fix: Debian-CVE with no fixed not being converted (and added dryrun mode) (#4033)

jess-lowe · web-flow · commit 1abe3689b854 · 2025-09-25T10:42:15.000+10:00
diff --git a/vulnfeeds/cmd/debian/main.go b/vulnfeeds/cmd/debian/main.go
@@ -44,6 +44,7 @@ func main() {
 	debianOutputPath := flag.String("output_path", debianOutputPathDefault, "Path to output OSV files.")
 	outputBucketName := flag.String("output_bucket", outputBucketDefault, "The GCS bucket to write to.")
 	numWorkers := flag.Int("num_workers", 64, "Number of workers to process records")
+	uploadToGCS := flag.Bool("uploadToGCS", false, "If true, do not write to GCS bucket and instead write to local disk.")
 	flag.Parse()
 
 	err := os.MkdirAll(*debianOutputPath, 0755)
@@ -64,11 +65,14 @@ func main() {
 	allCVEs := vulns.LoadAllCVEs(defaultCvePath)
 
 	ctx := context.Background()
-	storageClient, err := storage.NewClient(ctx)
-	if err != nil {
-		logger.Fatal("Failed to create storage client", slog.Any("err", err))
+	var bkt *storage.BucketHandle
+	if *uploadToGCS {
+		storageClient, err := storage.NewClient(ctx)
+		if err != nil {
+			logger.Fatal("Failed to create storage client", slog.Any("err", err))
+		}
+		bkt = storageClient.Bucket(*outputBucketName)
 	}
-	bkt := storageClient.Bucket(*outputBucketName)
 
 	var wg sync.WaitGroup
 	vulnChan := make(chan *vulns.Vulnerability)
@@ -97,6 +101,7 @@ func main() {
 }
 
 func worker(ctx context.Context, vulnChan <-chan *vulns.Vulnerability, bkt *storage.BucketHandle, outputDir string) {
+	noUpload := bkt == nil
 	for v := range vulnChan {
 		debianID := v.ID
 		if len(v.Affected) == 0 {
@@ -111,10 +116,26 @@ func worker(ctx context.Context, vulnChan <-chan *vulns.Vulnerability, bkt *stor
 			continue
 		}
 
+		objName := path.Join(outputDir, debianID+".json")
+
+		if noUpload {
+			logger.Info("Writing to local disk", slog.String("path", objName))
+			v.Modified = time.Now().UTC()
+			buf, err = json.MarshalIndent(v, "", "  ")
+			if err != nil {
+				logger.Error("failed to marshal vulnerability with modified time", slog.String("id", debianID), slog.Any("err", err))
+				continue
+			}
+			if err := os.WriteFile(objName, buf, 0600); err != nil {
+				logger.Error("failed to write file in dry run", slog.String("path", objName), slog.Any("err", err))
+			}
+
+			continue
+		}
+
 		hash := sha256.Sum256(buf)
 		hexHash := hex.EncodeToString(hash[:])
 
-		objName := path.Join(outputDir, debianID+".json")
 		obj := bkt.Object(objName)
 
 		// Check if object exists and if hash matches.
@@ -237,7 +258,9 @@ func generateOSVFromDebianTracker(debianData DebianSecurityTrackerData, debianRe
 				}
 
 				if release.Status == "resolved" {
-					pkgInfo.VersionInfo.AffectedVersions = []models.AffectedVersion{{Fixed: release.FixedVersion}}
+					pkgInfo.VersionInfo.AffectedVersions = []models.AffectedVersion{{Introduced: "0"}, {Fixed: release.FixedVersion}}
+				} else {
+					pkgInfo.VersionInfo.AffectedVersions = []models.AffectedVersion{{Introduced: "0"}}
 				}
 
 				if len(pkgInfo.VersionInfo.AffectedVersions) > 0 {
diff --git a/vulnfeeds/cmd/debian/main_test.go b/vulnfeeds/cmd/debian/main_test.go
@@ -102,6 +102,21 @@ func TestGenerateOSVFromDebianTracker(t *testing.T) {
 				Published: now,
 				Details:   "In all versions of AppArmor mount rules are accidentally widened when compiled.",
 				Affected: []osvschema.Affected{
+					{
+						Package:           osvschema.Package{Ecosystem: "Debian:10", Name: "apparmor"},
+						Ranges:            []osvschema.Range{{Type: "ECOSYSTEM", Events: []osvschema.Event{{Introduced: "0"}}}},
+						EcosystemSpecific: map[string]any{"urgency": string("unimportant")},
+					},
+					{
+						Package:           osvschema.Package{Ecosystem: "Debian:11", Name: "apparmor"},
+						Ranges:            []osvschema.Range{{Type: "ECOSYSTEM", Events: []osvschema.Event{{Introduced: "0"}}}},
+						EcosystemSpecific: map[string]any{"urgency": string("unimportant")},
+					},
+					{
+						Package:           osvschema.Package{Ecosystem: "Debian:12", Name: "apparmor"},
+						Ranges:            []osvschema.Range{{Type: "ECOSYSTEM", Events: []osvschema.Event{{Introduced: "0"}}}},
+						EcosystemSpecific: map[string]any{"urgency": string("unimportant")},
+					},
 					{
 						Package:           osvschema.Package{Name: "apparmor", Ecosystem: "Debian:13"},
 						Ranges:            []osvschema.Range{{Type: "ECOSYSTEM", Events: []osvschema.Event{{Introduced: "0"}, {Fixed: "3.0.12-1"}}}},
