feat: add check-advisories to check BRSA fields

Signed-off-by: Piyush Jena <[email protected]>

Author: piyush-jena

Cargo.lock

@@ -21,6 +21,7 @@ members = [
     "tools/testsys-config",
     "tools/unplug",
     "tools/update-metadata",
+    "tools/advisory-parser",
 
     "twoliter",
     "twoliter/src/tool-crates/*",
@@ -54,6 +55,7 @@ pre-build = [
 ]
 
 [workspace.dependencies]
+advisory-parser = { version = "0.1", path = "tools/advisory-parser", artifact = [ "bin:advisory-parser" ] }
 amispec = { version = "0.1", path = "tools/amispec" }
 bottlerocket-types = { version = "0.0.16", git = "https://github.com/bottlerocket-os/bottlerocket-test-system", tag = "v0.0.16" }
 bottlerocket-variant = { version = "0.1", path = "tools/bottlerocket-variant" }
@@ -76,6 +78,7 @@ testsys-config = { version = "0.1", path = "tools/testsys-config" }
 testsys-model = { version = "0.0.16", git = "https://github.com/bottlerocket-os/bottlerocket-test-system", tag = "v0.0.16" }
 
 twoliter = { version = "0.13.0", path = "twoliter", artifact = [ "bin:twoliter" ] }
+twoliter-tool-advisory-parser = { version = "0.1", path = "twoliter/src/tool-crates/advisory-parser" }
 twoliter-tool-buildsys = { version = "0.1", path = "twoliter/src/tool-crates/buildsys" }
 twoliter-tool-embedded-bundle = { version = "0.1", path = "twoliter/src/tool-crates/embedded-bundle" }
 twoliter-tool-pipesys = { version = "0.1", path = "twoliter/src/tool-crates/pipesys" }

Cargo.toml

@@ -0,0 +1,14 @@
+[package]
+name = "advisory-parser"
+version = "0.1.0"
+edition = "2021"
+license = "Apache-2.0 OR MIT"
+
+[dependencies]
+regex = "1"
+serde = { workspace = true, features = ["derive"] }
+snafu.workspace = true
+toml.workspace = true
+
+[lints]
+workspace = true

tools/advisory-parser/Cargo.toml

@@ -0,0 +1,256 @@
+//! Advisory Parser parses Bottlerocket Security Advisory TOML files in bottlerocket kits
+//! and outputs the package metadata in a pipe-separated format. This tool is used by rpm2kit
+//! to validate the BRSA fields and the corresponding rpm included in the kit is higher than
+//! the expected version.
+
+mod models;
+
+use models::Advisory;
+use snafu::{ensure, ResultExt};
+use std::path::PathBuf;
+use std::{env, fs, process};
+
+fn run() -> Result<()> {
+    let args: Vec<String> = env::args().collect();
+    ensure!(args.len() == 2, error::UsageSnafu { program: &args[0] });
+
+    let path = PathBuf::from(&args[1]);
+    let content = fs::read_to_string(&path).context(error::ReadFileSnafu { path: &path })?;
+    let advisory: Advisory =
+        toml::from_str(&content).context(error::ParseAdvisorySnafu { path: &path })?;
+
+    // Output product information in pipe-separated format to be parsed in the script in rpm2kit
+    for product in advisory.advisory.products {
+        println!(
+            "{}|{}|{}",
+            product.package_name, product.patched_version, product.patched_epoch
+        );
+    }
+
+    Ok(())
+}
+
+fn main() {
+    if let Err(e) = run() {
+        eprintln!("{e}");
+        process::exit(1);
+    }
+}
+
+// =^..^=   =^..^=   =^..^=   =^..^=   =^..^=   =^..^=   =^..^=   =^..^=   =^..^=   =^..^=   =^..^=
+
+mod error {
+    use snafu::Snafu;
+    use std::path::PathBuf;
+
+    #[derive(Debug, Snafu)]
+    #[snafu(visibility(pub(super)))]
+    pub(super) enum Error {
+        #[snafu(display("Usage: {} <advisory-file>", program))]
+        Usage { program: String },
+
+        #[snafu(display("Failed to read '{}': {}", path.display(), source))]
+        ReadFile {
+            path: PathBuf,
+            source: std::io::Error,
+        },
+
+        #[snafu(display("Failed to parse advisory '{}': {}", path.display(), source))]
+        ParseAdvisory {
+            path: PathBuf,
+            source: toml::de::Error,
+        },
+    }
+}
+
+type Result<T> = std::result::Result<T, error::Error>;
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn test_valid_cve_formats() {
+        let valid_cves = vec![
+            "CVE-2024-0001",
+            "CVE-2024-1234",
+            "CVE-2024-12345",
+            "CVE-2025-472688",
+            "CVE-1999-0001",
+        ];
+
+        for cve in valid_cves {
+            let toml = format!(
+                r#"
+[advisory]
+id = "TEST-001"
+title = "Test Advisory"
+severity = "high"
+description = "Test description"
+cve = "{}"
+[[advisory.products]]
+package-name = "test"
+patched-version = "1.0"
+"#,
+                cve
+            );
+            assert!(
+                toml::from_str::<Advisory>(&toml).is_ok(),
+                "Failed to parse valid CVE: {}",
+                cve
+            );
+        }
+    }
+
+    #[test]
+    fn test_invalid_cve_formats() {
+        let invalid_cves = vec![
+            "CVE-2024-001",        // Too few digits
+            "CVE-2024-INVALID",    // Non-numeric
+            "CVE-24-1234",         // Year too short
+            "CVE-2024-0",          // Too few digits
+            "CVE–2024–1234",       // non-ascii characters
+            "CVE—2024—1234",       // non-ascii characters
+            "GHSA-xxxx-xxxx-xxxx", // Wrong format
+        ];
+
+        for cve in invalid_cves {
+            let toml = format!(
+                r#"
+[advisory]
+id = "TEST-001"
+title = "Test Advisory"
+severity = "high"
+description = "Test description"
+cve = "{}"
+[[advisory.products]]
+package-name = "test"
+patched-version = "1.0"
+"#,
+                cve
+            );
+            assert!(
+                toml::from_str::<Advisory>(&toml).is_err(),
+                "Should reject invalid CVE: {}",
+                cve
+            );
+        }
+    }
+
+    #[test]
+    fn test_valid_ghsa_formats() {
+        let valid_ghsas = vec![
+            "GHSA-23fg-6c23-wxrv",
+            "GHSA-2222-3333-4444",
+            "GHSA-cfgh-jmpq-rvwx",
+        ];
+
+        for ghsa in valid_ghsas {
+            let toml = format!(
+                r#"
+[advisory]
+id = "TEST-001"
+title = "Test Advisory"
+severity = "high"
+description = "Test description"
+ghsa = "{}"
+[[advisory.products]]
+package-name = "test"
+patched-version = "1.0"
+"#,
+                ghsa
+            );
+            assert!(
+                toml::from_str::<Advisory>(&toml).is_ok(),
+                "Failed to parse valid GHSA: {}",
+                ghsa
+            );
+        }
+    }
+
+    #[test]
+    fn test_invalid_ghsa_formats() {
+        let invalid_ghsas = vec![
+            "GHSA-xxxx-yyyy-zzzz",    // Invalid characters
+            "GHSA-123-456-789",       // Too short
+            "GHSA-12345-67890-12345", // Too long
+            "CVE-2024-1234",          // Wrong format
+        ];
+
+        for ghsa in invalid_ghsas {
+            let toml = format!(
+                r#"
+[advisory]
+id = "TEST-001"
+title = "Test Advisory"
+severity = "high"
+description = "Test description"
+ghsa = "{}"
+[[advisory.products]]
+package-name = "test"
+patched-version = "1.0"
+"#,
+                ghsa
+            );
+            assert!(
+                toml::from_str::<Advisory>(&toml).is_err(),
+                "Should reject invalid GHSA: {}",
+                ghsa
+            );
+        }
+    }
+
+    #[test]
+    fn test_complete_advisory() {
+        let toml = r#"
+[advisory]
+id = "BRSA-test123"
+title = "Test Advisory"
+cve = "CVE-2025-12345"
+ghsa = "GHSA-23fg-6c23-wxrv"
+severity = "high"
+description = "Test description"
+
+[[advisory.products]]
+package-name = "test-package"
+patched-version = "1.2.3"
+patched-epoch = "1"
+
+[[advisory.products]]
+package-name = "another-package"
+patched-version = "2.0.0"
+"#;
+
+        let advisory: Advisory = toml::from_str(toml).expect("Failed to parse complete advisory");
+        assert_eq!(advisory.advisory.id, "BRSA-test123");
+        assert_eq!(advisory.advisory.cve, Some("CVE-2025-12345".to_string()));
+        assert_eq!(
+            advisory.advisory.ghsa,
+            Some("GHSA-23fg-6c23-wxrv".to_string())
+        );
+        assert_eq!(advisory.advisory.products.len(), 2);
+        assert_eq!(advisory.advisory.products[0].package_name, "test-package");
+        assert_eq!(advisory.advisory.products[0].patched_epoch, "1");
+        assert_eq!(advisory.advisory.products[1].patched_epoch, "0");
+    }
+
+    #[test]
+    fn test_missing_cve_and_ghsa() {
+        let toml = r#"
+[advisory]
+id = "TEST-001"
+title = "Test Advisory"
+severity = "high"
+description = "Test description"
+[[advisory.products]]
+package-name = "test"
+patched-version = "1.0"
+"#;
+
+        let result = toml::from_str::<Advisory>(toml);
+        assert!(
+            result.is_err(),
+            "Should reject advisory without CVE or GHSA"
+        );
+    }
+}