Add photon advisory (#24)

* Add photon advisory * refactor(photon): rename * refactor(photon): update errors * test(photon): add require.NotNil * fix(photon): use pkg name as dir name * test(photon): add invalid photon_versions.json * test(photon): add invalid CVE-ID * test(photon): rename testdata file name * fix(photon): rename function name Co-authored-by: Teppei Fukuda <knqyf263@gmail.com>
2019-12-25 22:36:25 +09:00 · 2019-12-25 22:36:25 +09:00 · 69b1818a1c
commit 69b1818a1c
parent 280f2c7390
28 changed files with 550 additions and 1 deletions
--- a/.travis.yml
+++ b/.travis.yml
@ -20,6 +20,7 @@ stages:
  - 'Oracle Linux OVAL'
  - 'Red Hat OVAL'
  - 'SUSE CVRF'
+  - 'Photon CVE Advisory'
  - 'Red Hat Security Data API 2019-2020'
  - 'Red Hat Security Data API 2018'
  - 'Red Hat Security Data API 2017'
@ -79,6 +80,11 @@ jobs:
      script:
        - go run main.go -target suse-cvrf

+    - stage: 'Photon CVE Advisory'
+      if: type = cron
+      script:
+        - go run main.go -target photon
+
    # split RedHat job due to timeout
    - stage: 'Red Hat Security Data API 1996-2002'
      if: type = cron
--- a/main.go
+++ b/main.go
@ -20,6 +20,7 @@ import (
 	debianoval "github.com/aquasecurity/vuln-list-update/oval/debian"
 	oracleoval "github.com/aquasecurity/vuln-list-update/oval/oracle"
 	redhatoval "github.com/aquasecurity/vuln-list-update/oval/redhat"
+	"github.com/aquasecurity/vuln-list-update/photon"
 	"github.com/aquasecurity/vuln-list-update/redhat"
 	"github.com/aquasecurity/vuln-list-update/ubuntu"
 	"github.com/aquasecurity/vuln-list-update/utils"
@ -34,7 +35,7 @@ const (
 )

 var (
-	target = flag.String("target", "", "update target (nvd, alpine, redhat, redhat-oval, debian, debian-oval, ubuntu, amazon, oracle-oval, suse-cvrf)")
+	target = flag.String("target", "", "update target (nvd, alpine, redhat, redhat-oval, debian, debian-oval, ubuntu, amazon, oracle-oval, suse-cvrf, photon)")
 	years  = flag.String("years", "", "update years (only redhat)")
 )

@ -139,6 +140,12 @@ func run() error {
 			return xerrors.Errorf("error in SUSE CVRF update: %w", err)
 		}
 		commitMsg = "SUSE CVRF"
+	case "photon":
+		pc := photon.NewConfig()
+		if err := pc.Update(); err != nil {
+			return xerrors.Errorf("error in Photon update: %w", err)
+		}
+		commitMsg = "Photon Security Advisories"
 	default:
 		return xerrors.New("unknown target")
 	}
--- a/photon/photon.go
+++ b/photon/photon.go
@ -0,0 +1,106 @@
+package photon
+
+import (
+	"encoding/json"
+	"fmt"
+	"log"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"github.com/aquasecurity/vuln-list-update/utils"
+	"github.com/cheggaaa/pb"
+	"github.com/spf13/afero"
+	"golang.org/x/xerrors"
+)
+
+const (
+	advisoryURL    = "https://vmware.bintray.com/photon_cve_metadata/"
+	versionsFile   = "photon_versions.json"
+	advisoryFormat = "cve_data_photon%s.json"
+
+	photonDir = "photon"
+	retry     = 5
+)
+
+type Config struct {
+	VulnListDir string
+	URL         string
+	AppFs       afero.Fs
+	Retry       int
+}
+
+func NewConfig() Config {
+	return Config{
+		VulnListDir: utils.VulnListDir(),
+		URL:         advisoryURL,
+		AppFs:       afero.NewOsFs(),
+		Retry:       retry,
+	}
+}
+
+func (c Config) getPhotonVersion() ([]string, error) {
+	var versions Versions
+	res, err := utils.FetchURL(c.URL+versionsFile, "", c.Retry)
+	if err != nil {
+		return nil, xerrors.Errorf("failed to fetch Photon versions: %w", err)
+	}
+	if err := json.Unmarshal(res, &versions); err != nil {
+		return nil, xerrors.Errorf("failed to decode Photon versions: %w", err)
+	}
+
+	return versions.Branches, nil
+}
+
+func (c Config) Update() error {
+	log.Printf("Fetching Photon")
+
+	versions, err := c.getPhotonVersion()
+	if err != nil {
+		return xerrors.Errorf("failed to get Photon versions: %w", err)
+	}
+	for _, version := range versions {
+		res, err := utils.FetchURL(c.URL+fmt.Sprintf(advisoryFormat, version), "", c.Retry)
+		if err != nil {
+			return xerrors.Errorf("failed to fetch Photon advisory: %w", err)
+		}
+		var cves []PhotonCVE
+		if err := json.Unmarshal(res, &cves); err != nil {
+			return xerrors.Errorf("failed to unmarshal Photon advisory: %w", err)
+		}
+		dir := filepath.Join(photonDir, version)
+
+		bar := pb.StartNew(len(cves))
+		for _, def := range cves {
+			def.OSVersion = version
+			if err = c.saveCVEPerPkg(dir, def.Pkg, def.CveID, def); err != nil {
+				return xerrors.Errorf("failed to save CVE-ID per package name: %w", err)
+			}
+			bar.Increment()
+		}
+		bar.Finish()
+	}
+
+	return nil
+}
+
+func (c Config) saveCVEPerPkg(dirName, pkgName, cveID string, data interface{}) error {
+	s := strings.Split(cveID, "-")
+	if len(s) != 3 {
+		log.Printf("invalid CVE-ID: %s", cveID)
+		return xerrors.Errorf("invalid CVE-ID format: %s", cveID)
+	}
+
+	pkgDir := filepath.Join(c.VulnListDir, dirName, pkgName)
+	if err := c.AppFs.MkdirAll(pkgDir, os.ModePerm); err != nil {
+		return xerrors.Errorf("failed to create dir: %w", err)
+	}
+
+	filePath := filepath.Join(pkgDir, fmt.Sprintf("%s.json", cveID))
+
+	fs := utils.NewFs(c.AppFs)
+	if err := fs.WriteJSON(filePath, data); err != nil {
+		return xerrors.Errorf("failed to write file: %w", err)
+	}
+	return nil
+}
--- a/photon/photon_test.go
+++ b/photon/photon_test.go
@ -0,0 +1,181 @@
+package photon_test
+
+import (
+	"flag"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"net/http/httptest"
+	"os"
+	"testing"
+
+	"github.com/spf13/afero"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/aquasecurity/vuln-list-update/photon"
+)
+
+var update = flag.Bool("update", false, "update golden files")
+
+func TestConfig_Update(t *testing.T) {
+	testCases := []struct {
+		name             string
+		appFs            afero.Fs
+		bzip2FileNames   map[string]string
+		goldenFiles      map[string]string
+		expectedErrorMsg string
+	}{
+		{
+			name:  "positive test",
+			appFs: afero.NewMemMapFs(),
+			bzip2FileNames: map[string]string{
+				"/photon_cve_metadata/photon_versions.json":    "testdata/photon_versions.json",
+				"/photon_cve_metadata/cve_data_photon1.0.json": "testdata/cve_data_photon1.0.json",
+				"/photon_cve_metadata/cve_data_photon2.0.json": "testdata/cve_data_photon2.0.json",
+				"/photon_cve_metadata/cve_data_photon3.0.json": "testdata/cve_data_photon3.0.json",
+			},
+			goldenFiles: map[string]string{
+				"/tmp/photon/1.0/zlib/CVE-2016-9843.json":           "testdata/golden/CVE-2016-9843.json",
+				"/tmp/photon/1.0/zookeeper/CVE-2017-5637.json":      "testdata/golden/CVE-2017-5637.json",
+				"/tmp/photon/1.0/apache-tomcat/CVE-2017-12617.json": "testdata/golden/CVE-2017-12617.json",
+				"/tmp/photon/1.0/binutils/CVE-2018-10372.json":      "testdata/golden/CVE-2018-10372.json",
+				"/tmp/photon/1.0/binutils/CVE-2019-12972.json":      "testdata/golden/CVE-2019-12972.json",
+				"/tmp/photon/2.0/jq/CVE-2015-8863.json":             "testdata/golden/CVE-2015-8863.json",
+				"/tmp/photon/2.0/bash/CVE-2016-9401.json":           "testdata/golden/CVE-2016-9401.json",
+				"/tmp/photon/2.0/ansible/CVE-2017-7473.json":        "testdata/golden/CVE-2017-7473.json",
+				"/tmp/photon/2.0/ansible/CVE-2018-16876.json":       "testdata/golden/CVE-2018-16876.json",
+				"/tmp/photon/2.0/ansible/CVE-2019-10156.json":       "testdata/golden/CVE-2019-10156.json",
+				"/tmp/photon/3.0/ansible/CVE-2019-3828.json":        "testdata/golden/CVE-2019-3828.json",
+				"/tmp/photon/3.0/apache-tomcat/CVE-2019-0199.json":  "testdata/golden/CVE-2019-0199.json",
+				"/tmp/photon/3.0/apache-tomcat/CVE-2019-10072.json": "testdata/golden/CVE-2019-10072.json",
+				"/tmp/photon/3.0/binutils/CVE-2017-16826.json":      "testdata/golden/CVE-2017-16826.json",
+			},
+		},
+		{
+			name:  "invalid photon_versions.json",
+			appFs: afero.NewReadOnlyFs(afero.NewOsFs()),
+			bzip2FileNames: map[string]string{
+				"/photon_cve_metadata/photon_versions.json": "testdata/invalid_photon_versions.json",
+			},
+			expectedErrorMsg: "failed to decode Photon versions",
+		},
+		{
+			name:  "invalid filesystem write read only path",
+			appFs: afero.NewReadOnlyFs(afero.NewOsFs()),
+			bzip2FileNames: map[string]string{
+				"/photon_cve_metadata/photon_versions.json":    "testdata/photon_versions.json",
+				"/photon_cve_metadata/cve_data_photon1.0.json": "testdata/cve_data_photon1.0.json",
+				"/photon_cve_metadata/cve_data_photon2.0.json": "testdata/cve_data_photon2.0.json",
+				"/photon_cve_metadata/cve_data_photon3.0.json": "testdata/cve_data_photon3.0.json",
+			},
+			goldenFiles:      map[string]string{},
+			expectedErrorMsg: "failed to create dir: operation not permitted",
+		},
+		{
+			name:             "404",
+			appFs:            afero.NewMemMapFs(),
+			bzip2FileNames:   map[string]string{},
+			goldenFiles:      map[string]string{},
+			expectedErrorMsg: "failed to fetch Photon versions",
+		},
+		{
+			name:  "EOF file",
+			appFs: afero.NewMemMapFs(),
+			bzip2FileNames: map[string]string{
+				"/photon_cve_metadata/photon_versions.json":    "testdata/photon_versions.json",
+				"/photon_cve_metadata/cve_data_photon1.0.json": "testdata/invalid.txt",
+			},
+			goldenFiles:      map[string]string{},
+			expectedErrorMsg: "failed to unmarshal Photon advisory: unexpected end of JSON input",
+		},
+		{
+			name:  "invalid json format",
+			appFs: afero.NewMemMapFs(),
+			bzip2FileNames: map[string]string{
+				"/photon_cve_metadata/photon_versions.json":    "testdata/photon_versions.json",
+				"/photon_cve_metadata/cve_data_photon1.0.json": "testdata/cve_data_photon_invalid_format.json",
+			},
+			goldenFiles:      map[string]string{},
+			expectedErrorMsg: "failed to unmarshal Photon advisory: invalid character ']' after object key:value pair",
+		},
+		{
+			name:  "invalid CVE-ID",
+			appFs: afero.NewMemMapFs(),
+			bzip2FileNames: map[string]string{
+				"/photon_cve_metadata/photon_versions.json":    "testdata/photon_versions.json",
+				"/photon_cve_metadata/cve_data_photon1.0.json": "testdata/cve_data_photon1.0.json",
+				"/photon_cve_metadata/cve_data_photon2.0.json": "testdata/cve_data_photon2.0.json",
+				"/photon_cve_metadata/cve_data_photon3.0.json": "testdata/cve_data_photon3.0_invalid_cveid.json",
+			},
+			goldenFiles:      map[string]string{},
+			expectedErrorMsg: "invalid CVE-ID format",
+		},
+	}
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+				filePath, ok := tc.bzip2FileNames[r.URL.Path]
+				if !ok {
+					http.NotFound(w, r)
+					return
+				}
+				b, err := ioutil.ReadFile(filePath)
+				assert.NoError(t, err, tc.name)
+				_, err = w.Write(b)
+				assert.NoError(t, err, tc.name)
+			}))
+			defer ts.Close()
+			url := ts.URL + "/photon_cve_metadata/"
+			c := photon.Config{
+				VulnListDir: "/tmp",
+				URL:         url,
+				AppFs:       tc.appFs,
+				Retry:       0,
+			}
+			err := c.Update()
+			switch {
+			case tc.expectedErrorMsg != "":
+				require.NotNil(t, err, tc.name)
+				assert.Contains(t, err.Error(), tc.expectedErrorMsg, tc.name)
+				return
+			default:
+				assert.NoError(t, err, tc.name)
+			}
+
+			fileCount := 0
+			err = afero.Walk(c.AppFs, "/", func(path string, info os.FileInfo, err error) error {
+				if err != nil {
+					return err
+				}
+				if info.IsDir() {
+					return nil
+				}
+				fileCount += 1
+
+				actual, err := afero.ReadFile(c.AppFs, path)
+				assert.NoError(t, err, tc.name)
+
+				goldenPath, ok := tc.goldenFiles[path]
+				if !ok {
+					fmt.Println(path)
+				}
+				assert.True(t, ok, tc.name)
+
+				if *update {
+					err = ioutil.WriteFile(goldenPath, actual, 0666)
+					assert.NoError(t, err, tc.name)
+				}
+
+				expected, err := ioutil.ReadFile(goldenPath)
+				assert.NoError(t, err, tc.name)
+
+				assert.Equal(t, expected, actual, tc.name)
+
+				return nil
+			})
+			assert.Equal(t, len(tc.goldenFiles), fileCount, tc.name)
+			assert.NoError(t, err, tc.name)
+		})
+	}
+}
--- a/photon/testdata/EOF.txt
+++ b/photon/testdata/EOF.txt
--- a/photon/testdata/cve_data_photon1.0.json
+++ b/photon/testdata/cve_data_photon1.0.json
@ -0,0 +1,37 @@
+[
+  {
+    "cve_id": "CVE-2016-9843",
+    "pkg": "zlib",
+    "cve_score": 7.5,
+    "aff_ver": "all versions before 1.2.8-5.ph1 are vulnerable",
+    "res_ver": "1.2.8-5.ph1"
+  },
+  {
+    "cve_id": "CVE-2017-5637",
+    "pkg": "zookeeper",
+    "cve_score": 7.5,
+    "aff_ver": "all versions before 3.4.10-2.ph1 are vulnerable",
+    "res_ver": "3.4.10-2.ph1"
+  },
+  {
+    "cve_id": "CVE-2017-12617",
+    "pkg": "apache-tomcat",
+    "cve_score": 8.1,
+    "aff_ver": "all versions before 8.5.23-1.ph1 are vulnerable",
+    "res_ver": "8.5.23-1.ph1"
+  },
+  {
+    "cve_id": "CVE-2018-10372",
+    "pkg": "binutils",
+    "cve_score": 5.5,
+    "aff_ver": "all versions before 2.30-5.ph1 are vulnerable",
+    "res_ver": "2.30-5.ph1"
+  },
+  {
+    "cve_id": "CVE-2019-12972",
+    "pkg": "binutils",
+    "cve_score": 5.5,
+    "aff_ver": "all versions before 2.31-9.ph1 are vulnerable",
+    "res_ver": "2.31-9.ph1"
+  }
+]
--- a/photon/testdata/cve_data_photon2.0.json
+++ b/photon/testdata/cve_data_photon2.0.json
@ -0,0 +1,37 @@
+[
+  {
+    "cve_id": "CVE-2015-8863",
+    "pkg": "jq",
+    "cve_score": 9.8,
+    "aff_ver": "all versions before 1.5-3.ph2 are vulnerable",
+    "res_ver": "1.5-3.ph2"
+  },
+  {
+    "cve_id": "CVE-2016-9401",
+    "pkg": "bash",
+    "cve_score": 5.5,
+    "aff_ver": "all versions before 4.4.12-1.ph2 are vulnerable",
+    "res_ver": "4.4.12-1.ph2"
+  },
+  {
+    "cve_id": "CVE-2017-7473",
+    "pkg": "ansible",
+    "cve_score": 5,
+    "aff_ver": "all versions before 2.4.0.0-1.ph2 are vulnerable",
+    "res_ver": "2.4.0.0-1.ph2"
+  },
+  {
+    "cve_id": "CVE-2018-16876",
+    "pkg": "ansible",
+    "cve_score": 7.5,
+    "aff_ver": "all versions before 2.7.9-1.ph2 are vulnerable",
+    "res_ver": "2.7.9-1.ph2"
+  },
+  {
+    "cve_id": "CVE-2019-10156",
+    "pkg": "ansible",
+    "cve_score": 5.4,
+    "aff_ver": "all versions before 2.7.9-2.ph2 are vulnerable",
+    "res_ver": "2.7.9-2.ph2"
+  }
+]
--- a/photon/testdata/cve_data_photon3.0.json
+++ b/photon/testdata/cve_data_photon3.0.json
@ -0,0 +1,30 @@
+[
+  {
+    "cve_id": "CVE-2019-3828",
+    "pkg": "ansible",
+    "cve_score": 10,
+    "aff_ver": "all versions before 2.7.6-2.ph3 are vulnerable",
+    "res_ver": "2.7.6-2.ph3"
+  },
+  {
+    "cve_id": "CVE-2019-0199",
+    "pkg": "apache-tomcat",
+    "cve_score": 7.5,
+    "aff_ver": "all versions before 8.5.40-1.ph3 are vulnerable",
+    "res_ver": "8.5.40-1.ph3"
+  },
+  {
+    "cve_id": "CVE-2019-10072",
+    "pkg": "apache-tomcat",
+    "cve_score": 7.5,
+    "aff_ver": "all versions before 8.5.40-2.ph3 are vulnerable",
+    "res_ver": "8.5.40-2.ph3"
+  },
+  {
+    "cve_id": "CVE-2017-16826",
+    "pkg": "binutils",
+    "cve_score": 7.8,
+    "aff_ver": "all versions before 2.31.1-3.ph3 are vulnerable",
+    "res_ver": "2.31.1-3.ph3"
+  }
+]
--- a/photon/testdata/cve_data_photon3.0_invalid_cveid.json
+++ b/photon/testdata/cve_data_photon3.0_invalid_cveid.json
@ -0,0 +1,9 @@
+[
+  {
+    "cve_id": "CVE-2019-3828-0001",
+    "pkg": "ansible",
+    "cve_score": 10,
+    "aff_ver": "all versions before 2.7.6-2.ph3 are vulnerable",
+    "res_ver": "2.7.6-2.ph3"
+  }
+]
--- a/photon/testdata/cve_data_photon_invalid_format.json
+++ b/photon/testdata/cve_data_photon_invalid_format.json
@ -0,0 +1,8 @@
+[
+  {
+    "cve_id": "CVE-2016-9843",
+    "pkg": "zlib",
+    "cve_score": 7.5,
+    "aff_ver": "all versions before 1.2.8-5.ph1 are vulnerable",
+    "res_ver": "1.2.8-5.ph1"
+]
--- a/photon/testdata/golden/CVE-2015-8863.json
+++ b/photon/testdata/golden/CVE-2015-8863.json
@ -0,0 +1,8 @@
+{
+  "os_version": "2.0",
+  "cve_id": "CVE-2015-8863",
+  "pkg": "jq",
+  "cve_score": 9.8,
+  "aff_ver": "all versions before 1.5-3.ph2 are vulnerable",
+  "res_ver": "1.5-3.ph2"
+}
--- a/photon/testdata/golden/CVE-2016-9401.json
+++ b/photon/testdata/golden/CVE-2016-9401.json
@ -0,0 +1,8 @@
+{
+  "os_version": "2.0",
+  "cve_id": "CVE-2016-9401",
+  "pkg": "bash",
+  "cve_score": 5.5,
+  "aff_ver": "all versions before 4.4.12-1.ph2 are vulnerable",
+  "res_ver": "4.4.12-1.ph2"
+}
--- a/photon/testdata/golden/CVE-2016-9843.json
+++ b/photon/testdata/golden/CVE-2016-9843.json
@ -0,0 +1,8 @@
+{
+  "os_version": "1.0",
+  "cve_id": "CVE-2016-9843",
+  "pkg": "zlib",
+  "cve_score": 7.5,
+  "aff_ver": "all versions before 1.2.8-5.ph1 are vulnerable",
+  "res_ver": "1.2.8-5.ph1"
+}
--- a/photon/testdata/golden/CVE-2017-12617.json
+++ b/photon/testdata/golden/CVE-2017-12617.json
@ -0,0 +1,8 @@
+{
+  "os_version": "1.0",
+  "cve_id": "CVE-2017-12617",
+  "pkg": "apache-tomcat",
+  "cve_score": 8.1,
+  "aff_ver": "all versions before 8.5.23-1.ph1 are vulnerable",
+  "res_ver": "8.5.23-1.ph1"
+}
--- a/photon/testdata/golden/CVE-2017-16826.json
+++ b/photon/testdata/golden/CVE-2017-16826.json
@ -0,0 +1,8 @@
+{
+  "os_version": "3.0",
+  "cve_id": "CVE-2017-16826",
+  "pkg": "binutils",
+  "cve_score": 7.8,
+  "aff_ver": "all versions before 2.31.1-3.ph3 are vulnerable",
+  "res_ver": "2.31.1-3.ph3"
+}
--- a/photon/testdata/golden/CVE-2017-5637.json
+++ b/photon/testdata/golden/CVE-2017-5637.json
@ -0,0 +1,8 @@
+{
+  "os_version": "1.0",
+  "cve_id": "CVE-2017-5637",
+  "pkg": "zookeeper",
+  "cve_score": 7.5,
+  "aff_ver": "all versions before 3.4.10-2.ph1 are vulnerable",
+  "res_ver": "3.4.10-2.ph1"
+}
--- a/photon/testdata/golden/CVE-2017-7473.json
+++ b/photon/testdata/golden/CVE-2017-7473.json
@ -0,0 +1,8 @@
+{
+  "os_version": "2.0",
+  "cve_id": "CVE-2017-7473",
+  "pkg": "ansible",
+  "cve_score": 5,
+  "aff_ver": "all versions before 2.4.0.0-1.ph2 are vulnerable",
+  "res_ver": "2.4.0.0-1.ph2"
+}
--- a/photon/testdata/golden/CVE-2018-10372.json
+++ b/photon/testdata/golden/CVE-2018-10372.json
@ -0,0 +1,8 @@
+{
+  "os_version": "1.0",
+  "cve_id": "CVE-2018-10372",
+  "pkg": "binutils",
+  "cve_score": 5.5,
+  "aff_ver": "all versions before 2.30-5.ph1 are vulnerable",
+  "res_ver": "2.30-5.ph1"
+}
--- a/photon/testdata/golden/CVE-2018-16876.json
+++ b/photon/testdata/golden/CVE-2018-16876.json
@ -0,0 +1,8 @@
+{
+  "os_version": "2.0",
+  "cve_id": "CVE-2018-16876",
+  "pkg": "ansible",
+  "cve_score": 7.5,
+  "aff_ver": "all versions before 2.7.9-1.ph2 are vulnerable",
+  "res_ver": "2.7.9-1.ph2"
+}
--- a/photon/testdata/golden/CVE-2019-0199.json
+++ b/photon/testdata/golden/CVE-2019-0199.json
@ -0,0 +1,8 @@
+{
+  "os_version": "3.0",
+  "cve_id": "CVE-2019-0199",
+  "pkg": "apache-tomcat",
+  "cve_score": 7.5,
+  "aff_ver": "all versions before 8.5.40-1.ph3 are vulnerable",
+  "res_ver": "8.5.40-1.ph3"
+}
--- a/photon/testdata/golden/CVE-2019-10072.json
+++ b/photon/testdata/golden/CVE-2019-10072.json
@ -0,0 +1,8 @@
+{
+  "os_version": "3.0",
+  "cve_id": "CVE-2019-10072",
+  "pkg": "apache-tomcat",
+  "cve_score": 7.5,
+  "aff_ver": "all versions before 8.5.40-2.ph3 are vulnerable",
+  "res_ver": "8.5.40-2.ph3"
+}
--- a/photon/testdata/golden/CVE-2019-10156.json
+++ b/photon/testdata/golden/CVE-2019-10156.json
@ -0,0 +1,8 @@
+{
+  "os_version": "2.0",
+  "cve_id": "CVE-2019-10156",
+  "pkg": "ansible",
+  "cve_score": 5.4,
+  "aff_ver": "all versions before 2.7.9-2.ph2 are vulnerable",
+  "res_ver": "2.7.9-2.ph2"
+}
--- a/photon/testdata/golden/CVE-2019-12972.json
+++ b/photon/testdata/golden/CVE-2019-12972.json
@ -0,0 +1,8 @@
+{
+  "os_version": "1.0",
+  "cve_id": "CVE-2019-12972",
+  "pkg": "binutils",
+  "cve_score": 5.5,
+  "aff_ver": "all versions before 2.31-9.ph1 are vulnerable",
+  "res_ver": "2.31-9.ph1"
+}
--- a/photon/testdata/golden/CVE-2019-3828.json
+++ b/photon/testdata/golden/CVE-2019-3828.json
@ -0,0 +1,8 @@
+{
+  "os_version": "3.0",
+  "cve_id": "CVE-2019-3828",
+  "pkg": "ansible",
+  "cve_score": 10,
+  "aff_ver": "all versions before 2.7.6-2.ph3 are vulnerable",
+  "res_ver": "2.7.6-2.ph3"
+}
--- a/photon/testdata/invalid.txt
+++ b/photon/testdata/invalid.txt
--- a/photon/testdata/invalid_photon_versions.json
+++ b/photon/testdata/invalid_photon_versions.json
@ -0,0 +1 @@
+{invalid}
--- a/photon/testdata/photon_versions.json
+++ b/photon/testdata/photon_versions.json
@ -0,0 +1 @@
+{"branches": ["1.0", "2.0", "3.0"]}
--- a/photon/types.go
+++ b/photon/types.go
@ -0,0 +1,14 @@
+package photon
+
+type Versions struct {
+	Branches []string `json:"branches"`
+}
+
+type PhotonCVE struct {
+	OSVersion string  `json:"os_version"`
+	CveID     string  `json:"cve_id"`
+	Pkg       string  `json:"pkg"`
+	CveScore  float64 `json:"cve_score"`
+	AffVer    string  `json:"aff_ver"`
+	ResVer    string  `json:"res_ver"`
+}