ci(extract,db): add fortinet-cvrf + fortinet-csaf#187
Merged
Conversation
…nted) Add the two new Fortinet extractors to the DB build, both rooted on the FG-IR PSIRT advisory: - db-nightly.mk: enable fortinet-cvrf and fortinet-csaf so the nightly DB carries Fortinet detection criteria. - db-main.mk: add them commented out — keep the production main (:0/:latest) DB unchanged until vuls is ready to consume them. Required for vuls's Fortinet CPE detection once it routes Fortinet through vuls2 (future-architect/vuls#2591). Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
Contributor
There was a problem hiding this comment.
Pull request overview
This PR updates the DB build inputs to include two new Fortinet extracted data sources (fortinet-cvrf and fortinet-csaf), enabling them for the nightly DB build while keeping the main (production) DB build unchanged by leaving the entries commented out.
Changes:
- Enable
vuls-data-extracted-fortinet-cvrfandvuls-data-extracted-fortinet-csafindb-nightly.mk. - Add the same Fortinet DB-add lines to
db-main.mk, but commented out to avoid affecting:0/:latest.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| db-nightly.mk | Adds Fortinet extracted repos to the nightly DB build inputs. |
| db-main.mk | Adds (commented) Fortinet extracted repos to main DB build inputs for future enablement. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
…ore/truncate The db-add lines alone are not enough — a new extracted source must also be listed in the surrounding CI workflows (mirrors the paloalto wiring in #182). The raw side (fetch-fortinet-csaf/cvrf, raw backup/gc/archive/restore) was already wired, so this only adds the extract/extracted side: - extract-all.yml / extract-main.yml: uncomment fortinet-csaf and fortinet-cvrf (fortinet-handmade stays commented). - backup-daily/monthly/weekly.yml, gc.yml, restore-all.yml, truncate.yml: add vuls-data-extracted-fortinet-csaf / -cvrf to the extracted matrices. - gc-extracted.yml: add the two extracted tags with the standard pack settings. - truncate-extracted.yml: add the bare fortinet-csaf / fortinet-cvrf names. Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
archive-raw.yml listed fortinet-csaf and fortinet-cvrf but not the bare "fortinet" raw source, which every other raw workflow (archive, gc, gc-raw, backup-*, restore-all) already includes. Add it for consistency. Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
Match the csaf-then-cvrf ordering used by the workflow / backup / gc / truncate lists in this PR (and alphabetical), so the db-add lists stay easy to diff and keep in sync. Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Add the two new Fortinet extractors —
fortinet-cvrfandfortinet-csaf— to the DB build, both rooted on the FG-IR PSIRT advisory.db-nightly.mk: enabled (active) so the nightly DB carries Fortinet detection criteria.db-main.mk: added commented out — the production main (:0/:latest) DB stays unchanged for now.Why
vuls is migrating Fortinet CPE detection from go-cve-dictionary to the vuls2 path (future-architect/vuls#2591), which reads this DB. Mirrors the Cisco (#184) / Palo Alto enablement.
Note
Dependencies, before this can build / be un-commented:
fortinet-csafand thefortinet-*cpecriterionRangeTypes come from it. The DB builder's vuls2 / vuls-data-update must support these range types (same constraint thepan-osrange introduced), otherwisedb addfails to unmarshal Fortinet ranges.vuls-data-extracted-fortinet-csaf/-cvrfartifacts must be populated for the build'sBRANCH.db-main.mklines until feat(detector): route Fortinet to vuls2 future-architect/vuls#2591 is merged & released, or:0/:latestconsumers on an older vuls2 will fail to read the Fortinet ranges.Kept as a draft until the above are in place.