feat(cron): dockerfile and cron job for CVEList conversion (#3906)

jess-lowe · web-flow · commit d0c40c2edba8 · 2025-09-11T12:13:22.000+10:00
merge this after #3905
diff --git a/deployment/build-and-stage.yaml b/deployment/build-and-stage.yaml
@@ -180,6 +180,20 @@ steps:
   args: ['push', '--all-tags', 'gcr.io/oss-vdb/combine-to-osv']
   waitFor: ['build-combine-to-osv', 'cloud-build-queue']
 
+- name: 'gcr.io/cloud-builders/docker'
+  entrypoint: 'bash'
+  args: ['-c', 'docker pull gcr.io/oss-vdb/cve5-to-osv:latest || exit 0']
+  id: 'pull-cve5-to-osv'
+  waitFor: ['setup']
+- name: gcr.io/cloud-builders/docker
+  args: ['build', '-t', 'gcr.io/oss-vdb/cve5-to-osv:latest', '-t', 'gcr.io/oss-vdb/cve5-to-osv:$COMMIT_SHA', '-f', 'cmd/cve-bulk-converter/Dockerfile', '--cache-from', 'gcr.io/oss-vdb/cve5-to-osv:latest', '--pull', '.']
+  dir: 'vulnfeeds'
+  id: 'build-cve5-to-osv'
+  waitFor: ['pull-cve5-to-osv']
+- name: gcr.io/cloud-builders/docker
+  args: ['push', '--all-tags', 'gcr.io/oss-vdb/cve5-to-osv']
+  waitFor: ['build-cve5-to-osv', 'cloud-build-queue']
+
 # Build/push indexer image
 - name: 'gcr.io/cloud-builders/docker'
   entrypoint: 'bash'
@@ -301,7 +315,8 @@ steps:
      cpe-repo-gen=gcr.io/oss-vdb/cpe-repo-gen:$COMMIT_SHA,\
      nvd-cve-osv=gcr.io/oss-vdb/nvd-cve-osv:$COMMIT_SHA,\
      nvd-mirror=gcr.io/oss-vdb/nvd-mirror:$COMMIT_SHA,\
-     recoverer=gcr.io/oss-vdb/recoverer:$COMMIT_SHA"
+     recoverer=gcr.io/oss-vdb/recoverer:$COMMIT_SHA,\
+     cve5-to-osv=gcr.io/oss-vdb/cve5-to-osv:$COMMIT_SHA"
   ]
   dir: deployment/clouddeploy/gke-workers
 
@@ -358,3 +373,4 @@ images:
 - 'gcr.io/oss-vdb-test/staging-api-test:$COMMIT_SHA'
 - 'gcr.io/oss-vdb-test/osv-linter:$COMMIT_SHA'
 - 'gcr.io/oss-vdb/recoverer:$COMMIT_SHA'
+- 'gcr.io/oss-vdb/cve5-to-osv:$COMMIT_SHA'
diff --git a/deployment/clouddeploy/gke-workers/environments/oss-vdb-test/cve5-to-osv.yaml b/deployment/clouddeploy/gke-workers/environments/oss-vdb-test/cve5-to-osv.yaml
@@ -0,0 +1,36 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: cve5-to-osv
+  labels:
+    cronLastSuccessfulTimeMins: "2160"
+spec:
+  timeZone: Australia/Sydney
+  schedule: "0 6,13 * * *"
+  concurrencyPolicy: Forbid
+  jobTemplate:
+    spec:
+      activeDeadlineSeconds: 86400
+      template:
+        spec:
+          containers:
+          - name: cve5-to-osv
+            image: cve5-to-osv
+            imagePullPolicy: Always
+            securityContext:
+              privileged: true
+            resources:
+              requests:
+                cpu: "1"
+                memory: "2G"
+              limits:
+                cpu: "1"
+                memory: "4G"
+            env:
+              - name: WORK_DIR
+                value: /tmp
+          restartPolicy: Never
+          volumes:
+            - name: "ssd"
+              hostPath:
+                path: "/mnt/disks/ssd0"
diff --git a/deployment/clouddeploy/gke-workers/environments/oss-vdb-test/kustomization.yaml b/deployment/clouddeploy/gke-workers/environments/oss-vdb-test/kustomization.yaml
@@ -2,6 +2,7 @@ resources:
 - ../../base
 - staging-api-test.yaml
 - osv-linter.yaml
+- cve5-to-osv.yaml
 patches:
 - path: workers.yaml
 - path: scaler.yaml
diff --git a/vulnfeeds/cmd/cve-bulk-converter/Dockerfile b/vulnfeeds/cmd/cve-bulk-converter/Dockerfile
@@ -0,0 +1,31 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+FROM golang:1.25.0-alpine@sha256:f18a072054848d87a8077455f0ac8a25886f2397f88bfdd222d6fafbb5bba440 AS go_build
+
+WORKDIR /go/src
+
+COPY go.mod go.sum ./
+RUN go mod download && go mod verify
+
+COPY . .
+RUN CGO_ENABLED=0 go build -v -o /usr/local/bin ./cmd/cve-bulk-converter
+
+FROM gcr.io/google.com/cloudsdktool/google-cloud-cli:alpine@sha256:f2b7bf7556ac1d266c3b4563507d3c7aec1464ec3f6d3cbd114f01011d02f1c3
+RUN apk --no-cache add jq
+
+COPY --from=go_build /usr/local/bin/cve-bulk-converter ./usr/local/bin/cve-bulk-converter
+COPY --from=go_build /go/src/cmd/cve-bulk-converter/run-cvelist-converter.sh ./usr/local/bin/cve-bulk-converter
+
+CMD ["/usr/local/bin/run_cvelist-converter.sh"]
