Conversation

@chait-slim (Contributor) commented Sep 12, 2025

Summary

This PR adds support for Root.io application-level vulnerability feeds to vuln-list-update, extending the existing OS-level vulnerability tracking with language/framework-specific vulnerability data.

Changes Introduced

  1. New Application Feed Support
  • Added support for fetching application-level vulnerabilities from https://api.root.io/external/app_feed
  • Application feed covers language ecosystems like npm, pip, go, etc.
  • Data is saved to rootio/app/cve_feed.json for clear separation from OS data
  2. Existing OS Feed Integration
  • Maintains compatibility with the existing OS vulnerability feed at https://api.root.io/external/cve_feed
  • OS feed continues to be saved to rootio/cve_feed.json
  • Supports Alpine, Debian, Ubuntu, and other OS distributions
  3. Unified Data Structure

Both feeds use the same JSON structure:

  {
    "ecosystem": [
      {
        "distroversion": "version",
        "packages": [
          {
            "pkg": {
              "name": "package-name",
              "cves": {
                "CVE-XXXX-XXXXX": {
                  "vulnerable_ranges": ["<version"],
                  "fixed_versions": ["version"]
                }
              }
            }
          }
        ]
      }
    ]
  }
  4. Implementation Details
  • Modular Design: Used a feedInfo struct to define feed configurations, making it easy to add/modify feeds
  • Clean Separation: OS and application feeds are stored in separate locations for better organization
  • Future-Proof: Architecture supports the planned migration from cve_feed to separate os_feed and app_feed endpoints
  • Error Handling: Comprehensive error handling with clear error messages for debugging
  • Testing: Full test coverage for both feeds with various error scenarios

Directory Structure

After running the updater, the vulnerability data is organized as:

  vuln-list/
  └── rootio/
      ├── cve_feed.json     # OS package vulnerabilities
      └── app/
          └── cve_feed.json # Application package vulnerabilities

Testing

  • Tests verify correct fetching and parsing of both OS and app feeds
  • Error scenarios tested include invalid JSON, missing endpoints, and server errors
  • Tests ensure proper directory structure and file placement
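As an added example, not code from this PR or from vuln-list-update, the Go sketch below shows the two things the description specifies: typed decoding of the quoted feed structure, and the endpoint-to-subdirectory layout under rootio/ that produces rootio/cve_feed.json and rootio/app/cve_feed.json. It assumes the top-level JSON key is the ecosystem name (the description shows the placeholder key "ecosystem"); the function names ParseFeed, SaveFeed and FixedVersionsFor and the FeedDirs map are hypothetical, not the project's API; and the embedded sample feed, its package name, CVE id and distroversion value are constructed placeholders. The check worth noting is that a body is parsed before it is written, so an error page or truncated download from an endpoint cannot replace the previous good cve_feed.json.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"path/filepath"
)

// Feed mirrors the structure quoted in the PR. Assumption: the top-level key is
// the ecosystem name ("alpine", "npm"); the PR shows the placeholder "ecosystem".
type Feed map[string][]DistroEntry

type DistroEntry struct {
	DistroVersion string `json:"distroversion"`
	Packages      []struct {
		Pkg Package `json:"pkg"`
	} `json:"packages"`
}

type Package struct {
	Name string             `json:"name"`
	CVEs map[string]CVEInfo `json:"cves"`
}

type CVEInfo struct {
	VulnerableRanges []string `json:"vulnerable_ranges"`
	FixedVersions    []string `json:"fixed_versions"`
}

// FeedFileName is the file name both feeds are written to.
const FeedFileName = "cve_feed.json"

// FeedDirs (hypothetical name) maps an API path to its subdirectory under rootio/.
var FeedDirs = map[string]string{
	"external/cve_feed": "",
	"external/app_feed": "app",
}

// ParseFeed decodes a feed body; Unmarshal rejects HTML, trailing garbage and arrays.
func ParseFeed(body []byte) (Feed, error) {
	var feed Feed
	if err := json.Unmarshal(body, &feed); err != nil {
		return nil, fmt.Errorf("decode feed: %w", err)
	}
	if feed == nil { // "null" decodes into a nil map without an error
		return nil, fmt.Errorf("decode feed: body is JSON null, not an object")
	}
	return feed, nil
}

// SaveFeed validates body, then writes it to <root>/rootio/<subdir>/cve_feed.json.
// A body that fails to parse is never written, so it cannot clobber a good file.
func SaveFeed(root, apiPath string, body []byte) (string, error) {
	subdir, ok := FeedDirs[apiPath]
	if !ok {
		return "", fmt.Errorf("unknown feed path %q", apiPath)
	}
	if _, err := ParseFeed(body); err != nil {
		return "", fmt.Errorf("%s: %w", apiPath, err)
	}
	dir := filepath.Join(root, "rootio", subdir)
	if err := os.MkdirAll(dir, 0o755); err != nil {
		return "", err
	}
	path := filepath.Join(dir, FeedFileName)
	if err := os.WriteFile(path, body, 0o644); err != nil {
		return "", err
	}
	return path, nil
}

// FixedVersionsFor walks the nested structure for one package/CVE pair across
// every distro version of the ecosystem; ok is false when it is not listed.
func FixedVersionsFor(feed Feed, ecosystem, pkg, cve string) ([]string, bool) {
	for _, d := range feed[ecosystem] {
		for _, p := range d.Packages {
			if info, ok := p.Pkg.CVEs[cve]; ok && p.Pkg.Name == pkg {
				return info.FixedVersions, true
			}
		}
	}
	return nil, false
}

// SampleAppFeed is a constructed body in the PR's structure; all values are placeholders.
const SampleAppFeed = `{"npm":[{"distroversion":"all","packages":[{"pkg":{"name":"example-lib",
"cves":{"CVE-0000-00001":{"vulnerable_ranges":["<1.2.3"],"fixed_versions":["1.2.3"]}}}}]}]}`

func main() {
	root, _ := os.MkdirTemp("", "vuln-list")
	defer os.RemoveAll(root)
	path, err := SaveFeed(root, "external/app_feed", []byte(SampleAppFeed))
	if err != nil {
		panic(err)
	}
	feed, _ := ParseFeed([]byte(SampleAppFeed))
	fixed, _ := FixedVersionsFor(feed, "npm", "example-lib", "CVE-0000-00001")
	fmt.Println("wrote", path, "fixed in", fixed)
}
```

Because the app endpoint was not yet live when this PR was reviewed (see the comment below), the parse-before-write step is what keeps a 404 or error page from being saved under rootio/app/cve_feed.json; the empty-string subdirectory for the OS feed is what keeps rootio/cve_feed.json at its existing location.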

rootio/rootio.go (outdated), comment on lines 18 to 19:

  osFeedPath = "external/os_feed" // OS packages feed
  appFeedPath = "external/app_feed" // Language/app packages feed
Contributor


How can I download the new files for testing?
Only https://api.root.io/external/cve_feed is available.

Contributor Author


You're right. It's being developed at the same time. I want to validate the PRs are accepted and I'll merge it on our side before merging the Trivy ones.

@DmitriyLewen (Contributor)

And can you add the PR description, please?

- Replace []feedInfo with map[string]string (endpoint → subdir).
- Introduce feedFileName = "cve_feed.json" for consistency.
- Change fetchAndSaveFeed to use (apiPath, subdir) parameters.
- Always create target dir via os.MkdirAll(rootio/).
- Minor cleanups: consistent err assignment and options loop.
@DmitriyLewen (Contributor)

hello @chait-slim
I refactored the logic a little.

Can you re-check?

@chait-slim (Contributor Author) commented Sep 29, 2025

hello @chait-slim I refactored the logic a little.

Can you re-check?

Hi, I've rechecked. From my end it's approved. I've updated the tests with real use cases of how versioning will look in the app feed. Tomorrow morning the new API will be running.
