fleet/cmd/osv-processor/transforms.go

package main

// transformVuln applies transformations and filters to OSV vulnerability data.
func transformVuln(packageName, cveID string, vuln *ProcessedVuln) (packages []string, modifiedVuln *ProcessedVuln) {
	// To completely ignore a CVE definition return nil
	// if cveID == "CVE-YYYY-XXXXX" {
	//     return nil, nil
	// }

	// Default: include the original package
	packages = []string{packageName}

	// Package expansion rules: Add related packages that should also get this CVE

	// Emacs CVEs (CVE-2024-39331, CVE-2024-53920, CVE-2025-1244, etc.)
	// Emacs vulnerabilities are in the Emacs Lisp runtime/interpreter shared across all packages.
	if packageName == "emacs" {
		packages = append(packages, "emacs-common", "emacs-el")
	}

	// CVE-specific modifications: modify vulnerability details for specific CVEs
	// if cveID == "CVE-YYYY-XXXXX" {
	//     modified := *vuln // Copy the vulnerability
	//     modified.Fixed = "corrected-version"
	//     return packages, &modified
	// }

	// If the vulnerability requires no modifications return original
	return packages, nil
}
OSV artifact generation for use in vulnerabilities repository (#42203) Related issue: Resolves #41571 Full Artifacts: Ubuntu 14.04: 901 KB Ubuntu 16.04: 2.0 MB Ubuntu 18.04: 4.3 MB Ubuntu 20.04: 5.9 MB Ubuntu 22.04: 5.6 MB Ubuntu 24.04: 1.7 MB Ubuntu 24.10: 4.4 KB Ubuntu 25.04: 6.0 KB Ubuntu 25.10: 207 KB Total Size: All artifacts (full + deltas): 31 MB (was 54 MB) Full artifacts only: ~20 MB (was ~27 MB) Delta artifacts: ~11 MB (was ~27 MB) ## Testing - [x] Added/updated automated tests - [x] QA'd all new/changed functionality manually <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * New Features * Added a vulnerability data processor that scans OSV JSON inputs, aggregates per-Ubuntu-version artifacts, supports inclusive/exclusive version filters, and can emit optional “today”/“yesterday” delta artifacts. * Added a repository sync-and-change-detection tool that generates de-duplicated lists of CVE-related files changed today and yesterday. * Processor expands certain package names (e.g., emacs) into additional package entries for broader coverage. <!-- end of auto-generated comment: release notes by coderabbit.ai --> 2026-03-25 18:02:26 +00:00			`package main`

			`// transformVuln applies transformations and filters to OSV vulnerability data.`
			`func transformVuln(packageName, cveID string, vuln ProcessedVuln) (packages []string, modifiedVuln ProcessedVuln) {`
			`// To completely ignore a CVE definition return nil`
			`// if cveID == "CVE-YYYY-XXXXX" {`
			`// return nil, nil`
			`// }`

			`// Default: include the original package`
			`packages = []string{packageName}`

			`// Package expansion rules: Add related packages that should also get this CVE`

			`// Emacs CVEs (CVE-2024-39331, CVE-2024-53920, CVE-2025-1244, etc.)`
			`// Emacs vulnerabilities are in the Emacs Lisp runtime/interpreter shared across all packages.`
			`if packageName == "emacs" {`
			`packages = append(packages, "emacs-common", "emacs-el")`
			`}`

			`// CVE-specific modifications: modify vulnerability details for specific CVEs`
			`// if cveID == "CVE-YYYY-XXXXX" {`
			`// modified := *vuln // Copy the vulnerability`
			`// modified.Fixed = "corrected-version"`
			`// return packages, &modified`
			`// }`

			`// If the vulnerability requires no modifications return original`
			`return packages, nil`
			`}`