Add V2 Importer for Tuxcare advisories #2104

Samk1710 · Jan 4, 2026

Addresses Issue:

Import data from Tuxcare #2004

Data Source: https://cve.tuxcare.com/els/download-json?orderBy=updated-desc

Importer Log Excerpt:

Importing data using tuxcare_importer_v2
INFO 2026-01-26 19:49:29.721368 UTC Pipeline [TuxCareImporterPipeline] starting
INFO 2026-01-26 19:49:29.721706 UTC Step [fetch] starting
INFO 2026-01-26 19:49:29.721766 UTC Fetching `https://cve.tuxcare.com/els/download-json?orderBy=updated-desc`
INFO 2026-01-26 19:51:10.961749 UTC Grouped 66,363 records into 9,649 unique CVEs (skipped 11,023: 0 invalid, 11,023 non-affected)
INFO 2026-01-26 19:51:10.963427 UTC Step [fetch] completed in 101 seconds (1.7 minutes)
INFO 2026-01-26 19:51:10.963586 UTC Step [collect_and_store_advisories] starting
INFO 2026-01-26 19:51:10.963635 UTC Collecting 9,649 advisories
INFO 2026-01-26 19:51:19.935667 UTC Progress: 10% (965/9649) ETA: 81 seconds (1.4 minutes)
INFO 2026-01-26 19:51:27.608222 UTC Progress: 20% (1930/9649) ETA: 67 seconds (1.1 minutes)
INFO 2026-01-26 19:51:36.572045 UTC Progress: 30% (2895/9649) ETA: 60 seconds
INFO 2026-01-26 19:51:45.463802 UTC Progress: 40% (3860/9649) ETA: 52 seconds
INFO 2026-01-26 19:51:54.916604 UTC Progress: 50% (4825/9649) ETA: 44 seconds
INFO 2026-01-26 19:52:02.836165 UTC Progress: 60% (5790/9649) ETA: 35 seconds
INFO 2026-01-26 19:52:11.500848 UTC Progress: 70% (6755/9649) ETA: 26 seconds
INFO 2026-01-26 19:52:20.017145 UTC Progress: 80% (7720/9649) ETA: 17 seconds
INFO 2026-01-26 19:52:28.159588 UTC Progress: 90% (8685/9649) ETA: 9 seconds
INFO 2026-01-26 19:52:35.721813 UTC Progress: 100% (9649/9649)
INFO 2026-01-26 19:52:35.729484 UTC Successfully collected 9,649 advisories
INFO 2026-01-26 19:52:35.729635 UTC Step [collect_and_store_advisories] completed in 85 seconds (1.4 minutes)
INFO 2026-01-26 19:52:35.729686 UTC Pipeline completed in 186 seconds (3.1 minutes)

ziadhany

@Samk1710 Thanks , see feedback and suggestions below

vulnerabilities/pipelines/v2_importers/tuxcare_importer.py

vulnerabilities/tests/pipelines/v2_importers/test_tuxcare_importer_v2.py

vulnerabilities/pipelines/v2_importers/tuxcare_importer.py

Samk1710 · Jan 7, 2026

@ziadhany Thanks for your review.
I have updated the code as per your suggestion and feedback. Requesting a re-review. Thanks again!

vulnerabilities/pipelines/v2_importers/tuxcare_importer.py

ziadhany · Jan 8, 2026

@Samk1710, could you please also fix the CI ?

Samk1710 · Jan 10, 2026

Hey @ziadhany
I have updated the implementation as per your review and suggestion of os_name qualifier. Do let me know if it aligns with what you had in mind. Thanks !

vulnerabilities/pipelines/v2_importers/tuxcare_importer.py

Samk1710 · Jan 12, 2026

Hey @ziadhany
I have refactored the purl as per your suggestion and pushed. Thanks for the guidance :)

Samk1710 · Jan 13, 2026

@Samk1710, could you please also fix the CI ?

Hey @ziadhany could you kindly run the checks. I have fixed the import ordering. Thanks.

ziadhany

@Samk1710 , The code looks good. I think we just need some refinement of the package URL and the affected and fixed versions.

vulnerabilities/pipelines/v2_importers/tuxcare_importer.py

Samk1710 · Jan 21, 2026

Hey @ziadhany

I have rectified the PURL. Also added more data to test each OS type with their respective PURLs.
After some digging in I also found the documentation for statuses and also implemented them.
Please see #2104 (comment)

Kindly review the changes when you have time. Thanks.

ziadhany · Jan 26, 2026

vulnerabilities/pipelines/v2_importers/tuxcare_importer.py

+            try:
+                version_range = GenericVersionRange.from_versions([version])
+            except ValueError as e:
+                logger.warning(f"Failed to parse version {version} for {cve_id}: {e}")
+                continue


VersionRange should also be mapped correctly.

see:
https://github.com/aboutcode-org/univers/blob/main/src/univers/version_range.py#L1429

VersionRange should also be mapped correctly.

see: https://github.com/aboutcode-org/univers/blob/main/src/univers/version_range.py#L1429

Implemented

Samk1710 · Jan 26, 2026

Hey @ziadhany
As per discussions in the weekly meet, I have implemented the Impact Packages and also mapped the version range.
Kindly take a look at them and let me know if anything has to be improved. Please review when time. Thanks.

Signed-off-by: Sampurna Pyne <sampurnapyne1710@gmail.com>

ziadhany

The code looks good, just a few nits.

ziadhany · Feb 2, 2026

vulnerabilities/pipelines/v2_importers/tuxcare_importer.py

+    "deb": DebianVersionRange,
+    "apk": AlpineLinuxVersionRange,
+    "generic": GenericVersionRange,
+}


Please avoid code duplication, you can import this from the univers library.
from univers.version_range import RANGE_CLASS_BY_SCHEMES

ziadhany · Feb 2, 2026

vulnerabilities/pipelines/v2_importers/tuxcare_importer.py

+        self.response = response.json() if response else []
+        self._grouped = self._group_records_by_cve()
+
+    def _group_records_by_cve(self) -> dict:


please add some docs

ziadhany · Feb 2, 2026

vulnerabilities/pipelines/v2_importers/tuxcare_importer.py

+
+        for record in self.response:
+            cve_id = record.get("cve", "").strip()
+            if not cve_id or not cve_id.startswith("CVE-"):


Do we have an example of a cve field that doesn’t start with CVE? We shouldn’t consider this invalid.

ziadhany · Feb 2, 2026

vulnerabilities/pipelines/v2_importers/tuxcare_importer.py

+                    )
+                )
+
+                if severity and score and not severity_added:


What is the use of the severity_added variable? Why aren’t severity and score enough to add severity if it exists?

ziadhany · Feb 2, 2026

vulnerabilities/pipelines/v2_importers/tuxcare_importer.py

+from vulnerabilities.severity_systems import GENERIC
+from vulnerabilities.utils import fetch_response
+
+logger = logging.getLogger(__name__)


Suggested change

logger = logging.getLogger(__name__)

we can use the pipeline logger

ziadhany · Feb 2, 2026

vulnerabilities/pipelines/v2_importers/tuxcare_importer.py

+        for record in self.response:
+            cve_id = record.get("cve", "").strip()
+            if not cve_id or not cve_id.startswith("CVE-"):
+                logger.warning(f"Skipping invalid CVE ID: {cve_id}")


Suggested change

logger.warning(f"Skipping invalid CVE ID: {cve_id}")

self.log(f"Skipping invalid CVE ID: {cve_id}")

ziadhany · Feb 2, 2026

vulnerabilities/pipelines/v2_importers/tuxcare_importer.py

+                continue
+
+            if status not in AFFECTED_STATUSES and status not in FIXED_STATUSES:
+                logger.warning(f"Skipping {cve_id}: unrecognized status '{status}'")


Suggested change

logger.warning(f"Skipping {cve_id}: unrecognized status '{status}'")

self.log(f"Skipping {cve_id}: unrecognized status '{status}'")

ziadhany · Feb 2, 2026

vulnerabilities/pipelines/v2_importers/tuxcare_importer.py

+            status = record.get("status", "").strip()
+
+            if not all([os_name, project_name, version, status]):
+                logger.warning(f"Skipping {cve_id}: missing required fields")


Suggested change

logger.warning(f"Skipping {cve_id}: missing required fields")

self.log(f"Skipping {cve_id}: missing required fields")

ziadhany self-requested a review January 5, 2026 10:22

ziadhany requested changes Jan 7, 2026

View reviewed changes

Samk1710 requested a review from ziadhany January 7, 2026 21:18

ziadhany reviewed Jan 8, 2026

View reviewed changes

vulnerabilities/pipelines/v2_importers/tuxcare_importer.py Outdated Show resolved Hide resolved

Samk1710 requested a review from ziadhany January 10, 2026 00:03

ziadhany requested changes Jan 12, 2026

View reviewed changes

vulnerabilities/pipelines/v2_importers/tuxcare_importer.py Outdated Show resolved Hide resolved

Samk1710 requested a review from ziadhany January 12, 2026 14:23

ziadhany requested changes Jan 16, 2026

View reviewed changes

Samk1710 requested a review from ziadhany January 22, 2026 18:03

ziadhany reviewed Jan 26, 2026

View reviewed changes

Samk1710 requested a review from ziadhany January 26, 2026 19:45

Samk1710 added 8 commits January 27, 2026 21:46

Add V2 Importer for Tuxcare

9244782

Signed-off-by: Sampurna Pyne <sampurnapyne1710@gmail.com>

Refactor as per review

84c3f40

Signed-off-by: Sampurna Pyne <sampurnapyne1710@gmail.com>

Refactor to PURL qualifier

0c54f35

Signed-off-by: Sampurna Pyne <sampurnapyne1710@gmail.com>

Codestyle fix

1b3f4f4

Signed-off-by: Sampurna Pyne <sampurnapyne1710@gmail.com>

Refactor PURL and fix type-hinting

8134ec4

Signed-off-by: Sampurna Pyne <sampurnapyne1710@gmail.com>

Fix import ordering

27d102d

Signed-off-by: Sampurna Pyne <sampurnapyne1710@gmail.com>

Refactor PURL and status handling

c6a87b7

Signed-off-by: Sampurna Pyne <sampurnapyne1710@gmail.com>

Implement impact packages and specific version with univers

7d47d46

Signed-off-by: Sampurna Pyne <sampurnapyne1710@gmail.com>

Samk1710 force-pushed the add-tuxcare-importer branch from 0f27746 to 7d47d46 Compare January 27, 2026 16:24

Merge branch 'main' into add-tuxcare-importer

e4e1684

ziadhany requested changes Feb 2, 2026

View reviewed changes

	logger.warning(f"Skipping invalid CVE ID: {cve_id}")
	self.log(f"Skipping invalid CVE ID: {cve_id}")

	logger.warning(f"Skipping {cve_id}: unrecognized status '{status}'")
	self.log(f"Skipping {cve_id}: unrecognized status '{status}'")

	logger.warning(f"Skipping {cve_id}: missing required fields")
	self.log(f"Skipping {cve_id}: missing required fields")

Search code, repositories, users, issues, pull requests...

Uh oh!

Add V2 Importer for Tuxcare advisories #2104

Are you sure you want to change the base?

Add V2 Importer for Tuxcare advisories #2104

Conversation

Samk1710 commented Jan 4, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

ziadhany left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Samk1710 commented Jan 7, 2026

Uh oh!

Uh oh!

ziadhany commented Jan 8, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Samk1710 commented Jan 10, 2026

Uh oh!

Uh oh!

Samk1710 commented Jan 12, 2026

Uh oh!

Samk1710 commented Jan 13, 2026

Uh oh!

ziadhany left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Samk1710 commented Jan 21, 2026

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Samk1710 commented Jan 26, 2026

Uh oh!

ziadhany left a comment

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Samk1710 commented Jan 4, 2026 •

edited

Loading

ziadhany commented Jan 8, 2026 •

edited

Loading