feat(ci): add euvd

MaineK00n · MaineK00n · commit af965e3e7a12 · 2025-11-12T05:57:50.000+09:00
diff --git a/.github/workflows/archive-raw.yml b/.github/workflows/archive-raw.yml
@@ -51,6 +51,7 @@ jobs:
           - "endoflife-date-products"
           - "erlang-ghsa"
           - "erlang-osv"
+          - "euvd"
           - "exploit-exploitdb"
           - "exploit-github"
           - "exploit-inthewild"
diff --git a/.github/workflows/archive.yml b/.github/workflows/archive.yml
@@ -53,6 +53,7 @@ on:
           - vuls-data-raw-endoflife-date-products
           - vuls-data-raw-erlang-ghsa
           - vuls-data-raw-erlang-osv
+          - vuls-data-raw-euvd
           - vuls-data-raw-exploit-exploitdb
           - vuls-data-raw-exploit-github
           - vuls-data-raw-exploit-inthewild
diff --git a/.github/workflows/backup-daily.yml b/.github/workflows/backup-daily.yml
@@ -76,6 +76,7 @@ jobs:
           - vuls-data-raw-epss
           - vuls-data-raw-erlang-ghsa
           - vuls-data-raw-erlang-osv
+          - vuls-data-raw-euvd
           - vuls-data-raw-exploit-exploitdb
           - vuls-data-raw-exploit-github
           - vuls-data-raw-exploit-inthewild
diff --git a/.github/workflows/backup-monthly.yml b/.github/workflows/backup-monthly.yml
@@ -76,6 +76,7 @@ jobs:
           - vuls-data-raw-epss
           - vuls-data-raw-erlang-ghsa
           - vuls-data-raw-erlang-osv
+          - vuls-data-raw-euvd
           - vuls-data-raw-exploit-exploitdb
           - vuls-data-raw-exploit-github
           - vuls-data-raw-exploit-inthewild
diff --git a/.github/workflows/backup-weekly.yml b/.github/workflows/backup-weekly.yml
@@ -76,6 +76,7 @@ jobs:
           - vuls-data-raw-epss
           - vuls-data-raw-erlang-ghsa
           - vuls-data-raw-erlang-osv
+          - vuls-data-raw-euvd
           - vuls-data-raw-exploit-exploitdb
           - vuls-data-raw-exploit-github
           - vuls-data-raw-exploit-inthewild
diff --git a/.github/workflows/fetch-all.yml b/.github/workflows/fetch-all.yml
@@ -170,77 +170,62 @@ jobs:
     with:
       target: ${{ matrix.target }}
 
-  fetch-nvd-api:
+  fetch-cisco-json:
+    name: Fetch vuls-data-raw-cisco-json
+    uses: ./.github/workflows/fetch-cisco-json.yml
+    secrets:
+      CISCO_CLIENT_KEY: ${{ secrets.CISCO_CLIENT_KEY }}
+      CISCO_CLIENT_SECRET: ${{ secrets.CISCO_CLIENT_SECRET }}
+
+  fetch-cisco-cvrf-or-csaf:
     name: Fetch vuls-data-raw-${{ matrix.target }}
+    if: ${{ success() || failure() }}
+    needs: fetch-cisco-json
     strategy:
       fail-fast: false
-      max-parallel: 1
       matrix:
         target:
-          - "nvd-api-cve"
-          - "nvd-api-cpe"
-          - "nvd-api-cpematch"
-    uses: ./.github/workflows/fetch-nvd-api.yml
+          - "cisco-cvrf"
+          - "cisco-csaf"
+    uses: ./.github/workflows/fetch-cisco-cvrf-or-csaf.yml
     with:
       target: ${{ matrix.target }}
-    secrets:
-      NVD_API_KEY: ${{ secrets.NVD_API_KEY }}
 
-  fetch-redhat-package-manifest:
-    name: Fetch vuls-data-raw-redhat-package-manifest
-    uses: ./.github/workflows/fetch-redhat-package-manifest.yml
+  fetch-epss:
+    name: Fetch vuls-data-raw-epss
+    uses: ./.github/workflows/fetch-epss.yml
 
-  fetch-msuc:
-    name: Fetch vuls-data-raw-microsoft-msuc
-    uses: ./.github/workflows/fetch-msuc.yml
+  fetch-euvd:
+    name: Fetch vuls-data-raw-euvd
+    uses: ./.github/workflows/fetch-euvd.yml
 
   fetch-fedora:
     name: Fetch vuls-data-raw-fedora
     uses: ./.github/workflows/fetch-fedora.yml
 
-  fetch-epss:
-    name: Fetch vuls-data-raw-epss
-    uses: ./.github/workflows/fetch-epss.yml
-
   fetch-fortinet-cvrf:
     name: Fetch vuls-data-raw-fortinet-cvrf
     uses: ./.github/workflows/fetch-fortinet-cvrf.yml
 
-  fetch-vulncheck:
-    name: Fetch vuls-data-raw-${{ matrix.target }}
-    strategy:
-      fail-fast: false
-      matrix:
-        target:
-          - "vulncheck-kev"
-          - "vulncheck-nist-nvd"
-          - "vulncheck-nist-nvd2"
-    uses: ./.github/workflows/fetch-vulncheck.yml
-    with:
-      target: ${{ matrix.target }}
-    secrets:
-      VULNCHECK_API_KEY: ${{ secrets.VULNCHECK_API_KEY }}
-
-  fetch-cisco-json:
-    name: Fetch vuls-data-raw-cisco-json
-    uses: ./.github/workflows/fetch-cisco-json.yml
-    secrets:
-      CISCO_CLIENT_KEY: ${{ secrets.CISCO_CLIENT_KEY }}
-      CISCO_CLIENT_SECRET: ${{ secrets.CISCO_CLIENT_SECRET }}
+  fetch-msuc:
+    name: Fetch vuls-data-raw-microsoft-msuc
+    uses: ./.github/workflows/fetch-msuc.yml
 
-  fetch-cisco-cvrf-or-csaf:
+  fetch-nvd-api:
     name: Fetch vuls-data-raw-${{ matrix.target }}
-    if: ${{ success() || failure() }}
-    needs: fetch-cisco-json
     strategy:
       fail-fast: false
+      max-parallel: 1
       matrix:
         target:
-          - "cisco-cvrf"
-          - "cisco-csaf"
-    uses: ./.github/workflows/fetch-cisco-cvrf-or-csaf.yml
+          - "nvd-api-cve"
+          - "nvd-api-cpe"
+          - "nvd-api-cpematch"
+    uses: ./.github/workflows/fetch-nvd-api.yml
     with:
       target: ${{ matrix.target }}
+    secrets:
+      NVD_API_KEY: ${{ secrets.NVD_API_KEY }}
 
   fetch-paloalto-json-or-csaf:
     name: Fetch vuls-data-raw-${{ matrix.target }}
@@ -256,6 +241,10 @@ jobs:
     with:
       target: ${{ matrix.target }}
 
+  fetch-redhat-package-manifest:
+    name: Fetch vuls-data-raw-redhat-package-manifest
+    uses: ./.github/workflows/fetch-redhat-package-manifest.yml
+
   fetch-variot:
     name: Fetch vuls-data-raw-${{ matrix.target }}
     strategy:
@@ -270,22 +259,39 @@ jobs:
     secrets:
       VARIOT_API_KEY: ${{ secrets.VARIOT_API_KEY }}
 
+  fetch-vulncheck:
+    name: Fetch vuls-data-raw-${{ matrix.target }}
+    strategy:
+      fail-fast: false
+      matrix:
+        target:
+          - "vulncheck-kev"
+          - "vulncheck-nist-nvd"
+          - "vulncheck-nist-nvd2"
+    uses: ./.github/workflows/fetch-vulncheck.yml
+    with:
+      target: ${{ matrix.target }}
+    secrets:
+      VULNCHECK_API_KEY: ${{ secrets.VULNCHECK_API_KEY }}
+
   check:
     name: Decide whether to Git GC
     if: ${{ success() || failure() }}
     needs:
       [
         fetch-main,
-        fetch-nvd-api,
-        fetch-msuc,
-        fetch-fedora,
-        fetch-epss,
-        fetch-fortinet-cvrf,
-        fetch-vulncheck,
         fetch-cisco-json,
         fetch-cisco-cvrf-or-csaf,
+        fetch-epss,
+        fetch-euvd,
+        fetch-fedora,
+        fetch-fortinet-cvrf,
+        fetch-nvd-api,
+        fetch-msuc,
         fetch-paloalto-json-or-csaf,
+        fetch-redhat-package-manifest,
         fetch-variot,
+        fetch-vulncheck,
       ]
     runs-on: ubuntu-latest
     outputs:
diff --git a/.github/workflows/fetch-euvd.yml b/.github/workflows/fetch-euvd.yml
@@ -0,0 +1,135 @@
+name: Fetch EUVD
+
+on:
+  workflow_call:
+  workflow_dispatch:
+
+jobs:
+  generate-year-month:
+    name: Generate year-month
+    runs-on: ubuntu-latest
+    outputs:
+      matrix: ${{ steps.generate.outputs.matrix }}
+    steps:
+      - name: Generate Year-Month
+        id: generate
+        run: |
+          current_year=$(date +%Y)
+          current_month=$(date +%m)
+
+          json="{\"include\":["
+
+          for year in $(seq 1999 $current_year); do
+            for month in $(seq -w 1 12); do
+              if [ "$year" -eq "$current_year" ] && [ "$month" -gt "$current_month" ]; then
+                break
+              fi
+              json="$json{\"year\":\"$year\",\"month\":\"$month\"},"
+            done
+          done
+
+          json="${json%,}]}"
+          echo "matrix=$json" >> $GITHUB_OUTPUT
+
+  fetch:
+    name: Fetch vuls-data-raw-euvd ${{ matrix.year }}-${{ matrix.month }}
+    runs-on: ubuntu-latest
+    needs: generate-year-month
+    strategy:
+      fail-fast: false
+      matrix: ${{ fromJson(needs.generate-year-month.outputs.matrix) }}
+    steps:
+      - name: Maximize build space
+        uses: easimon/maximize-build-space@v10
+        with:
+          root-reserve-mb: 32768
+          remove-dotnet: "true"
+          remove-android: "true"
+          remove-haskell: "true"
+          remove-codeql: "true"
+          remove-docker-images: "true"
+
+      - name: Check out code into the Go module directory
+        uses: actions/checkout@v5
+        with:
+          repository: MaineK00n/vuls-data-update
+          ref: main
+
+      - name: Set up Go 1.x
+        uses: actions/setup-go@v6
+        with:
+          go-version-file: "go.mod"
+
+      - name: Install vuls-data-update
+        run: go install ./cmd/vuls-data-update
+
+      - name: Fetch
+        run: |
+          mkdir vuls-data-raw-euvd
+          vuls-data-update fetch euvd --dir vuls-data-raw-euvd ${{ matrix.year }}-${{ matrix.month }} --retry 10
+
+      - name: Create tarball
+        run: tar --remove-files -acf vuls-data-raw-euvd.tar.zst vuls-data-raw-euvd || [[ $? == 1 ]]
+
+      - name: Push ghcr.io/vulsio/vuls-data-db:euvd-data-${{ matrix.year }}-${{ matrix.month }}
+        run: vuls-data-update dotgit registry push --force --token ${{ secrets.GITHUB_TOKEN }} ghcr.io/vulsio/vuls-data-db:euvd-data-${{ matrix.year }}-${{ matrix.month }} vuls-data-raw-euvd.tar.zst
+
+  commit:
+    name: Commit vuls-data-raw-euvd
+    runs-on: ubuntu-latest
+    if: ${{ success() || failure() }}
+    needs: [generate-year-month, fetch]
+    steps:
+      - name: Maximize build space
+        uses: easimon/maximize-build-space@v10
+        with:
+          root-reserve-mb: 32768
+          remove-dotnet: "true"
+          remove-android: "true"
+          remove-haskell: "true"
+          remove-codeql: "true"
+          remove-docker-images: "true"
+
+      - name: Set up Go 1.x
+        uses: actions/setup-go@v6
+        with:
+          go-version: "stable"
+
+      - name: Install vuls-data-update
+        run: go install github.com/MaineK00n/vuls-data-update/cmd/vuls-data-update@main
+
+      - name: Pull ghcr.io/${{ github.repository }}:vuls-data-raw-euvd
+        run: vuls-data-update dotgit pull --dir . --checkout main ghcr.io/${{ github.repository }}:vuls-data-raw-euvd
+
+      - name: Aggregate EUVD data
+        run: |
+          for ym in $(cat ${{ needs.generate-year-month.outputs.matrix }} | jq -r '.include[] | .year + "-" + .month'); do 
+            vuls-data-update dotgit pull --dir . --checkout "" ghcr.io/${{ github.repository }}:euvd-data-${ym}
+            if ls ghcr.io/${{ github.repository }}/euvd-data-${ym}/* >/dev/null 2>&1; then
+              mv ghcr.io/${{ github.repository }}/euvd-data-${ym}/* ghcr.io/${{ github.repository }}/vuls-data-raw-euvd/ 
+            fi
+            rmdir ghcr.io/${{ github.repository }}/euvd-data-${ym}
+          done
+
+      - name: Set Git config
+        run: |
+          if git -C ghcr.io/${{ github.repository }}/vuls-data-raw-euvd remote | grep -q "^origin$"; then
+            git -C ghcr.io/${{ github.repository }}/vuls-data-raw-euvd remote set-url origin ghcr.io/${{ github.repository }}:vuls-data-raw-euvd
+          else
+            git -C ghcr.io/${{ github.repository }}/vuls-data-raw-euvd remote add origin ghcr.io/${{ github.repository }}:vuls-data-raw-euvd
+          fi
+          git -C ghcr.io/${{ github.repository }}/vuls-data-raw-euvd config user.email "action@github.com"
+          git -C ghcr.io/${{ github.repository }}/vuls-data-raw-euvd config user.name "GitHub Action"
+
+      - name: Commit
+        run: |
+          if [[ -n $(git -C ghcr.io/${{ github.repository }}/vuls-data-raw-euvd status --porcelain) ]]; then
+            git -C ghcr.io/${{ github.repository }}/vuls-data-raw-euvd add .
+            git -C ghcr.io/${{ github.repository }}/vuls-data-raw-euvd commit -m "update" -m "GitHub Actions: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}/job/${{ job.check_run_id }}"
+          fi
+
+      - name: Create dotgit tarball
+        run: vuls-data-update dotgit compress ghcr.io/${{ github.repository }}/vuls-data-raw-euvd
+
+      - name: Push ghcr.io/${{ github.repository }}:vuls-data-raw-euvd
+        run: vuls-data-update dotgit registry push --force --token ${{ secrets.GITHUB_TOKEN }} ghcr.io/${{ github.repository }}:vuls-data-raw-euvd vuls-data-raw-euvd.tar.zst
diff --git a/.github/workflows/gc-raw.yml b/.github/workflows/gc-raw.yml
@@ -129,6 +129,9 @@ jobs:
           - tag: vuls-data-raw-erlang-osv
             pack-threads: 2
             pack-windowMemory: 4g
+          - tag: vuls-data-raw-euvd
+            pack-threads: 2
+            pack-windowMemory: 4g
           - tag: vuls-data-raw-exploit-exploitdb
             pack-threads: 2
             pack-windowMemory: 4g
diff --git a/.github/workflows/gc.yml b/.github/workflows/gc.yml
@@ -93,6 +93,7 @@ on:
           - vuls-data-raw-epss
           - vuls-data-raw-erlang-ghsa
           - vuls-data-raw-erlang-osv
+          - vuls-data-raw-euvd
           - vuls-data-raw-exploit-exploitdb
           - vuls-data-raw-exploit-github
           - vuls-data-raw-exploit-inthewild
diff --git a/.github/workflows/restore-all.yml b/.github/workflows/restore-all.yml
@@ -84,6 +84,7 @@ jobs:
           - vuls-data-raw-epss
           - vuls-data-raw-erlang-ghsa
           - vuls-data-raw-erlang-osv
+          - vuls-data-raw-euvd
           - vuls-data-raw-exploit-exploitdb
           - vuls-data-raw-exploit-github
           - vuls-data-raw-exploit-inthewild
