gnezim/clawsec
1
0
Fork 0
mirror of https://github.com/prompt-security/clawsec.git synced 2026-06-13 05:28:02 +03:00
Code Issues Packages Projects Releases Wiki Activity

fix(nvd): support full CVE rebuild without arg overflow (#204)

Browse Source 
* fix(nvd): add hermes query specs to feed polling

* fix(nvd): derive platform fallback from matched targets

* fix(nvd): avoid arg overflow on full cve rescan

* fix(feed): add other platform filter for nonstandard slugs

* refactor(feed): centralize advisory platform badge mapping

* fix(feed): share platform normalization and fix tab callback typing

* refactor(feed): simplify platform descriptor fallback
This commit is contained in:
davida-ps
2026-04-22 13:58:34 +03:00
committed by GitHub
parent c54f09c3a4
commit 1efb813ed4
8 changed files with 200 additions and 46 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.github/workflows/poll-nvd-cves.yml
+37 -15
View File
@@ -436,14 +436,21 @@ jobs:
end
);
def preferred_description:
(
(.cve.descriptions[]? | select(.lang == "en") | .value)
// .cve.descriptions[0]?.value
// "No description provided by NVD."
);
[.[] | {
id: .cve.id,
severity: (get_cvss_score | map_severity),
type: nvd_category_name,
nvd_category_id: nvd_category_raw,
cvss_score: get_cvss_score,
description: (.cve.descriptions[] | select(.lang == "en") | .value),
title: (.cve.descriptions[] | select(.lang == "en") | .value | .[0:100] + (if length > 100 then "..." else "" end)),
description: preferred_description,
title: (preferred_description | .[0:100] + (if length > 100 then "..." else "" end)),
affected: normalized_affected,
platforms: normalized_platforms,
references: [.cve.references[]?.url // empty] | unique | .[0:3],
@@ -516,16 +523,16 @@ jobs:
- name: Transform CVEs to advisories
id: transform
run: |
# Read existing IDs into a jq-friendly format
# Read existing IDs into a jq-friendly file for jq (avoids huge CLI args on full scans).
if [ "${{ inputs.force_full_scan }}" = "true" ]; then
echo "Full scan mode enabled: rebuilding CVE advisories from scratch."
EXISTING_IDS='[]'
echo '[]' > tmp/existing_ids.json
else
EXISTING_IDS=$(cat tmp/existing_ids.txt | jq -R -s 'split("\n") | map(select(length > 0))')
jq -R -s 'split("\n") | map(select(length > 0))' < tmp/existing_ids.txt > tmp/existing_ids.json
fi
# Transform NVD CVEs to our advisory format
jq --argjson existing "$EXISTING_IDS" '
jq --slurpfile existing tmp/existing_ids.json '
def map_severity:
if . == null then "medium"
elif . >= 9.0 then "critical"
@@ -669,15 +676,22 @@ jobs:
end
);
def preferred_description:
(
(.cve.descriptions[]? | select(.lang == "en") | .value)
// .cve.descriptions[0]?.value
// "No description provided by NVD."
);
[.[] |
select(.cve.id as $id | $existing | index($id) | not) |
select(.cve.id as $id | (($existing[0] // []) | index($id) | not)) |
{
id: .cve.id,
severity: (get_cvss_score | map_severity),
type: nvd_category_name,
nvd_category_id: nvd_category_raw,
title: (.cve.descriptions[] | select(.lang == "en") | .value | .[0:100] + (if length > 100 then "..." else "" end)),
description: (.cve.descriptions[] | select(.lang == "en") | .value),
title: (preferred_description | .[0:100] + (if length > 100 then "..." else "" end)),
description: preferred_description,
affected: normalized_affected,
platforms: normalized_platforms,
action: "Review and update affected components. See NVD for remediation details.",
@@ -695,6 +709,14 @@ jobs:
echo "New advisories to add: $NEW_COUNT"
echo "new_count=$NEW_COUNT" >> $GITHUB_OUTPUT
if [ "${{ inputs.force_full_scan }}" = "true" ]; then
FILTERED_COUNT="${{ steps.process.outputs.filtered_count }}"
if [ "$NEW_COUNT" -ne "$FILTERED_COUNT" ]; then
echo "::error::Full scan transform mismatch: filtered CVEs=$FILTERED_COUNT transformed advisories=$NEW_COUNT"
exit 1
fi
fi
if [ "$NEW_COUNT" -gt 0 ]; then
echo "=== New advisories ==="
jq '.[].id' tmp/new_advisories.json
@@ -747,11 +769,11 @@ jobs:
if [ -f "$FEED_PATH" ] && [ "$FORCE_FULL_SCAN" = "true" ]; then
# Full scan mode: replace all CVE advisories with rebuilt set and keep non-CVE entries.
jq --argjson rebuilt "$(cat tmp/new_advisories.json)" --arg now "$NOW" '
jq --slurpfile rebuilt tmp/new_advisories.json --arg now "$NOW" '
.updated = $now |
.advisories = (
((.advisories // []) | map(select((.id // "") | startswith("CVE-") | not)))
+ $rebuilt
+ ($rebuilt[0] // [])
| sort_by(.published)
| reverse
)
@@ -773,16 +795,16 @@ jobs:
' "$FEED_PATH" > tmp/feed_with_updates.json
# Step 2: Add new advisories
jq --argjson new "$(cat tmp/new_advisories.json)" --arg now "$NOW" '
jq --slurpfile new tmp/new_advisories.json --arg now "$NOW" '
.updated = $now |
.advisories = (.advisories + $new | sort_by(.published) | reverse)
.advisories = (.advisories + ($new[0] // []) | sort_by(.published) | reverse)
' tmp/feed_with_updates.json > tmp/updated_feed.json
else
jq -n --argjson advisories "$(cat tmp/new_advisories.json)" --arg now "$NOW" '{
jq -n --slurpfile advisories tmp/new_advisories.json --arg now "$NOW" '{
version: "1.0.0",
updated: $now,
description: "Community-driven security advisory feed for ClawSec",
advisories: ($advisories | sort_by(.published) | reverse)
advisories: (($advisories[0] // []) | sort_by(.published) | reverse)
}' > tmp/updated_feed.json
fi
components/AdvisoryCard.tsx
+13
View File
@@ -2,6 +2,7 @@ import React from 'react';
import { Link } from 'react-router-dom';
import { ExternalLink, Github } from 'lucide-react';
import { Advisory } from '../types';
import { AdvisoryPlatformBadge } from './AdvisoryPlatformBadge';
interface AdvisoryCardProps {
advisory: Advisory;
@@ -66,6 +67,18 @@ export const AdvisoryCard: React.FC<AdvisoryCardProps> = ({ advisory, formatDate
</h3>
<p className="text-sm text-gray-400 line-clamp-3 mb-3">{advisory.title}</p>
{advisory.platforms && advisory.platforms.length > 0 && (
<div className="mb-3 flex flex-wrap gap-1.5">
{advisory.platforms.map((platform) => (
<AdvisoryPlatformBadge
key={`${advisory.id}-${platform}`}
platform={platform}
className="text-[11px] px-2 py-0.5 rounded"
/>
))}
</div>
)}
{/* External link - stop propagation to allow clicking without navigating to detail */}
{isCommunityReport && advisory.github_issue_url ? (
<span
components/AdvisoryPlatformBadge.tsx
+19
View File
@@ -0,0 +1,19 @@
import React from 'react';
import { getPlatformDescriptor } from '../utils/advisoryPlatforms';
interface AdvisoryPlatformBadgeProps {
platform: string;
className?: string;
}
export const AdvisoryPlatformBadge: React.FC<AdvisoryPlatformBadgeProps> = ({
platform,
className,
}) => {
const { label, classes } = getPlatformDescriptor(platform);
const badgeClasses = ['uppercase tracking-wide', classes, className]
.filter(Boolean)
.join(' ');
return <span className={badgeClasses}>{label}</span>;
};
pages/AdvisoryDetail.tsx
+15
View File
@@ -1,8 +1,10 @@
import React, { useState, useEffect } from 'react';
import { useParams, Link } from 'react-router-dom';
import { ArrowLeft, ExternalLink, Shield, AlertTriangle, Github, User, Bot } from 'lucide-react';
import { AdvisoryPlatformBadge } from '../components/AdvisoryPlatformBadge';
import { Footer } from '../components/Footer';
import { Advisory, AdvisoryFeed } from '../types';
import { getPlatformDescriptor } from '../utils/advisoryPlatforms';
import {
ADVISORY_FEED_URL,
LEGACY_ADVISORY_FEED_URL,
@@ -154,6 +156,13 @@ export const AdvisoryDetail: React.FC = () => {
<span className="text-sm text-gray-500">
Published {formatDate(advisory.published)}
</span>
{advisory.platforms?.map((platform) => (
<AdvisoryPlatformBadge
key={`${advisory.id}-platform-${platform}`}
platform={platform}
className="text-xs px-2 py-1 rounded"
/>
))}
</div>
<h1 className="text-3xl font-bold text-white">{advisory.id}</h1>
@@ -259,6 +268,12 @@ export const AdvisoryDetail: React.FC = () => {
<dt className="text-gray-500 mb-1">Published</dt>
<dd className="text-white">{formatDate(advisory.published)}</dd>
</div>
{advisory.platforms && advisory.platforms.length > 0 && (
<div className="flex justify-between md:block">
<dt className="text-gray-500 mb-1">Platforms</dt>
<dd className="text-white">{advisory.platforms.map((platform) => getPlatformDescriptor(platform).label).join(', ')}</dd>
</div>
)}
{/* Reporter info - subtle display for community reports */}
{advisory.reporter && (
<>
pages/FeedSetup.tsx
+50 -17
View File
@@ -3,7 +3,8 @@ import { Rss, RefreshCw, Loader2, AlertTriangle, ChevronLeft, ChevronRight, Down
import { Link } from 'react-router-dom';
import { Footer } from '../components/Footer';
import { AdvisoryCard } from '../components/AdvisoryCard';
import { Advisory, AdvisoryFeed } from '../types';
import { Advisory, AdvisoryFeed, AdvisoryPlatformFilter } from '../types';
import { isCorePlatformSlug, normalizePlatformSlug } from '../utils/advisoryPlatforms';
import {
ADVISORY_FEED_URL,
LEGACY_ADVISORY_FEED_URL,
@@ -12,25 +13,34 @@ import {
const ITEMS_PER_PAGE = 9;
type SeverityFilter = 'all' | Advisory['severity'];
type FilterTabOption<T extends string> = { value: T; label: string; active: string; inactive: string };
const SEVERITY_TABS = [
{ value: 'all', label: 'All', active: 'bg-clawd-accent text-white', inactive: 'bg-clawd-800 text-gray-400 border border-clawd-700 hover:border-clawd-accent/50' },
{ value: 'critical', label: 'Critical', active: 'bg-red-500/20 text-red-400 border-2 border-red-400', inactive: 'bg-clawd-800 text-gray-400 border border-clawd-700 hover:border-red-400/50' },
{ value: 'high', label: 'High', active: 'bg-orange-500/20 text-orange-400 border-2 border-orange-400', inactive: 'bg-clawd-800 text-gray-400 border border-clawd-700 hover:border-orange-400/50' },
{ value: 'medium', label: 'Medium', active: 'bg-yellow-500/20 text-yellow-400 border-2 border-yellow-400', inactive: 'bg-clawd-800 text-gray-400 border border-clawd-700 hover:border-yellow-400/50' },
{ value: 'low', label: 'Low', active: 'bg-blue-500/20 text-blue-400 border-2 border-blue-400', inactive: 'bg-clawd-800 text-gray-400 border border-clawd-700 hover:border-blue-400/50' },
] as const;
] as const satisfies ReadonlyArray<FilterTabOption<SeverityFilter>>;
const PLATFORM_TABS = [
{ value: 'all', label: 'All Platforms', active: 'bg-clawd-accent text-white', inactive: 'bg-clawd-800 text-gray-400 border border-clawd-700 hover:border-clawd-accent/50' },
{ value: 'openclaw', label: 'OpenClaw', active: 'bg-clawd-accent/20 text-clawd-accent border-2 border-clawd-accent', inactive: 'bg-clawd-800 text-gray-400 border border-clawd-700 hover:border-clawd-accent/50' },
{ value: 'nanoclaw', label: 'NanoClaw', active: 'bg-clawd-secondary/20 text-clawd-secondary border-2 border-clawd-secondary', inactive: 'bg-clawd-800 text-gray-400 border border-clawd-700 hover:border-clawd-secondary/50' },
] as const;
{ value: 'hermes', label: 'Hermes', active: 'bg-emerald-500/20 text-emerald-300 border-2 border-emerald-400', inactive: 'bg-clawd-800 text-gray-400 border border-clawd-700 hover:border-emerald-400/50' },
{ value: 'other', label: 'Other', active: 'bg-clawd-600/40 text-gray-100 border-2 border-clawd-500', inactive: 'bg-clawd-800 text-gray-400 border border-clawd-700 hover:border-clawd-500/50' },
] as const satisfies ReadonlyArray<FilterTabOption<AdvisoryPlatformFilter>>;
const FilterTabs: React.FC<{
tabs: ReadonlyArray<{ value: string; label: string; active: string; inactive: string }>;
selected: string;
onSelect: (value: string) => void;
}> = ({ tabs, selected, onSelect }) => (
const FilterTabs = <T extends string,>({
tabs,
selected,
onSelect,
}: {
tabs: ReadonlyArray<FilterTabOption<T>>;
selected: T;
onSelect: (value: T) => void;
}) => (
<div className="flex flex-wrap justify-center gap-3 mb-8">
{tabs.map(({ value, label, active, inactive }) => (
<button
@@ -52,8 +62,8 @@ export const FeedSetup: React.FC = () => {
const [error, setError] = useState<string | null>(null);
const [lastUpdated, setLastUpdated] = useState<string | null>(null);
const [currentPage, setCurrentPage] = useState(1);
const [selectedSeverity, setSelectedSeverity] = useState<string>('all');
const [selectedPlatform, setSelectedPlatform] = useState<string>('all');
const [selectedSeverity, setSelectedSeverity] = useState<SeverityFilter>('all');
const [selectedPlatform, setSelectedPlatform] = useState<AdvisoryPlatformFilter>('all');
useEffect(() => {
const fetchAdvisories = async () => {
@@ -92,10 +102,25 @@ export const FeedSetup: React.FC = () => {
}, []);
const filteredAdvisories = useMemo(
() => advisories.filter((a) =>
(selectedSeverity === 'all' || a.severity === selectedSeverity) &&
(selectedPlatform === 'all' || !a.platforms?.length || a.platforms.includes(selectedPlatform))
),
() => advisories.filter((a) => {
if (selectedSeverity !== 'all' && a.severity !== selectedSeverity) {
return false;
}
if (selectedPlatform === 'all') {
return true;
}
const advisoryPlatforms = (a.platforms ?? [])
.map(normalizePlatformSlug)
.filter(Boolean);
if (selectedPlatform === 'other') {
return advisoryPlatforms.some((platform) => !isCorePlatformSlug(platform));
}
return advisoryPlatforms.length === 0 || advisoryPlatforms.includes(selectedPlatform);
}),
[advisories, selectedSeverity, selectedPlatform],
);
@@ -132,7 +157,7 @@ export const FeedSetup: React.FC = () => {
<h1 className="text-3xl md:text-4xl text-white">Security Hardening Feed</h1>
<p className="text-gray-400 max-w-2xl mx-auto">
A continuous stream of security advisories from NVD CVE data and staff-approved community reports.
This feed is automatically updated with OpenClaw and NanoClaw-related vulnerabilities and verified security incidents.
This feed is automatically updated with OpenClaw, NanoClaw, and Hermes-related vulnerabilities and verified security incidents.
</p>
{lastUpdated && (
<p className="text-xs text-gray-500">
@@ -142,8 +167,16 @@ export const FeedSetup: React.FC = () => {
</section>
<section>
<FilterTabs tabs={SEVERITY_TABS} selected={selectedSeverity} onSelect={setSelectedSeverity} />
<FilterTabs tabs={PLATFORM_TABS} selected={selectedPlatform} onSelect={setSelectedPlatform} />
<FilterTabs
tabs={SEVERITY_TABS}
selected={selectedSeverity}
onSelect={(value) => setSelectedSeverity(value as SeverityFilter)}
/>
<FilterTabs
tabs={PLATFORM_TABS}
selected={selectedPlatform}
onSelect={(value) => setSelectedPlatform(value as AdvisoryPlatformFilter)}
/>
{loading ? (
<div className="flex items-center justify-center py-12">
scripts/populate-local-feed.sh
+24 -13
View File
@@ -158,17 +158,16 @@ echo "Filtered CVEs (matching criteria): $FILTERED"
# Get existing advisory IDs (unless force mode)
if [ "$FORCE" = "true" ]; then
echo "Force mode: ignoring existing advisory IDs during transform"
EXISTING_IDS=""
echo '[]' > "$TEMP_DIR/existing_ids.json"
elif [ -f "$FEED_PATH" ]; then
EXISTING_IDS=$(jq -r '.advisories[]?.id // empty' "$FEED_PATH" | sort -u)
jq -r '.advisories[]?.id // empty' "$FEED_PATH" | sort -u | \
jq -R -s 'split("\n") | map(select(length > 0))' > "$TEMP_DIR/existing_ids.json"
else
EXISTING_IDS=""
echo '[]' > "$TEMP_DIR/existing_ids.json"
fi
# Transform CVEs to our advisory format (same logic as pipeline)
EXISTING_JSON=$(echo "$EXISTING_IDS" | jq -R -s 'split("\n") | map(select(length > 0))')
jq --argjson existing "$EXISTING_JSON" '
jq --slurpfile existing "$TEMP_DIR/existing_ids.json" '
def map_severity:
if . == null then "medium"
elif . >= 9.0 then "critical"
@@ -309,15 +308,22 @@ jq --argjson existing "$EXISTING_JSON" '
end
);
def preferred_description:
(
(.cve.descriptions[]? | select(.lang == "en") | .value)
// .cve.descriptions[0]?.value
// "No description provided by NVD."
);
[.[] |
select(.cve.id as $id | $existing | index($id) | not) |
select(.cve.id as $id | (($existing[0] // []) | index($id) | not)) |
{
id: .cve.id,
severity: (get_cvss_score | map_severity),
type: nvd_category_name,
nvd_category_id: nvd_category_raw,
title: (.cve.descriptions[] | select(.lang == "en") | .value | .[0:100] + (if length > 100 then "..." else "" end)),
description: (.cve.descriptions[] | select(.lang == "en") | .value),
title: (preferred_description | .[0:100] + (if length > 100 then "..." else "" end)),
description: preferred_description,
affected: normalized_affected,
platforms: normalized_platforms,
action: "Review and update affected components. See NVD for remediation details.",
@@ -334,6 +340,11 @@ jq --argjson existing "$EXISTING_JSON" '
NEW_COUNT=$(jq 'length' "$TEMP_DIR/new_advisories.json")
echo "New advisories to add: $NEW_COUNT"
if [ "$FORCE" = "true" ] && [ "$NEW_COUNT" -ne "$FILTERED" ]; then
echo "Error: full rebuild transform mismatch (filtered=$FILTERED, transformed=$NEW_COUNT)"
exit 1
fi
if [ "$NEW_COUNT" -eq 0 ]; then
echo ""
echo "No new CVEs found. Feed is up to date."
@@ -374,11 +385,11 @@ NOW=$(date -u +%Y-%m-%dT%H:%M:%SZ)
# Merge new advisories into existing feed
if [ -f "$FEED_PATH" ]; then
jq --argjson new "$(cat "$TEMP_DIR/new_advisories.json")" --arg now "$NOW" '
jq --slurpfile new "$TEMP_DIR/new_advisories.json" --arg now "$NOW" '
.updated = $now |
# Merge by advisory ID so force mode can refresh existing CVEs without duplicates
.advisories = (
reduce (.advisories + $new)[] as $adv
reduce ((.advisories // []) + ($new[0] // []))[] as $adv
({};
if ($adv.id // "") == "" then
.
@@ -392,11 +403,11 @@ if [ -f "$FEED_PATH" ]; then
)
' "$FEED_PATH" > "$TEMP_DIR/updated_feed.json"
else
jq -n --argjson advisories "$(cat "$TEMP_DIR/new_advisories.json")" --arg now "$NOW" '{
jq -n --slurpfile advisories "$TEMP_DIR/new_advisories.json" --arg now "$NOW" '{
version: "1.0.0",
updated: $now,
description: "Community-driven security advisory feed for ClawSec. Automatically updated with OpenClaw, NanoClaw, and Hermes-related CVEs from NVD.",
advisories: ($advisories | sort_by(.published) | reverse)
advisories: (($advisories[0] // []) | sort_by(.published) | reverse)
}' > "$TEMP_DIR/updated_feed.json"
fi
types.ts
+6 -1
View File
@@ -28,6 +28,11 @@ export type AdvisoryType =
// Keep this open for new categories without requiring type updates.
| string;
export const CORE_PLATFORM_SLUGS = ['openclaw', 'nanoclaw', 'hermes'] as const;
export type CorePlatformSlug = (typeof CORE_PLATFORM_SLUGS)[number];
export type AdvisoryPlatformSlug = CorePlatformSlug | (string & {});
export type AdvisoryPlatformFilter = 'all' | CorePlatformSlug | 'other';
// Full advisory type from NVD CVE feed or community reports
export interface Advisory {
id: string;
@@ -41,7 +46,7 @@ export interface Advisory {
references?: string[];
cvss_score?: number | null;
nvd_url?: string;
platforms?: string[];
platforms?: AdvisoryPlatformSlug[];
// Community report fields (source defaults to "Prompt Security Staff" when absent)
source?: string;
github_issue_url?: string;
utils/advisoryPlatforms.ts
+36
View File
@@ -0,0 +1,36 @@
import { CORE_PLATFORM_SLUGS } from '../types';
export interface PlatformDescriptor {
label: string;
classes: string;
}
export const normalizePlatformSlug = (platform: string) => platform.trim().toLowerCase();
const PLATFORM_DESCRIPTOR_BY_SLUG: Record<string, PlatformDescriptor> = {
openclaw: {
label: 'OpenClaw',
classes: 'bg-clawd-accent/20 text-clawd-accent border border-clawd-accent/40',
},
nanoclaw: {
label: 'NanoClaw',
classes: 'bg-clawd-secondary/20 text-clawd-secondary border border-clawd-secondary/40',
},
hermes: {
label: 'Hermes',
classes: 'bg-emerald-500/20 text-emerald-300 border border-emerald-400/40',
},
};
const CORE_PLATFORM_SET = new Set<string>(CORE_PLATFORM_SLUGS);
export const isCorePlatformSlug = (platform: string) =>
CORE_PLATFORM_SET.has(normalizePlatformSlug(platform));
export const getPlatformDescriptor = (platform: string): PlatformDescriptor => {
const normalized = normalizePlatformSlug(platform);
return PLATFORM_DESCRIPTOR_BY_SLUG[normalized] ?? {
label: platform.trim() || platform,
classes: 'bg-clawd-700 text-gray-300 border border-clawd-600',
};
};