fix: skip UNK-* and Re cves (#383)

DmitriyLewen · Copilot · web-flow · commit b94f157dd356 · 2025-10-30T16:10:11.000+06:00
Co-authored-by: Copilot &lt;175728472+Copilot@users.noreply.github.com&gt;
diff --git a/photon/photon.go b/photon/photon.go
@@ -87,12 +87,22 @@ func (c Config) Update() error {
 	return nil
 }
 
-func (c Config) saveCVEPerPkg(dirName, pkgName, cveID string, data interface{}) error {
+func (c Config) saveCVEPerPkg(dirName, pkgName, cveID string, cve PhotonCVE) error {
 	if cveID == "" {
 		log.Printf("CVE-ID is empty")
 		return nil
 	}
 
+	// Only skip unknown CVE entries (IDs starting with "UNK-" or "Re") that lack version information.
+	// Valid CVEs (e.g., "CVE-...") with both ResVer and AffVer as "NA" are still saved,
+	// as their status (e.g., "Not Affected") may be meaningful for reporting.
+	if (strings.HasPrefix(cveID, "UNK-") || cveID == "Re") &&
+		(cve.ResVer == "" || cve.ResVer == "NA") &&
+		(cve.AffVer == "" || cve.AffVer == "NA") {
+		log.Printf("Skip unknown CVE entry: %s", cveID)
+		return nil
+	}
+
 	s := strings.Split(cveID, "-")
 	if len(s) != 3 {
 		log.Printf("invalid CVE-ID: %s", cveID)
@@ -101,7 +111,7 @@ func (c Config) saveCVEPerPkg(dirName, pkgName, cveID string, data interface{})
 
 	pkgDir := filepath.Join(c.VulnListDir, dirName, pkgName)
 	fileName := fmt.Sprintf("%s.json", cveID)
-	if err := utils.WriteJSON(c.AppFs, pkgDir, fileName, data); err != nil {
+	if err := utils.WriteJSON(c.AppFs, pkgDir, fileName, cve); err != nil {
 		return xerrors.Errorf("failed to write file: %w", err)
 	}
 	return nil
diff --git a/photon/photon_test.go b/photon/photon_test.go
@@ -49,6 +49,7 @@ func TestConfig_Update(t *testing.T) {
 				"/tmp/photon/3.0/apache-tomcat/CVE-2019-0199.json":  "testdata/golden/CVE-2019-0199.json",
 				"/tmp/photon/3.0/apache-tomcat/CVE-2019-10072.json": "testdata/golden/CVE-2019-10072.json",
 				"/tmp/photon/3.0/binutils/CVE-2017-16826.json":      "testdata/golden/CVE-2017-16826.json",
+				"/tmp/photon/3.0/curl/CVE-2025-0725.json":           "testdata/golden/CVE-2025-0725.json",
 			},
 		},
 		{
@@ -127,6 +128,7 @@ func TestConfig_Update(t *testing.T) {
 				"/tmp/photon/3.0/apache-tomcat/CVE-2019-0199.json":  "testdata/golden/CVE-2019-0199.json",
 				"/tmp/photon/3.0/apache-tomcat/CVE-2019-10072.json": "testdata/golden/CVE-2019-10072.json",
 				"/tmp/photon/3.0/binutils/CVE-2017-16826.json":      "testdata/golden/CVE-2017-16826.json",
+				"/tmp/photon/3.0/curl/CVE-2025-0725.json":           "testdata/golden/CVE-2025-0725.json",
 			},
 		},
 	}
diff --git a/photon/testdata/cve_data_photon3.0.json b/photon/testdata/cve_data_photon3.0.json
@@ -26,5 +26,21 @@
     "cve_score": 7.8,
     "aff_ver": "all versions before 2.31.1-3.ph3 are vulnerable",
     "res_ver": "2.31.1-3.ph3"
+  },
+  {
+    "cve_id": "UNK-1",
+    "pkg": "curl-libs",
+    "cve_score": 6.7,
+    "aff_ver": "NA",
+    "res_ver": "NA",
+    "status": "Not Affected"
+  },
+  {
+    "cve_id": "CVE-2025-0725",
+    "pkg": "curl",
+    "cve_score": 7.3,
+    "aff_ver": "NA",
+    "res_ver": "NA",
+    "status": "Not Affected"
   }
 ]
diff --git a/photon/testdata/golden/CVE-2025-0725.json b/photon/testdata/golden/CVE-2025-0725.json
@@ -0,0 +1,8 @@
+{
+  "os_version": "3.0",
+  "cve_id": "CVE-2025-0725",
+  "pkg": "curl",
+  "cve_score": 7.3,
+  "aff_ver": "NA",
+  "res_ver": "NA"
+}
