feat(suse): add suse-cvrf-cve feed updater

- Add suse/cvrf-cve package to fetch per-CVE CVRF from ftp.suse.com cvrf-cve
- Wire target 'suse-cvrf-cve' in main.go and CI update workflow
- Move CVE CVRF logic out of suse/cvrf; keep advisory CVRF in suse/cvrf

Made-with: Cursor

Author: manojkrishna-nomula

.github/workflows/update.yml

@@ -71,6 +71,10 @@ jobs:
         name: SUSE CVRF
         run: ./scripts/update.sh suse-cvrf "SUSE CVRF"
 
+      - if: always()
+        name: SUSE CVE CVRF
+        run: ./scripts/update.sh suse-cvrf-cve "SUSE CVE CVRF"
+
       - if: always()
         name: GitLab Advisory Database
         run: ./scripts/update.sh glad "GitLab Advisory Database"

main.go

@@ -32,14 +32,15 @@ import (
 	"github.com/aquasecurity/vuln-list-update/rootio"
 	"github.com/aquasecurity/vuln-list-update/seal"
 	susecvrf "github.com/aquasecurity/vuln-list-update/suse/cvrf"
+	susecvrfcve "github.com/aquasecurity/vuln-list-update/suse/cvrf-cve"
 	"github.com/aquasecurity/vuln-list-update/ubuntu"
 	"github.com/aquasecurity/vuln-list-update/utils"
 	"github.com/aquasecurity/vuln-list-update/wolfi"
 )
 
 var (
 	target = flag.String("target", "", "update target (nvd, alpine, alpine-unfixed, redhat, redhat-oval, "+
-		"redhat-csaf-vex, debian, ubuntu, amazon, oracle-oval, suse-cvrf, photon, arch-linux, glad, cwe, osvdev, mariner, kevc, wolfi, "+
+		"redhat-csaf-vex, debian, ubuntu, amazon, oracle-oval, suse-cvrf, suse-cvrf-cve, photon, arch-linux, glad, cwe, osvdev, mariner, kevc, wolfi, "+
 		"chainguard, azure, openeuler, echo, minimos, eoldates, rootio)")
 	vulnListDir  = flag.String("vuln-list-dir", "", "vuln-list dir")
 	targetUri    = flag.String("target-uri", "", "alternative repository URI (only glad)")
@@ -113,6 +114,11 @@ func run() error {
 		if err := sc.Update(); err != nil {
 			return xerrors.Errorf("SUSE CVRF update error: %w", err)
 		}
+	case "suse-cvrf-cve":
+		sc := susecvrfcve.NewConfig()
+		if err := sc.Update(); err != nil {
+			return xerrors.Errorf("SUSE CVE CVRF update error: %w", err)
+		}
 	case "photon":
 		pc := photon.NewConfig()
 		if err := pc.Update(); err != nil {

suse/cvrf-cve/cvrf_cve.go

@@ -0,0 +1,134 @@
+package cvrfcve
+
+import (
+	"bufio"
+	"bytes"
+	"encoding/xml"
+	"fmt"
+	"log"
+	"path/filepath"
+	"regexp"
+	"strings"
+	"unicode/utf8"
+
+	"github.com/cheggaaa/pb"
+	"github.com/spf13/afero"
+	"golang.org/x/xerrors"
+
+	"github.com/aquasecurity/vuln-list-update/utils"
+)
+
+var (
+	cvrfCVEURL  = "http://ftp.suse.com/pub/projects/security/cvrf-cve/"
+	fileRegexp  = regexp.MustCompile(`<a href="(cvrf-(CVE-\d{4}-\d+)\.xml)">.*`)
+	retry       = 5
+	concurrency = 20
+	wait        = 1
+	cvrfDir     = "cvrf"
+	suseCVEDir  = "suse-cves"
+)
+
+type Config struct {
+	VulnListDir string
+	URL         string
+	AppFs       afero.Fs
+	Retry       int
+}
+
+func NewConfig() Config {
+	return Config{
+		VulnListDir: utils.VulnListDir(),
+		URL:         cvrfCVEURL,
+		AppFs:       afero.NewOsFs(),
+		Retry:       retry,
+	}
+}
+
+func (c Config) Update() error {
+	log.Print("Fetching SUSE CVE CVRF data...")
+
+	res, err := utils.FetchURL(c.URL, "", c.Retry)
+	if err != nil {
+		return xerrors.Errorf("cannot download SUSE CVE CVRF list: %w", err)
+	}
+
+	cveURLs := make(map[string]string)
+	scanner := bufio.NewScanner(bytes.NewReader(res))
+	for scanner.Scan() {
+		line := scanner.Text()
+		if match := fileRegexp.FindStringSubmatch(line); len(match) != 0 {
+			cveURLs[match[2]] = c.URL + match[1]
+		}
+	}
+	if err := scanner.Err(); err != nil {
+		return xerrors.Errorf("failed reading SUSE CVE CVRF list: %w", err)
+	}
+
+	urls := make([]string, 0, len(cveURLs))
+	for _, u := range cveURLs {
+		urls = append(urls, u)
+	}
+
+	cvrfXMLs, err := utils.FetchConcurrently(urls, concurrency, wait, c.Retry)
+	if err != nil {
+		log.Printf("failed to fetch CVE CVRF data from SUSE. err: %s", err)
+	}
+
+	log.Printf("Saving SUSE CVE CVRF data...")
+	bar := pb.StartNew(len(cvrfXMLs))
+	for _, cvrfXML := range cvrfXMLs {
+		var cv Cvrf
+		if len(cvrfXML) == 0 {
+			log.Println("empty CVE CVRF xml")
+			bar.Increment()
+			continue
+		}
+
+		if !utf8.Valid(cvrfXML) {
+			log.Println("invalid UTF-8")
+			cvrfXML = []byte(strings.ToValidUTF8(string(cvrfXML), ""))
+		}
+
+		if err = xml.Unmarshal(cvrfXML, &cv); err != nil {
+			return xerrors.Errorf("failed to decode SUSE CVE CVRF XML: %w", err)
+		}
+
+		cveID := extractCVEID(cv)
+		if cveID == "" {
+			log.Printf("invalid CVE CVRF document ID: %s", cv.Tracking.ID)
+			bar.Increment()
+			continue
+		}
+
+		if err = c.saveCVEPerYear(cveID, cv); err != nil {
+			return xerrors.Errorf("failed to save SUSE CVE CVRF: %w", err)
+		}
+		bar.Increment()
+	}
+	bar.Finish()
+	return nil
+}
+
+func extractCVEID(cv Cvrf) string {
+	for _, v := range cv.Vulnerabilities {
+		cve := strings.TrimSpace(v.CVE)
+		if cve != "" {
+			return cve
+		}
+	}
+	return strings.TrimSpace(cv.Title)
+}
+
+func (c Config) saveCVEPerYear(cveID string, data interface{}) error {
+	s := strings.Split(cveID, "-")
+	if len(s) < 3 {
+		return nil
+	}
+
+	yearDir := filepath.Join(c.VulnListDir, cvrfDir, suseCVEDir, s[1])
+	fileName := fmt.Sprintf("%s.json", cveID)
+	if err := utils.WriteJSON(c.AppFs, yearDir, fileName, data); err != nil {
+		return xerrors.Errorf("failed to write file: %w", err)
+	}
+	return nil
+}

suse/cvrf-cve/cvrf_cve_test.go

@@ -0,0 +1,79 @@
+package cvrfcve_test
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"os"
+	"testing"
+
+	"github.com/spf13/afero"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	cvrfcve "github.com/aquasecurity/vuln-list-update/suse/cvrf-cve"
+)
+
+func TestConfig_Update(t *testing.T) {
+	testCases := []struct {
+		name             string
+		appFs            afero.Fs
+		xmlFileNames     map[string]string
+		expectedFile     string
+		expectedErrorMsg string
+	}{
+		{
+			name:  "positive test",
+			appFs: afero.NewMemMapFs(),
+			xmlFileNames: map[string]string{
+				"/pub/projects/security/cvrf-cve/":                        "testdata/cvrf-cve-list.html",
+				"/pub/projects/security/cvrf-cve/cvrf-CVE-2014-6271.xml":  "testdata/cvrf-CVE-2014-6271.xml",
+				"/pub/projects/security/cvrf-cve/cvrf-CVE-1234-12345.xml": "testdata/cvrf-CVE-1234-12345.xml",
+			},
+			expectedFile: "/tmp/cvrf/suse-cves/2014/CVE-2014-6271.json",
+		},
+		{
+			name:  "broken XML",
+			appFs: afero.NewMemMapFs(),
+			xmlFileNames: map[string]string{
+				"/pub/projects/security/cvrf-cve/":                       "testdata/cvrf-cve-list-invalid-single.html",
+				"/pub/projects/security/cvrf-cve/cvrf-CVE-2014-6271.xml": "testdata/broken-cvrf-data.xml",
+			},
+			expectedErrorMsg: "failed to decode SUSE CVE CVRF XML",
+		},
+	}
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+				filePath, ok := tc.xmlFileNames[r.URL.Path]
+				if !ok {
+					http.NotFound(w, r)
+					return
+				}
+				b, err := os.ReadFile(filePath)
+				assert.NoError(t, err, tc.name)
+				_, err = w.Write(b)
+				assert.NoError(t, err, tc.name)
+			}))
+			defer ts.Close()
+
+			c := cvrfcve.Config{
+				VulnListDir: "/tmp",
+				URL:         ts.URL + "/pub/projects/security/cvrf-cve/",
+				AppFs:       tc.appFs,
+				Retry:       0,
+			}
+			err := c.Update()
+			if tc.expectedErrorMsg != "" {
+				require.Error(t, err, tc.name)
+				assert.Contains(t, err.Error(), tc.expectedErrorMsg, tc.name)
+				return
+			}
+			require.NoError(t, err, tc.name)
+
+			b, err := afero.ReadFile(c.AppFs, tc.expectedFile)
+			require.NoError(t, err, tc.name)
+			assert.Contains(t, string(b), `"CVE": "CVE-2014-6271"`)
+			assert.Contains(t, string(b), `"BaseScoreV3": "9.8"`)
+		})
+	}
+}

suse/cvrf-cve/testdata/broken-cvrf-data.xml

@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<cvrfdoc xmlns="http://docs.oasis-open.org/csaf/ns/csaf-cvrf/v1.2/cvrf">
+  <DocumentTitle xml:lang="en">CVE-2014-6271</DocumentTitle>
+  <Vulnerability xmlns="http://docs.oasis-open.org/csaf/ns/csaf-cvrf/v1.2/vuln" Ordinal="1">
+    <CVE>CVE-2014-6271</CVE>

suse/cvrf-cve/testdata/cvrf-CVE-1234-12345.xml

@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<cvrfdoc xmlns="http://docs.oasis-open.org/csaf/ns/csaf-cvrf/v1.2/cvrf">
+  <DocumentTitle xml:lang="en">CVE-1234-12345</DocumentTitle>
+  <DocumentTracking>
+    <Identification>
+      <ID>SUSE CVE-1234-12345</ID>
+    </Identification>
+  </DocumentTracking>
+  <Vulnerability xmlns="http://docs.oasis-open.org/csaf/ns/csaf-cvrf/v1.2/vuln" Ordinal="1">
+    <CVE>CVE-1234-12345</CVE>
+    <CVSSScoreSets>
+      <ScoreSetV3>
+        <BaseScoreV3>6.5</BaseScoreV3>
+        <VectorV3>CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N</VectorV3>
+      </ScoreSetV3>
+    </CVSSScoreSets>
+  </Vulnerability>
+</cvrfdoc>

…cvrf/testdata/cvrf-cve-CVE-2014-6271.xml …cvrf-cve/testdata/cvrf-CVE-2014-6271.xmlsuse/cvrf/testdata/cvrf-cve-CVE-2014-6271.xml renamed to suse/cvrf-cve/testdata/cvrf-CVE-2014-6271.xml suse/cvrf/testdata/cvrf-cve-CVE-2014-6271.xml renamed to suse/cvrf-cve/testdata/cvrf-CVE-2014-6271.xml

@@ -1,5 +1,11 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <cvrfdoc xmlns="http://docs.oasis-open.org/csaf/ns/csaf-cvrf/v1.2/cvrf">
+  <DocumentTitle xml:lang="en">CVE-2014-6271</DocumentTitle>
+  <DocumentTracking>
+    <Identification>
+      <ID>SUSE CVE-2014-6271</ID>
+    </Identification>
+  </DocumentTracking>
   <Vulnerability xmlns="http://docs.oasis-open.org/csaf/ns/csaf-cvrf/v1.2/vuln" Ordinal="1">
     <CVE>CVE-2014-6271</CVE>
     <CVSSScoreSets>

suse/cvrf-cve/testdata/cvrf-cve-list-invalid-single.html

@@ -0,0 +1,7 @@
+<html>
+<head><title>Index of /pub/projects/security/cvrf-cve/</title></head>
+<body>
+<h1>Index of /pub/projects/security/cvrf-cve/</h1><hr><pre><a href="../">../</a>
+<a href="cvrf-CVE-2014-6271.xml">cvrf-CVE-2014-6271.xml</a>                             06-Aug-2024 01:23     46K
+</pre><hr></body>
+</html>

suse/cvrf-cve/testdata/cvrf-cve-list.html

@@ -0,0 +1,8 @@
+<html>
+<head><title>Index of /pub/projects/security/cvrf-cve/</title></head>
+<body>
+<h1>Index of /pub/projects/security/cvrf-cve/</h1><hr><pre><a href="../">../</a>
+<a href="cvrf-CVE-2014-6271.xml">cvrf-CVE-2014-6271.xml</a>                             06-Aug-2024 01:23     46K
+<a href="cvrf-CVE-1234-12345.xml">cvrf-CVE-1234-12345.xml</a>                            01-May-2024 02:37    2774
+</pre><hr></body>
+</html>

suse/cvrf-cve/types.go

@@ -0,0 +1,69 @@
+package cvrfcve
+
+type Cvrf struct {
+	Title           string           `xml:"DocumentTitle"`
+	Tracking        DocumentTracking `xml:"DocumentTracking"`
+	Notes           []DocumentNote   `xml:"DocumentNotes>Note"`
+	References      []Reference      `xml:"DocumentReferences>Reference"`
+	Vulnerabilities []Vulnerability  `xml:"Vulnerability"`
+}
+
+type DocumentTracking struct {
+	ID                 string     `xml:"Identification>ID"`
+	Status             string     `xml:"Status"`
+	Version            string     `xml:"Version"`
+	InitialReleaseDate string     `xml:"InitialReleaseDate"`
+	CurrentReleaseDate string     `xml:"CurrentReleaseDate"`
+	RevisionHistory    []Revision `xml:"RevisionHistory>Revision"`
+}
+
+type DocumentNote struct {
+	Text  string `xml:",chardata"`
+	Title string `xml:"Title,attr"`
+	Type  string `xml:"Type,attr"`
+}
+
+type Revision struct {
+	Number      string `xml:"Number"`
+	Date        string `xml:"Date"`
+	Description string `xml:"Description"`
+}
+
+type Vulnerability struct {
+	CVE             string        `xml:"CVE"`
+	Description     string        `xml:"Notes>Note"`
+	Threats         []Threat      `xml:"Threats>Threat"`
+	References      []Reference   `xml:"References>Reference"`
+	ProductStatuses []Status      `xml:"ProductStatuses>Status"`
+	CVSSScoreSets   CVSSScoreSets `xml:"CVSSScoreSets" json:",omitempty"`
+}
+
+type Threat struct {
+	Type     string `xml:"Type,attr"`
+	Severity string `xml:"Description"`
+}
+
+type Reference struct {
+	URL         string `xml:"URL"`
+	Description string `xml:"Description"`
+}
+
+type Status struct {
+	Type      string   `xml:"Type,attr"`
+	ProductID []string `xml:"ProductID"`
+}
+
+type CVSSScoreSets struct {
+	ScoreSetV2 []ScoreSetV2 `xml:"ScoreSetV2" json:",omitempty"`
+	ScoreSetV3 []ScoreSetV3 `xml:"ScoreSetV3" json:",omitempty"`
+}
+
+type ScoreSetV2 struct {
+	BaseScoreV2 string `xml:"BaseScoreV2" json:",omitempty"`
+	VectorV2    string `xml:"VectorV2" json:",omitempty"`
+}
+
+type ScoreSetV3 struct {
+	BaseScoreV3 string `xml:"BaseScoreV3" json:",omitempty"`
+	VectorV3    string `xml:"VectorV3" json:",omitempty"`
+}