feat: add check-advisories to check BRSA fields

Signed-off-by: Piyush Jena <jepiyush@amazon.com>

Author: piyush-jena

Cargo.lock

@@ -21,6 +21,7 @@ members = [
     "tools/testsys-config",
     "tools/unplug",
     "tools/update-metadata",
+    "tools/advisory-parser",
 
     "twoliter",
     "twoliter/src/tool-crates/*",
@@ -54,6 +55,7 @@ pre-build = [
 ]
 
 [workspace.dependencies]
+advisory-parser = { version = "0.1", path = "tools/advisory-parser", artifact = [ "bin:advisory-parser" ] }
 amispec = { version = "0.1", path = "tools/amispec" }
 bottlerocket-types = { version = "0.0.16", git = "https://github.com/bottlerocket-os/bottlerocket-test-system", tag = "v0.0.16" }
 bottlerocket-variant = { version = "0.1", path = "tools/bottlerocket-variant" }
@@ -76,6 +78,7 @@ testsys-config = { version = "0.1", path = "tools/testsys-config" }
 testsys-model = { version = "0.0.16", git = "https://github.com/bottlerocket-os/bottlerocket-test-system", tag = "v0.0.16" }
 
 twoliter = { version = "0.13.0", path = "twoliter", artifact = [ "bin:twoliter" ] }
+twoliter-tool-advisory-parser = { version = "0.1", path = "twoliter/src/tool-crates/advisory-parser" }
 twoliter-tool-buildsys = { version = "0.1", path = "twoliter/src/tool-crates/buildsys" }
 twoliter-tool-embedded-bundle = { version = "0.1", path = "twoliter/src/tool-crates/embedded-bundle" }
 twoliter-tool-pipesys = { version = "0.1", path = "twoliter/src/tool-crates/pipesys" }

Cargo.toml

@@ -0,0 +1,17 @@
+[package]
+name = "advisory-parser"
+version = "0.1.0"
+edition = "2021"
+license = "Apache-2.0 OR MIT"
+
+[dependencies]
+lazy_static.workspace = true
+test-case.workspace = true
+nutype = { version = "0.6.2", features = ["regex", "serde"] }
+regex.workspace = true
+serde = { workspace = true, features = ["derive"] }
+snafu.workspace = true
+toml.workspace = true
+
+[lints]
+workspace = true

tools/advisory-parser/Cargo.toml

@@ -0,0 +1,174 @@
+//! Advisory Parser parses Bottlerocket Security Advisory TOML files in bottlerocket kits
+//! and outputs the package metadata in a pipe-separated format. This tool is used by rpm2kit
+//! to validate the BRSA fields and the corresponding rpm included in the kit is higher than
+//! the expected version.
+
+mod models;
+
+use models::Advisory;
+use snafu::{ensure, ResultExt};
+use std::path::PathBuf;
+use std::{env, fs, process};
+
+fn run() -> Result<()> {
+    let args: Vec<String> = env::args().collect();
+
+    // Enforce the requirement of 2 arguments because the binary expects the BRSA file to parse.
+    ensure!(args.len() == 2, error::UsageSnafu { program: &args[0] });
+
+    let path = PathBuf::from(&args[1]);
+    let content = fs::read_to_string(&path).context(error::ReadFileSnafu { path: &path })?;
+    let advisory: Advisory =
+        toml::from_str(&content).context(error::ParseAdvisorySnafu { path: &path })?;
+
+    // Output product information in pipe-separated format to be parsed in the script in rpm2kit
+    for product in advisory.advisory.products {
+        println!(
+            "{}|{}|{}",
+            product.package_name, product.patched_version, product.patched_epoch
+        );
+    }
+
+    Ok(())
+}
+
+fn main() {
+    if let Err(e) = run() {
+        eprintln!("{e}");
+        process::exit(1);
+    }
+}
+
+// =^..^=   =^..^=   =^..^=   =^..^=   =^..^=   =^..^=   =^..^=   =^..^=   =^..^=   =^..^=   =^..^=
+
+mod error {
+    use snafu::Snafu;
+    use std::path::PathBuf;
+
+    #[derive(Debug, Snafu)]
+    #[snafu(visibility(pub(super)))]
+    pub(super) enum Error {
+        #[snafu(display("Usage: {} <advisory-file>", program))]
+        Usage { program: String },
+
+        #[snafu(display("Failed to read '{}': {}", path.display(), source))]
+        ReadFile {
+            path: PathBuf,
+            source: std::io::Error,
+        },
+
+        #[snafu(display("Failed to parse advisory '{}': {}", path.display(), source))]
+        ParseAdvisory {
+            path: PathBuf,
+            source: toml::de::Error,
+        },
+    }
+}
+
+type Result<T> = std::result::Result<T, error::Error>;
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use models::{CveId, GhsaId};
+    use test_case::test_case;
+
+    fn make_advisory_toml(id_field: &str, id_value: &str) -> String {
+        format!(
+            r#"
+[advisory]
+id = "TEST-001"
+title = "Test Advisory"
+severity = "high"
+description = "Test description"
+{id_field} = "{id_value}"
+[[advisory.products]]
+package-name = "test"
+patched-version = "1.0"
+"#
+        )
+    }
+
+    #[test_case("CVE-2024-1234"; "basic 4 digit")]
+    #[test_case("CVE-2024-12345"; "5 digit")]
+    #[test_case("CVE-2025-472688"; "6 digit")]
+    #[test_case("CVE-1999-0001"; "old year")]
+    fn valid_cve(cve: &str) {
+        let toml = make_advisory_toml("cve", cve);
+        assert!(
+            toml::from_str::<Advisory>(&toml).is_ok(),
+            "Failed to parse valid CVE: {cve}"
+        );
+    }
+
+    #[test_case("CVE-2024-001"; "too few digits")]
+    #[test_case("CVE-2024-INVALID"; "non numeric")]
+    #[test_case("CVE-24-1234"; "year too short")]
+    #[test_case("CVE-2024-0"; "single digit")]
+    #[test_case("CVE–2024–1234"; "en dash")]
+    #[test_case("CVE—2024—1234"; "em dash")]
+    #[test_case("GHSA-xxxx-xxxx-xxxx"; "wrong format")]
+    fn invalid_cve(cve: &str) {
+        let toml = make_advisory_toml("cve", cve);
+        assert!(
+            toml::from_str::<Advisory>(&toml).is_err(),
+            "Should reject invalid CVE: {cve}"
+        );
+    }
+
+    #[test_case("GHSA-23fg-6c23-wxrv"; "standard")]
+    #[test_case("GHSA-2222-3333-4444"; "all numeric")]
+    #[test_case("GHSA-cfgh-jmpq-rvwx"; "all alpha")]
+    fn valid_ghsa(ghsa: &str) {
+        let toml = make_advisory_toml("ghsa", ghsa);
+        assert!(
+            toml::from_str::<Advisory>(&toml).is_ok(),
+            "Failed to parse valid GHSA: {ghsa}"
+        );
+    }
+
+    #[test_case("GHSA-123-456-789"; "too short")]
+    #[test_case("GHSA-12345-67890-12345"; "too long")]
+    #[test_case("CVE-2024-1234"; "wrong format")]
+    fn invalid_ghsa(ghsa: &str) {
+        let toml = make_advisory_toml("ghsa", ghsa);
+        assert!(
+            toml::from_str::<Advisory>(&toml).is_err(),
+            "Should reject invalid GHSA: {ghsa}"
+        );
+    }
+
+    #[test]
+    fn complete_advisory() {
+        let toml = r#"
+[advisory]
+id = "BRSA-test123"
+title = "Test Advisory"
+cve = "CVE-2025-12345"
+ghsa = "GHSA-23fg-6c23-wxrv"
+severity = "high"
+description = "Test description"
+
+[[advisory.products]]
+package-name = "test-package"
+patched-version = "1.2.3"
+patched-epoch = "1"
+
+[[advisory.products]]
+package-name = "another-package"
+patched-version = "2.0.0"
+"#;
+
+        let advisory: Advisory = toml::from_str(toml).expect("Failed to parse complete advisory");
+        assert_eq!(advisory.advisory.id, "BRSA-test123");
+        assert_eq!(advisory.advisory.cve, CveId::try_new("CVE-2025-12345").ok());
+        assert_eq!(
+            advisory.advisory.ghsa,
+            GhsaId::try_new("GHSA-23fg-6c23-wxrv").ok()
+        );
+        assert_eq!(advisory.advisory.products.len(), 2);
+        assert_eq!(advisory.advisory.products[0].package_name, "test-package");
+        assert_eq!(advisory.advisory.products[0].patched_epoch, "1");
+        assert_eq!(advisory.advisory.products[1].patched_epoch, "0");
+    }
+}