1. Added database_specific.anchore.record_type = "advisory" in parser.py _normalize()

2. Added comprehensive tests to verify the metadata is set correctly
3. Updated all 5 snapshot fixtures with the new metadata

Signed-off-by: Chai Tadmor <[email protected]>

Author: Chai Tadmor

src/vunnel/providers/rootio/parser.py

@@ -104,6 +104,14 @@ def _normalize(self, vuln_entry: dict[str, Any]) -> tuple[str, str, dict[str, An
                 package["ecosystem"] = ecosystem[5:]  # Strip "Root:" prefix
                 self.logger.debug(f"normalized ecosystem: {ecosystem} -> {package['ecosystem']}")
 
+        # Set database_specific metadata to mark as advisory for grype-db
+        # This is critical for grype-db to emit unaffectedPackageHandles for the NAK pattern
+        if "database_specific" not in vuln_entry:
+            vuln_entry["database_specific"] = {}
+        if "anchore" not in vuln_entry["database_specific"]:
+            vuln_entry["database_specific"]["anchore"] = {}
+        vuln_entry["database_specific"]["anchore"]["record_type"] = "advisory"
+
         return vuln_id, vuln_schema, vuln_entry
 
     def get(self) -> Generator[tuple[str, str, dict[str, Any]]]:

tests/unit/providers/rootio/test-fixtures/snapshots/root-app-npm-cve-2022-25883.json

@@ -27,6 +27,9 @@
       "GHSA-c2qf-rxjj-qqgw"
     ],
     "database_specific": {
+      "anchore": {
+        "record_type": "advisory"
+      },
       "source": "Root"
     },
     "details": "Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.",

tests/unit/providers/rootio/test-fixtures/snapshots/root-app-pypi-cve-2025-30473.json

@@ -30,6 +30,11 @@
       "CVE-2025-30473",
       "GHSA-9wx4-h78v-vm56"
     ],
+    "database_specific": {
+      "anchore": {
+        "record_type": "advisory"
+      }
+    },
     "details": "The requests library is vulnerable to HTTP Header Injection via CRLF sequences.",
     "id": "ROOT-APP-PYPI-CVE-2025-30473",
     "modified": "2025-03-15T00:00:00Z",

tests/unit/providers/rootio/test-fixtures/snapshots/root-os-alpine-318-cve-2000-0548.json

@@ -29,6 +29,11 @@
     "aliases": [
       "CVE-2000-0548"
     ],
+    "database_specific": {
+      "anchore": {
+        "record_type": "advisory"
+      }
+    },
     "details": "Buffer overflow in util-linux allows local users to gain privileges.",
     "id": "ROOT-OS-ALPINE-318-CVE-2000-0548",
     "modified": "2024-01-15T00:00:00Z",

tests/unit/providers/rootio/test-fixtures/snapshots/root-os-debian-bookworm-cve-2025-53014.json

@@ -29,6 +29,11 @@
     "aliases": [
       "CVE-2025-53014"
     ],
+    "database_specific": {
+      "anchore": {
+        "record_type": "advisory"
+      }
+    },
     "details": "ImageMagick has a security vulnerability that allows remote code execution.",
     "id": "ROOT-OS-DEBIAN-bookworm-CVE-2025-53014",
     "modified": "2025-01-20T00:00:00Z",

tests/unit/providers/rootio/test-fixtures/snapshots/root-os-ubuntu-2004-cve-2024-12345.json

@@ -29,6 +29,11 @@
     "aliases": [
       "CVE-2024-12345"
     ],
+    "database_specific": {
+      "anchore": {
+        "record_type": "advisory"
+      }
+    },
     "details": "OpenSSL has a security vulnerability in Ubuntu 20.04.",
     "id": "ROOT-OS-UBUNTU-2004-CVE-2024-12345",
     "modified": "2024-11-15T00:00:00Z",

tests/unit/providers/rootio/test_rootio.py

@@ -82,7 +82,7 @@ def mock_http_get(url, logger, **kwargs):
 
 
 def test_parser_normalize_with_root_prefix(helpers, auto_fake_fixdate_finder, disable_get_requests, mocker):
-    """Test that parser strips 'Root:' prefix from ecosystem field."""
+    """Test that parser strips 'Root:' prefix from ecosystem field and sets advisory metadata."""
     workspace = helpers.provider_workspace_helper(name=Provider.name())
 
     # Create a mock OSV record with "Root:" prefix (as returned by actual API)
@@ -110,6 +110,42 @@ def test_parser_normalize_with_root_prefix(helpers, auto_fake_fixdate_finder, di
     assert schema_version == "1.6.0"
     assert normalized_record["affected"][0]["package"]["ecosystem"] == "Alpine:3.18"  # Should be stripped
 
+    # Verify database_specific metadata is set for advisory type
+    # This is critical for grype-db to emit unaffectedPackageHandles for NAK pattern
+    assert "database_specific" in normalized_record
+    assert "anchore" in normalized_record["database_specific"]
+    assert normalized_record["database_specific"]["anchore"]["record_type"] == "advisory"
+
+
+def test_parser_normalize_with_unaffected_records(helpers, auto_fake_fixdate_finder, disable_get_requests, mocker):
+    """Test that parser adds database_specific.anchore.record_type = advisory for unaffected packages."""
+    workspace = helpers.provider_workspace_helper(name=Provider.name())
+
+    # Create a mock OSV record WITHOUT database_specific field
+    mock_record = {
+        "schema_version": "1.6.0",
+        "id": "ROOT-OS-DEBIAN-bookworm-CVE-2025-53014",
+        "modified": "2025-01-10T10:00:00Z",
+        "published": "2025-01-05T08:00:00Z",
+        "affected": [
+            {
+                "package": {
+                    "ecosystem": "Debian:bookworm",
+                    "name": "rootio-openssl"
+                }
+            }
+        ]
+        # No database_specific field initially
+    }
+
+    parser = Parser(ws=workspace, logger=None)
+    vuln_id, schema_version, normalized_record = parser._normalize(mock_record)
+
+    # Verify database_specific metadata is added
+    assert "database_specific" in normalized_record
+    assert "anchore" in normalized_record["database_specific"]
+    assert normalized_record["database_specific"]["anchore"]["record_type"] == "advisory"
+
 
 @pytest.mark.parametrize(
     "schema_version,expected",