fix: check if there are no metrics on NVD before attempting to add to Alpine/Debian records (#4044)

jess-lowe · web-flow · commit bcd6685720df · 2025-09-26T08:24:23.000+10:00
diff --git a/vulnfeeds/cmd/alpine/main.go b/vulnfeeds/cmd/alpine/main.go
@@ -36,7 +36,7 @@ func main() {
 	logger.InitGlobalLogger()
 
 	alpineOutputPath := flag.String(
-		"alpineOutput",
+		"output_path",
 		alpineOutputPathDefault,
 		"path to output general alpine affected package information")
 	outputBucketName := flag.String("output_bucket", outputBucketDefault, "The GCS bucket to write to.")
@@ -220,7 +220,10 @@ func generateAlpineOSV(allAlpineSecDb map[string][]VersionAndPkg, allCVEs map[cv
 			logger.Warn(fmt.Sprintf("Skipping %s as no affected versions found.", v.ID), slog.String("cveID", cveID))
 			continue
 		}
-		v.AddSeverity(cve.CVE.Metrics)
+		if cve.CVE.Metrics != nil {
+			v.AddSeverity(cve.CVE.Metrics)
+		}
+
 		osvVulnerabilities = append(osvVulnerabilities, v)
 	}
 
diff --git a/vulnfeeds/cmd/debian/main.go b/vulnfeeds/cmd/debian/main.go
@@ -143,7 +143,10 @@ func generateOSVFromDebianTracker(debianData DebianSecurityTrackerData, debianRe
 						},
 					},
 				}
-				v.AddSeverity(currentNVDCVE.CVE.Metrics)
+				if currentNVDCVE.CVE.Metrics != nil {
+					v.AddSeverity(currentNVDCVE.CVE.Metrics)
+				}
+
 				osvCves[cveID] = v
 			}
 

Original file line number	Diff line number	Diff line change
`@@ -143,7 +143,10 @@ func generateOSVFromDebianTracker(debianData DebianSecurityTrackerData, debianRe`
`143`	`143`	`},`
`144`	`144`	`},`
`145`	`145`	`}`
`146`		`- v.AddSeverity(currentNVDCVE.CVE.Metrics)`
	`146`	`+ if currentNVDCVE.CVE.Metrics != nil {`
	`147`	`+ v.AddSeverity(currentNVDCVE.CVE.Metrics)`
	`148`	`+ }`
	`149`	`+`
`147`	`150`	`osvCves[cveID] = v`
`148`	`151`	`}`
`149`	`152`