fleet/cmd/osv-processor/sync-and-detect-changes.sh

#!/usr/bin/env bash
# Sync Canonical OSV repository using shallow clone with rolling window
# Usage: ./sync-and-detect-changes.sh
#
# Outputs:
#   - Creates/updates ubuntu-security-notices directory (shallow clone)
#   - changed_files_today.txt and changed_files_yesterday.txt
#
# Exit codes:
#   0: Success
#   1: Error occurred

set -euo pipefail

# Configuration
REPO_URL="https://github.com/canonical/ubuntu-security-notices.git"
REPO_DIR="ubuntu-security-notices"
DAYS_TO_KEEP=3 # how much git history to keep

echo "=== OSV Repository Sync ==="
echo ""

if [ -d "$REPO_DIR/.git" ]; then
    echo "Repository exists, updating with rolling window..."
    cd "$REPO_DIR"

    git config core.sparseCheckout true
    echo "osv/" > .git/info/sparse-checkout

    OLD_SHA=$(git rev-parse HEAD)
    OLD_COUNT=$(git log --oneline | wc -l | xargs)

    git fetch --update-shallow --shallow-since="${DAYS_TO_KEEP} days ago" origin main

    NEW_SHA=$(git rev-parse origin/main)

    echo ""
    if [ "$OLD_SHA" = "$NEW_SHA" ]; then
        echo "No new commits (already at $NEW_SHA)"
    else
        echo "Updating: $OLD_SHA -> $NEW_SHA"
        git reset --hard origin/main
    fi

    NEW_COUNT=$(git log --oneline | wc -l | xargs)
    echo "History: $OLD_COUNT commits -> $NEW_COUNT commits"

    cd ..
else
    echo "Cloning repository (shallow since ${DAYS_TO_KEEP} days ago)..."

    mkdir -p "$REPO_DIR"
    cd "$REPO_DIR"
    git init --initial-branch=main
    git remote add origin "$REPO_URL"

    git config core.sparseCheckout true
    echo "osv/" > .git/info/sparse-checkout

    git fetch --shallow-since="${DAYS_TO_KEEP} days ago" origin main
    git checkout -b main --track origin/main

    COMMIT_SHA=$(git rev-parse HEAD)
    COMMIT_COUNT=$(git log --oneline | wc -l | xargs)
    cd ..

    echo ""
    echo "Cloned at: $COMMIT_SHA"
fi

cd "$REPO_DIR"

# Get files changed today (since midnight UTC today)
TODAY_UTC=$(date -u +%Y-%m-%d)
git log --since="${TODAY_UTC}T00:00:00Z" --name-only --pretty="" -- osv/cve \
    | sed '/^$/d' | sort -u > "../changed_files_today.txt"

# Get files changed yesterday (from midnight yesterday to midnight today UTC)
YESTERDAY_UTC=$(date -u -v-1d +%Y-%m-%d 2>/dev/null || date -u -d "yesterday" +%Y-%m-%d)
git log --since="${YESTERDAY_UTC}T00:00:00Z" --until="${TODAY_UTC}T00:00:00Z" --name-only --pretty="" -- osv/cve \
    | sed '/^$/d' | sort -u > "../changed_files_yesterday.txt"

TODAY_COUNT=$(wc -l < "../changed_files_today.txt" | xargs)
YESTERDAY_COUNT=$(wc -l < "../changed_files_yesterday.txt" | xargs)
cd ..

echo "Today: $TODAY_COUNT CVE files changed"
echo "Yesterday: $YESTERDAY_COUNT CVE files changed"

echo ""
echo "Sync Complete"
cd "$REPO_DIR"
FINAL_SHA=$(git rev-parse HEAD)
FINAL_COUNT=$(git log --oneline | wc -l | xargs)
cd ..

du -sh "$REPO_DIR" | awk '{print "Size: " $1}'
echo "REPO_SHA=$FINAL_SHA"
echo "REPO_COMMITS=$FINAL_COUNT"
echo "OSV_DIR=$REPO_DIR/osv/cve"
echo "CHANGED_FILES_TODAY=changed_files_today.txt"
echo "CHANGED_FILES_YESTERDAY=changed_files_yesterday.txt"
echo "TODAY_COUNT=$TODAY_COUNT"
echo "YESTERDAY_COUNT=$YESTERDAY_COUNT"

exit 0
OSV artifact generation for use in vulnerabilities repository (#42203) Related issue: Resolves #41571 Full Artifacts: Ubuntu 14.04: 901 KB Ubuntu 16.04: 2.0 MB Ubuntu 18.04: 4.3 MB Ubuntu 20.04: 5.9 MB Ubuntu 22.04: 5.6 MB Ubuntu 24.04: 1.7 MB Ubuntu 24.10: 4.4 KB Ubuntu 25.04: 6.0 KB Ubuntu 25.10: 207 KB Total Size: All artifacts (full + deltas): 31 MB (was 54 MB) Full artifacts only: ~20 MB (was ~27 MB) Delta artifacts: ~11 MB (was ~27 MB) ## Testing - [x] Added/updated automated tests - [x] QA'd all new/changed functionality manually <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * New Features * Added a vulnerability data processor that scans OSV JSON inputs, aggregates per-Ubuntu-version artifacts, supports inclusive/exclusive version filters, and can emit optional “today”/“yesterday” delta artifacts. * Added a repository sync-and-change-detection tool that generates de-duplicated lists of CVE-related files changed today and yesterday. * Processor expands certain package names (e.g., emacs) into additional package entries for broader coverage. <!-- end of auto-generated comment: release notes by coderabbit.ai --> 2026-03-25 18:02:26 +00:00			`#!/usr/bin/env bash`
			`# Sync Canonical OSV repository using shallow clone with rolling window`
			`# Usage: ./sync-and-detect-changes.sh`
			`#`
			`# Outputs:`
			`# - Creates/updates ubuntu-security-notices directory (shallow clone)`
			`# - changed_files_today.txt and changed_files_yesterday.txt`
			`#`
			`# Exit codes:`
			`# 0: Success`
			`# 1: Error occurred`

			`set -euo pipefail`

			`# Configuration`
			`REPO_URL="https://github.com/canonical/ubuntu-security-notices.git"`
			`REPO_DIR="ubuntu-security-notices"`
			`DAYS_TO_KEEP=3 # how much git history to keep`

			`echo "=== OSV Repository Sync ==="`
			`echo ""`

			`if [ -d "$REPO_DIR/.git" ]; then`
			`echo "Repository exists, updating with rolling window..."`
			`cd "$REPO_DIR"`

			`git config core.sparseCheckout true`
			`echo "osv/" > .git/info/sparse-checkout`

			`OLD_SHA=$(git rev-parse HEAD)`
			`OLD_COUNT=$(git log --oneline \| wc -l \| xargs)`

			`git fetch --update-shallow --shallow-since="${DAYS_TO_KEEP} days ago" origin main`

			`NEW_SHA=$(git rev-parse origin/main)`

			`echo ""`
			`if [ "$OLD_SHA" = "$NEW_SHA" ]; then`
			`echo "No new commits (already at $NEW_SHA)"`
			`else`
			`echo "Updating: $OLD_SHA -> $NEW_SHA"`
			`git reset --hard origin/main`
			`fi`

			`NEW_COUNT=$(git log --oneline \| wc -l \| xargs)`
			`echo "History: $OLD_COUNT commits -> $NEW_COUNT commits"`

			`cd ..`
			`else`
			`echo "Cloning repository (shallow since ${DAYS_TO_KEEP} days ago)..."`

			`mkdir -p "$REPO_DIR"`
			`cd "$REPO_DIR"`
			`git init --initial-branch=main`
			`git remote add origin "$REPO_URL"`

			`git config core.sparseCheckout true`
			`echo "osv/" > .git/info/sparse-checkout`

			`git fetch --shallow-since="${DAYS_TO_KEEP} days ago" origin main`
			`git checkout -b main --track origin/main`

			`COMMIT_SHA=$(git rev-parse HEAD)`
			`COMMIT_COUNT=$(git log --oneline \| wc -l \| xargs)`
			`cd ..`

			`echo ""`
			`echo "Cloned at: $COMMIT_SHA"`
			`fi`

			`cd "$REPO_DIR"`

			`# Get files changed today (since midnight UTC today)`
			`TODAY_UTC=$(date -u +%Y-%m-%d)`
			`git log --since="${TODAY_UTC}T00:00:00Z" --name-only --pretty="" -- osv/cve \`
			`\| sed '/^$/d' \| sort -u > "../changed_files_today.txt"`

			`# Get files changed yesterday (from midnight yesterday to midnight today UTC)`
			`YESTERDAY_UTC=$(date -u -v-1d +%Y-%m-%d 2>/dev/null \|\| date -u -d "yesterday" +%Y-%m-%d)`
			`git log --since="${YESTERDAY_UTC}T00:00:00Z" --until="${TODAY_UTC}T00:00:00Z" --name-only --pretty="" -- osv/cve \`
			`\| sed '/^$/d' \| sort -u > "../changed_files_yesterday.txt"`

			`TODAY_COUNT=$(wc -l < "../changed_files_today.txt" \| xargs)`
			`YESTERDAY_COUNT=$(wc -l < "../changed_files_yesterday.txt" \| xargs)`
			`cd ..`

			`echo "Today: $TODAY_COUNT CVE files changed"`
			`echo "Yesterday: $YESTERDAY_COUNT CVE files changed"`

			`echo ""`
			`echo "Sync Complete"`
			`cd "$REPO_DIR"`
			`FINAL_SHA=$(git rev-parse HEAD)`
			`FINAL_COUNT=$(git log --oneline \| wc -l \| xargs)`
			`cd ..`

			`du -sh "$REPO_DIR" \| awk '{print "Size: " $1}'`
			`echo "REPO_SHA=$FINAL_SHA"`
			`echo "REPO_COMMITS=$FINAL_COUNT"`
			`echo "OSV_DIR=$REPO_DIR/osv/cve"`
			`echo "CHANGED_FILES_TODAY=changed_files_today.txt"`
			`echo "CHANGED_FILES_YESTERDAY=changed_files_yesterday.txt"`
			`echo "TODAY_COUNT=$TODAY_COUNT"`
			`echo "YESTERDAY_COUNT=$YESTERDAY_COUNT"`

			`exit 0`