fix(detector/vuls2): normalize Amazon Linux release in preConvert #2562
Merged
Older vuls scanners stored Amazon Linux releases with a codename suffix (e.g. "2 (Karoo)", "2022 (Amazon Linux)") and Amazon Linux 1 as a date-style version (e.g. "2018.03"). preConvert passed these through unchanged, so the downstream ecosystem became "amazon:2 (Karoo)" or "amazon:2018" and failed to match the vuls2 DB. Normalize Amazon Linux releases to the canonical major version in preConvert so detection works for legacy JSON, and reduce "2023.3.20240312" to "2023" for consistency with the existing getAmazonLinuxVersion logic.
Contributor
Pull request overview
This PR improves compatibility between legacy Vuls scan JSON and the vuls2 ecosystem by normalizing Amazon Linux `Release` values during `preConvert`, preventing mismatches like `amazon:2 (Karoo)` and `amazon:2018` that don’t align with the DB’s expected canonical releases.
Changes:
- Normalize Amazon Linux releases in `toVuls2Release` to a canonical major version (e.g., `2 (Karoo)` → `2`, `2018.03` → `1`, `2023.3.20240312` → `2023`).
- Add `Test_preConvert` coverage for Amazon Linux legacy/new-scanner release formats.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| detector/vuls2/vendor.go | Adds Amazon Linux release normalization logic in toVuls2Release to keep vuls2 releases canonical. |
| detector/vuls2/vuls2_test.go | Adds table-driven preConvert test cases covering multiple Amazon Linux release formats. |
Collaborator
Author
setup
$ mkdir -p results/2026-05-21T12-00-00+0900 \
&& git -C integration show 6fb9b2a:data/results/amazon_2.json > results/2026-05-21T12-00-00+0900/amazon_2.json
before
$ vuls report -refresh-cve 2026-05-21T12-00-00+0900
[May 21 12:04:45] INFO [localhost] vuls-0.39.2-48f8c7993dd0ee10273b510897e936d4553e4ae1-2026-05-20T02:25:17Z
...
[May 21 12:04:45] ERROR [localhost] Failed to detect Pkg CVE:
github.com/future-architect/vuls/detector.Detect
github.com/future-architect/vuls/detector/detector.go:54
- Failed to detect CVE with Vuls2:
github.com/future-architect/vuls/detector.DetectPkgCves
github.com/future-architect/vuls/detector/detector.go:306
- Failed to detect. err:
github.com/future-architect/vuls/detector/vuls2.Detect
github.com/future-architect/vuls/detector/vuls2/vuls2.go:89
- Failed to detect os packages. err:
github.com/future-architect/vuls/detector/vuls2.detect
github.com/future-architect/vuls/detector/vuls2/vuls2.go:218
- ecosystem not found
github.com/MaineK00n/vuls2/pkg/db/session/types.init
<autogenerated>:1
runtime.doInit1
runtime/proc.go:8103
runtime.doInit
runtime/proc.go:8070
runtime.main
runtime/proc.go:258
runtime.goexit
runtime/asm_amd64.s:1771
"amazon:2 (Karoo)" not found
...
after
$ vuls report -refresh-cve 2026-05-21T12-00-00+0900
[May 21 12:05:30] INFO [localhost] vuls-v0.39.2-build-20260521_120350_cfd7edd5
...
amazon_2 (amazon2 (Karoo))
==========================
Total: 4423 (Critical:29 High:3906 Medium:460 Low:28 ?:0)
4423/4423 Fixed, 2159 poc, 9 exploits, 23 kevs, uscert: 0, jpcert: 0 alerts
440 installed |
Summary
- `2 (Karoo)`, `2022 (Amazon Linux)`) and Amazon Linux 1 as a date-style version (e.g. `2018.03`). When such legacy JSON was fed back through `report`, `preConvert` passed the release through unchanged, so the downstream vuls2 ecosystem became e.g. `amazon:2 (Karoo)` or `amazon:2018` and failed to match the DB (`amazon:2`, `amazon:1`).
- `toVuls2Release` for `constant.Amazon` now normalizes to the canonical major version: strip the codename suffix via `strings.Fields(release)[0]`, return `"1"` for YYYY.MM date-style values (AL1), and otherwise reduce to the major component via `strings.Split(s, ".")[0]`. Matches the existing `config.getAmazonLinuxVersion` / `scanner/amazon.go` patterns.
- `scanTypes.ScanResult.Release` after preConvert:
  - `"2 (Karoo)"` → `"2"`
  - `"2022 (Amazon Linux)"` → `"2022"`
  - `"2023.3.20240312"` (new scanner) → `"2023"`
  - `"2018.03"` / `"2017.09"` → `"1"`
  - `"2"`, `"2022"`, `"2023"` (new scanner) → unchanged

Test plan
- `go test ./detector/vuls2/...`
- `go vet ./...`
- `Test_preConvert` cases for AL2/AL2022 (old codename suffix), AL2023 (new scanner with patch), AL1 (date-style), AL2 (new scanner)

🤖 Generated with Claude Code
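The three normalization steps listed in the summary, as an added Go example; it is not the project's `toVuls2Release` code. The names `normalizeAmazonRelease` and `ecosystem` are hypothetical, and detecting the YYYY.MM form with `time.Parse("2006.01", ...)` is an assumption. An empty `Release` is rejected here so that the `[0]` index cannot panic.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"time"
)

// normalizeAmazonRelease (hypothetical name) reduces a stored Amazon Linux
// release string to the canonical major version described in the summary.
func normalizeAmazonRelease(release string) (string, error) {
	fields := strings.Fields(release)
	if len(fields) == 0 {
		// Guard the [0] index: an empty or blank Release would panic otherwise.
		return "", errors.New("empty Amazon Linux release")
	}
	s := fields[0] // strips the codename suffix: "2 (Karoo)" -> "2"

	// Assumption: an AL1 date-style value is recognised by parsing it as YYYY.MM.
	// "2023.3.20240312" does not parse (one-digit month, trailing text).
	if _, err := time.Parse("2006.01", s); err == nil {
		return "1", nil
	}
	// Otherwise keep only the major component: "2023.3.20240312" -> "2023".
	return strings.Split(s, ".")[0], nil
}

// ecosystem (hypothetical name) builds the "amazon:<release>" lookup key in
// the form shown in the "not found" error above.
func ecosystem(release string) (string, error) {
	v, err := normalizeAmazonRelease(release)
	if err != nil {
		return "", err
	}
	return "amazon:" + v, nil
}

func main() {
	// Constructed inputs, using the release formats listed in the summary.
	samples := []string{"2 (Karoo)", "2022 (Amazon Linux)", "2023.3.20240312",
		"2018.03", "2017.09", "2", "2023", ""}
	for _, r := range samples {
		eco, err := ecosystem(r)
		fmt.Printf("%-22q -> %q (err: %v)\n", r, eco, err)
	}
}
```

Under the assumed date check, a zero-padded two-component value such as `2023.03` would also be classified as AL1; none of the formats listed in the summary has that shape.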