Skip to content

Feat/rootio provider #914

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 5 commits into
base: main
Choose a base branch
from
Open

Feat/rootio provider #914

wants to merge 5 commits into from

Conversation

@chait-slim
Copy link

@chait-slim chait-slim commented Nov 3, 2025

No description provided.

shakedembo and others added 4 commits August 28, 2025 12:22
@shakedembo
Add rootio provider for Rooi.io CVE feed
5dcec5d 
* Added following the existing directory structure a provider folder for rootio plus a provider class and a parser
* Added to the global cli config the rootio provider config mapping
* Added the rootio provider to the mapping in the global provider initialization
* Added the appropriate configuration for testing the new provider with a unit test

Signed-off-by: Shaked Dembo <[email protected]>
@shakedembo
Updated readme with root
d623637 
* Added root api for cve_feed as supported data sources
* Updated the output for vunnel list (noticed a drift with other ecosystems so I updated it to the latest)

Signed-off-by: Shaked Dembo <[email protected]>
@shakedembo
Fixed the linter issues by running uv run ruff check --fix
12819d5 
Signed-off-by: Shaked Dembo <[email protected]>
@chait-slim
feat: emit ROOTIO_UNAFFECTED markers for Root.io
9efe013 
  patched packages

  - Add ROOTIO_UNAFFECTED marker emission for packages with .root.io
  version suffix
  - Include vulnerable range constraint to exclude Root.io patched
  versions
  - Support both OS packages (Alpine, Debian, Ubuntu) and language
  packages (Python)
  - Add comprehensive unit tests for the parser modifications

  This prevents false positive vulnerability reports for packages that
  have been
  patched by Root.io security team.

Signed-off-by: Chai Tadmor <[email protected]>
@chait-slim chait-slim force-pushed the feat/rootio-provider branch from fc331e6 to 9efe013 Compare November 4, 2025 07:57
@chait-slim chait-slim mentioned this pull request Nov 4, 2025
Open
willmurphyscode
willmurphyscode reviewed Nov 13, 2025
View reviewed changes
src/vunnel/providers/rootio/parser.py
if not fixed_versions:
cve_record["Vulnerability"]["FixedIn"].append({
"Name": package_name,
"Version": "", # Empty version indicates no fix available
Copy link
Contributor

@willmurphyscode willmurphyscode Nov 13, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I thought we had discussed at #863 (comment) that this vulnerability feed only supports records of fixes? Should this code ever be reachable?

willmurphyscode
willmurphyscode reviewed Nov 13, 2025
View reviewed changes
tests/unit/providers/rootio/test_rootio.py Outdated
namespace = data["Vulnerability"].get("NamespaceName", "")
if namespace == "rootio:language:python":
for fixed_in in data["Vulnerability"].get("FixedIn", []):
if fixed_in.get("Version") == "ROOTIO_UNAFFECTED":
Copy link
Contributor

@willmurphyscode willmurphyscode Nov 13, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please don't use magic / sentinel values like this. You want the vunnel to emit an actual version at which the vulnerability was fixed.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@willmurphyscode willmurphyscode willmurphyscode left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@chait-slim @willmurphyscode @shakedembo