
chore(deps/vuls2): update vuls2 and optimize kernel package name handling#2396

Merged
shino merged 4 commits into master from shino/update-vuls2 on Jan 30, 2026

Conversation

@shino
Collaborator

@shino shino commented Jan 20, 2026

What did you implement:

cf. MaineK00n/vuls2#305

After updating vuls2 to the current nightly HEAD, Ubuntu detection became somewhat slow.
This PR fixes it.

Before:

[0]% go build -trimpath -o vuls ./cmd/vuls && /usr/bin/time -v ./vuls report -refresh-cve -format-one-line-text
[Jan 20 18:29:32]  INFO [localhost] vuls-`make build` or `make install` will show the version-
[Jan 20 18:29:32]  INFO [localhost] Validating config...
[Jan 20 18:29:32]  INFO [localhost] cveDict.type=sqlite3, cveDict.url=, cveDict.SQLite3Path=/home/shino/g/go-cve-dictionary/cve.sqlite3
[Jan 20 18:29:32]  INFO [localhost] ovalDict.type=sqlite3, ovalDict.url=, ovalDict.SQLite3Path=/data/vulsctl/docker.empty/oval.sqlite3
[Jan 20 18:29:32]  INFO [localhost] gost.type=sqlite3, gost.url=, gost.SQLite3Path=/data/vulsctl/docker.empty/gost.sqlite3
[Jan 20 18:29:32]  INFO [localhost] exploit.type=sqlite3, exploit.url=, exploit.SQLite3Path=/data/vulsctl/docker.empty/go-exploitdb.sqlite3
[Jan 20 18:29:32]  INFO [localhost] metasploit.type=sqlite3, metasploit.url=, metasploit.SQLite3Path=/data/vulsctl/docker.empty/go-msfdb.sqlite3
[Jan 20 18:29:32]  INFO [localhost] kevuln.type=sqlite3, kevuln.url=, kevuln.SQLite3Path=/data/vulsctl/docker.empty/go-kev.sqlite3
[Jan 20 18:29:32]  INFO [localhost] cti.type=sqlite3, cti.url=, cti.SQLite3Path=/data/vulsctl/docker.empty/go-cti.sqlite3
[Jan 20 18:29:33]  INFO [localhost] Loaded: /home/shino/g/vuls/results/2026-01-19T13-28-22+0900
[Jan 20 18:32:16]  INFO [localhost] ubuntu_2004: 5153 CVEs are detected with vuls2
[Jan 20 18:32:16]  INFO [localhost] ubuntu_2004: 0 CVEs are detected with CPE
[Jan 20 18:32:19]  INFO [localhost] ubuntu_2004: 0 PoC are detected
[Jan 20 18:32:19]  INFO [localhost] ubuntu_2004: 0 exploits are detected
[Jan 20 18:32:20]  INFO [localhost] ubuntu_2004: Known Exploited Vulnerabilities are detected for 0 CVEs
[Jan 20 18:32:20]  INFO [localhost] ubuntu_2004: Cyber Threat Intelligences are detected for 0 CVEs
[Jan 20 18:32:20]  INFO [localhost] ubuntu_2004: total 5153 CVEs detected
[Jan 20 18:32:20]  INFO [localhost] ubuntu_2004: 0 CVEs filtered by --confidence-over=80


One Line Summary
================
ubuntu_2004     Total: 5153 (Critical:4 High:356 Medium:4573 Low:220 ?:0)       2540/5153 Fixed 595 installed   0 poc   0 exploits      0 kevs  uscert: 0, jpcert: 0 alerts



        Command being timed: "./vuls report -refresh-cve -format-one-line-text"
        User time (seconds): 382.43
        System time (seconds): 15.76
        Percent of CPU this job got: 237%
        Elapsed (wall clock) time (h:mm:ss or m:ss): 2:47.79
        Average shared text size (kbytes): 0
        Average unshared data size (kbytes): 0
        Average stack size (kbytes): 0
        Average total size (kbytes): 0
        Maximum resident set size (kbytes): 1020304

After:

[0]% go build -trimpath -o vuls ./cmd/vuls && /usr/bin/time -v ./vuls report -refresh-cve -format-one-line-text
[Jan 20 19:01:01]  INFO [localhost] vuls-`make build` or `make install` will show the version-
[Jan 20 19:01:01]  INFO [localhost] Validating config...
[Jan 20 19:01:01]  INFO [localhost] cveDict.type=sqlite3, cveDict.url=, cveDict.SQLite3Path=/home/shino/g/go-cve-dictionary/cve.sqlite3
[Jan 20 19:01:01]  INFO [localhost] ovalDict.type=sqlite3, ovalDict.url=, ovalDict.SQLite3Path=/data/vulsctl/docker.empty/oval.sqlite3
[Jan 20 19:01:01]  INFO [localhost] gost.type=sqlite3, gost.url=, gost.SQLite3Path=/data/vulsctl/docker.empty/gost.sqlite3
[Jan 20 19:01:01]  INFO [localhost] exploit.type=sqlite3, exploit.url=, exploit.SQLite3Path=/data/vulsctl/docker.empty/go-exploitdb.sqlite3
[Jan 20 19:01:01]  INFO [localhost] metasploit.type=sqlite3, metasploit.url=, metasploit.SQLite3Path=/data/vulsctl/docker.empty/go-msfdb.sqlite3
[Jan 20 19:01:01]  INFO [localhost] kevuln.type=sqlite3, kevuln.url=, kevuln.SQLite3Path=/data/vulsctl/docker.empty/go-kev.sqlite3
[Jan 20 19:01:01]  INFO [localhost] cti.type=sqlite3, cti.url=, cti.SQLite3Path=/data/vulsctl/docker.empty/go-cti.sqlite3
[Jan 20 19:01:01]  INFO [localhost] Loaded: /home/shino/g/vuls/results/2026-01-19T13-28-22+0900
[Jan 20 19:01:09]  INFO [localhost] ubuntu_2004: 5153 CVEs are detected with vuls2
[Jan 20 19:01:09]  INFO [localhost] ubuntu_2004: 0 CVEs are detected with CPE
[Jan 20 19:01:13]  INFO [localhost] ubuntu_2004: 0 PoC are detected
[Jan 20 19:01:13]  INFO [localhost] ubuntu_2004: 0 exploits are detected
[Jan 20 19:01:14]  INFO [localhost] ubuntu_2004: Known Exploited Vulnerabilities are detected for 0 CVEs
[Jan 20 19:01:14]  INFO [localhost] ubuntu_2004: Cyber Threat Intelligences are detected for 0 CVEs
[Jan 20 19:01:14]  INFO [localhost] ubuntu_2004: total 5153 CVEs detected
[Jan 20 19:01:14]  INFO [localhost] ubuntu_2004: 0 CVEs filtered by --confidence-over=80


One Line Summary
================
ubuntu_2004     Total: 5153 (Critical:4 High:356 Medium:4573 Low:220 ?:0)       2540/5153 Fixed 595 installed   0 poc   0 exploits      0 kevs  uscert: 0, jpcert: 0 alerts



        Command being timed: "./vuls report -refresh-cve -format-one-line-text"
        User time (seconds): 25.85
        System time (seconds): 2.63
        Percent of CPU this job got: 213%
        Elapsed (wall clock) time (h:mm:ss or m:ss): 0:13.35
        Average shared text size (kbytes): 0
        Average unshared data size (kbytes): 0
        Average stack size (kbytes): 0
        Average total size (kbytes): 0
        Maximum resident set size (kbytes): 729532

Then, with the following setup, no diff was found by "make diff".

[0]% git diff
diff --git a/GNUmakefile b/GNUmakefile
index adc325a..7931836 100644
--- a/GNUmakefile
+++ b/GNUmakefile
@@ -107,15 +107,15 @@ ifneq ($(shell ls -U1 ${BASE_DIR} | wc -l), 0)
 endif
        mkdir -p ${NOW_JSON_DIR}
        sleep 1
-       ./vuls.old scan -config=./integration/int-config.toml --results-dir=${BASE_DIR} ${LIBS}
-       cp ${BASE_DIR}/$(CURRENT)/*.json ${NOW_JSON_DIR}
+#      ./vuls.old scan -config=./integration/int-config.toml --results-dir=${BASE_DIR} ${LIBS}
+#      cp ${BASE_DIR}/$(CURRENT)/*.json ${NOW_JSON_DIR}
        - cp integration/data/results/*.json ${NOW_JSON_DIR}
        ./vuls.old report --format-json --refresh-cve --results-dir=${BASE_DIR} -config=./integration/int-config.toml ${NOW}

        mkdir -p ${ONE_SEC_AFTER_JSON_DIR}
        sleep 1
-       ./vuls.new scan -config=./integration/int-config.toml --results-dir=${BASE_DIR} ${LIBS}
-       cp ${BASE_DIR}/$(CURRENT)/*.json ${ONE_SEC_AFTER_JSON_DIR}
+#      ./vuls.new scan -config=./integration/int-config.toml --results-dir=${BASE_DIR} ${LIBS}
+#      cp ${BASE_DIR}/$(CURRENT)/*.json ${ONE_SEC_AFTER_JSON_DIR}
        - cp integration/data/results/*.json ${ONE_SEC_AFTER_JSON_DIR}
        ./vuls.new report --format-json --refresh-cve --results-dir=${BASE_DIR} -config=./integration/int-config.toml ${ONE_SEC_AFTER}
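Review bot: both `./vuls.old scan` / `./vuls.new scan` lines and their `cp` are commented out, so `make diff` now compares reports generated over the pre-built JSON in integration/data/results and never exercises the scan step. That is fine as the local setup the description refers to, but it must not land in GNUmakefile in this form, otherwise the diff target silently stops covering scan-time behaviour for everyone. If a report-only mode is wanted, gate the scan lines behind a make variable instead of commenting them out.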

diff --git a/integration b/integration
--- a/integration
+++ b/integration
@@ -1 +1 @@
-Subproject commit 4f82b22b460a26c4931b0e87eed2f9e844292eef
+Subproject commit 4f82b22b460a26c4931b0e87eed2f9e844292eef-dirty
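Review bot: the submodule pointer only gains a `-dirty` suffix, i.e. integration still records commit 4f82b22 but carries uncommitted changes (the results JSON listed right below, written Jan 20/21). Anyone reproducing the "no diff" result from the committed tree will not get those fixtures. Either commit them to the integration repository and bump the submodule, or state in the description that they are the output of the vuls.old scan so the check can be rerun.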
[0]% ll integration/data/results
total 2.3M
-rw-r--r-- 1 shino shino 250K Jan 21 12:56 fedora_38.json
-rw-r--r-- 1 shino shino 297K Jan 21 12:56 fedora_42.json
-rw-r--r-- 1 shino shino  88K Jan 21 12:56 oracle.json
-rw-r--r-- 1 shino shino  76K Jan 21 12:56 rhel_610.json
-rw-r--r-- 1 shino shino 106K Jan 21 12:56 rhel_73.json
-rw-r--r-- 1 shino shino 124K Jan 21 12:56 rhel_80.json
-rw-r--r-- 1 shino shino 214K Jan 21 12:56 rhel_90.json
-rw-r--r-- 1 shino shino 265K Jan 21 12:56 ubuntu_1404.json
-rw-r--r-- 1 shino shino 188K Jan 21 12:56 ubuntu_1604.json
-rw-r--r-- 1 shino shino 204K Jan 21 12:56 ubuntu_1804.json
-rw-r--r-- 1 shino shino 239K Jan 20 10:48 ubuntu_2004.json
-rw-r--r-- 1 shino shino 267K Jan 20 10:48 ubuntu_2204.json


Is this ready for review?: YES


@shino shino self-assigned this Jan 20, 2026
@shino shino force-pushed the shino/update-vuls2 branch 3 times, most recently from 0eeb554 to c1b3402 Compare January 20, 2026 09:16
@shino shino force-pushed the shino/update-vuls2 branch from c1b3402 to 1f52c0c Compare January 20, 2026 09:21
@shino shino marked this pull request as ready for review January 20, 2026 10:02
@shino shino requested a review from Copilot January 21, 2026 04:19
Contributor

Copilot AI left a comment


Pull request overview

This PR updates the vuls2 dependency to address a significant performance regression in Ubuntu vulnerability detection, improving scan times from approximately 2:47 minutes to 13 seconds. The performance improvement is achieved through a new pruneCriteria function that filters out non-affected packages early in the detection process, and by adding early return optimizations to the kernel package name handling logic.

Changes:

  • Updated vuls2 dependency from v0.0.1-alpha.0.20260116054746-1ca48c3a06bc to v0.0.1-alpha.0.20260119095403-19e84d806e2e
  • Added early return optimization in RenameKernelSourcePackageName to skip processing non-kernel packages (those not starting with "linux-")
  • Implemented new pruneCriteria function to filter criteria trees by removing unaffected packages before walking the full criteria structure

Reviewed changes

Copilot reviewed 5 out of 6 changed files in this pull request and generated 3 comments.

Summary per file:

  • go.mod: Updated vuls2 dependency to newer version with performance improvements
  • go.sum: Added checksum entries for the new vuls2 version (old version retained as expected)
  • models/packages.go: Added early return checks for non-kernel packages in RenameKernelSourcePackageName to avoid unnecessary string replacement operations
  • detector/vuls2/vuls2.go: Added pruneCriteria function to filter out unaffected packages from criteria trees before processing, significantly reducing processing time
  • detector/vuls2/vuls2_test.go: Added comprehensive test coverage for pruneCriteria function with multiple test cases covering AND/OR operators and edge cases
  • detector/vuls2/export_test.go: Exported PruneCriteria function for testing purposes

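The review above describes the idea behind pruneCriteria: drop the parts of an AND/OR criteria tree that refer to packages the host does not have before the detector walks the whole tree. The following is an added illustration written for this page, not code from vuls or vuls2; the Criteria/Criterion types, the Prune function and its AND/OR semantics (an OR node survives while any branch survives, an AND node is dropped as soon as one of its required packages is missing) are assumptions chosen to show the effect, and the sample tree and installed-package set are constructed.

```go
package main

import "fmt"

// Operator joins the members of a criteria node. Hypothetical stand-in for the
// AND/OR operators the review mentions; not the vuls2 type.
type Operator int

const (
	OpOr Operator = iota
	OpAnd
)

// Criterion is a leaf: package Name is affected while its installed version is
// below FixedVersion. Version comparison is out of scope here; pruning only asks
// whether the package is installed at all.
type Criterion struct {
	Name         string
	FixedVersion string
}

// Criteria is an AND/OR tree of criterions and sub-trees (assumed shape).
type Criteria struct {
	Operator   Operator
	Criterions []Criterion
	Children   []Criteria
}

// Prune returns a copy of c without criterions for packages that are not
// installed. The second result is false when the node can no longer match:
// an OR node with nothing left, or an AND node that lost a required member
// (it could never be satisfied on this host, so the walk need not visit it).
func Prune(c Criteria, installed map[string]bool) (Criteria, bool) {
	out := Criteria{Operator: c.Operator}
	for _, cn := range c.Criterions {
		if installed[cn.Name] {
			out.Criterions = append(out.Criterions, cn)
		} else if c.Operator == OpAnd {
			return Criteria{}, false
		}
	}
	for _, ch := range c.Children {
		p, ok := Prune(ch, installed)
		if ok {
			out.Children = append(out.Children, p)
		} else if c.Operator == OpAnd {
			return Criteria{}, false
		}
	}
	if len(out.Criterions) == 0 && len(out.Children) == 0 {
		return Criteria{}, false
	}
	return out, true
}

// Size counts the criterions in a tree, i.e. the leaves a full walk would visit.
func Size(c Criteria) int {
	n := len(c.Criterions)
	for _, ch := range c.Children {
		n += Size(ch)
	}
	return n
}

// SampleTree is a constructed advisory tree: "affected if any of these
// packages is vulnerable, or if both kernel packages are".
func SampleTree() Criteria {
	return Criteria{
		Operator: OpOr,
		Criterions: []Criterion{
			{Name: "openssl", FixedVersion: "1.1.1f-1ubuntu2.20"},
			{Name: "libssl1.1", FixedVersion: "1.1.1f-1ubuntu2.20"},
			{Name: "curl", FixedVersion: "7.68.0-1ubuntu2.20"},
			{Name: "libcurl4", FixedVersion: "7.68.0-1ubuntu2.20"},
			{Name: "nginx", FixedVersion: "1.18.0-0ubuntu1.4"},
		},
		Children: []Criteria{{
			Operator: OpAnd,
			Criterions: []Criterion{
				{Name: "linux-image-generic", FixedVersion: "5.4.0.150.148"},
				{Name: "linux-headers-generic", FixedVersion: "5.4.0.150.148"},
			},
		}},
	}
}

func main() {
	// Constructed host: only two of the packages in the tree are installed.
	installed := map[string]bool{"openssl": true, "curl": true}
	tree := SampleTree()
	pruned, ok := Prune(tree, installed)
	fmt.Printf("leaves before: %d, after: %d, still matchable: %v\n",
		Size(tree), Size(pruned), ok)
}
```

Running it shows the walk shrinking from 7 leaves to 2 for this host, and that the kernel AND branch disappears entirely because one of its required packages is absent; a tree whose packages are all missing prunes to nothing and can be skipped before any version comparison is done.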

@shino shino force-pushed the shino/update-vuls2 branch from 851a6e2 to 7c696b4 Compare January 21, 2026 04:50
Contributor

Copilot AI commented Jan 21, 2026

@shino I've opened a new pull request, #2397, to work on those changes. Once the pull request is ready, I'll request review from you.

@shino shino requested a review from MaineK00n January 21, 2026 05:07
@shino shino force-pushed the shino/update-vuls2 branch from 18dbf9a to e17e9db Compare January 21, 2026 09:08
@shino shino requested review from MaineK00n and removed request for MaineK00n January 29, 2026 08:39
@shino shino requested a review from MaineK00n January 30, 2026 01:06
@shino shino force-pushed the shino/update-vuls2 branch from b5fe306 to 53966fd Compare January 30, 2026 01:42
@shino
Collaborator Author

shino commented Jan 30, 2026

Updated deps to MaineK00n/vuls2#309

@shino shino merged commit 6fd00ee into master Jan 30, 2026
7 checks passed
@shino shino deleted the shino/update-vuls2 branch January 30, 2026 02:20