From dce3d1f4a709145592e5e808d33ab83c3a274a8e Mon Sep 17 00:00:00 2001
From: "Sascha L. Teichmann"
Date: Mon, 1 Aug 2022 06:46:05 +0200
Subject: [PATCH] load advisories via directory_urls

---
 cmd/csaf_checker/processor.go | 56 +++++++++++++++++++++++++++-------
 csaf/advisories.go | 57 +++++++++++++++++++++++++++++------
 2 files changed, 93 insertions(+), 20 deletions(-)

diff --git a/cmd/csaf_checker/processor.go b/cmd/csaf_checker/processor.go
index e7acf35..49b134b 100644
--- a/cmd/csaf_checker/processor.go
+++ b/cmd/csaf_checker/processor.go
@@ -877,6 +877,16 @@ func (p *processor) processROLIEFeeds(domain string, feeds [][]csaf.Feed) error
 return nil
 }

+// empty checks if list of strings contains at least one none empty string.
+func empty(arr []string) bool {
+ for _, s := range arr {
+ if s != "" {
+ return false
+ }
+ }
+ return true
+}
+
 func (p *processor) checkCSAFs(domain string) error {
 // Check for ROLIE
 rolie, err := p.expr.Eval("$.distributions[*].rolie.feeds", p.pmd)
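Review bot: The doc comment on `empty` says the opposite of what the function returns: it returns true only when the slice holds no non-empty string (a nil slice included), while the comment reads as if true meant that one was found. I would reword it to `// empty reports whether arr contains no non-empty string.`. The identical helper and comment are added a second time in csaf/advisories.go; the same rewording applies there, and moving one copy into a package both files already use (both call into `util`) would remove the duplication.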
@@ -898,22 +908,46 @@ func (p *processor) checkCSAFs(domain string) error {
 }
 }

- // No rolie feeds
- pmdURL, err := url.Parse(p.pmdURL)
+ // No rolie feeds -> try directory_urls.
+ directoryURLs, err := p.expr.Eval(
+ "$.distributions[*].directory_url", p.pmd)
+
+ var dirURLs []string
+
 if err != nil {
- return err
- }
- base, err := util.BaseURL(pmdURL)
- if err != nil {
- return err
+ p.badProviderMetadata.warn("extracting directory URLs failed: %v.", err)
+ } else {
+ var ok bool
+ dirURLs, ok = directoryURLs.([]string)
+ if !ok {
+ p.badProviderMetadata.warn("directory URLs are not strings.")
+ }
 }

- if err := p.checkIndex(base, indexMask); err != nil && err != errContinue {
- return err
+ // Not found -> fall back to PMD url
+ if empty(dirURLs) {
+ pmdURL, err := url.Parse(p.pmdURL)
+ if err != nil {
+ return err
+ }
+ baseURL, err := util.BaseURL(pmdURL)
+ if err != nil {
+ return err
+ }
+ dirURLs = []string{baseURL}
 }

- if err := p.checkChanges(base, changesMask); err != nil && err != errContinue {
- return err
+ for _, base := range dirURLs {
+ if base == "" {
+ continue
+ }
+ if err := p.checkIndex(base, indexMask); err != nil && err != errContinue {
+ return err
+ }
+
+ if err := p.checkChanges(base, changesMask); err != nil && err != errContinue {
+ return err
+ }
 }

 return nil
diff --git a/csaf/advisories.go b/csaf/advisories.go
index 1e0bdbe..84be1d9 100644
--- a/csaf/advisories.go
+++ b/csaf/advisories.go
@@ -96,6 +96,16 @@ func NewAdvisoryFileProcessor(
 }
 }

+// empty checks if list of strings contains at least one none empty string.
+func empty(arr []string) bool {
+ for _, s := range arr {
+ if s != "" {
+ return false
+ }
+ }
+ return true
+}
+
 // Process extracts the adivisory filenames and passes them with
 // the corresponding label to fn.
 func (afp *AdvisoryFileProcessor) Process(
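Review bot: In checkCSAFs the `directory_url` entries come straight from the provider metadata document and are handed to `p.checkIndex` and `p.checkChanges` unvetted, so a provider-controlled string decides which scheme and host the checker requests from. The loop skips only the empty string. I would parse and vet each entry before use, for example `u, err := url.Parse(base)` followed by `if err != nil || u.Scheme != "https" { p.badProviderMetadata.warn("invalid directory URL %q.", base); continue }`. What checkIndex and checkChanges do with the base is outside this hunk, so part of this may already be rejected there. The same applies to the loop added to Process in csaf/advisories.go, where the values go to `afp.loadIndex`.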
@@ -133,13 +143,44 @@ func (afp *AdvisoryFileProcessor) Process(
 }
 } else {
 // No rolie feeds -> try to load files from index.txt
- files, err := afp.loadIndex(lg)
+
+ directoryURLs, err := afp.expr.Eval(
+ "$.distributions[*].directory_url", afp.doc)
+
+ var dirURLs []string
+
 if err != nil {
- return err
+ lg("extracting directory URLs failed: %v\n", err)
+ } else {
+ var ok bool
+ dirURLs, ok = directoryURLs.([]string)
+ if !ok {
+ lg("directory_urls are not strings.\n")
+ }
 }
- // XXX: Is treating as white okay? better look into the advisories?
- if err := fn(TLPLabelWhite, files); err != nil {
- return err
+
+ // Not found -> fall back to PMD url
+ if empty(dirURLs) {
+ baseURL, err := util.BaseURL(afp.base)
+ if err != nil {
+ return err
+ }
+ dirURLs = []string{baseURL}
+ }
+
+ for _, base := range dirURLs {
+ if base == "" {
+ continue
+ }
+
+ files, err := afp.loadIndex(base, lg)
+ if err != nil {
+ return err
+ }
+ // XXX: Is treating as white okay? better look into the advisories?
+ if err := fn(TLPLabelWhite, files); err != nil {
+ return err
+ }
 }
 } // TODO: else scan directories?
 return nil
@@ -148,12 +189,10 @@ func (afp *AdvisoryFileProcessor) Process(
 // loadIndex loads baseURL/index.txt and returns a list of files
 // prefixed by baseURL/.
 func (afp *AdvisoryFileProcessor) loadIndex(
+ baseURL string,
 lg func(string, ...interface{}),
 ) ([]AdvisoryFile, error) {
- baseURL, err := util.BaseURL(afp.base)
- if err != nil {
- return nil, err
- }
+
 base, err := url.Parse(baseURL)
 if err != nil {
 return nil, err
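Review bot: The assertion `dirURLs, ok = directoryURLs.([]string)` in Process succeeds only when `afp.expr.Eval` returns a value whose dynamic type is exactly `[]string`. If Eval hands back generically decoded JSON (for instance `[]interface{}`; its return type is not visible in this hunk), this branch always logs "directory_urls are not strings." and the code silently falls back to the base URL, so the configured directory URLs would never be used. A type switch that also accepts `[]interface{}` and keeps its string elements would make this robust. checkCSAFs in cmd/csaf_checker/processor.go uses the same assertion.

```go
if err != nil {
	lg("extracting directory URLs failed: %v\n", err)
} else {
	switch v := directoryURLs.(type) {
	case []string:
		dirURLs = v
	case []interface{}:
		for _, e := range v {
			if s, ok := e.(string); ok {
				dirURLs = append(dirURLs, s)
			}
		}
	default:
		lg("directory_urls are not strings.\n")
	}
}
// … unchanged: fallback to the base URL and the loadIndex loop …
```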
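Review bot: loadIndex's comment still describes the result as `baseURL/index.txt` with files "prefixed by baseURL/", but baseURL is now a caller-supplied value that can come from a `directory_url` in the provider metadata instead of from `util.BaseURL`. If such a value ends in a slash and the joining code (outside this hunk) concatenates with "/", the index URL and every returned file URL would contain a double slash. I would either normalise once at the top, e.g. `baseURL = strings.TrimSuffix(baseURL, "/")`, or state in the doc comment that baseURL must be passed without a trailing slash. The function body continues past the end of the hunk.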