vex: add non-vuln advisories to the deleted slice

There is a corner-case where an advisory can initially show products as known_affected then as known_not_affected. Because this updated advisory doesn't result in vulnerabilities the previous vulnerabilities associated with this advisory are carried forward. This change adds any advisories that don't lead to created vulnerabilities to the deleted slice in-order to ensure no existing vulnerabilities that could be related to this advisory are carried forward. In essence, it is as-if the advisory has been parsed from the deletions.csv file. Signed-off-by: crozzy <[email protected]>
quay · Nov 8, 2024 · 420823a · 420823a
1 parent 5c68e27
commit 420823a
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 4 deletions.
diff --git a/rhel/vex/parser.go b/rhel/vex/parser.go
@@ -100,7 +100,13 @@ func (u *Updater) DeltaParse(ctx context.Context, contents io.ReadCloser) ([]*cl
 		}
 	}
 	vulns := []*claircore.Vulnerability{}
-	for _, vs := range out {
+	for n, vs := range out {
+		if len(vs) == 0 {
+			// If there are no vulns for this CVE make sure we signal that
+			// it is deleted in case it once had vulns.
+			deleted = append(deleted, n)
+			continue
+		}
 		vulns = append(vulns, vs...)
 	}
 

diff --git a/rhel/vex/parser_test.go b/rhel/vex/parser_test.go
@@ -307,10 +307,10 @@ func TestParse(t *testing.T) {
 		expectedDeleted int
 	}{
 		{
-			name:            "six_advisories_two_deletions",
+			name:            "six_advisories_four_deletions",
 			filename:        "testdata/example_vex.jsonl",
 			expectedVulns:   546,
-			expectedDeleted: 2,
+			expectedDeleted: 4,
 		},
 		{
 			name:            "cve-2022-1705",

diff --git a/rhel/vex/updater.go b/rhel/vex/updater.go
@@ -33,7 +33,7 @@ const (
 	deletionsFile  = "deletions.csv"
 	lookBackToYear = 2014
 	repoKey        = "rhel-cpe-repository"
-	updaterVersion = "2"
+	updaterVersion = "3"
 )
 
 // Factory creates an Updater to process all of the Red Hat VEX data.