feat(suse): replace CVRF feed with advisory CSAF updater

Switch SUSE security data from the legacy CVRF XML archive to the
upstream CSAF feed, storing trimmed native JSON under csaf/suse/.

Co-authored-by: Cursor <cursoragent@cursor.com>

Author: manojkrishnanomula

.github/workflows/update.yml

@@ -116,15 +116,15 @@ jobs:
           commit-message: "CWE"
 
       - if: always()
-        name: SUSE CVRF
+        name: SUSE CSAF
         uses: ./.github/actions/update-source
         with:
-          target: suse-cvrf
+          target: suse-csaf
           client-id: ${{ secrets.SA_GH_VULN_LIST_UPDATE_GH_APP_CLIENT_ID }}
           private-key: ${{ secrets.SA_GH_VULN_LIST_UPDATE_GH_APP_PRIVATE_KEY }}
           owner: ${{ github.repository_owner }}
           repository: ${{ env.VULN_LIST_DIR }}
-          commit-message: "SUSE CVRF"
+          commit-message: "SUSE CSAF"
 
       - if: always()
         name: GitLab Advisory Database

README.md

@@ -20,7 +20,7 @@ https://github.com/aquasecurity/vuln-list/
 $ vuln-list-update -h
 Usage of vuln-list-update:
   -target string
-        update target (nvd, alpine, alpine-unfixed, redhat, redhat-oval, debian, ubuntu, amazon, oracle-oval, suse-cvrf, photon, arch-linux, ghsa, glad, cwe, osv, mariner, kevc, wolfi, chainguard, azure, openeuler, echo, minimos, rootio, seal)
+        update target (nvd, alpine, alpine-unfixed, redhat, redhat-oval, debian, ubuntu, amazon, oracle-oval, suse-csaf, photon, arch-linux, ghsa, glad, cwe, osv, mariner, kevc, wolfi, chainguard, azure, openeuler, echo, minimos, rootio, seal)
   -target-branch string
     	alternative repository branch (only glad)
   -target-uri string

main.go

@@ -31,15 +31,15 @@ import (
 	"github.com/aquasecurity/vuln-list-update/rocky"
 	"github.com/aquasecurity/vuln-list-update/rootio"
 	"github.com/aquasecurity/vuln-list-update/seal"
-	susecvrf "github.com/aquasecurity/vuln-list-update/suse/cvrf"
+	susecsaf "github.com/aquasecurity/vuln-list-update/suse/csaf"
 	"github.com/aquasecurity/vuln-list-update/ubuntu"
 	"github.com/aquasecurity/vuln-list-update/utils"
 	"github.com/aquasecurity/vuln-list-update/wolfi"
 )
 
 var (
 	target = flag.String("target", "", "update target (nvd, alpine, alpine-unfixed, redhat, redhat-oval, "+
-		"redhat-csaf-vex, debian, ubuntu, amazon, oracle-oval, suse-cvrf, photon, arch-linux, glad, cwe, osvdev, mariner, kevc, wolfi, "+
+		"redhat-csaf-vex, debian, ubuntu, amazon, oracle-oval, suse-csaf, photon, arch-linux, glad, cwe, osvdev, mariner, kevc, wolfi, "+
 		"chainguard, azure, openeuler, echo, minimos, eoldates, rootio)")
 	vulnListDir  = flag.String("vuln-list-dir", "", "vuln-list dir")
 	targetUri    = flag.String("target-uri", "", "alternative repository URI (only glad)")
@@ -108,10 +108,10 @@ func run() error {
 		if err := oc.Update(); err != nil {
 			return xerrors.Errorf("Oracle OVAL update error: %w", err)
 		}
-	case "suse-cvrf":
-		sc := susecvrf.NewConfig()
+	case "suse-csaf":
+		sc := susecsaf.NewConfig()
 		if err := sc.Update(); err != nil {
-			return xerrors.Errorf("SUSE CVRF update error: %w", err)
+			return xerrors.Errorf("SUSE CSAF update error: %w", err)
 		}
 	case "photon":
 		pc := photon.NewConfig()

suse/csaf/csaf.go

@@ -0,0 +1,183 @@
+package csaf
+
+import (
+	"archive/tar"
+	"bytes"
+	"compress/bzip2"
+	"compress/gzip"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io"
+	"log"
+	"path/filepath"
+	"regexp"
+	"strings"
+	"unicode/utf8"
+
+	csaflib "github.com/csaf-poc/csaf_distribution/v3/csaf"
+	"github.com/spf13/afero"
+	"golang.org/x/xerrors"
+
+	"github.com/aquasecurity/vuln-list-update/utils"
+)
+
+const (
+	csafArchiveURL = "https://ftp.suse.com/pub/projects/security/csaf.tar.bz2"
+	csafDir        = "csaf"
+	suseDir        = "suse"
+	retries        = 5
+)
+
+var fileRegexp = regexp.MustCompile(`^(suse-su|opensuse-su)-`)
+
+type Config struct {
+	VulnListDir string
+	URL         string
+	AppFs       afero.Fs
+}
+
+// archiveEntry is a single JSON document from the SUSE CSAF tar archive.
+type archiveEntry struct {
+	Filename string
+	Data     []byte
+}
+
+func NewConfig() Config {
+	return Config{
+		VulnListDir: utils.VulnListDir(),
+		URL:         csafArchiveURL,
+		AppFs:       afero.NewOsFs(),
+	}
+}
+
+func (c Config) Update() error {
+	log.Print("Fetching SUSE CSAF archive...")
+
+	return walkArchive(c.URL, retries, fileRegexp, func(e archiveEntry) error {
+		osName, err := osNameFromFilename(e.Filename)
+		if err != nil {
+			log.Printf("skip %s: %v", e.Filename, err)
+			return nil
+		}
+
+		var adv csaflib.Advisory
+		if err := json.Unmarshal(e.Data, &adv); err != nil {
+			log.Printf("skip invalid CSAF json (%s): %v", e.Filename, err)
+			return nil
+		}
+
+		if err := adv.Validate(); err != nil {
+			log.Printf("skip invalid CSAF advisory (%s): %v", e.Filename, err)
+			return nil
+		}
+
+		if adv.Document == nil || adv.Document.Tracking == nil || adv.Document.Tracking.ID == nil {
+			log.Printf("skip advisory without tracking id (%s)", e.Filename)
+			return nil
+		}
+
+		dir := filepath.Join(csafDir, suseDir, osName)
+		if err := c.savePerYear(dir, string(*adv.Document.Tracking.ID), adv); err != nil {
+			return xerrors.Errorf("failed to save CSAF: %w", err)
+		}
+		return nil
+	})
+}
+
+func osNameFromFilename(filename string) (string, error) {
+	match := fileRegexp.FindStringSubmatch(filename)
+	if len(match) < 2 {
+		return "", fmt.Errorf("unexpected filename")
+	}
+	switch match[1] {
+	case "suse-su":
+		return "suse", nil
+	case "opensuse-su":
+		return "opensuse", nil
+	default:
+		return "", fmt.Errorf("unknown prefix %q", match[1])
+	}
+}
+
+func (c Config) savePerYear(dirName, advisoryID string, data any) error {
+	s := strings.Split(advisoryID, "-")
+	if len(s) < 4 {
+		log.Printf("invalid advisory ID format: %s", advisoryID)
+		return nil
+	}
+
+	year := strings.Split(s[2], ":")[0]
+	if len(year) < 4 {
+		log.Printf("invalid advisory ID format: %s", advisoryID)
+		return nil
+	}
+
+	yearDir := filepath.Join(c.VulnListDir, dirName, year)
+	fileName := fmt.Sprintf("%s.json", strings.Replace(advisoryID, ":", "-", 1))
+	if err := utils.WriteJSON(c.AppFs, yearDir, fileName, data); err != nil {
+		return xerrors.Errorf("failed to write file: %w", err)
+	}
+	return nil
+}
+
+func walkArchive(url string, retries int, nameRegexp *regexp.Regexp, handler func(archiveEntry) error) error {
+	body, err := utils.FetchURL(url, "", retries)
+	if err != nil {
+		return xerrors.Errorf("failed to download archive: %w", err)
+	}
+
+	decompressed, err := decompressArchive(url, body)
+	if err != nil {
+		return err
+	}
+
+	tr := tar.NewReader(decompressed)
+	for {
+		hdr, err := tr.Next()
+		switch {
+		case errors.Is(err, io.EOF):
+			return nil
+		case err != nil:
+			return xerrors.Errorf("failed to read tar entry: %w", err)
+		case hdr.Typeflag != tar.TypeReg:
+			continue
+		}
+
+		filename := filepath.Base(hdr.Name)
+		if !strings.HasSuffix(filename, ".json") {
+			continue
+		}
+		if nameRegexp != nil && !nameRegexp.MatchString(filename) {
+			continue
+		}
+
+		data, err := io.ReadAll(tr)
+		if err != nil {
+			return xerrors.Errorf("failed to read tar entry data: %w", err)
+		}
+		if len(data) == 0 {
+			log.Printf("empty json: %s", filename)
+			continue
+		}
+		if !utf8.Valid(data) {
+			log.Printf("invalid UTF-8: %s", filename)
+			data = []byte(strings.ToValidUTF8(string(data), ""))
+		}
+
+		if err := handler(archiveEntry{Filename: filename, Data: data}); err != nil {
+			return err
+		}
+	}
+}
+
+func decompressArchive(url string, body []byte) (io.Reader, error) {
+	switch {
+	case strings.HasSuffix(url, ".tar.bz2"):
+		return bzip2.NewReader(bytes.NewReader(body)), nil
+	case strings.HasSuffix(url, ".tar.gz"):
+		return gzip.NewReader(bytes.NewReader(body))
+	default:
+		return nil, xerrors.Errorf("unsupported archive format: %s", url)
+	}
+}

suse/csaf/csaf_test.go

@@ -0,0 +1,99 @@
+package csaf_test
+
+import (
+	"archive/tar"
+	"bytes"
+	"compress/gzip"
+	"net/http"
+	"net/http/httptest"
+	"os"
+	"testing"
+
+	"github.com/spf13/afero"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/aquasecurity/vuln-list-update/suse/csaf"
+)
+
+func createArchive(t *testing.T, dir string) []byte {
+	t.Helper()
+
+	var buf bytes.Buffer
+	gw := gzip.NewWriter(&buf)
+	tw := tar.NewWriter(gw)
+	require.NoError(t, tw.AddFS(os.DirFS(dir)))
+	require.NoError(t, tw.Close())
+	require.NoError(t, gw.Close())
+
+	return buf.Bytes()
+}
+
+func TestConfig_Update(t *testing.T) {
+	testCases := []struct {
+		name        string
+		appFs       afero.Fs
+		archiveDir  string
+		goldenFiles map[string]string
+	}{
+		{
+			name:       "positive test",
+			appFs:      afero.NewMemMapFs(),
+			archiveDir: "testdata/csaf",
+			goldenFiles: map[string]string{
+				"/tmp/csaf/suse/suse/2019/SUSE-SU-2019-0048-2.json":         "testdata/golden/SUSE-SU-2019-0048-2.json",
+				"/tmp/csaf/suse/opensuse/2019/openSUSE-SU-2019-0003-1.json": "testdata/golden/openSUSE-SU-2019-0003-1.json",
+			},
+		},
+		{
+			name:        "broken JSON is skipped",
+			appFs:       afero.NewMemMapFs(),
+			archiveDir:  "testdata/broken-csaf",
+			goldenFiles: map[string]string{},
+		},
+	}
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			archiveData := createArchive(t, tc.archiveDir)
+
+			ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+				_, err := w.Write(archiveData)
+				assert.NoError(t, err, tc.name)
+			}))
+			defer ts.Close()
+
+			c := csaf.Config{
+				VulnListDir: "/tmp",
+				URL:         ts.URL + "/csaf.tar.gz",
+				AppFs:       tc.appFs,
+			}
+			err := c.Update()
+			require.NoError(t, err, tc.name)
+
+			fileCount := 0
+			err = afero.Walk(c.AppFs, "/", func(path string, info os.FileInfo, err error) error {
+				if err != nil {
+					return err
+				}
+				if info.IsDir() {
+					return nil
+				}
+				fileCount++
+
+				actual, err := afero.ReadFile(c.AppFs, path)
+				require.NoError(t, err, tc.name)
+
+				goldenPath, ok := tc.goldenFiles[path]
+				require.True(t, ok, "unexpected output file: %s", path)
+				expected, err := os.ReadFile(goldenPath)
+				require.NoError(t, err, tc.name)
+
+				assert.JSONEq(t, string(expected), string(actual), tc.name)
+
+				return nil
+			})
+			require.NoError(t, err, tc.name)
+			assert.Equal(t, len(tc.goldenFiles), fileCount, tc.name)
+		})
+	}
+}

suse/csaf/testdata/broken-csaf/suse-su-2019_0048-2.json

@@ -0,0 +1 @@
+{