
feat(rapidfort): add RapidFort security advisories updater#424

Open
vaibhav-rf wants to merge 11 commits into
aquasecurity:mainfrom
vaibhav-rf:feat/add-rapidfort-advisories

Conversation

@vaibhav-rf


Summary

This PR adds a new updater for RapidFort Security Advisories, enabling vuln-list-update to ingest and normalize RapidFort's per-package advisory data into the vuln-list output format consumed by trivy-db.

What's added

New package: rapidfort/

  • types.go – Defines the source and output data models:

    • SourcePackageAdvisory – mirrors the JSON format in the security-advisories repo
      (OS/{os}/{package}.json, keyed by version → cveID → CVEEntry).
    • PackageAdvisory – the normalized output format written to vuln-list, one file per OS version per package.
    • CVEEntry and Event – per-CVE advisory detail including version ranges, severity, status, and
      optional identifiers (e.g. el9 for Red Hat).
  • rapidfort.go – Implements the Updater:

    • Clones (or pulls) https://github.com/rapidfort/security-advisories.git into the local cache.
    • Injects GITHUB_TOKEN into the clone URL automatically when set, supporting private/auth-gated repos
      in CI without SSH key configuration.
    • Processes each supported OS directory (ubuntu, alpine, redhat by default).
    • Splits each source file (one per package, all versions combined) into per-version output files at
      vuln-list/rapidfort/{os}/{version}/{package}.json.
    • Tracks and reports read errors, invalid JSON, and missing package_name fields per OS without
      failing the overall run.
  • rapidfort_test.go – Unit tests covering:

    • Happy path for Ubuntu, Alpine, and Red Hat advisory ingestion.
    • Error cases: invalid JSON, missing package_name, empty advisory maps.
    • WithRepoDir option to bypass git clone in tests.

Registration in main.go

  • Added "rapidfort" as a named target, wiring it to rapidfort.NewUpdater().
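A worked illustration of the fan-out and error policy the description above sketches, written for this page as an added example; it is not code from this PR or from vuln-list-update. The JSON field names (package_name, advisories, events, fixed, identifier), the Go types, the x-access-token userinfo form for the GITHUB_TOKEN clone URL, and the Alpine sample data are all assumptions made here, not the PR's actual types, URL format or fixtures.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"path"
)

// Field names and JSON keys below are assumptions for this example, not the PR's real types.
type Event struct {
	Fixed      string `json:"fixed,omitempty"`
	Identifier string `json:"identifier,omitempty"` // e.g. "el9" on Red Hat
}
type CVEEntry struct {
	Severity string  `json:"severity"`
	Status   string  `json:"status"`
	Events   []Event `json:"events"`
}

// SourcePackageAdvisory mirrors one source file OS/{os}/{package}.json, all versions combined.
type SourcePackageAdvisory struct {
	PackageName string                         `json:"package_name"`
	Advisories  map[string]map[string]CVEEntry `json:"advisories"` // version -> cveID -> entry
}

// PackageAdvisory is one output file rapidfort/{os}/{version}/{package}.json.
type PackageAdvisory struct {
	OS, Version, PackageName string
	CVEs                     map[string]CVEEntry
}

var ErrMissingPackageName = errors.New("missing package_name")

// Split parses one source file and fans it out per version, keyed by output path.
// Invalid JSON and a missing package_name are errors; an empty per-version map yields no file.
func Split(osName string, raw []byte) (map[string]PackageAdvisory, error) {
	var src SourcePackageAdvisory
	if err := json.Unmarshal(raw, &src); err != nil {
		return nil, fmt.Errorf("invalid JSON: %w", err)
	}
	if src.PackageName == "" {
		return nil, ErrMissingPackageName
	}
	out := make(map[string]PackageAdvisory, len(src.Advisories))
	for version, cves := range src.Advisories {
		if len(cves) == 0 {
			continue
		}
		p := path.Join("rapidfort", osName, version, src.PackageName+".json")
		out[p] = PackageAdvisory{OS: osName, Version: version, PackageName: src.PackageName, CVEs: cves}
	}
	return out, nil
}

// ProcessAll runs Split over every file of one OS, collecting failures instead of aborting.
func ProcessAll(osName string, files map[string][]byte) (map[string]PackageAdvisory, []error) {
	merged := map[string]PackageAdvisory{}
	var errs []error
	for name, raw := range files {
		outs, err := Split(osName, raw)
		if err != nil {
			errs = append(errs, fmt.Errorf("%s/%s: %w", osName, name, err))
			continue
		}
		for p, adv := range outs {
			merged[p] = adv
		}
	}
	return merged, errs
}

// CloneURLWithToken embeds a token as HTTPS userinfo (x-access-token:<token>@host), one common
// form (assumed here). It refuses non-HTTPS URLs, where the token would travel in clear.
func CloneURLWithToken(rawURL, token string) (string, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "", err
	}
	if token == "" {
		return rawURL, nil
	}
	if u.Scheme != "https" {
		return "", fmt.Errorf("refusing to put a token into a %q URL", u.Scheme)
	}
	u.User = url.UserPassword("x-access-token", token)
	return u.String(), nil
}

// Sample returns constructed Alpine inputs (not real advisory data; the CVE ID is a placeholder).
func Sample() map[string][]byte {
	return map[string][]byte{
		"curl.json": []byte(`{"package_name":"curl","advisories":{
			"3.18":{"CVE-2000-1234":{"severity":"HIGH","status":"fixed","events":[{"fixed":"8.4.0-r0"}]}},
			"3.19":{"CVE-2000-1234":{"severity":"HIGH","status":"fixed","events":[{"fixed":"8.4.0-r0"}]}}}}`),
		"openssl.json": []byte(`{"package_name":"openssl","advisories":{"3.18":{}}}`),
		"noname.json":  []byte(`{"advisories":{"3.18":{}}}`),
		"broken.json":  []byte(`{"package_name":"zlib",`),
	}
}
```

Running ProcessAll("alpine", Sample()) yields two output paths (rapidfort/alpine/3.18/curl.json and rapidfort/alpine/3.19/curl.json), nothing for the package whose per-version map is empty, and two collected errors (invalid JSON, missing package_name) without stopping the run. One caveat on the token injection that a reviewer of the real PR would want to check: a token placed into the clone URL is persisted in the cached clone's .git/config as the remote URL and can surface in any logged git command line or git error message. The workflow-level persist-credentials: false from the zizmor fix covers actions/checkout, not a clone the updater performs itself, so either rewrite the remote URL after cloning (git remote set-url origin <url-without-token>) or pass the credential out of band, for example via git -c http.extraheader or a credential helper.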

vaibhav-rf and others added 11 commits February 25, 2026 12:08
Change SourcePackageAdvisory advisory map keys and the PackageAdvisory
output field from codenames (focal, bookworm) to version numbers
(20.04, 12). Update directory paths and testdata accordingly.
Add redhat to supported OSes and an Identifier field to Event for
Red Hat-specific markers (e.g. el9, fc39). Includes test fixture
and golden output for redhat/9/curl.
* ci: add zizmor GitHub Actions linter

* fix(ci): address zizmor findings in GitHub Actions workflows

- Add explicit permissions: contents: read to all jobs
- Add persist-credentials: false to read-only checkouts
- Add persist-credentials: true to checkouts that require git push
- Add cooldown: default-days: 7 to dependabot.yml
- Suppress secrets-outside-env via zizmor.yml (no GitHub environments configured)
- Add alpine to supported OSes with source fixture (3.18, 3.19 versions)
  and golden files covering the multi-version fan-out path
- Add test cases for missing package_name and empty advisory map,
  using wantNoFiles assertions to verify no output is produced
- Add supportedOSes per-test-case to keep happy path and edge case
  scenarios independent
- Fix success log to include source/output file counts (consistent
  with failure log)
@CLAassistant

CLAassistant commented Apr 9, 2026


CLA assistant check
All committers have signed the CLA.

@DmitriyLewen DmitriyLewen left a comment


Hello, thanks for your work!

Do we need this PR?
We use the vuln-list repository for saving as-is advisories to show information and history in a comfortable view.
But you have advisories in your repository, so you can use this repo in trivy-db (like for GitHub, Ruby, etc.)

Regards. Dmitriy
