feat(vulnsrc): add RapidFort Security Advisories source#654
Open
vaibhav-rf wants to merge 6 commits into aquasecurity:main from
Adds a new vulnerability source that ingests RapidFort's curated OS
advisories from vuln-list/rapidfort/{os}/{codename}/{package}.json into
trivy.db. Supports Ubuntu and Debian with automatic codename-to-version
mapping (e.g. focal→20.04, bookworm→12). OSV-style version events are
converted to PatchedVersions/VulnerableVersions ranges for trivy's
version checker.
Remove the codename→version mapping tables entirely. vuln-list-update now writes version numbers (e.g. 20.04, 12) directly as the directory name and distro_version JSON field, so trivy-db can use the value as-is when naming platform buckets.
…raints Signed-off-by: Vaibhav Thatai <vaibhav@rapidfort.com>
Add identifier tracking to CVEEntry events (e.g. el9, fc39) for
Red Hat advisories. Store identifiers in Advisory.Custom parallel
to VulnerableVersions for distro-specific version matching. Includes
Red Hat test fixtures and test cases for both Update and Get paths.
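The conversion the first commit message describes (OSV-style introduced/fixed events folded into VulnerableVersions and PatchedVersions ranges), together with the identifier list that the Red Hat commit keeps parallel to VulnerableVersions, as an added Go example; it is not the PR's or trivy-db's code. The Event and Ranges shapes, the names EventsToRanges and appendRange, and the ">=a, <b" constraint spelling are assumptions made for the example; the sample events are constructed, not RapidFort data.

```go
package main

import "fmt"

// Event is an OSV-style version event as assumed for this example: exactly
// one of Introduced or Fixed is set. Identifier carries the distro tag that
// the Red Hat advisories add (e.g. "el9", "fc39"); Ubuntu/Debian events
// leave it empty. Field names are an assumption, not trivy-db's exact type.
type Event struct {
	Introduced string `json:"introduced,omitempty"`
	Fixed      string `json:"fixed,omitempty"`
	Identifier string `json:"identifier,omitempty"`
}

// Ranges is what the version checker consumes. Identifiers is index-aligned
// with VulnerableVersions so a matcher can pick the range for its own distro
// tag; it stays nil when no event carried an identifier.
type Ranges struct {
	VulnerableVersions []string
	PatchedVersions    []string
	Identifiers        []string
}

// EventsToRanges folds an ordered event list into constraint strings using
// the ">=a, <b" / "<b" / ">=a" spelling; an "introduced: 0" lower bound is
// dropped because it means "from the first version". Malformed lists fail
// loudly: a silently skipped event while building a database becomes a
// missed detection later.
func EventsToRanges(events []Event) (Ranges, error) {
	var out Ranges
	open := -1 // index of the introduced event that has not been closed yet
	hasID := false
	for i, ev := range events {
		if ev.Identifier != "" {
			hasID = true
		}
		switch {
		case ev.Introduced != "" && ev.Fixed != "":
			return Ranges{}, fmt.Errorf("event %d: both introduced and fixed set", i)
		case ev.Introduced != "":
			if open >= 0 {
				// two introduced in a row: the earlier range stays open-ended
				appendRange(&out, events[open], Event{})
			}
			open = i
		case ev.Fixed != "":
			if open < 0 {
				return Ranges{}, fmt.Errorf("event %d: fixed %q without a preceding introduced", i, ev.Fixed)
			}
			appendRange(&out, events[open], ev)
			open = -1
		default:
			return Ranges{}, fmt.Errorf("event %d: neither introduced nor fixed set", i)
		}
	}
	if open >= 0 {
		appendRange(&out, events[open], Event{}) // never fixed: vulnerable from introduced onward
	}
	if !hasID {
		out.Identifiers = nil
	}
	return out, nil
}

// appendRange emits one vulnerable range, its patched version when known,
// and the identifier (taken from the fixed event, else the introduced one).
func appendRange(out *Ranges, intro, fixed Event) {
	var c string
	switch {
	case fixed.Fixed != "" && intro.Introduced == "0":
		c = "<" + fixed.Fixed
	case fixed.Fixed != "":
		c = fmt.Sprintf(">=%s, <%s", intro.Introduced, fixed.Fixed)
	default:
		c = ">=" + intro.Introduced
	}
	out.VulnerableVersions = append(out.VulnerableVersions, c)
	if fixed.Fixed != "" {
		out.PatchedVersions = append(out.PatchedVersions, fixed.Fixed)
	}
	id := fixed.Identifier
	if id == "" {
		id = intro.Identifier
	}
	out.Identifiers = append(out.Identifiers, id)
}

func main() {
	// constructed samples, not RapidFort advisory data
	ubuntu := []Event{{Introduced: "0"}, {Fixed: "1.1.1f-1ubuntu2.20"}}
	redhat := []Event{
		{Introduced: "0", Identifier: "el9"}, {Fixed: "1:3.0.7-27.el9", Identifier: "el9"},
		{Introduced: "0", Identifier: "fc39"}, {Fixed: "3.1.1-4.fc39", Identifier: "fc39"},
	}
	for _, evs := range [][]Event{ubuntu, redhat} {
		r, err := EventsToRanges(evs)
		if err != nil {
			panic(err)
		}
		fmt.Printf("vulnerable=%v patched=%v identifiers=%v\n",
			r.VulnerableVersions, r.PatchedVersions, r.Identifiers)
	}
}
```

The identifier is kept per range rather than per advisory because one CVEEntry for a Red Hat package can carry several fixed versions (el9 and fc39 in the sample), and a matcher for one distro must not accept the other's fixed version as proof of patching.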
- Register RapidFort as a first-class ecosystem.Type in ecosystem.go
- Add rapidFortBucket with Name/Ecosystem/BaseOS methods in bucket.go, replacing the ad-hoc fmt.Sprintf platform name construction
- Refactor rapidfort.go to use utils.FileWalk (consistent with other vulnsrc implementations), carry baseOS through the entry struct, and split Update into parse/put helpers
- Fix import ordering in vulnsrc.go; normalise map[string]any in tests
Summary

Adds rapidfort as a new vulnerability source in trivy-db, ingesting advisory data published by RapidFort in rapidfort/security-advisories.

What's added

- pkg/ecosystem/ecosystem.go: RapidFort Type = "rapidfort" ecosystem constant.
- pkg/vulnsrc/bucket/bucket.go: rapidFortBucket type implementing the Bucket interface with a Name() of the form "rapidfort {os} {version}" (e.g. "rapidfort ubuntu 22.04"). NewRapidFort(baseOS, version) constructor used by both the builder and the getter to guarantee consistent platform key derivation.
- pkg/vulnsrc/rapidfort/types.go: PackageAdvisory, CVEEntry, Event, and RapidFortCustom types matching the JSON format written by vuln-list-update.
- rapidfort.go: VulnSrc (DB builder) and VulnSrcGetter (scanner query path):
  - walks vuln-list/rapidfort/{os}/{version}/{pkg}.json using utils.FileWalk (consistent with other vulnsrc implementations);
  - takes baseOS from the directory path, which is authoritative, with no dependence on JSON field names;
  - sets DataSource.BaseID = baseOS so the scanner can resolve the correct upstream source per OS;
  - keeps the Red Hat identifiers (e.g. el9, fc39) in Advisory.Custom via RapidFortCustom; Ubuntu/Alpine advisories leave Custom nil.
- rapidfort_test.go: TestVulnSrc_Update and TestVulnSrc_Get covering Ubuntu, Debian, and Red Hat happy paths; empty dir; invalid JSON; and missing-advisory cases.
- pkg/vulnsrc/vulnsrc.go: rapidfort.NewVulnSrc() registered in the global source list.

Supported OSes (initial)

Testing

```
go test ./pkg/vulnsrc/rapidfort/...
go build ./...
```
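The path-derived platform key described above (os and version taken from the directory layout, then spliced into a "rapidfort {os} {version}" bucket name), as an added Go example that is not the PR's or trivy-db's code. It walks a constructed vuln-list/rapidfort tree with filepath.WalkDir in place of utils.FileWalk, reads only a distro_version field from the per-package JSON (the rest of the schema is not reproduced), and adds a check the description does not mention: a file whose distro_version disagrees with the directory it sits in is rejected instead of being filed under either value. KeyFromPath, WalkAdvisories, WriteFixture and the sample files are names and data chosen for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// packageAdvisory is only the slice of the per-package JSON this example
// reads; distro_version follows the PR description, nothing else is assumed.
type packageAdvisory struct {
	DistroVersion string `json:"distro_version"`
}

// AdvisoryKey is the platform identity of one advisory file, derived from
// where the file sits, not from what it says.
type AdvisoryKey struct {
	BaseOS  string
	Version string
	Package string
}

// BucketName reproduces the "rapidfort {os} {version}" key layout from the
// PR description (the real constructor is NewRapidFort; this is a stand-in).
func (k AdvisoryKey) BucketName() string {
	return fmt.Sprintf("rapidfort %s %s", k.BaseOS, k.Version)
}

// KeyFromPath parses {os}/{version}/{pkg}.json relative to root. Segments are
// validated because they are spliced into a space-separated bucket name: an
// empty, dot or space-containing segment would corrupt or alias a key.
func KeyFromPath(root, path string) (AdvisoryKey, error) {
	rel, err := filepath.Rel(root, path)
	if err != nil {
		return AdvisoryKey{}, err
	}
	parts := strings.Split(filepath.ToSlash(rel), "/")
	if len(parts) != 3 || !strings.HasSuffix(parts[2], ".json") {
		return AdvisoryKey{}, fmt.Errorf("%q: want {os}/{version}/{pkg}.json", rel)
	}
	for _, seg := range parts {
		if seg == "" || seg == "." || seg == ".." || strings.ContainsAny(seg, " \t") {
			return AdvisoryKey{}, fmt.Errorf("%q: bad path segment %q", rel, seg)
		}
	}
	return AdvisoryKey{BaseOS: parts[0], Version: parts[1], Package: strings.TrimSuffix(parts[2], ".json")}, nil
}

// WalkAdvisories visits every *.json under root and returns its key. The
// directory is authoritative; a contradicting distro_version is an error.
func WalkAdvisories(root string) ([]AdvisoryKey, error) {
	var keys []AdvisoryKey
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, walkErr error) error {
		if walkErr != nil {
			return walkErr
		}
		if d.IsDir() || filepath.Ext(path) != ".json" {
			return nil
		}
		key, err := KeyFromPath(root, path)
		if err != nil {
			return err
		}
		raw, err := os.ReadFile(path)
		if err != nil {
			return err
		}
		var adv packageAdvisory
		if err := json.Unmarshal(raw, &adv); err != nil {
			return fmt.Errorf("%s: %w", path, err)
		}
		if adv.DistroVersion != "" && adv.DistroVersion != key.Version {
			return fmt.Errorf("%s: distro_version %q disagrees with directory %q", path, adv.DistroVersion, key.Version)
		}
		keys = append(keys, key)
		return nil
	})
	return keys, err
}

// WriteFixture lays out a constructed tree (sample data, not RapidFort's)
// so the walk runs offline; rel paths use forward slashes.
func WriteFixture(root string, files map[string]string) error {
	for rel, body := range files {
		p := filepath.Join(root, filepath.FromSlash(rel))
		if err := os.MkdirAll(filepath.Dir(p), 0o755); err != nil {
			return err
		}
		if err := os.WriteFile(p, []byte(body), 0o644); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	root, err := os.MkdirTemp("", "rapidfort-")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	files := map[string]string{
		"ubuntu/22.04/openssl.json": `{"distro_version":"22.04"}`,
		"debian/12/curl.json":       `{"distro_version":"12"}`,
	}
	if err := WriteFixture(root, files); err != nil {
		panic(err)
	}
	keys, err := WalkAdvisories(root)
	if err != nil {
		panic(err)
	}
	for _, k := range keys {
		fmt.Printf("%s: %s\n", k.BucketName(), k.Package)
	}
}
```

Deriving the key from the path and then cross-checking the JSON gives the builder one source of truth while still catching a mis-filed advisory at ingestion time, where it is cheap to fix, rather than at scan time, where it surfaces as a wrong platform match.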