feat: add Root app feed

[chait-slim]

Summary

This PR adds support for Root.io application-level vulnerability feeds to vuln-list-update, extending the existing OS-level vulnerability tracking with language/framework-specific vulnerability data.

Changes Introduced

1. New Application Feed Support

• Added support for fetching application-level vulnerabilities from https://api.root.io/external/app_feed
• Application feed covers language ecosystems like npm, pip, go, etc.
• Data is saved to rootio/app/cve_feed.json for clear separation from OS data

2. Existing OS Feed Integration

• Maintains compatibility with the existing OS vulnerability feed at https://api.root.io/external/cve_feed
• OS feed continues to be saved to rootio/cve_feed.json
• Supports Alpine, Debian, Ubuntu, and other OS distributions

3. Unified Data Structure

Both feeds use the same JSON structure:

  {
    "ecosystem": [
      {
        "distroversion": "version",
        "packages": [
          {
            "pkg": {
              "name": "package-name",
              "cves": {
                "CVE-XXXX-XXXXX": {
                  "vulnerable_ranges": ["<version"],
                  "fixed_versions": ["version"]
                }
              }
            }
          }
        ]
      }
    ]
  }

4. Implementation Details

• Modular Design: Used a feedInfo struct to define feed configurations, making it easy to add/modify feeds
• Clean Separation: OS and application feeds are stored in separate locations for better organization
• Future-Proof: Architecture supports the planned migration from cve_feed to separate os_feed and app_feed endpoints
• Error Handling: Comprehensive error handling with clear error messages for debugging
• Testing: Full test coverage for both feeds with various error scenarios

Directory Structure

After running the updater, the vulnerability data is organized as:

  vuln-list/
  └── rootio/
      ├── cve_feed.json     # OS package vulnerabilities
      └── app/
          └── cve_feed.json # Application package vulnerabilities

Testing

• Tests verify correct fetching and parsing of both OS and app feeds
• Error scenarios tested include invalid JSON, missing endpoints, and server errors
• Tests ensure proper directory structure and file placement

[DmitriyLewen]

How can I download the new files for testing?
Only https://api.root.io/external/cve_feed is available.

[chait-slim]

Youre right. Its being developed at the same time. I want to validate the PRs are accepted and I'll merge it on our side before merging the Trivy ones

[DmitriyLewen]

And can you add the PR description, please?

[DmitriyLewen]

hello @chait-slim
I refactor logic a little.

Can you re-check?

[chait-slim]

hello @chait-slim I refactor logic a little.

Can you re-check?

Hi, I've rechecked. From my end its approved. I've updated the tests with the real use cases of how versioning will look like in the app feed. Tomorrow morning the new API will be running