feat: add check-advisories to check BRSA fields

[piyush-jena]

Description of changes:
Add check-advisories task

• Validate CVE ID/GHSA ID in the Rust crate. Moves implementation of this (twoliter: add check-advisories task to lint BRSAs #467) into the Rust crate.
• Validate BRSA's package-metadata and make sure the included package is at a higher version.

How it works?
We implement a advisory-checker rust crate that takes 2 arguments - The rpmspec file and advisories directory. The binary is called during build by the upper level build.Dockerfile. Since, its already in the sdk context and the rpm macros are loaded, we can use rpmspec and rpm --eval macros to extract package name and versions. We deserialize the advisory files to extract the expected version and then compare using rpm.vercmp to evaluate if we are in a newer version.

Testing done:
Cropping output for brevity.

Testing it on bottlerocket-core-kit. I introduced 2 errors to test different cases. I created a sub-package BRSA with wrong epoch which got flagged. A different package with wrong version also got flagged.

[fedora@ip-172-31-57-102 bottlerocket-core-kit]$ PACKAGE="amazon-ssm-agent" make twoliter build-package
Found Twoliter v0.13.0 installed.
Skipping installation.
[2025-12-11T22:26:32Z INFO  twoliter::project::lock] Resolving project references to check against lock file
[2025-12-11T22:26:32Z INFO  twoliter::project::lock::image] Resolving dependency image dependency 
 **********************************************
[cargo-make] INFO - Running Task: validate-kits
[cargo-make] INFO - Running Task: build-package
   Compiling amazon-ssm-agent v0.1.0 (/home/fedora/Repositories/myrepos/bottlerocket-core-kit/packages/amazon-ssm-agent)
error: failed to run custom build command for `amazon-ssm-agent v0.1.0 (/home/fedora/Repositories/myrepos/bottlerocket-core-kit/packages/amazon-ssm-agent)`
***********************************************
  #11 [rpmbuild 5/7] RUN --mount=source=advisories,target=/home/builder/advisories     --mount=target=/host     /host/build/tools/advisory-checker --spec-file rpmbuild/SPECS/amazon-ssm-agent.spec --advisories-dir /home/builder/advisories/
  #11 0.337 Error: 1 Advisory violations found.
  #11 0.337 
  #11 0.337 Advisory violations found: 
  #11 0.337  BRSA ID: BRSA-hc1ikaaaqfgw
  #11 0.337  package name: amazon-ssm-agent-plugin
  #11 0.337  package version: 0:3.3.3185.0
  #11 0.337  min expected version: 1:3.3.2746.0
  #11 ERROR: process "/bin/sh -c /host/build/tools/advisory-checker --spec-file rpmbuild/SPECS/${PACKAGE}.spec --advisories-dir /home/builder/advisories/" did not complete successfully: exit code: 1
  ------
   > [rpmbuild 5/7] RUN --mount=source=advisories,target=/home/builder/advisories     --mount=target=/host     /host/build/tools/advisory-checker --spec-file rpmbuild/SPECS/amazon-ssm-agent.spec --advisories-dir /home/builder/advisories/:
  0.337 Error: 1 Advisory violations found.
  0.337 
  0.337 Advisory violations found: 
  0.337  BRSA ID: BRSA-hc1ikaaaqfgw
  0.337  package name: amazon-ssm-agent-plugin
  0.337  package version: 0:3.3.3185.0
  0.337  min expected version: 1:3.3.2746.0
 **********************************************
  --- stderr
  Failed to execute command: 'docker build /home/fedora/Repositories/myrepos/bottlerocket-core-kit --target package --tag buildsys-pkg-iputils-x86_64-d06f4eb4ccb3 --network host --file /home/fedora/Repositories/myrepos/bottlerocket-core-kit/build/tools/build.Dockerfile --no-cache-filter rpmbuild,kitbuild,repobuild,imgbuild,migrationbuild,kmodkitbuild,imgrepack --build-arg BYPASS_SOCKET=buildsys-pkg-iputils-x86_64-d06f4eb4ccb3-bypass --build-arg BUILDER_UID=1000 --build-arg KIT_DEPENDENCIES= --build-arg EXTERNAL_KIT_DEPENDENCIES= --build-arg PACKAGE=iputils --build-arg PACKAGE_DEPENDENCIES=glibc libattr libcap --build-arg BUILD_ID=9b3a8b3a-dirty --build-arg BUILD_ID_TIMESTAMP=1764962845 --build-arg ARCH=x86_64 --build-arg GOARCH=amd64 --build-arg SDK=public.ecr.aws/bottlerocket/bottlerocket-sdk:v0.65.1 --build-arg NOCACHE=257869799141623177217469531688013417160 --build-arg TOKEN=d06f4eb4ccb3 --build-arg OUTPUT_SOCKET=buildsys-output-d06f4eb4ccb3-257869799141623177217469531688013417160 --build-arg BUILDKIT_DOCKERFILE_CHECK=skip=InvalidDefaultArgInFrom,SecretsUsedInArgOrEnv'
Error while executing command, exit code: 101
Error: Command was unsuccessful, exit code 105
make: *** [Makefile:65: twoliter] Error 1

Testing it on bottlerocket-kernel-kit.

[fedora@ip-172-31-57-102 bottlerocket-kernel-kit]$ make ARCH=x86_64
 **********************************************
[cargo-make] INFO - Running Task: validate-kits
[cargo-make] INFO - Running Task: build-kit
    Finished `dev` profile [unoptimized + debuginfo] target(s) in 0.04s
[cargo-make] INFO - Build Done in 0.83 seconds.

Terms of contribution:

By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.

[jmt-lab]

LGTM

[piyush-jena]

Fixed some of the comments above.

[piyush-jena]

Resolved all comments.

[cbgbt]

I had to fix the advisories in the earlier versions because they didn't have patched-epoch field. We can plan on either defaulting to 0 here or add those fields in the advisories.

Zero as a default should be OK. RPM treats unspecified as 0.

I noticed that bottlerocket-core-kit/advisories/2.1.0/BRSA-1j0o73qa.toml has an odd patched version:

patched-version = "kernel-5.15.160-104.158.amzn2"

I suppose this just shows up as a warning? What should happen here?

[piyush-jena]

I had to fix the advisories in the earlier versions because they didn't have patched-epoch field. We can plan on either defaulting to 0 here or add those fields in the advisories.

Zero as a default should be OK. RPM treats unspecified as 0.

I noticed that bottlerocket-core-kit/advisories/2.1.0/BRSA-1j0o73qa.toml has an odd patched version:

patched-version = "kernel-5.15.160-104.158.amzn2"

I suppose this just shows up as a warning? What should happen here?

@cbgbt

1. Yeah I used default so that I don't have to fix the old advisories.

2. Because the corresponding package is not present, we just emit a warning like this

Checking advisory: advisories/2.1.0/BRSA-1j0o73qa.toml
  WARNING: Package kernel-5.15 could not be found.

[piyush-jena]

Fixed all comments.

[cbgbt]

Do we still need changes to Makefile.toml to ensure that these get run during a kit build? Maybe I missed it, but I'm not seeing how this gets invoked.

[cbgbt]

Should it be an error if we can't extract RPM metadata?

[piyush-jena]

There are 2 sources of error.

1. rpmspec command fails - this means its a malformed spec file and build would fail later.
2. output doesn't have 3 parts: name, epoch, version - I couldn't get it to fail on a valid spec file. If epoch is not present then the value is (none). Name and version are mandatory fields and would just cause command failure above.

[cbgbt]

Can we get an integration test with edge cases for this? We have other integration tests in twoliter that build kits. This logic seems correct, but it's pretty hard to know without tests.

[piyush-jena]

@cbgbt

Do we still need changes to Makefile.toml to ensure that these get run during a kit build? Maybe I missed it, but I'm not seeing how this gets invoked.

This runs as part of the make twoliter build-package so we don't need to make any changes. A bad advisory would show up as build failure with error messages like shown above in the Description.

[bcressey]

Better to run this before the package build.

[piyush-jena]

I placed it before the rpmbuild but after we put the sources and macros in the right place. Should I move this before that and add the line for copying macros into this?

[ginglis13]

I don't think this will this work for custom kits that may not include an advisories directory. Probably safer to mark as not required in the mount args and check for existence of the advisories dir:

Suggested change

	RUN --mount=source=advisories,target=/home/builder/advisories \
	--mount=target=/host \
	/host/build/tools/advisory-checker --spec-file rpmbuild/SPECS/${PACKAGE}.spec --advisories-dir /home/builder/advisories/
	RUN --mount=source=advisories,target=/home/builder/advisories,required=false \
	--mount=target=/host \
	if [ -d /home/builder/advisories ]; then \
	/host/build/tools/advisory-checker --spec-file rpmbuild/SPECS/${PACKAGE}.spec --advisories-dir /home/builder/advisories/ \
	fi

Alternatively, could just set required=false in the mount args and in your advisory-checker binary, throw a warning if the dir doesn't exist and move on.

I'd also advocate for unit/integration testing for this case.