Skip to content

Migrate Alpine importer to advisory V2 #2111

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
ziadhany wants to merge 4 commits into
base: main
Choose a base branch
from
Open

Migrate Alpine importer to advisory V2 #2111

ziadhany wants to merge 4 commits into from
+1,395 −0

Conversation

@ziadhany
Copy link
Collaborator

@ziadhany ziadhany commented Jan 8, 2026
edited
Loading

@ziadhany
Migrate Alpine importer to advisory V2
b9471ce 
Signed-off-by: ziad hany <ziadhany2016@gmail.com>
@ziadhany
Copy link
Collaborator Author

ziadhany commented Jan 8, 2026
edited
Loading 

INFO 2026-01-26 19:15:30.575619 UTC Pipeline [AlpineLinuxImporterPipeline] starting
INFO 2026-01-26 19:15:30.575748 UTC Step [collect_and_store_advisories] starting
Importing data using alpine_linux_importer_v2
INFO 2026-01-26 22:39:08.084020 UTC Successfully collected 108,252 advisories
INFO 2026-01-26 22:39:08.084139 UTC Step [collect_and_store_advisories] completed in 12218 seconds (3.4 hours)
INFO 2026-01-26 22:39:08.084171 UTC Pipeline completed in 12218 seconds (3.4 hours)


from vulnerabilities.models import AdvisoryV2
from django.db.models import Count
duplicates = (
    AdvisoryV2.objects
    .values('avid')
    .annotate(count=Count('id'))
    .filter(count__gt=1)
)
len(duplicates)
Out[2]: 0
AdvisoryV2.objects.count()
Out[3]: 108252

@ziadhany
Fix typo Alpine Linux importer pipeline inherits from VulnerableCodeB…
e51b3bb 
…aseImporterPipelineV2

Signed-off-by: ziad hany <ziadhany2016@gmail.com>
@ziadhany
Copy link
Collaborator Author

ziadhany commented Jan 15, 2026
edited
Loading

@TG1999 @pombredanne I have a question about Alpine migration. We are fetching one URL and processing the data without grouping by CVE.

The problem is that each URL reports a package version along with its fixed CVEs. How can we obtain a unique identifier for this importer? Is it a good idea to restructure the data and create a large mapping, using the CVE as the unique identifier?

Proposed structure:
CVE: [purl_1, purl_2, ...]

Example:
Package: aom

Sources:
https://secdb.alpinelinux.org/v3.22/main.json -> CVEs: "CVE-2021-30473", "CVE-2021-30474", "CVE-2021-30475"
https://secdb.alpinelinux.org/v3.21/main.json -> CVEs: "CVE-2021-30473", "CVE-2021-30474", "CVE-2021-30475"

@ziadhany
Update Alpine to avoid fetching the same URL links multiple times
34309ad 
Signed-off-by: ziad hany <ziadhany2016@gmail.com>
ziadhany
ziadhany commented Jan 26, 2026
View reviewed changes
vulnerabilities/pipelines/v2_importers/alpine_linux_importer.py Outdated
)

for cve in aliases:
advisory_id = f"{pkg_infos['name']}/{qualifiers['distroversion']}/{cve}"
Copy link
Collaborator Author

@ziadhany ziadhany Jan 26, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ex:

apache2/v3.20/2.4.26-r0/CVE-2017-7668

@ziadhany
Update alpine linux so for every vulnerability id AdvisoryData
eea5b1c 
Fix duplication on advisory_id

Signed-off-by: ziad hany <ziadhany2016@gmail.com>
keshav-space
keshav-space reviewed Jan 27, 2026
View reviewed changes
vulnerabilities/tests/pipelines/v2_importers/test_alpine_linux_importer_pipeline.py
Comment on lines +1007 to +1009
# these are the tests are not supported yet
# when we start supporting these version,
# they will be moved back to main test suite
Copy link
Member

@keshav-space keshav-space Jan 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@ziadhany do we have an issue for this? if not, please enter an issue.

Copy link
Collaborator Author

@ziadhany ziadhany Jan 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@keshav-space Yes, I think we already have an issue for this.

see:

Copy link
Member

@keshav-space keshav-space Jan 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@ziadhany Great, let's also open an issue here in VulnerableCode to review Alpine pipeline once aboutcode-org/univers#59 is resolved.

Copy link
Collaborator Author

@ziadhany ziadhany Jan 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Okay, I have created an issue in VulnerableCode:

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@keshav-space keshav-space keshav-space left review comments

@TG1999 TG1999 Awaiting requested review from TG1999

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@ziadhany @keshav-space