Skip to content

ROX-34928: Wire CISA KEV exploit data through converters#21751

Draft
ajheflin wants to merge 2 commits into
rox-34928/proto-changesfrom
rox-34928/converter-wiring
Draft

ROX-34928: Wire CISA KEV exploit data through converters#21751
ajheflin wants to merge 2 commits into
rox-34928/proto-changesfrom
rox-34928/converter-wiring

Conversation

@ajheflin

Copy link
Copy Markdown
Contributor

Description

Wire CISA KEV exploit data from Scanner V4 through Central's converter layers. PR 2/3 in a stack.

  • Add exploit() converter function in pkg/scanners/scannerv4/convert.go (maps CISAExploitstorage.Exploit, intentionally omits catalog_version)
  • Add cisaKevExploit()/cisaKevEnabled() feature-flag-gated helpers
  • Wire into buildEmbeddedVulnerability() and mergeScoringFields()
  • Propagate exploit field in central/cve/converter/utils/ (both v1 and v2 converter paths)
  • Add unit tests for the exploit converter and update existing round-trip tests

Follows the EPSS pattern exactly. Gated behind ROX_CISA_KEV feature flag.

Stack: [Proto changes] → 2/3 — Converter wiring → [Reporting + GraphQL]

Depends on: #21750

User-facing documentation

Testing and quality

  • the change is production ready: the change is GA, or otherwise the functionality is gated by a feature flag
  • CI results are inspected

Automated testing

  • added unit tests
  • modified existing tests

How I validated my change

  • TestExploit — 3 cases: full data, known ransomware, nil input
  • TestImageCVEV2ToEmbeddedCVEs / TestEmbeddedCVEToImageCVEV2 — updated round-trip tests with exploit data
  • All tests pass: go test ./pkg/scanners/scannerv4/ ./central/cve/converter/utils/ -count=1

ajheflin added 2 commits July 14, 2026 15:21
Wire Scanner V4 CISAExploit data into storage.Exploit and the cisa_kev
boolean in buildEmbeddedVulnerability and mergeScoringFields. Gated
behind the ROX_CISA_KEV feature flag. catalog_version is intentionally
not stored — it is scanner metadata.

Partially generated by AI.
Add exploit field propagation in both directions between
EmbeddedVulnerability and ImageCVE/ImageCVEV2, following the EPSS
pattern.

Partially generated by AI.
@openshift-ci

openshift-ci Bot commented Jul 14, 2026

Copy link
Copy Markdown

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@github-actions

Copy link
Copy Markdown
Contributor

🚀 Build Images Ready

Images are ready for commit 11d5bc8. To use with deploy scripts:

export MAIN_IMAGE_TAG=4.12.x-495-g11d5bc8b4f

1 similar comment
@github-actions

Copy link
Copy Markdown
Contributor

🚀 Build Images Ready

Images are ready for commit 11d5bc8. To use with deploy scripts:

export MAIN_IMAGE_TAG=4.12.x-495-g11d5bc8b4f

@ajheflin

Copy link
Copy Markdown
Contributor Author

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant