fix(vulnfeeds): only upload Debian CVEs if file has changed. (#3987)

Closes #3983

Author: jess-lowe

deployment/clouddeploy/gke-workers/environments/oss-vdb-test/debian-cve-convert.yaml

@@ -16,3 +16,5 @@ spec:
               value: osv-test-debian-osv
             - name: INPUT_GCS_BUCKET
               value: osv-test-cve-osv-conversion
+            - name: NUM_WORKERS
+              value: 256

vulnfeeds/cmd/debian/Dockerfile

@@ -22,13 +22,13 @@ COPY ./go.sum /src/go.sum
 RUN go mod download
 
 COPY ./ /src/
-RUN go build -o debian-osv ./cmd/debian/
+RUN go build -o debian ./cmd/debian/
 
 
 FROM gcr.io/google.com/cloudsdktool/google-cloud-cli:alpine@sha256:af3dac7ae5f9d28fee1c2ec738f616467a99f9f23bc31a49bb8a297af5f1eabf
 
 WORKDIR /root/
-COPY --from=GO_BUILD /src/debian-osv ./
+COPY --from=GO_BUILD /src/debian ./
 COPY ./cmd/debian/run_debian_convert.sh ./
 
 RUN chmod 755 ./run_debian_convert.sh

vulnfeeds/cmd/debian/main.go

@@ -2,20 +2,25 @@
 package main
 
 import (
+	"context"
+	"crypto/sha256"
 	"encoding/csv"
+	"encoding/hex"
 	"encoding/json"
+	"errors"
 	"flag"
 	"fmt"
 	"log/slog"
-
 	"net/http"
 	"os"
 	"path"
 	"sort"
 	"strconv"
 	"strings"
+	"sync"
 	"time"
 
+	"cloud.google.com/go/storage"
 	"github.com/google/osv/vulnfeeds/cves"
 	"github.com/google/osv/vulnfeeds/faulttolerant"
 	"github.com/google/osv/vulnfeeds/models"
@@ -29,12 +34,16 @@ const (
 	debianOutputPathDefault  = "debian-cve-osv"
 	debianDistroInfoURL      = "https://debian.pages.debian.net/distro-info-data/debian.csv"
 	debianSecurityTrackerURL = "https://security-tracker.debian.org/tracker/data/json"
+	outputBucketDefault      = "debian-osv"
+	hashMetadataKey          = "sha256-hash"
 )
 
 func main() {
 	logger.InitGlobalLogger()
 
 	debianOutputPath := flag.String("output_path", debianOutputPathDefault, "Path to output OSV files.")
+	outputBucketName := flag.String("output_bucket", outputBucketDefault, "The GCS bucket to write to.")
+	numWorkers := flag.String("num_workers", "64", "Number of workers to process records")
 	flag.Parse()
 
 	err := os.MkdirAll(*debianOutputPath, 0755)
@@ -53,15 +62,106 @@ func main() {
 	}
 
 	allCVEs := vulns.LoadAllCVEs(defaultCvePath)
-	osvCves := generateOSVFromDebianTracker(debianData, debianReleaseMap, allCVEs)
 
-	if err = writeToOutput(osvCves, *debianOutputPath); err != nil {
-		logger.Fatal("Failed to write OSV output file", slog.Any("err", err))
+	ctx := context.Background()
+	storageClient, err := storage.NewClient(ctx)
+	if err != nil {
+		logger.Fatal("Failed to create storage client", slog.Any("err", err))
+	}
+	bkt := storageClient.Bucket(*outputBucketName)
+
+	var wg sync.WaitGroup
+	vulnChan := make(chan *vulns.Vulnerability)
+
+	for range *numWorkers {
+		wg.Add(1)
+		go func() {
+			defer wg.Done()
+			worker(ctx, vulnChan, bkt, *debianOutputPath)
+		}()
+	}
+
+	osvCVEs := generateOSVFromDebianTracker(debianData, debianReleaseMap, allCVEs)
+
+	for _, v := range osvCVEs {
+		if len(v.Affected) == 0 {
+			logger.Warn(fmt.Sprintf("Skipping %s as no affected versions found.", v.ID), slog.String("id", v.ID))
+			continue
+		}
+		vulnChan <- v
 	}
+	close(vulnChan)
+	wg.Wait()
 
 	logger.Info("Debian CVE conversion succeeded.")
 }
 
+func worker(ctx context.Context, vulnChan <-chan *vulns.Vulnerability, bkt *storage.BucketHandle, outputDir string) {
+	for v := range vulnChan {
+		debianID := v.ID
+		if len(v.Affected) == 0 {
+			logger.Warn(fmt.Sprintf("Skipping %s as no affected versions found.", debianID), slog.String("id", debianID))
+			continue
+		}
+
+		// Marshal before setting modified time to generate hash.
+		buf, err := json.MarshalIndent(v, "", "  ")
+		if err != nil {
+			logger.Error("failed to marshal vulnerability", slog.String("id", debianID), slog.Any("err", err))
+			continue
+		}
+
+		hash := sha256.Sum256(buf)
+		hexHash := hex.EncodeToString(hash[:])
+
+		objName := path.Join(outputDir, debianID+".json")
+		obj := bkt.Object(objName)
+
+		// Check if object exists and if hash matches.
+		attrs, err := obj.Attrs(ctx)
+		if err == nil {
+			// Object exists, check hash.
+			if attrs.Metadata != nil && attrs.Metadata[hashMetadataKey] == hexHash {
+				logger.Info("Skipping upload, hash matches", slog.String("id", debianID))
+				continue
+			}
+		} else if !errors.Is(err, storage.ErrObjectNotExist) {
+			logger.Error("failed to get object attributes", slog.String("id", debianID), slog.Any("err", err))
+			continue
+		}
+
+		// Object does not exist or hash differs, upload.
+		v.Modified = time.Now().UTC()
+		buf, err = json.MarshalIndent(v, "", "  ")
+		if err != nil {
+			logger.Error("failed to marshal vulnerability with modified time", slog.String("id", debianID), slog.Any("err", err))
+			continue
+		}
+
+		logger.Info("Uploading", slog.String("id", debianID))
+		wc := obj.NewWriter(ctx)
+		wc.Metadata = map[string]string{
+			hashMetadataKey: hexHash,
+		}
+		wc.ContentType = "application/json"
+
+		if _, err := wc.Write(buf); err != nil {
+			logger.Error("failed to write to GCS object", slog.String("id", debianID), slog.Any("err", err))
+			// Try to close writer even if write failed.
+			if closeErr := wc.Close(); closeErr != nil {
+				logger.Error("failed to close GCS writer after write error", slog.String("id", debianID), slog.Any("err", closeErr))
+			}
+
+			continue
+		}
+
+		if err := wc.Close(); err != nil {
+			logger.Error("failed to close GCS writer", slog.String("id", debianID), slog.Any("err", err))
+			continue
+		}
+	}
+}
+
 // generateOSVFromDebianTracker converts Debian Security Tracker entries to OSV format.
 func generateOSVFromDebianTracker(debianData DebianSecurityTrackerData, debianReleaseMap map[string]string, allCVEs map[cves.CVEID]cves.Vulnerability) map[string]*vulns.Vulnerability {
 	logger.Info("Converting Debian Security Tracker data to OSV.")
@@ -100,7 +200,6 @@ func generateOSVFromDebianTracker(debianData DebianSecurityTrackerData, debianRe
 					Vulnerability: osvschema.Vulnerability{
 						ID:        "DEBIAN-" + cveID,
 						Upstream:  []string{cveID},
-						Modified:  time.Now().UTC(),
 						Published: allCVEs[cves.CVEID(cveID)].CVE.Published.Time,
 						Details:   cveData.Description,
 						References: []osvschema.Reference{
@@ -198,34 +297,6 @@ func getDebianReleaseMap() (map[string]string, error) {
 	return releaseMap, err
 }
 
-func writeToOutput(osvCves map[string]*vulns.Vulnerability, debianOutputPath string) error {
-	logger.Info("Writing OSV files to the output.")
-	for cveID, osv := range osvCves {
-		debianID := "DEBIAN-" + cveID
-		if len(osv.Affected) == 0 {
-			logger.Warn(fmt.Sprintf("Skipping %s as no affected versions found.", debianID), slog.String("id", debianID))
-			continue
-		}
-		file, err := os.OpenFile(path.Join(debianOutputPath, debianID+".json"), os.O_CREATE|os.O_RDWR|os.O_TRUNC, 0644)
-		if err != nil {
-			return err
-		}
-
-		encoder := json.NewEncoder(file)
-		encoder.SetIndent("", "  ")
-		err = encoder.Encode(osv)
-		closeErr := file.Close()
-		if err != nil {
-			return err
-		}
-		if closeErr != nil {
-			return closeErr
-		}
-	}
-
-	return nil
-}
-
 // downloadDebianSecurityTracker download Debian json file
 func downloadDebianSecurityTracker() (DebianSecurityTrackerData, error) {
 	res, err := faulttolerant.Get(debianSecurityTrackerURL)

vulnfeeds/cmd/debian/run_debian_convert.sh

@@ -9,10 +9,10 @@
 set -e
 
 OSV_OUTPUT_PATH="debian-cve-osv"
-INPUT_BUCKET="${INPUT_GCS_BUCKET:=cve-osv-conversion}"
-OUTPUT_BUCKET="${OUTPUT_GCS_BUCKET:=debian-osv}"
+INPUT_BUCKET="${INPUT_GCS_BUCKET:=osv-test-cve-osv-conversion}"
+OUTPUT_BUCKET="${OUTPUT_GCS_BUCKET:=osv-test-debian-osv}"
 CVE_OUTPUT="cve_jsons/"
-
+WORKERS="${NUM_WORKERS:=256}"
 
 echo "Setup initial directories ${OSV_OUTPUT_PATH}"
 rm -rf $OSV_OUTPUT_PATH && mkdir -p $OSV_OUTPUT_PATH
@@ -22,7 +22,5 @@ echo "Begin syncing NVD data from GCS bucket ${INPUT_BUCKET}"
 gcloud --no-user-output-enabled storage -q cp "gs://${INPUT_BUCKET}/nvd/*-????.json" "${CVE_OUTPUT}"
 echo "Successfully synced from GCS bucket"
 
-./debian-osv
-echo "Begin Syncing with cloud, GCS bucket: ${OUTPUT_BUCKET}"
-gsutil -q -m rsync -c -d $OSV_OUTPUT_PATH "gs://$OUTPUT_BUCKET/$OSV_OUTPUT_PATH"
-echo "Successfully synced with cloud"
+./debian-osv -output_bucket "$OUTPUT_BUCKET" -output_path "$OSV_OUTPUT_PATH" -num_workers "$WORKERS"
+echo "Successfully converted and uploaded to cloud"

vulnfeeds/go.mod

@@ -4,6 +4,7 @@ go 1.24.6
 
 require (
 	cloud.google.com/go/secretmanager v1.15.0
+	cloud.google.com/go/storage v1.56.2
 	github.com/aquasecurity/go-pep440-version v0.0.1
 	github.com/atombender/go-jsonschema v0.20.0
 	github.com/charmbracelet/lipgloss v1.0.0
@@ -18,29 +19,41 @@ require (
 )
 
 require (
-	cloud.google.com/go/auth v0.16.2 // indirect
+	cel.dev/expr v0.24.0 // indirect
+	cloud.google.com/go v0.121.6 // indirect
+	cloud.google.com/go/auth v0.16.5 // indirect
 	cloud.google.com/go/auth/oauth2adapt v0.2.8 // indirect
-	cloud.google.com/go/compute/metadata v0.7.0 // indirect
+	cloud.google.com/go/compute/metadata v0.8.0 // indirect
 	cloud.google.com/go/iam v1.5.2 // indirect
+	cloud.google.com/go/monitoring v1.24.2 // indirect
 	dario.cat/mergo v1.0.2 // indirect
+	github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.27.0 // indirect
+	github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.53.0 // indirect
+	github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.53.0 // indirect
 	github.com/Microsoft/go-winio v0.6.2 // indirect
 	github.com/ProtonMail/go-crypto v1.1.6 // indirect
 	github.com/aquasecurity/go-version v0.0.1 // indirect
 	github.com/aymanbagabas/go-osc52/v2 v2.0.1 // indirect
+	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/charmbracelet/x/ansi v0.4.5 // indirect
 	github.com/cloudflare/circl v1.6.1 // indirect
+	github.com/cncf/xds/go v0.0.0-20250501225837-2ac532fd4443 // indirect
 	github.com/cyphar/filepath-securejoin v0.4.1 // indirect
 	github.com/emirpasic/gods v1.18.1 // indirect
+	github.com/envoyproxy/go-control-plane/envoy v1.32.4 // indirect
+	github.com/envoyproxy/protoc-gen-validate v1.2.1 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
 	github.com/go-git/go-billy/v5 v5.6.2 // indirect
-	github.com/go-logr/logr v1.4.2 // indirect
+	github.com/go-jose/go-jose/v4 v4.0.5 // indirect
+	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/goccy/go-yaml v1.18.0 // indirect
 	github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 // indirect
 	github.com/google/s2a-go v0.1.9 // indirect
+	github.com/google/uuid v1.6.0 // indirect
 	github.com/googleapis/enterprise-certificate-proxy v0.3.6 // indirect
-	github.com/googleapis/gax-go/v2 v2.14.2 // indirect
+	github.com/googleapis/gax-go/v2 v2.15.0 // indirect
 	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
 	github.com/kevinburke/ssh_config v1.2.0 // indirect
 	github.com/lucasb-eyer/go-colorful v1.2.0 // indirect
@@ -49,30 +62,36 @@ require (
 	github.com/package-url/packageurl-go v0.1.3 // indirect
 	github.com/pjbgf/sha1cd v0.3.2 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
+	github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 // indirect
 	github.com/rivo/uniseg v0.4.7 // indirect
 	github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 // indirect
 	github.com/skeema/knownhosts v1.3.1 // indirect
+	github.com/spiffe/go-spiffe/v2 v2.5.0 // indirect
 	github.com/xanzy/ssh-agent v0.3.3 // indirect
+	github.com/zeebo/errs v1.4.0 // indirect
 	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
+	go.opentelemetry.io/contrib/detectors/gcp v1.36.0 // indirect
 	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.61.0 // indirect
 	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 // indirect
 	go.opentelemetry.io/otel v1.36.0 // indirect
 	go.opentelemetry.io/otel/metric v1.36.0 // indirect
+	go.opentelemetry.io/otel/sdk v1.36.0 // indirect
+	go.opentelemetry.io/otel/sdk/metric v1.36.0 // indirect
 	go.opentelemetry.io/otel/trace v1.36.0 // indirect
-	golang.org/x/crypto v0.39.0 // indirect
+	golang.org/x/crypto v0.41.0 // indirect
 	golang.org/x/exp v0.0.0-20250819193227-8b4c13bb791b // indirect
-	golang.org/x/net v0.41.0 // indirect
+	golang.org/x/net v0.43.0 // indirect
 	golang.org/x/oauth2 v0.30.0 // indirect
 	golang.org/x/sync v0.16.0 // indirect
-	golang.org/x/sys v0.33.0 // indirect
-	golang.org/x/text v0.26.0 // indirect
+	golang.org/x/sys v0.35.0 // indirect
+	golang.org/x/text v0.28.0 // indirect
 	golang.org/x/time v0.12.0 // indirect
 	golang.org/x/xerrors v0.0.0-20240903120638-7835f813f4da // indirect
-	google.golang.org/api v0.237.0 // indirect
-	google.golang.org/genproto v0.0.0-20250505200425-f936aa4a68b2 // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20250603155806-513f23925822 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20250603155806-513f23925822 // indirect
-	google.golang.org/grpc v1.73.0 // indirect
-	google.golang.org/protobuf v1.36.6 // indirect
+	google.golang.org/api v0.247.0 // indirect
+	google.golang.org/genproto v0.0.0-20250603155806-513f23925822 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20250818200422-3122310a409c // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20250818200422-3122310a409c // indirect
+	google.golang.org/grpc v1.74.2 // indirect
+	google.golang.org/protobuf v1.36.7 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
 )