feat(rocky): support Rocky Linux (#107)

2022-01-18 22:45:06 +09:00 · 2022-01-18 22:45:06 +09:00 · 4d919c3b2a
commit 4d919c3b2a
parent 9b3980a85f
11 changed files with 749 additions and 0 deletions
--- a/.github/workflows/update.yml
+++ b/.github/workflows/update.yml
@ -91,6 +91,10 @@ jobs:
      name: AlmaLinux Security Advisory
      run: ./vuln-list-update -target alma

+    - if: always()
+      name: Rocky Linux Security Advisory
+      run: ./vuln-list-update -target rocky
+
    - if: always()
      name: OSV Database
      run: ./vuln-list-update -target osv
--- a/main.go
+++ b/main.go
@ -31,6 +31,7 @@ import (
 	"github.com/aquasecurity/vuln-list-update/photon"
 	redhatoval "github.com/aquasecurity/vuln-list-update/redhat/oval"
 	"github.com/aquasecurity/vuln-list-update/redhat/securitydataapi"
+	"github.com/aquasecurity/vuln-list-update/rocky"
 	susecvrf "github.com/aquasecurity/vuln-list-update/suse/cvrf"
 	"github.com/aquasecurity/vuln-list-update/ubuntu"
 	"github.com/aquasecurity/vuln-list-update/utils"
@ -195,6 +196,12 @@ func run() error {
 			return xerrors.Errorf("AlmaLinux update error: %w", err)
 		}
 		commitMsg = "AlmaLinux Security Advisory"
+	case "rocky":
+		rc := rocky.NewConfig()
+		if err := rc.Update(); err != nil {
+			return xerrors.Errorf("Rocky Linux update error: %w", err)
+		}
+		commitMsg = "Rocky Linux Security Advisory"
 	case "osv":
 		p := osv.NewOsv()
 		if err := p.Update(); err != nil {
--- a/rocky/rocky.go
+++ b/rocky/rocky.go
@ -0,0 +1,251 @@
+package rocky
+
+import (
+	"bytes"
+	"compress/gzip"
+	"encoding/xml"
+	"fmt"
+	"log"
+	"net/url"
+	"os"
+	"path"
+	"path/filepath"
+	"strings"
+
+	"github.com/aquasecurity/vuln-list-update/utils"
+	"github.com/cheggaaa/pb/v3"
+	"golang.org/x/xerrors"
+)
+
+const (
+	retry    = 3
+	rockyDir = "rocky"
+)
+
+var (
+	urlFormat       = "https://download.rockylinux.org/pub/rocky/%s/%s/%s/os/"
+	defaultReleases = []string{"8"}
+	defaultRepos    = []string{"BaseOS", "AppStream", "extras"}
+	defaultArches   = []string{"x86_64", "aarch64"}
+)
+
+// RepoMd has repomd data
+type RepoMd struct {
+	RepoList []Repo `xml:"data"`
+}
+
+// Repo has a repo data
+type Repo struct {
+	Type     string   `xml:"type,attr"`
+	Location Location `xml:"location"`
+}
+
+// Location has a location of repomd
+type Location struct {
+	Href string `xml:"href,attr"`
+}
+
+// UpdateInfo has a list
+type UpdateInfo struct {
+	RLSAList []RLSA `xml:"update"`
+}
+
+// RLSA has detailed data of RLSA
+type RLSA struct {
+	ID          string      `xml:"id" json:"id,omitempty"`
+	Title       string      `xml:"title" json:"title,omitempty"`
+	Issued      Date        `xml:"issued" json:"issued,omitempty"`
+	Updated     Date        `xml:"updated" json:"updated,omitempty"`
+	Severity    string      `xml:"severity" json:"severity,omitempty"`
+	Description string      `xml:"description" json:"description,omitempty"`
+	Packages    []Package   `xml:"pkglist>collection>package" json:"packages,omitempty"`
+	References  []Reference `xml:"references>reference" json:"references,omitempty"`
+	CveIDs      []string    `json:"cveids,omitempty"`
+}
+
+// Date has time information
+type Date struct {
+	Date string `xml:"date,attr" json:"date,omitempty"`
+}
+
+// Reference has reference information
+type Reference struct {
+	Href  string `xml:"href,attr" json:"href,omitempty"`
+	ID    string `xml:"id,attr" json:"id,omitempty"`
+	Title string `xml:"title,attr" json:"title,omitempty"`
+	Type  string `xml:"type,attr" json:"type,omitempty"`
+}
+
+// Package has affected package information
+type Package struct {
+	Name     string `xml:"name,attr" json:"name,omitempty"`
+	Epoch    string `xml:"epoch,attr" json:"epoch,omitempty"`
+	Version  string `xml:"version,attr" json:"version,omitempty"`
+	Release  string `xml:"release,attr" json:"release,omitempty"`
+	Arch     string `xml:"arch,attr" json:"arch,omitempty"`
+	Filename string `xml:"filename" json:"filename,omitempty"`
+}
+
+type options struct {
+	url      string
+	dir      string
+	retry    int
+	releases []string
+	repos    []string
+	arches   []string
+}
+
+type option func(*options)
+
+func With(url, dir string, retry int, releases, repos, arches []string) option {
+	return func(opts *options) {
+		opts.url = url
+		opts.dir = dir
+		opts.retry = retry
+		opts.releases = releases
+		opts.repos = repos
+		opts.arches = arches
+	}
+}
+
+type Config struct {
+	*options
+}
+
+func NewConfig(opts ...option) Config {
+	o := &options{
+		url:      urlFormat,
+		dir:      filepath.Join(utils.VulnListDir(), rockyDir),
+		retry:    retry,
+		releases: defaultReleases,
+		repos:    defaultRepos,
+		arches:   defaultArches,
+	}
+	for _, opt := range opts {
+		opt(o)
+	}
+
+	return Config{
+		options: o,
+	}
+}
+
+func (c Config) Update() error {
+	for _, release := range c.releases {
+		for _, repo := range c.repos {
+			for _, arch := range c.arches {
+				log.Printf("Fetching Rocky Linux %s %s %s data...", release, repo, arch)
+				if err := c.update(release, repo, arch); err != nil {
+					return xerrors.Errorf("failed to update security advisories of Rocky Linux %s %s %s: %w", release, repo, arch, err)
+				}
+			}
+		}
+	}
+	return nil
+}
+
+func (c Config) update(release, repo, arch string) error {
+	dirPath := filepath.Join(c.dir, release, repo, arch)
+	log.Printf("Remove Rocky Linux %s %s %s directory %s", release, repo, arch, dirPath)
+	if err := os.RemoveAll(dirPath); err != nil {
+		return xerrors.Errorf("failed to remove Rocky Linux %s %s %s directory: %w", release, repo, arch, err)
+	}
+	if err := os.MkdirAll(dirPath, os.ModePerm); err != nil {
+		return xerrors.Errorf("failed to mkdir: %w", err)
+	}
+
+	u, err := url.Parse(fmt.Sprintf(c.url, release, repo, arch))
+	if err != nil {
+		return xerrors.Errorf("failed to parse root url: %w", err)
+	}
+	rootPath := u.Path
+	u.Path = path.Join(rootPath, "repodata/repomd.xml")
+	updateInfoPath, err := c.fetchUpdateInfoPath(u.String())
+	if err != nil {
+		return xerrors.Errorf("failed to fetch updateInfo path from repomd.xml: %w", err)
+	}
+	u.Path = path.Join(rootPath, updateInfoPath)
+	uinfo, err := c.fetchUpdateInfo(u.String())
+	if err != nil {
+		return xerrors.Errorf("failed to fetch updateInfo: %w", err)
+	}
+
+	secErrata := map[string][]RLSA{}
+	for _, rlsa := range uinfo.RLSAList {
+		if !strings.HasPrefix(rlsa.ID, "RLSA-") {
+			continue
+		}
+		y := strings.Split(strings.TrimPrefix(rlsa.ID, "RLSA-"), ":")[0]
+		secErrata[y] = append(secErrata[y], rlsa)
+	}
+
+	for year, errata := range secErrata {
+		log.Printf("Write Errata for Rocky Linux %s %s %s %s", release, repo, arch, year)
+
+		if err := os.MkdirAll(filepath.Join(dirPath, year), os.ModePerm); err != nil {
+			return xerrors.Errorf("failed to mkdir: %w", err)
+		}
+
+		bar := pb.StartNew(len(errata))
+		for _, erratum := range errata {
+			jsonPath := filepath.Join(dirPath, year, fmt.Sprintf("%s.json", erratum.ID))
+			if err := utils.Write(jsonPath, erratum); err != nil {
+				return xerrors.Errorf("failed to write Rocky Linux CVE details: %w", err)
+			}
+			bar.Increment()
+		}
+		bar.Finish()
+	}
+
+	return nil
+}
+
+func (c Config) fetchUpdateInfoPath(repomdURL string) (updateInfoPath string, err error) {
+	res, err := utils.FetchURL(repomdURL, "", c.retry)
+	if err != nil {
+		return "", xerrors.Errorf("failed to fetch %s: %w", repomdURL, err)
+	}
+
+	var repoMd RepoMd
+	if err := xml.NewDecoder(bytes.NewBuffer(res)).Decode(&repoMd); err != nil {
+		return "", xerrors.Errorf("failed to decode repomd.xml: %w", err)
+	}
+
+	for _, repo := range repoMd.RepoList {
+		if repo.Type == "updateinfo" {
+			updateInfoPath = repo.Location.Href
+			break
+		}
+	}
+	if updateInfoPath == "" {
+		return "", xerrors.New("no updateinfo field in the repomd")
+	}
+	return updateInfoPath, nil
+}
+
+func (c Config) fetchUpdateInfo(url string) (*UpdateInfo, error) {
+	res, err := utils.FetchURL(url, "", c.retry)
+	if err != nil {
+		return nil, xerrors.Errorf("failed to fetch updateInfo: %w", err)
+	}
+	r, err := gzip.NewReader(bytes.NewBuffer(res))
+	if err != nil {
+		return nil, xerrors.Errorf("failed to decompress updateInfo: %w", err)
+	}
+	defer r.Close()
+
+	var updateInfo UpdateInfo
+	if err := xml.NewDecoder(r).Decode(&updateInfo); err != nil {
+		return nil, err
+	}
+	for i, alas := range updateInfo.RLSAList {
+		var cveIDs []string
+		for _, ref := range alas.References {
+			if ref.Type == "cve" {
+				cveIDs = append(cveIDs, ref.ID)
+			}
+		}
+		updateInfo.RLSAList[i].CveIDs = cveIDs
+	}
+	return &updateInfo, nil
+}
--- a/rocky/rocky_test.go
+++ b/rocky/rocky_test.go
@ -0,0 +1,74 @@
+package rocky_test
+
+import (
+	"errors"
+	"net/http"
+	"net/http/httptest"
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/aquasecurity/vuln-list-update/rocky"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"golang.org/x/xerrors"
+)
+
+func Test_Update(t *testing.T) {
+	tests := []struct {
+		name          string
+		rootDir       string
+		expectedError error
+	}{
+		{
+			name:          "happy path",
+			rootDir:       "testdata/fixtures/happy",
+			expectedError: nil,
+		},
+		{
+			name:          "bad repomd response",
+			rootDir:       "testdata/fixtures/repomd_invalid",
+			expectedError: xerrors.Errorf("failed to update security advisories of Rocky Linux 8 BaseOS x86_64: %w", errors.New("failed to fetch updateInfo path from repomd.xml")),
+		},
+		{
+			name:          "bad updateInfo response",
+			rootDir:       "testdata/fixtures/updateinfo_invalid",
+			expectedError: xerrors.Errorf("failed to update security advisories of Rocky Linux 8 BaseOS x86_64: %w", errors.New("failed to fetch updateInfo")),
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			tsUpdateInfoURL := httptest.NewServer(http.StripPrefix("/pub/rocky/8/BaseOS/x86_64/os/repodata/", http.FileServer(http.Dir(tt.rootDir))))
+			defer tsUpdateInfoURL.Close()
+
+			dir := t.TempDir()
+			rc := rocky.NewConfig(rocky.With(tsUpdateInfoURL.URL+"/pub/rocky/%s/%s/%s/os/", dir, 0, []string{"8"}, []string{"BaseOS"}, []string{"x86_64"}))
+			if err := rc.Update(); tt.expectedError != nil {
+				require.Error(t, err)
+				assert.Contains(t, err.Error(), tt.expectedError.Error())
+				return
+			}
+
+			err := filepath.Walk(dir, func(path string, info os.FileInfo, errfp error) error {
+				if errfp != nil {
+					return errfp
+				}
+				if info.IsDir() {
+					return nil
+				}
+
+				dir, file := filepath.Split(path)
+				want, err := os.ReadFile(filepath.Join("testdata", "golden", filepath.Base(dir), file))
+				assert.NoError(t, err, "failed to open the golden file")
+
+				got, err := os.ReadFile(path)
+				assert.NoError(t, err, "failed to open the result file")
+
+				assert.JSONEq(t, string(want), string(got))
+
+				return nil
+			})
+			assert.Nil(t, err, "filepath walk error")
+		})
+	}
+}
--- a/rocky/testdata/fixtures/happy/repomd.xml
+++ b/rocky/testdata/fixtures/happy/repomd.xml
@ -0,0 +1,77 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<repomd xmlns="http://linux.duke.edu/metadata/repo" xmlns:rpm="http://linux.duke.edu/metadata/rpm">
+  <revision>8.4</revision>
+  <tags>
+    <distro cpeid="cpe:/o:rocky:rocky:8">Rocky Linux 8</distro>
+  </tags>
+  <data type="primary">
+    <checksum type="sha256">9d25370cf8f2bdf046145fa51ef3d0229ecc6862cbe35281a70184cc39089f54</checksum>
+    <open-checksum type="sha256">554780b39c8a31f3b92eb2356f38099bd6135834c51542c8ffb889aa6d37c1a0</open-checksum>
+    <location href="repodata/9d25370cf8f2bdf046145fa51ef3d0229ecc6862cbe35281a70184cc39089f54-primary.xml.gz"/>
+    <timestamp>1632166291</timestamp>
+    <size>4136440</size>
+    <open-size>29944727</open-size>
+  </data>
+  <data type="filelists">
+    <checksum type="sha256">3f9875964fcb58abd0c3b88ae317450d124020d81e873f1db05c695e84fc1c3b</checksum>
+    <open-checksum type="sha256">483a4f0494e31ae0d100714ddae8eab680c408ff354979636d7bec849c1b6e4d</open-checksum>
+    <location href="repodata/3f9875964fcb58abd0c3b88ae317450d124020d81e873f1db05c695e84fc1c3b-filelists.xml.gz"/>
+    <timestamp>1632166291</timestamp>
+    <size>3284862</size>
+    <open-size>45704869</open-size>
+  </data>
+  <data type="other">
+    <checksum type="sha256">201204bd642f240caaa2d8cd8b8fcf0bf0071fdf7ba67c68b79c209163995057</checksum>
+    <open-checksum type="sha256">ab9351e393e2f08997754411263a7b51114209668d453a62ad998981789c091d</open-checksum>
+    <location href="repodata/201204bd642f240caaa2d8cd8b8fcf0bf0071fdf7ba67c68b79c209163995057-other.xml.gz"/>
+    <timestamp>1632166291</timestamp>
+    <size>621783</size>
+    <open-size>6152523</open-size>
+  </data>
+  <data type="primary_db">
+    <checksum type="sha256">2e35bd95b02d3bf3d99b82f3bbb6b0381f55b671226771d9d7db975b5d0f205b</checksum>
+    <open-checksum type="sha256">b1af8fb023566905067e07bfcffed71ce73ebc6e4ed0af2a010ac7ea6bbfbefa</open-checksum>
+    <location href="repodata/2e35bd95b02d3bf3d99b82f3bbb6b0381f55b671226771d9d7db975b5d0f205b-primary.sqlite.xz"/>
+    <timestamp>1632166306</timestamp>
+    <size>3599636</size>
+    <open-size>34222080</open-size>
+  </data>
+  <data type="filelists_db">
+    <checksum type="sha256">06510a9c700387c4c670654f6440386d6e91e0628116492a4a38228f67ec4d61</checksum>
+    <open-checksum type="sha256">19df9e2e5a6e66214ddf95569d50ce1c73cfed99c109e453b043a68b8609fd95</open-checksum>
+    <location href="repodata/06510a9c700387c4c670654f6440386d6e91e0628116492a4a38228f67ec4d61-filelists.sqlite.xz"/>
+    <timestamp>1632166298</timestamp>
+    <size>2665240</size>
+    <open-size>24879104</open-size>
+  </data>
+  <data type="other_db">
+    <checksum type="sha256">dddb998b6aca861c3b0724e13ee6f99a74e516b659299ec47c682a08f414cf25</checksum>
+    <open-checksum type="sha256">46d0a6ae8562e93c729361fa1b28ccf10d26bed3d9d2ff1e464ff807b6201688</open-checksum>
+    <location href="repodata/dddb998b6aca861c3b0724e13ee6f99a74e516b659299ec47c682a08f414cf25-other.sqlite.xz"/>
+    <timestamp>1632166293</timestamp>
+    <size>423132</size>
+    <open-size>6062080</open-size>
+  </data>
+  <data type="group">
+    <checksum type="sha256">5eedac6f334681aa51e154d77025db287c33ce1491b14368be9b477ff8208152</checksum>
+    <location href="repodata/5eedac6f334681aa51e154d77025db287c33ce1491b14368be9b477ff8208152-comps-BaseOS.x86_64.xml"/>
+    <timestamp>1632166276</timestamp>
+    <size>297208</size>
+  </data>
+  <data type="group_xz">
+    <checksum type="sha256">32e04847f7cc2872db5ac9e92ea540ef2a7999d1c2be0c8c3d47a359b3e2d613</checksum>
+    <open-checksum type="sha256">5eedac6f334681aa51e154d77025db287c33ce1491b14368be9b477ff8208152</open-checksum>
+    <location href="repodata/32e04847f7cc2872db5ac9e92ea540ef2a7999d1c2be0c8c3d47a359b3e2d613-comps-BaseOS.x86_64.xml.xz"/>
+    <timestamp>1632166291</timestamp>
+    <size>56668</size>
+    <open-size>297208</open-size>
+  </data>
+  <data type="updateinfo">
+    <checksum type="sha256">c14b2249cc128fa8c565d0b79986daffc4e1c0a430c84a3ebccc1a016d59bda1</checksum>
+    <open-checksum type="sha256">3655bacbf1e119d2fd5d27c25acc98a5f8e27ba64d9b86c6b181c20e67b0f7e7</open-checksum>
+    <location href="repodata/updateinfo.xml.gz"/>
+    <timestamp>1632172541</timestamp>
+    <size>24366</size>
+    <open-size>184021</open-size>
+  </data>
+</repomd>
--- a/rocky/testdata/fixtures/happy/updateinfo.xml.gz
+++ b/rocky/testdata/fixtures/happy/updateinfo.xml.gz
--- a/rocky/testdata/fixtures/repomd_invalid/repomd.xml
+++ b/rocky/testdata/fixtures/repomd_invalid/repomd.xml
@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<repomd xmlns="http://linux.duke.edu/metadata/repo" xmlns:rpm="http://linux.duke.edu/metadata/rpm">
+</repomd>
--- a/rocky/testdata/fixtures/updateinfo_invalid/repomd.xml
+++ b/rocky/testdata/fixtures/updateinfo_invalid/repomd.xml
@ -0,0 +1,77 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<repomd xmlns="http://linux.duke.edu/metadata/repo" xmlns:rpm="http://linux.duke.edu/metadata/rpm">
+  <revision>8.4</revision>
+  <tags>
+    <distro cpeid="cpe:/o:rocky:rocky:8">Rocky Linux 8</distro>
+  </tags>
+  <data type="primary">
+    <checksum type="sha256">9d25370cf8f2bdf046145fa51ef3d0229ecc6862cbe35281a70184cc39089f54</checksum>
+    <open-checksum type="sha256">554780b39c8a31f3b92eb2356f38099bd6135834c51542c8ffb889aa6d37c1a0</open-checksum>
+    <location href="repodata/9d25370cf8f2bdf046145fa51ef3d0229ecc6862cbe35281a70184cc39089f54-primary.xml.gz"/>
+    <timestamp>1632166291</timestamp>
+    <size>4136440</size>
+    <open-size>29944727</open-size>
+  </data>
+  <data type="filelists">
+    <checksum type="sha256">3f9875964fcb58abd0c3b88ae317450d124020d81e873f1db05c695e84fc1c3b</checksum>
+    <open-checksum type="sha256">483a4f0494e31ae0d100714ddae8eab680c408ff354979636d7bec849c1b6e4d</open-checksum>
+    <location href="repodata/3f9875964fcb58abd0c3b88ae317450d124020d81e873f1db05c695e84fc1c3b-filelists.xml.gz"/>
+    <timestamp>1632166291</timestamp>
+    <size>3284862</size>
+    <open-size>45704869</open-size>
+  </data>
+  <data type="other">
+    <checksum type="sha256">201204bd642f240caaa2d8cd8b8fcf0bf0071fdf7ba67c68b79c209163995057</checksum>
+    <open-checksum type="sha256">ab9351e393e2f08997754411263a7b51114209668d453a62ad998981789c091d</open-checksum>
+    <location href="repodata/201204bd642f240caaa2d8cd8b8fcf0bf0071fdf7ba67c68b79c209163995057-other.xml.gz"/>
+    <timestamp>1632166291</timestamp>
+    <size>621783</size>
+    <open-size>6152523</open-size>
+  </data>
+  <data type="primary_db">
+    <checksum type="sha256">2e35bd95b02d3bf3d99b82f3bbb6b0381f55b671226771d9d7db975b5d0f205b</checksum>
+    <open-checksum type="sha256">b1af8fb023566905067e07bfcffed71ce73ebc6e4ed0af2a010ac7ea6bbfbefa</open-checksum>
+    <location href="repodata/2e35bd95b02d3bf3d99b82f3bbb6b0381f55b671226771d9d7db975b5d0f205b-primary.sqlite.xz"/>
+    <timestamp>1632166306</timestamp>
+    <size>3599636</size>
+    <open-size>34222080</open-size>
+  </data>
+  <data type="filelists_db">
+    <checksum type="sha256">06510a9c700387c4c670654f6440386d6e91e0628116492a4a38228f67ec4d61</checksum>
+    <open-checksum type="sha256">19df9e2e5a6e66214ddf95569d50ce1c73cfed99c109e453b043a68b8609fd95</open-checksum>
+    <location href="repodata/06510a9c700387c4c670654f6440386d6e91e0628116492a4a38228f67ec4d61-filelists.sqlite.xz"/>
+    <timestamp>1632166298</timestamp>
+    <size>2665240</size>
+    <open-size>24879104</open-size>
+  </data>
+  <data type="other_db">
+    <checksum type="sha256">dddb998b6aca861c3b0724e13ee6f99a74e516b659299ec47c682a08f414cf25</checksum>
+    <open-checksum type="sha256">46d0a6ae8562e93c729361fa1b28ccf10d26bed3d9d2ff1e464ff807b6201688</open-checksum>
+    <location href="repodata/dddb998b6aca861c3b0724e13ee6f99a74e516b659299ec47c682a08f414cf25-other.sqlite.xz"/>
+    <timestamp>1632166293</timestamp>
+    <size>423132</size>
+    <open-size>6062080</open-size>
+  </data>
+  <data type="group">
+    <checksum type="sha256">5eedac6f334681aa51e154d77025db287c33ce1491b14368be9b477ff8208152</checksum>
+    <location href="repodata/5eedac6f334681aa51e154d77025db287c33ce1491b14368be9b477ff8208152-comps-BaseOS.x86_64.xml"/>
+    <timestamp>1632166276</timestamp>
+    <size>297208</size>
+  </data>
+  <data type="group_xz">
+    <checksum type="sha256">32e04847f7cc2872db5ac9e92ea540ef2a7999d1c2be0c8c3d47a359b3e2d613</checksum>
+    <open-checksum type="sha256">5eedac6f334681aa51e154d77025db287c33ce1491b14368be9b477ff8208152</open-checksum>
+    <location href="repodata/32e04847f7cc2872db5ac9e92ea540ef2a7999d1c2be0c8c3d47a359b3e2d613-comps-BaseOS.x86_64.xml.xz"/>
+    <timestamp>1632166291</timestamp>
+    <size>56668</size>
+    <open-size>297208</open-size>
+  </data>
+  <data type="updateinfo">
+    <checksum type="sha256">c14b2249cc128fa8c565d0b79986daffc4e1c0a430c84a3ebccc1a016d59bda1</checksum>
+    <open-checksum type="sha256">3655bacbf1e119d2fd5d27c25acc98a5f8e27ba64d9b86c6b181c20e67b0f7e7</open-checksum>
+    <location href="repodata/updateinfo.xml.gz"/>
+    <timestamp>1632172541</timestamp>
+    <size>24366</size>
+    <open-size>184021</open-size>
+  </data>
+</repomd>
--- a/rocky/testdata/fixtures/updateinfo_invalid/updateinfo.xml.gz
+++ b/rocky/testdata/fixtures/updateinfo_invalid/updateinfo.xml.gz
--- a/rocky/testdata/golden/2021/RLSA-2021:2575.json
+++ b/rocky/testdata/golden/2021/RLSA-2021:2575.json
@ -0,0 +1,65 @@
+{
+  "id": "RLSA-2021:2575",
+  "title": "Moderate: lz4 security update",
+  "issued": {
+    "date": "2021-07-22 03:13:55"
+  },
+  "updated": {
+    "date": "2021-06-29 00:00:00"
+  },
+  "severity": "Moderate",
+  "description": "For more information visit https://errata.rockylinux.org/RLSA-2021:2575",
+  "packages": [
+    {
+      "name": "lz4-libs",
+      "epoch": "0",
+      "version": "1.8.3",
+      "release": "3.el8_4",
+      "arch": "i686",
+      "filename": "lz4-libs-1.8.3-3.el8_4.i686.rpm"
+    },
+    {
+      "name": "lz4-libs",
+      "epoch": "0",
+      "version": "1.8.3",
+      "release": "3.el8_4",
+      "arch": "x86_64",
+      "filename": "lz4-libs-1.8.3-3.el8_4.x86_64.rpm"
+    },
+    {
+      "name": "lz4-devel",
+      "epoch": "0",
+      "version": "1.8.3",
+      "release": "3.el8_4",
+      "arch": "x86_64",
+      "filename": "lz4-devel-1.8.3-3.el8_4.x86_64.rpm"
+    },
+    {
+      "name": "lz4-devel",
+      "epoch": "0",
+      "version": "1.8.3",
+      "release": "3.el8_4",
+      "arch": "i686",
+      "filename": "lz4-devel-1.8.3-3.el8_4.i686.rpm"
+    },
+    {
+      "name": "lz4",
+      "epoch": "0",
+      "version": "1.8.3",
+      "release": "3.el8_4",
+      "arch": "x86_64",
+      "filename": "lz4-1.8.3-3.el8_4.x86_64.rpm"
+    }
+  ],
+  "references": [
+    {
+      "href": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-3520.json",
+      "id": "CVE-2021-3520",
+      "title": "Update information for CVE-2021-3520 is retrieved from Red Hat",
+      "type": "cve"
+    }
+  ],
+  "cveids": [
+    "CVE-2021-3520"
+  ]
+}
--- a/rocky/testdata/golden/2021/RLSA-2021:3057.json
+++ b/rocky/testdata/golden/2021/RLSA-2021:3057.json
@ -0,0 +1,191 @@
+{
+  "id": "RLSA-2021:3057",
+  "title": "Important: kernel security, bug fix, and enhancement update",
+  "issued": {
+    "date": "2021-08-12 21:14:23"
+  },
+  "updated": {
+    "date": "2021-08-10 00:00:00"
+  },
+  "severity": "Important",
+  "description": "For more information visit https://errata.rockylinux.org/RLSA-2021:3057",
+  "packages": [
+    {
+      "name": "kernel-tools",
+      "epoch": "0",
+      "version": "4.18.0",
+      "release": "305.12.1.el8_4",
+      "arch": "x86_64",
+      "filename": "kernel-tools-4.18.0-305.12.1.el8_4.x86_64.rpm"
+    },
+    {
+      "name": "kernel",
+      "epoch": "0",
+      "version": "4.18.0",
+      "release": "305.12.1.el8_4",
+      "arch": "x86_64",
+      "filename": "kernel-4.18.0-305.12.1.el8_4.x86_64.rpm"
+    },
+    {
+      "name": "kernel-debug-modules",
+      "epoch": "0",
+      "version": "4.18.0",
+      "release": "305.12.1.el8_4",
+      "arch": "x86_64",
+      "filename": "kernel-debug-modules-4.18.0-305.12.1.el8_4.x86_64.rpm"
+    },
+    {
+      "name": "bpftool",
+      "epoch": "0",
+      "version": "4.18.0",
+      "release": "305.12.1.el8_4",
+      "arch": "x86_64",
+      "filename": "bpftool-4.18.0-305.12.1.el8_4.x86_64.rpm"
+    },
+    {
+      "name": "kernel-debug-core",
+      "epoch": "0",
+      "version": "4.18.0",
+      "release": "305.12.1.el8_4",
+      "arch": "x86_64",
+      "filename": "kernel-debug-core-4.18.0-305.12.1.el8_4.x86_64.rpm"
+    },
+    {
+      "name": "kernel-abi-stablelists",
+      "epoch": "0",
+      "version": "4.18.0",
+      "release": "305.12.1.el8_4",
+      "arch": "noarch",
+      "filename": "kernel-abi-stablelists-4.18.0-305.12.1.el8_4.noarch.rpm"
+    },
+    {
+      "name": "kernel-debug",
+      "epoch": "0",
+      "version": "4.18.0",
+      "release": "305.12.1.el8_4",
+      "arch": "x86_64",
+      "filename": "kernel-debug-4.18.0-305.12.1.el8_4.x86_64.rpm"
+    },
+    {
+      "name": "kernel-headers",
+      "epoch": "0",
+      "version": "4.18.0",
+      "release": "305.12.1.el8_4",
+      "arch": "x86_64",
+      "filename": "kernel-headers-4.18.0-305.12.1.el8_4.x86_64.rpm"
+    },
+    {
+      "name": "kernel-debug-modules-extra",
+      "epoch": "0",
+      "version": "4.18.0",
+      "release": "305.12.1.el8_4",
+      "arch": "x86_64",
+      "filename": "kernel-debug-modules-extra-4.18.0-305.12.1.el8_4.x86_64.rpm"
+    },
+    {
+      "name": "kernel-core",
+      "epoch": "0",
+      "version": "4.18.0",
+      "release": "305.12.1.el8_4",
+      "arch": "x86_64",
+      "filename": "kernel-core-4.18.0-305.12.1.el8_4.x86_64.rpm"
+    },
+    {
+      "name": "kernel-debug-devel",
+      "epoch": "0",
+      "version": "4.18.0",
+      "release": "305.12.1.el8_4",
+      "arch": "x86_64",
+      "filename": "kernel-debug-devel-4.18.0-305.12.1.el8_4.x86_64.rpm"
+    },
+    {
+      "name": "kernel-modules",
+      "epoch": "0",
+      "version": "4.18.0",
+      "release": "305.12.1.el8_4",
+      "arch": "x86_64",
+      "filename": "kernel-modules-4.18.0-305.12.1.el8_4.x86_64.rpm"
+    },
+    {
+      "name": "perf",
+      "epoch": "0",
+      "version": "4.18.0",
+      "release": "305.12.1.el8_4",
+      "arch": "x86_64",
+      "filename": "perf-4.18.0-305.12.1.el8_4.x86_64.rpm"
+    },
+    {
+      "name": "kernel-tools-libs",
+      "epoch": "0",
+      "version": "4.18.0",
+      "release": "305.12.1.el8_4",
+      "arch": "x86_64",
+      "filename": "kernel-tools-libs-4.18.0-305.12.1.el8_4.x86_64.rpm"
+    },
+    {
+      "name": "kernel-cross-headers",
+      "epoch": "0",
+      "version": "4.18.0",
+      "release": "305.12.1.el8_4",
+      "arch": "x86_64",
+      "filename": "kernel-cross-headers-4.18.0-305.12.1.el8_4.x86_64.rpm"
+    },
+    {
+      "name": "kernel-modules-extra",
+      "epoch": "0",
+      "version": "4.18.0",
+      "release": "305.12.1.el8_4",
+      "arch": "x86_64",
+      "filename": "kernel-modules-extra-4.18.0-305.12.1.el8_4.x86_64.rpm"
+    },
+    {
+      "name": "kernel-devel",
+      "epoch": "0",
+      "version": "4.18.0",
+      "release": "305.12.1.el8_4",
+      "arch": "x86_64",
+      "filename": "kernel-devel-4.18.0-305.12.1.el8_4.x86_64.rpm"
+    },
+    {
+      "name": "python3-perf",
+      "epoch": "0",
+      "version": "4.18.0",
+      "release": "305.12.1.el8_4",
+      "arch": "x86_64",
+      "filename": "python3-perf-4.18.0-305.12.1.el8_4.x86_64.rpm"
+    },
+    {
+      "name": "kernel-doc",
+      "epoch": "0",
+      "version": "4.18.0",
+      "release": "305.12.1.el8_4",
+      "arch": "noarch",
+      "filename": "kernel-doc-4.18.0-305.12.1.el8_4.noarch.rpm"
+    }
+  ],
+  "references": [
+    {
+      "href": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22543.json",
+      "id": "CVE-2021-22543",
+      "title": "Update information for CVE-2021-22543 is retrieved from Red Hat",
+      "type": "cve"
+    },
+    {
+      "href": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22555.json",
+      "id": "CVE-2021-22555",
+      "title": "Update information for CVE-2021-22555 is retrieved from Red Hat",
+      "type": "cve"
+    },
+    {
+      "href": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-3609.json",
+      "id": "CVE-2021-3609",
+      "title": "Update information for CVE-2021-3609 is retrieved from Red Hat",
+      "type": "cve"
+    }
+  ],
+  "cveids": [
+    "CVE-2021-22543",
+    "CVE-2021-22555",
+    "CVE-2021-3609"
+  ]
+}