feat(vulnfeeds): write CVEs that are only Debian without package info for migration (#3985)

So that users aren't shocked by a missing CVE file when the Debian
decoupling happens, keep writing out the CVEs but not the pkgInfo
information for Debian

Author: jess-lowe

vulnfeeds/cmd/combine-to-osv/main.go

@@ -24,6 +24,7 @@ const (
 	defaultCVEListPath    = "."
 
 	alpineEcosystem          = "Alpine"
+	debianEcosystem          = "Debian"
 	alpineSecurityTrackerURL = "https://security.alpinelinux.org/vuln"
 )
 
@@ -166,6 +167,10 @@ func combineIntoOSV(loadedCves map[cves.CVEID]cves.Vulnerability, allParts map[c
 
 		addedAlpineURL := false
 		for _, pkgInfo := range allParts[cveID] {
+			// skip debian parts, but still write out the CVEs.
+			if strings.HasPrefix(pkgInfo.Ecosystem, debianEcosystem) {
+				continue
+			}
 			convertedCve.AddPkgInfo(pkgInfo)
 			if strings.HasPrefix(pkgInfo.Ecosystem, alpineEcosystem) && !addedAlpineURL {
 				addReference(string(cveID), alpineEcosystem, convertedCve)

vulnfeeds/cmd/combine-to-osv/main_test.go

@@ -38,7 +38,7 @@ func loadTestData2(cveName string) cves.Vulnerability {
 
 func TestLoadParts(t *testing.T) {
 	allParts, _ := loadParts("../../test_data/parts")
-	expectedPartCount := 15
+	expectedPartCount := 14
 	actualPartCount := len(allParts)
 
 	if actualPartCount != expectedPartCount {
@@ -86,15 +86,14 @@ func TestLoadParts(t *testing.T) {
 
 func TestCombineIntoOSV(t *testing.T) {
 	cveStuff := map[cves.CVEID]cves.Vulnerability{
-		"CVE-2022-33745":   loadTestData2("CVE-2022-33745"),
-		"CVE-2022-32746":   loadTestData2("CVE-2022-32746"),
-		"CVE-2018-1000500": loadTestData2("CVE-2018-1000500"),
+		"CVE-2022-33745": loadTestData2("CVE-2022-33745"),
+		"CVE-2022-32746": loadTestData2("CVE-2022-32746"),
 	}
 	allParts, cveModifiedTime := loadParts("../../test_data/parts")
 
 	combinedOSV := combineIntoOSV(cveStuff, allParts, "", cveModifiedTime)
 
-	expectedCombined := 3
+	expectedCombined := 2
 	actualCombined := len(combinedOSV)
 
 	if actualCombined != expectedCombined {
@@ -107,13 +106,6 @@ func TestCombineIntoOSV(t *testing.T) {
 
 		found := false
 		switch cve {
-		case "CVE-2018-1000500":
-			for _, reference := range combinedOSV[cve].References {
-				if reference.Type == "ADVISORY" &&
-					reference.URL == "https://security-tracker.debian.org/tracker/CVE-2018-1000500" {
-					t.Errorf("Found unexpected Debian advisory URL for %s", cve)
-				}
-			}
 		case "CVE-2022-33745":
 			for _, reference := range combinedOSV[cve].References {
 				if reference.Type == "ADVISORY" &&
@@ -129,7 +121,7 @@ func TestCombineIntoOSV(t *testing.T) {
 				}
 			}
 		}
-		if !found && cve != "CVE-2018-1000500" {
+		if !found {
 			t.Errorf("%s doesn't have all expected references", cve)
 		}
 	}