refactor(ci): extract shared exploitability enrichment helper (#95)

* refactor(ci): share exploitability enrichment script

* refactor(scripts): reuse shared exploitability enricher in local feed

scripts/ci/enrich_exploitability.sh

@@ -0,0 +1,263 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+usage() {
+  cat <<'EOF'
+Usage:
+  scripts/ci/enrich_exploitability.sh --mode single|batch --input <path> --output <path> [--cvss-vectors <path>] [--analyzer <path>]
+
+Options:
+  --mode           Processing mode: single advisory object or batch advisory array
+  --input          Input JSON path
+  --output         Output JSON path
+  --cvss-vectors   Optional JSON object mapping advisory id -> CVSS vector
+  --analyzer       Optional analyzer path (default: utils/analyze_exploitability.py)
+  --help           Show this help
+EOF
+}
+
+REPO_ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
+cd "$REPO_ROOT"
+
+MODE=""
+INPUT_PATH=""
+OUTPUT_PATH=""
+CVSS_VECTORS_PATH=""
+ANALYZER_PATH="utils/analyze_exploitability.py"
+
+while [[ $# -gt 0 ]]; do
+  case "$1" in
+    --mode)
+      MODE="${2:-}"
+      shift 2
+      ;;
+    --input)
+      INPUT_PATH="${2:-}"
+      shift 2
+      ;;
+    --output)
+      OUTPUT_PATH="${2:-}"
+      shift 2
+      ;;
+    --cvss-vectors)
+      CVSS_VECTORS_PATH="${2:-}"
+      shift 2
+      ;;
+    --analyzer)
+      ANALYZER_PATH="${2:-}"
+      shift 2
+      ;;
+    --help|-h)
+      usage
+      exit 0
+      ;;
+    *)
+      echo "ERROR: Unknown argument: $1" >&2
+      usage >&2
+      exit 1
+      ;;
+  esac
+done
+
+if [[ "$MODE" != "single" && "$MODE" != "batch" ]]; then
+  echo "ERROR: --mode must be one of: single, batch" >&2
+  exit 1
+fi
+
+if [[ -z "$INPUT_PATH" || -z "$OUTPUT_PATH" ]]; then
+  echo "ERROR: --input and --output are required" >&2
+  exit 1
+fi
+
+if [[ ! -f "$INPUT_PATH" ]]; then
+  echo "ERROR: input file not found: $INPUT_PATH" >&2
+  exit 1
+fi
+
+if [[ ! -f "$ANALYZER_PATH" ]]; then
+  echo "ERROR: analyzer file not found: $ANALYZER_PATH" >&2
+  exit 1
+fi
+
+if [[ -n "$CVSS_VECTORS_PATH" && ! -f "$CVSS_VECTORS_PATH" ]]; then
+  echo "ERROR: --cvss-vectors file not found: $CVSS_VECTORS_PATH" >&2
+  exit 1
+fi
+
+if ! command -v jq >/dev/null 2>&1; then
+  echo "ERROR: jq is required" >&2
+  exit 1
+fi
+
+if command -v python >/dev/null 2>&1; then
+  PYTHON_BIN="python"
+elif command -v python3 >/dev/null 2>&1; then
+  PYTHON_BIN="python3"
+else
+  echo "ERROR: python or python3 is required" >&2
+  exit 1
+fi
+
+tmpdir="$(mktemp -d)"
+trap 'rm -rf "$tmpdir"' EXIT
+
+resolve_cvss_vector() {
+  local advisory_json="$1"
+  local advisory_id
+  advisory_id="$(echo "$advisory_json" | jq -r '.id // ""')"
+
+  if [[ -n "$CVSS_VECTORS_PATH" ]]; then
+    jq -r --arg id "$advisory_id" '.[$id] // ""' "$CVSS_VECTORS_PATH"
+  else
+    echo "$advisory_json" | jq -r '.cvss_vector // ""'
+  fi
+}
+
+severity_to_cvss() {
+  case "$1" in
+    critical) echo "9.5" ;;
+    high) echo "7.5" ;;
+    medium) echo "5.5" ;;
+    low) echo "3.0" ;;
+    *) echo "5.0" ;;
+  esac
+}
+
+build_analysis_input() {
+  local advisory_json="$1"
+  local mode="$2"
+  local cve_id cvss_score cvss_vector vuln_type description references severity
+
+  cve_id="$(echo "$advisory_json" | jq -r '.id // ""')"
+  vuln_type="$(echo "$advisory_json" | jq -r '.type // ""')"
+  description="$(echo "$advisory_json" | jq -r '.description // ""')"
+  references="$(echo "$advisory_json" | jq -c '.references // []')"
+  cvss_vector="$(resolve_cvss_vector "$advisory_json")"
+
+  if [[ "$mode" == "single" ]]; then
+    severity="$(echo "$advisory_json" | jq -r '.severity // "medium"')"
+    cvss_score="$(severity_to_cvss "$severity")"
+  else
+    cvss_score="$(echo "$advisory_json" | jq -r '.cvss_score // 0')"
+  fi
+
+  jq -n \
+    --arg cve_id "$cve_id" \
+    --argjson cvss_score "$cvss_score" \
+    --arg cvss_vector "$cvss_vector" \
+    --arg type "$vuln_type" \
+    --arg description "$description" \
+    --argjson references "$references" \
+    '{
+      cve_id: $cve_id,
+      cvss_score: $cvss_score,
+      cvss_vector: $cvss_vector,
+      type: $type,
+      description: $description,
+      references: $references
+    }'
+}
+
+run_analysis() {
+  local advisory_json="$1"
+  local mode="$2"
+  local output_file="$3"
+  local advisory_id analysis_input analysis
+
+  advisory_id="$(echo "$advisory_json" | jq -r '.id // "unknown"')"
+  analysis_input="$(build_analysis_input "$advisory_json" "$mode")"
+
+  if analysis="$(echo "$analysis_input" | "$PYTHON_BIN" "$ANALYZER_PATH" --json --check-exploits 2>/dev/null)"; then
+    echo "$analysis" > "$output_file"
+    return 0
+  fi
+
+  echo "::warning::Failed to analyze exploitability for $advisory_id, continuing without enrichment"
+  return 1
+}
+
+enrich_single() {
+  if ! jq -e 'type == "object"' "$INPUT_PATH" >/dev/null; then
+    echo "ERROR: single mode expects JSON object at $INPUT_PATH" >&2
+    exit 1
+  fi
+
+  local advisory analysis_file output_tmp
+  advisory="$(cat "$INPUT_PATH")"
+  analysis_file="$tmpdir/analysis_single.json"
+  output_tmp="$tmpdir/output_single.json"
+
+  if run_analysis "$advisory" "single" "$analysis_file"; then
+    jq --slurpfile analysis "$analysis_file" '
+      . + {
+        exploitability_score: $analysis[0].exploitability_score,
+        exploitability_rationale: $analysis[0].exploitability_rationale,
+        attack_vector_analysis: $analysis[0].attack_vector_analysis,
+        exploit_detection: $analysis[0].exploit_detection
+      }
+    ' "$INPUT_PATH" > "$output_tmp"
+  else
+    cp "$INPUT_PATH" "$output_tmp"
+  fi
+
+  mv "$output_tmp" "$OUTPUT_PATH"
+  echo "Exploitability enrichment complete (single): $OUTPUT_PATH"
+}
+
+enrich_batch() {
+  if ! jq -e 'type == "array"' "$INPUT_PATH" >/dev/null; then
+    echo "ERROR: batch mode expects JSON array at $INPUT_PATH" >&2
+    exit 1
+  fi
+
+  local analyzed_count failed_count index advisory analysis_file output_tmp analyses_json
+  analyzed_count=0
+  failed_count=0
+  index=0
+  analyses_json="$tmpdir/analyses.json"
+  output_tmp="$tmpdir/output_batch.json"
+
+  while IFS= read -r advisory; do
+    analysis_file="$tmpdir/analysis_${index}.json"
+    if run_analysis "$advisory" "batch" "$analysis_file"; then
+      analyzed_count=$((analyzed_count + 1))
+    else
+      failed_count=$((failed_count + 1))
+      rm -f "$analysis_file"
+    fi
+    index=$((index + 1))
+  done < <(jq -c '.[]' "$INPUT_PATH")
+
+  if ls "$tmpdir"/analysis_*.json >/dev/null 2>&1; then
+    jq -s '.' "$tmpdir"/analysis_*.json > "$analyses_json"
+  else
+    echo '[]' > "$analyses_json"
+  fi
+
+  jq --slurpfile analyses "$analyses_json" '
+    map(
+      . as $advisory |
+      ($analyses[0] | map(select(.cve_id == $advisory.id)) | first) as $analysis |
+      if $analysis then
+        $advisory + {
+          exploitability_score: $analysis.exploitability_score,
+          exploitability_rationale: $analysis.exploitability_rationale,
+          attack_vector_analysis: $analysis.attack_vector_analysis,
+          exploit_detection: $analysis.exploit_detection
+        }
+      else
+        $advisory
+      end
+    )
+  ' "$INPUT_PATH" > "$output_tmp"
+
+  mv "$output_tmp" "$OUTPUT_PATH"
+  echo "Exploitability enrichment complete (batch): $OUTPUT_PATH"
+  echo "Analyzed: $analyzed_count, failed: $failed_count"
+}
+
+if [[ "$MODE" == "single" ]]; then
+  enrich_single
+else
+  enrich_batch
+fi

scripts/populate-local-feed.sh

@@ -18,7 +18,7 @@ source "$SCRIPT_DIR/feed-utils.sh"
 init_feed_paths "$PROJECT_ROOT"
 KEYWORDS="OpenClaw clawdbot Moltbot NanoClaw WhatsApp-bot baileys"
 GITHUB_REF_PATTERN="github.com/openclaw/openclaw github.com/qwibitai/NanoClaw"
-ANALYZER="$PROJECT_ROOT/utils/analyze_exploitability.py"
+ENRICH_SCRIPT="$PROJECT_ROOT/scripts/ci/enrich_exploitability.sh"
 
 # Parse args
 DAYS_BACK=120
@@ -47,19 +47,9 @@ echo "Days back: $DAYS_BACK"
 echo "Force mode: $FORCE"
 echo ""
 
-# Verify exploitability analyzer prerequisites
-if ! command -v python3 &> /dev/null; then
-  echo "Error: python3 is required but not found in PATH"
-  exit 1
-fi
-
-if [ ! -f "$ANALYZER" ]; then
-  echo "Error: Exploitability analyzer not found: $ANALYZER"
-  exit 1
-fi
-
-if ! python3 "$ANALYZER" --help &> /dev/null; then
-  echo "Error: Exploitability analyzer failed to run. Check Python environment."
+# Verify enrichment helper exists (it validates Python/analyzer prerequisites internally).
+if [ ! -x "$ENRICH_SCRIPT" ]; then
+  echo "Error: Exploitability enrichment helper not found or not executable: $ENRICH_SCRIPT"
   exit 1
 fi
 
@@ -331,70 +321,11 @@ jq '
   }] | map({(.id): .cvss_vector}) | add
 ' "$TEMP_DIR/filtered_cves.json" > "$TEMP_DIR/cvss_vectors.json"
 
-ANALYZED_COUNT=0
-FAILED_ANALYSIS=0
-
-while IFS= read -r advisory; do
-  CVE_ID=$(echo "$advisory" | jq -r '.id')
-  CVSS_SCORE=$(echo "$advisory" | jq -r '.cvss_score // 0')
-  CVSS_VECTOR=$(jq -r --arg id "$CVE_ID" '.[$id] // ""' "$TEMP_DIR/cvss_vectors.json")
-  VULN_TYPE=$(echo "$advisory" | jq -r '.type // ""')
-  DESCRIPTION=$(echo "$advisory" | jq -r '.description // ""')
-  REFERENCES=$(echo "$advisory" | jq -c '.references // []')
-
-  INPUT_JSON=$(jq -n \
-    --arg cve_id "$CVE_ID" \
-    --argjson cvss_score "$CVSS_SCORE" \
-    --arg cvss_vector "$CVSS_VECTOR" \
-    --arg type "$VULN_TYPE" \
-    --arg description "$DESCRIPTION" \
-    --argjson references "$REFERENCES" \
-    '{
-      cve_id: $cve_id,
-      cvss_score: $cvss_score,
-      cvss_vector: $cvss_vector,
-      type: $type,
-      description: $description,
-      references: $references
-    }')
-
-  if ANALYSIS=$(echo "$INPUT_JSON" | python3 "$ANALYZER" --json --check-exploits 2>/dev/null); then
-    echo "$ANALYSIS" > "$TEMP_DIR/exploitability_${CVE_ID}.json"
-    SCORE=$(echo "$ANALYSIS" | jq -r '.exploitability_score // "unknown"')
-    echo "  ✓ $CVE_ID -> $SCORE"
-    ANALYZED_COUNT=$((ANALYZED_COUNT + 1))
-  else
-    echo "  ⚠ $CVE_ID analysis failed; keeping null exploitability fields"
-    FAILED_ANALYSIS=$((FAILED_ANALYSIS + 1))
-  fi
-done < <(jq -c '.[]' "$TEMP_DIR/new_advisories.json")
-
-if ls "$TEMP_DIR"/exploitability_*.json >/dev/null 2>&1; then
-  jq -s '.' "$TEMP_DIR"/exploitability_*.json > "$TEMP_DIR/exploitability_analyses.json"
-else
-  echo '[]' > "$TEMP_DIR/exploitability_analyses.json"
-fi
-
-jq --slurpfile analyses "$TEMP_DIR/exploitability_analyses.json" '
-  map(
-    . as $advisory |
-    ($analyses[0] | map(select(.cve_id == $advisory.id)) | first) as $analysis |
-    if $analysis then
-      $advisory + {
-        exploitability_score: $analysis.exploitability_score,
-        exploitability_rationale: $analysis.exploitability_rationale,
-        attack_vector_analysis: $analysis.attack_vector_analysis,
-        exploit_detection: $analysis.exploit_detection
-      }
-    else
-      $advisory
-    end
-  )
-' "$TEMP_DIR/new_advisories.json" > "$TEMP_DIR/new_advisories_enriched.json"
-
-mv "$TEMP_DIR/new_advisories_enriched.json" "$TEMP_DIR/new_advisories.json"
-
-echo "Exploitability analysis complete: $ANALYZED_COUNT analyzed, $FAILED_ANALYSIS failed"
+"$ENRICH_SCRIPT" \
+  --mode batch \
+  --input "$TEMP_DIR/new_advisories.json" \
+  --output "$TEMP_DIR/new_advisories.json" \
+  --cvss-vectors "$TEMP_DIR/cvss_vectors.json"
 
 echo ""
 echo "=== New Advisories ==="