feat(photon): add OVAL definitions parser#408
Draft
DmitriyLewen wants to merge 10 commits into aquasecurity:main from
Conversation
Add photon/oval package that fetches and parses Photon OS OVAL definitions from packages.broadcom.com/photon/photon_oval_definitions/. Photon changed its cve_metadata schema (see vmware/photon#1638) — the photon_versions.json and per-release cve_data_photon*.json files were removed and cve_score is no longer available. OVAL is now the canonical machine-readable source for Photon Security Advisories (PHSA). The OVAL feed covers Photon OS versions 1–5, uses gzip compression, and follows the same structure as other OVAL-based sources in this repo. Each definition is saved as photon/oval/{osVersion}/{PHSA-ID}.json.
DmitriyLewen added a commit to DmitriyLewen/trivy-db that referenced this pull request on Mar 4, 2026:
Implements pkg/vulnsrc/photon-oval — a new vulnerability source that
consumes photon-oval/{version}/{PHSA-ID}.json files produced by
vuln-list-update (see aquasecurity/vuln-list-update#408).
- Walk photon-oval/**/*.json; extract OS version from path segment
- Parse affected packages from OVAL Criteria tree by matching
"{pkg} is earlier than 0:{ver}" criterion comments
- Store per-CVE advisory details, vulnerability details, and IDs
in BoltDB using the existing Photon bucket
- Map OVAL severity (Critical/Important/Moderate/Low) to db.Severity
- Register PhotonOVAL source in vulnsrc.All and vulnerability.AllSourceIDs
This was referenced Mar 4, 2026
…f sequence counter Replace PhsaIDFromTitle with PhsaIDFromRef: extract the real advisory number from the source="PHSA" reference (e.g. PHSA:00001:5.0:20 → PHSA-5.0-20) instead of using the per-package OVAL sequence counter from the title.
Add issued year extracted from <issued date="..."/> to the advisory ID, matching the official wiki format (e.g. PHSA-2023-5.0-20).
a75a978 to 70aa5fa
DmitriyLewen added a commit to DmitriyLewen/trivy-db that referenced this pull request on Mar 5, 2026:
…update format
Rename PHSA-YYYY-NNNN.json → PHSA-YYYY-{osVer}-{advisory_number}.json
to match the naming scheme produced by vuln-list-update
(see aquasecurity/vuln-list-update#408).
DmitriyLewen added a commit to DmitriyLewen/trivy-db that referenced this pull request on Mar 5, 2026:
…dorID The PHSA advisory ID (e.g. "PHSA-2023-5.0-20") is derived from the JSON filename, which is constructed by vuln-list-update when converting OVAL XML to JSON (see aquasecurity/vuln-list-update#408). Store it in Advisory.VendorIDs so that Trivy can surface the original advisory reference.
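The commit messages above describe one pipeline in two repositories: vuln-list-update turns each PHSA OVAL definition into photon/oval/{osVersion}/{PHSA-ID}.json, deriving the advisory ID from the source="PHSA" reference plus the issued year, and trivy-db then reads affected packages out of the "{pkg} is earlier than 0:{ver}" criterion comments and maps Critical/Important/Moderate/Low onto its own severity levels. The Go sketch below is an added example of that approach; it is not code from the PR, vuln-list-update or trivy-db. The type and function names, the severity labels, the sample XML (placeholder CVE ID and date) and the decision to take the OS version from the PHSA reference rather than from the criteria (the page does not show how OsVersionFromCriteria works) are all this example's own assumptions.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample shaped like a Photon PHSA OVAL definition; the CVE ID and
// date are placeholders, not a real advisory.
const sampleOVAL = `<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 <definitions>
  <definition class="patch" id="oval:com.vmware.phsa-photon5:def:1">
   <metadata>
    <reference source="PHSA" ref_id="PHSA:00001:5.0:20"/>
    <advisory><severity>Important</severity><issued date="2023-05-02"/><cve>CVE-2023-0001</cve></advisory>
   </metadata>
   <criteria operator="AND">
    <criterion comment="Photon OS 5.0 is installed"/>
    <criteria operator="OR">
     <criterion comment="telegraf is earlier than 0:1.25.2-1.ph5"/>
     <criterion comment="telegraf-doc is earlier than 0:1.25.2-1.ph5"/>
    </criteria>
   </criteria>
  </definition>
 </definitions>
</oval_definitions>`

// Only what the PR's approach reads; <tests>, <objects> and <states> are never decoded.
type (
	definition struct {
		Refs     []reference `xml:"metadata>reference"`
		Severity string      `xml:"metadata>advisory>severity"`
		Issued   struct{ Date string `xml:"date,attr"` } `xml:"metadata>advisory>issued"`
		CVEs     []string `xml:"metadata>advisory>cve"`
		Criteria criteria `xml:"criteria"`
	}
	reference struct {
		Source string `xml:"source,attr"`
		RefID  string `xml:"ref_id,attr"`
	}
	criteria struct {
		Criteria   []criteria `xml:"criteria"`
		Criterions []struct{ Comment string `xml:"comment,attr"` } `xml:"criterion"`
	}
	// Advisory is this example's flattened record; Packages maps name -> fixed version.
	Advisory struct {
		ID, OSVersion, Severity string
		CVEs                    []string
		Packages                map[string]string
	}
)

var (
	phsaRef   = regexp.MustCompile(`^PHSA:\d+:(\d+\.\d+):(\d+)$`)
	issuedRe  = regexp.MustCompile(`^(\d{4})-\d{2}-\d{2}`)
	earlierRe = regexp.MustCompile(`^(\S+) is earlier than (\S+)$`)
	// Critical/Important/Moderate/Low -> labels chosen here, not trivy-db's constants.
	severity = map[string]string{"critical": "CRITICAL", "important": "HIGH", "moderate": "MEDIUM", "low": "LOW"}
)

// PhsaIDFromRef builds the wiki-style ID from the source="PHSA" reference and the
// <issued> year (PHSA:00001:5.0:20 + 2023-05-02 -> PHSA-2023-5.0-20) and returns
// the OS version ("5.0") carried by the same reference.
func PhsaIDFromRef(refID, issuedDate string) (id, osVersion string, err error) {
	m, y := phsaRef.FindStringSubmatch(refID), issuedRe.FindStringSubmatch(issuedDate)
	if m == nil || y == nil {
		return "", "", fmt.Errorf("unexpected PHSA ref %q or issued date %q", refID, issuedDate)
	}
	return fmt.Sprintf("PHSA-%s-%s-%s", y[1], m[1], m[2]), m[1], nil
}

// MapSeverity returns UNKNOWN for an unmapped level instead of silently dropping it.
func MapSeverity(s string) string {
	if v, ok := severity[strings.ToLower(s)]; ok {
		return v
	}
	return "UNKNOWN"
}

// collectPackages walks nested <criteria> and keeps only the self-contained
// "<pkg> is earlier than <evr>" comments (the OS check is skipped); a zero
// epoch is dropped, matching the "0:{ver}" form the commit message matches on.
func collectPackages(c criteria, out map[string]string) {
	for _, cr := range c.Criterions {
		if m := earlierRe.FindStringSubmatch(cr.Comment); m != nil {
			out[m[1]] = strings.TrimPrefix(m[2], "0:")
		}
	}
	for _, sub := range c.Criteria {
		collectPackages(sub, out)
	}
}

// ParseOVAL converts one gunzipped OVAL document into one Advisory per definition.
func ParseOVAL(data []byte) ([]Advisory, error) {
	var doc struct {
		Definitions []definition `xml:"definitions>definition"`
	}
	if err := xml.Unmarshal(data, &doc); err != nil {
		return nil, err
	}
	var advs []Advisory
	for _, d := range doc.Definitions {
		var phsa string
		for _, r := range d.Refs {
			if r.Source == "PHSA" {
				phsa = r.RefID
			}
		}
		id, osVer, err := PhsaIDFromRef(phsa, d.Issued.Date)
		if err != nil {
			return nil, err
		}
		a := Advisory{ID: id, OSVersion: osVer, Severity: MapSeverity(d.Severity), CVEs: d.CVEs, Packages: map[string]string{}}
		collectPackages(d.Criteria, a.Packages)
		advs = append(advs, a)
	}
	return advs, nil
}

// StoragePath follows the PR's photon/oval/{osVersion}/{PHSA-ID}.json layout.
func (a Advisory) StoragePath() string {
	return fmt.Sprintf("photon/oval/%s/%s.json", a.OSVersion, a.ID)
}

func main() {
	advs, err := ParseOVAL([]byte(sampleOVAL))
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s %+v\n", advs[0].StoragePath(), advs[0])
}
```

Two checks worth keeping when doing this for real: a definition without a source="PHSA" reference, or with a malformed ref_id or issued date, is rejected instead of producing a half-formed file name, and the criteria walk is recursive because Photon nests the package OR-block under an AND with the OS check, so a flat scan of the top-level criterions would find no packages at all.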
Summary
- photon/oval package that fetches and parses Photon OS OVAL definitions from packages.broadcom.com/photon/photon_oval_definitions/
- photon-oval target in main.go
- com.vmware.phsa-photon{1..5}.xml.gz
Context
Photon changed its cve_metadata schema (see vmware/photon#1638):
- photon_versions.json was removed
- cve_data_photon*.json files were removed
- cve_score is no longer available in the new format
OVAL is now the canonical machine-readable source for Photon Security Advisories (PHSA).
Data changes vs old cve_metadata format
- cve_id (<cve> elements in advisory)
- pkg/res_ver
- cve_score
- aff_ver
- text
- severity
- issued/updated dates
- description
The implementation follows the Oracle OVAL pattern: criterion comments are self-contained ("telegraf is earlier than 0:1.25.2-1.ph3"), so <tests>, <objects>, <states> sections are not stored.
Each definition is stored as photon/oval/{osVersion}/{PHSA-ID}.json (e.g. photon/oval/3.0/PHSA-2026-00001.json).
Test plan
- go test ./photon/oval/ passes
- PhsaIDFromTitle and OsVersionFromCriteria