CSAF Importer never completes task

[gildub]

Afer activating the default importer for Red Hat CSAF vulnerabilities are fetched and added by the walker.

Meanwhile 100% is never achieved because of a failing fetch at some point of time.

So the importer is interrupted and restarts from the beginning.

Initial investigation shows the csaf walker try to retrieve a file that doesn't exist.
The failure is propagated back to the importer which restarts the importing from the beginning.

[ctron]

Yes, that's a problem with Red Hat's data. Its tracked under https://issues.redhat.com/browse/SECDATA-1169 and others.

[helio-frota]

🤔 did you know if those issues can try to help or are related with some side-issues of this ?

https://github.com/scm-rs/csaf-walker/issues

429 and 404 ?

[ctron]

Handling the 429 could help handling rate limiting more gracefully.

The 404 issue is about being able to handle the situation and have CSAF walker tools be able to deal with this. Most notably: flagging this in the report. However, as a consumer, there's not way to deal with a 404. As the "trusted provider" announced a file it doesn't have,. Not having an announced file is a problem, as you might miss out on an important advisory.

[gildub]

@ctron, would the following provide a valid workaround : create a clone by crawling the RH CSAFs and have CSAF walks such clone ?

[ctron]

Manipulating a CSAF trusted provider source in that way seems odd. I think RH needs to fix this, and to my understanding is working on this.

[gildub]

@ctron, I understand the long term solution is a fix at the source of the data, in the meantime I'm looking for a workaround.

[ctron]

To my understanding of https://issues.redhat.com/browse/SECDATA-1169, this issue should now be fixed at the source.