Skip to content

Comments

Add V2 Importer for Tuxcare advisories#2104

Open
Samk1710 wants to merge 9 commits intoaboutcode-org:mainfrom
Samk1710:add-tuxcare-importer
Open

Add V2 Importer for Tuxcare advisories#2104
Samk1710 wants to merge 9 commits intoaboutcode-org:mainfrom
Samk1710:add-tuxcare-importer

Conversation

@Samk1710
Copy link
Contributor

@Samk1710 Samk1710 commented Jan 4, 2026
edited
Loading

Addresses Issue:

Data Source: https://cve.tuxcare.com/els/download-json?orderBy=updated-desc

Importer Log Excerpt:

Importing data using tuxcare_importer_v2
INFO 2026-01-26 19:49:29.721368 UTC Pipeline [TuxCareImporterPipeline] starting
INFO 2026-01-26 19:49:29.721706 UTC Step [fetch] starting
INFO 2026-01-26 19:49:29.721766 UTC Fetching `https://cve.tuxcare.com/els/download-json?orderBy=updated-desc`
INFO 2026-01-26 19:51:10.961749 UTC Grouped 66,363 records into 9,649 unique CVEs (skipped 11,023: 0 invalid, 11,023 non-affected)
INFO 2026-01-26 19:51:10.963427 UTC Step [fetch] completed in 101 seconds (1.7 minutes)
INFO 2026-01-26 19:51:10.963586 UTC Step [collect_and_store_advisories] starting
INFO 2026-01-26 19:51:10.963635 UTC Collecting 9,649 advisories
INFO 2026-01-26 19:51:19.935667 UTC Progress: 10% (965/9649) ETA: 81 seconds (1.4 minutes)
INFO 2026-01-26 19:51:27.608222 UTC Progress: 20% (1930/9649) ETA: 67 seconds (1.1 minutes)
INFO 2026-01-26 19:51:36.572045 UTC Progress: 30% (2895/9649) ETA: 60 seconds
INFO 2026-01-26 19:51:45.463802 UTC Progress: 40% (3860/9649) ETA: 52 seconds
INFO 2026-01-26 19:51:54.916604 UTC Progress: 50% (4825/9649) ETA: 44 seconds
INFO 2026-01-26 19:52:02.836165 UTC Progress: 60% (5790/9649) ETA: 35 seconds
INFO 2026-01-26 19:52:11.500848 UTC Progress: 70% (6755/9649) ETA: 26 seconds
INFO 2026-01-26 19:52:20.017145 UTC Progress: 80% (7720/9649) ETA: 17 seconds
INFO 2026-01-26 19:52:28.159588 UTC Progress: 90% (8685/9649) ETA: 9 seconds
INFO 2026-01-26 19:52:35.721813 UTC Progress: 100% (9649/9649)
INFO 2026-01-26 19:52:35.729484 UTC Successfully collected 9,649 advisories
INFO 2026-01-26 19:52:35.729635 UTC Step [collect_and_store_advisories] completed in 85 seconds (1.4 minutes)
INFO 2026-01-26 19:52:35.729686 UTC Pipeline completed in 186 seconds (3.1 minutes)

@ziadhany ziadhany self-requested a review January 5, 2026 10:22
ziadhany
ziadhany requested changes Jan 7, 2026
View reviewed changes
Copy link
Collaborator

@ziadhany ziadhany left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@Samk1710 Thanks , see feedback and suggestions below

@Samk1710
Copy link
Contributor Author

Samk1710 commented Jan 7, 2026

@ziadhany Thanks for your review.
I have updated the code as per your suggestion and feedback. Requesting a re-review. Thanks again!

@Samk1710 Samk1710 requested a review from ziadhany January 7, 2026 21:18
ziadhany
ziadhany reviewed Jan 8, 2026
View reviewed changes
@ziadhany
Copy link
Collaborator

ziadhany commented Jan 8, 2026
edited
Loading

@Samk1710, could you please also fix the CI ?

@Samk1710
Copy link
Contributor Author

Samk1710 commented Jan 10, 2026

Hey @ziadhany
I have updated the implementation as per your review and suggestion of os_name qualifier. Do let me know if it aligns with what you had in mind. Thanks !

@Samk1710 Samk1710 requested a review from ziadhany January 10, 2026 00:03
ziadhany
ziadhany requested changes Jan 12, 2026
View reviewed changes
@Samk1710
Copy link
Contributor Author

Samk1710 commented Jan 12, 2026

Hey @ziadhany
I have refactored the purl as per your suggestion and pushed. Thanks for the guidance :)

@Samk1710 Samk1710 requested a review from ziadhany January 12, 2026 14:23
@Samk1710
Copy link
Contributor Author

Samk1710 commented Jan 13, 2026

@Samk1710, could you please also fix the CI ?

Hey @ziadhany could you kindly run the checks. I have fixed the import ordering. Thanks.

ziadhany
ziadhany requested changes Jan 16, 2026
View reviewed changes
Copy link
Collaborator

@ziadhany ziadhany left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@Samk1710 , The code looks good. I think we just need some refinement of the package URL and the affected and fixed versions.

@Samk1710
Copy link
Contributor Author

Samk1710 commented Jan 21, 2026

Hey @ziadhany

I have rectified the PURL. Also added more data to test each OS type with their respective PURLs.
After some digging in I also found the documentation for statuses and also implemented them.
Please see #2104 (comment)

Kindly review the changes when you have time. Thanks.

@Samk1710 Samk1710 requested a review from ziadhany January 22, 2026 18:03
ziadhany
ziadhany reviewed Jan 26, 2026
View reviewed changes
@Samk1710
Copy link
Contributor Author

Samk1710 commented Jan 26, 2026

Hey @ziadhany
As per discussions in the weekly meet, I have implemented the Impact Packages and also mapped the version range.
Kindly take a look at them and let me know if anything has to be improved. Please review when time. Thanks.

@Samk1710 Samk1710 requested a review from ziadhany January 26, 2026 19:45
@Samk1710 Samk1710 force-pushed the add-tuxcare-importer branch from 0f27746 to 7d47d46 Compare January 27, 2026 16:24
ziadhany
ziadhany requested changes Feb 2, 2026
View reviewed changes
Copy link
Collaborator

@ziadhany ziadhany left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The code looks good, just a few nits.

vulnerabilities/pipelines/v2_importers/tuxcare_importer.py Outdated
)
)

if severity and score and not severity_added:
Copy link
Collaborator

@ziadhany ziadhany Feb 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What is the use of the severity_added variable? Why aren’t severity and score enough to add severity if it exists?

Copy link
Contributor Author

@Samk1710 Samk1710 Feb 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Each CVE has only one severity score shared across all packages/distributions for that CVE, so we only want to add the severity once per advisory.
See: https://cve.tuxcare.com/els/cve?cve=CVE-2023-52922&os=&project=&version=&status=&after=&before=&orderBy=updated-desc

I have added a minor refactor and used if severity and score and not severities instead of the boolean.

@Samk1710 Samk1710 force-pushed the add-tuxcare-importer branch from e4e1684 to 66be491 Compare February 2, 2026 22:24
@Samk1710
Copy link
Contributor Author

Samk1710 commented Feb 2, 2026

The code looks good, just a few nits.

Thanks @ziadhany
I’ve addressed the review comments and pushed the latest changes.
Please let me know if anything else needs adjustment.

@Samk1710 Samk1710 requested a review from ziadhany February 5, 2026 09:15
@Samk1710
Add V2 Importer for Tuxcare
d47224e 
Signed-off-by: Sampurna Pyne <sampurnapyne1710@gmail.com>
@Samk1710
Refactor as per review
0d410f5 
Signed-off-by: Sampurna Pyne <sampurnapyne1710@gmail.com>
@Samk1710
Refactor to PURL qualifier
89bf6d8 
Signed-off-by: Sampurna Pyne <sampurnapyne1710@gmail.com>
@Samk1710
Codestyle fix
4b52cda 
Signed-off-by: Sampurna Pyne <sampurnapyne1710@gmail.com>
@Samk1710
Refactor PURL and fix type-hinting
c502f59 
Signed-off-by: Sampurna Pyne <sampurnapyne1710@gmail.com>
@Samk1710
Fix import ordering
e61edff 
Signed-off-by: Sampurna Pyne <sampurnapyne1710@gmail.com>
@Samk1710
Refactor PURL and status handling
9137d50 
Signed-off-by: Sampurna Pyne <sampurnapyne1710@gmail.com>
@Samk1710
Implement impact packages and specific version with univers
8d4b208 
Signed-off-by: Sampurna Pyne <sampurnapyne1710@gmail.com>
@Samk1710
Add docstrings and use pipeline logger
9597abf 
Signed-off-by: Sampurna Pyne <sampurnapyne1710@gmail.com>
@Samk1710 Samk1710 force-pushed the add-tuxcare-importer branch from 66be491 to 9597abf Compare February 9, 2026 09:57
@Samk1710
Copy link
Contributor Author

Samk1710 commented Feb 19, 2026

Hey @ziadhany. Could you kindly have a look at the changes when time. Thanks.

ziadhany
ziadhany requested changes Feb 21, 2026
View reviewed changes
Copy link
Collaborator

@ziadhany ziadhany left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@Samk1710, just a few nits to improve code quality and update the importer to use AdvisoryDataV2. Overall, the code looks good.

vulnerabilities/pipelines/v2_importers/tuxcare_importer.py
self.log(f"Skipping {cve_id} - no valid affected packages")
continue

yield AdvisoryData(
Copy link
Collaborator

@ziadhany ziadhany Feb 15, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
yield AdvisoryData(
yield AdvisoryDataV2(

vulnerabilities/pipelines/v2_importers/tuxcare_importer.py
type=pkg_type, namespace=namespace, name=project_name, qualifiers=qualifiers
)

def collect_advisories(self) -> Iterable[AdvisoryData]:
Copy link
Collaborator

@ziadhany ziadhany Feb 15, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
def collect_advisories(self) -> Iterable[AdvisoryData]:
def collect_advisories(self) -> Iterable[AdvisoryDataV2]:

vulnerabilities/pipelines/v2_importers/tuxcare_importer.py
@classmethod
def steps(cls):
return (
cls.fetch,
Copy link
Collaborator

@ziadhany ziadhany Feb 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
cls.fetch,
cls.fetch,
cls.group_records_by_cve,

vulnerabilities/pipelines/v2_importers/tuxcare_importer.py
self.log(f"Fetching `{url}`")
response = fetch_response(url)
self.response = response.json() if response else []
self._grouped = self._group_records_by_cve()
Copy link
Collaborator

@ziadhany ziadhany Feb 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The fetch function should only be used for fetching. It is wrong to run any other function in it, such as group_records_by_cve.

Suggested change
self._grouped = self._group_records_by_cve()

vulnerabilities/pipelines/v2_importers/tuxcare_importer.py
self.response = response.json() if response else []
self._grouped = self._group_records_by_cve()

def _group_records_by_cve(self) -> dict:
Copy link
Collaborator

@ziadhany ziadhany Feb 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
def _group_records_by_cve(self) -> dict:
def group_records_by_cve(self):

vulnerabilities/pipelines/v2_importers/tuxcare_importer.py
return grouped

def advisories_count(self) -> int:
return len(self._grouped)
Copy link
Collaborator

@ziadhany ziadhany Feb 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
return len(self._grouped)
return len(self.grouped_cve)

vulnerabilities/pipelines/v2_importers/tuxcare_importer.py
f"(skipped {total_skipped:,d}: {skipped_invalid:,d} invalid, "
f"{skipped_non_affected:,d} non-affected)"
)
return grouped
Copy link
Collaborator

@ziadhany ziadhany Feb 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
return grouped

vulnerabilities/pipelines/v2_importers/tuxcare_importer.py
"""
A single CVE can appear in multiple records across different operating systems, distributions, or package versions. This method groups all records with the same CVE together and skips entries that are invalid or marked as not affected. The result is a dictionary keyed by CVE ID, with each value containing the related records.
"""
grouped = {}
Copy link
Collaborator

@ziadhany ziadhany Feb 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
grouped = {}
self.grouped_cve = {}

Copy link
Collaborator

@ziadhany ziadhany Feb 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

also, please use a more descriptive and meaningful name for this variable.
ex: cve_to_records

vulnerabilities/pipelines/v2_importers/tuxcare_importer.py
Comment on lines +31 to +36
VERSION_RANGE_BY_PURL_TYPE = {
"rpm": RANGE_CLASS_BY_SCHEMES["rpm"],
"deb": RANGE_CLASS_BY_SCHEMES["deb"],
"apk": AlpineLinuxVersionRange,
"generic": RANGE_CLASS_BY_SCHEMES["generic"],
}
Copy link
Collaborator

@ziadhany ziadhany Feb 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why this ?

Suggested change
VERSION_RANGE_BY_PURL_TYPE = {
"rpm": RANGE_CLASS_BY_SCHEMES["rpm"],
"deb": RANGE_CLASS_BY_SCHEMES["deb"],
"apk": AlpineLinuxVersionRange,
"generic": RANGE_CLASS_BY_SCHEMES["generic"],
}
from univers.version_range import RANGE_CLASS_BY_SCHEMES

vulnerabilities/pipelines/v2_importers/tuxcare_importer.py

return PackageURL(
type=pkg_type, namespace=namespace, name=project_name, qualifiers=qualifiers
)
Copy link
Collaborator

@ziadhany ziadhany Feb 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please add a unit test to cover this function.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ziadhany ziadhany ziadhany requested changes

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Samk1710 @ziadhany