version parsed from the name). | | dnGrep | `dnGrep.dnGrep` | MSI, machine, x64 | Versioned+arch ARP name ("dnGrep 5.0.9 (x64)") → fuzzy match. | | Draftable Desktop | `Draftable.Draftable` | MSI, machine, x64 | Uses the machine-scope `DraftableDesktopSystem` MSI. **Caveat:** hard winget dependency on .NET 10 Desktop Runtime — installs fine but won't launch without it (same class as the BleachBit VCRedist dependency). | | dRofus | `dRofus.dRofus` | MSI, machine, x64 | Versioned ARP name ("dRofus 2.18") → fuzzy match. | | Devolutions Launcher | `Devolutions.Launcher` | MSI, machine, x64 | Distinct ARP identity from the existing Remote Desktop Manager FMA. | | Devolutions Workspace | `Devolutions.Workspace` | MSI, machine, x64 | Product renamed: ARP DisplayName is **"Devolutions Password Manager"** (set as `unique_identifier`). `program_publisher` overridden to "Devolutions Inc." (capital I) — verified via msiinfo; the locale-derived lowercase would not match. | | Delinea Connection Manager | `Delinea.DelineaConnectionManager` | MSI, machine, x64 | Dual-purpose MSI defaults to **per-user** (ALLUSERS=2 + MSIINSTALLPERUSER=1); custom install script forces `ALLUSERS=1 MSIINSTALLPERUSER=""`. `program_publisher` = "Delinea Inc.." (double period, as stored in the MSI). Unversioned URL → `ignore_hash`. | | DAX Studio | `DaxStudio.DaxStudio` | Inno, machine, x64 | `/ALLUSERS` for machine scope; versioned ARP name → fuzzy. | | DevPod | `LoftLabs.DevPod` | MSI, machine, x64 | Uses the WiX MSI variant (the manifest also has an NSIS per-user one). | | Directory Opus | `GPSoftware.DirectoryOpus` | Inno, machine, x64 | Standard Inno silent install/uninstall. | | DYMO ID | `DYMO.DYMOID` | InstallShield→MSI, machine, x86 | `/S /V"/qn /norestart"`; uninstall via msiexec by ProductCode. | | digiSeal Reader | `secrypt.digiSealreader` | EXE (self-extracting), machine, x86 | `installer_scope: ""` (manifest declares no scope); `-silent` install, shipped uninstaller with `-silent`. Unversioned URL → `ignore_hash`. | Considered but **not** added (recorded in the workstream tracker): - **Datadog Agent** (`Datadog.Agent`): winget PackageVersion is `7.81.0.1` but the MSI and registry report `7.81.0.0`, so the patch policy would flag every install as perpetually outdated. `use_display_version_for_patch` can't fix it (the manifest has no `AppsAndFeaturesEntries`); it needs a version-normalizing ingester ref (like `onepassword_version_shortener`). Deferred pending that helper (task spawned). - **Dell Display and Peripheral Manager** (`Dell.DisplayAndPeripheralManager`, covers both "Dell Display Manager" and "Dell Peripheral Manager"): the winget-pinned host `dl.dell.com` returns **403** to non-browser User-Agents, and Fleet's downloader sends `Go-http-client` (same failure that dropped Crestron AirMedia in letter C). The `downloads.dell.com` mirror serves the identical path to any UA, but there's no input field to override the manifest URL. Deferred pending a downloader User-Agent fix (task spawned — would also unblock Crestron). - **Dell EMC System Update** (`Dell.SystemUpdate`): registers its ARP entry under **HKCU** (per-user) under a SYSTEM install; legacy product Dell steers users away from (toward Dell Command Update, already an FMA); firmware/driver DUP bootstrapper. - **Devolutions Remote Desktop Manager Agent** (`Devolutions.RemoteDesktopManagerAgent`): legacy/superseded by "Devolutions Agent" (2026.1); winget manifest frozen at 2025.2.28.0 since Sept 2025; vendor docs page 404s. - **Dedoose** (`Dedoose.Dedoose`): per-user-only scope, x86, latest-pointer URL (CloudShow class). - **Defraggler** (`Piriform.Defraggler`): abandoned (final release 2020, no winget commits since 2023); legacy defrag tool with an unverified ARP publisher string. - **DiRoots ProSheets** (`DiRoots.ProSheets`): validated install but its Advanced Installer bootstrapper uninstall hung to the timeout and it drags bundled PDF24 Creator entries into inventory (dropped at validation). - **DroidCam Client** (`dev47apps.DroidCam`): NSIS `/S` install hung headless to the timeout (inline vc_redist); 3DxWare/Citrix headless-hang class (dropped at validation). Identities verified per app (msiinfo Property tables; installer PE/version resources; winget AppsAndFeaturesEntries; uninstall-database corroboration). Two publisher-casing mismatches (Devolutions Workspace, Delinea) were caught by direct MSI inspection and fixed with `program_publisher` before they could silently break the exists queries. SHAs verified against manifests for pinned URLs; `ignore_hash` used only where the manifest is demonstrably actively maintained. Icons via `tools/software/icons/generate-icons.sh` (the pre-existing DataSpell icon component is reused untouched). # Checklist for submitter - [x] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements), JS inline code is prevented especially for url redirects, and untrusted data interpolated into shell scripts/commands is validated against shell metacharacters. - [x] Timeouts are implemented and retries are limited to avoid infinite loops ## Testing - [ ] QA'd all new/changed functionality manually (relying on the FMA CI validator for Windows install/uninstall validation)
Related issue: N/A — part of the Windows Fleet-maintained apps catalog expansion (letter B batch; follows #48872 and #48881).
Adds six new Windows Fleet-maintained apps:
Bandisoft.BandiViewignore_hash(URL verified to serve the binary reliably without Referer tricks). DisplayName "BandiView" stable across releases.BleachBit.BleachBit/allusers /S— without/allusersthe NsisMultiUser installer's scope is ambiguous. winget declares a VCRedist 2010 x86 dependency Fleet can't satisfy; noted as a caveat.Klocman.BulkCrapUninstallerunique_identifier"BCUninstaller" +fuzzy_match_name. Registry version is 4-part vs winget's "6.2" —version_comparepads, verified consistent.BrowserStack.BrowserStackLocalignore_hash.PortSwigger.BurpSuite.Professional-q -Dinstall4j.suppressUnattendedReboot=trueplus the load-bearing-dirinto Program Files (install4j defaults to per-user otherwise). DisplayName is versioned without "Edition" ("Burp Suite Professional 2026.3.3"), unlike Community — fuzzy patternBurp Suite Professional %can't collide with Community's.Bytello.BytelloShareagent=dvariant whose ARP identity ("Bytello Share" / publisher "Bytello Share") matches real-world inventory; the zip variant registers a different name ("BytelloShare") and its nested-MSI path is version-pinned and already stale. Vendor URL is a latest-pointer already ahead of winget →ignore_hash. Note: the input saysinstaller_type: "msi"— the ingester classifies this nullsoft entry as msi because its URL has no file extension (vendor-type → URL-extension → machine-scope fallback chain iningester.go); the custom scripts handle the actual NSIS exe.Considered but not added (recorded in the workstream tracker):
Bambulab.Bambustudio): the uninstaller shows a keep-user-data confirmation dialog even with/S(deployment guides work around it with Send-Keys, impossible in a SYSTEM session) — same failure class that disqualified Adobe AIR in the letter A batch.StephenRessler.BridgeDesigner): installer URL 404s (file removed from SourceForge) and the desktop product was discontinued July 1, 2026 in favor of a browser-based edition.Burnaware.BurnAwareFree): the vendor deletes each old release URL — the winget-pinned installer already redirects to their homepage, so pinned downloads break every release cycle.Registry identities were verified per app (msiinfo Property tables for MSIs; vendor installer sources, winget AppsAndFeaturesEntries, and uninstall-database corroboration for EXEs). Installer SHAs verified against manifests where URLs are version-pinned; unversioned URLs use
ignore_hashper the TeamViewer/Chrome precedent. Icons generated viatools/software/icons/generate-icons.sh.Checklist for submitter
SELECT *is avoided, SQL injection is prevented (using placeholders for values in statements), JS inline code is prevented especially for url redirects, and untrusted data interpolated into shell scripts/commands is validated against shell metacharacters.Testing
Summary by CodeRabbit
New Features
Bug Fixes