Add VMware Photon Importer

[Samk1710]

Addresses:

• Add vmware/photon/wiki/Security-Advisories vulnerabilities advisories #36

Data Source:

• https://packages.vmware.com/photon/photon_cve_metadata/

Importer Logs:

python manage.py import vmware_photon_importer_v2
Importing data using vmware_photon_importer_v2
INFO 2026-03-04 17:23:55.130041 UTC Pipeline [VmwarePhotonImporterPipeline] starting
INFO 2026-03-04 17:23:55.130320 UTC Step [fetch] starting
INFO 2026-03-04 17:23:55.130450 UTC Fetching `https://packages.vmware.com/photon/photon_cve_metadata/cve_data_photon1.0.json`
INFO 2026-03-04 17:23:55.433863 UTC Fetching `https://packages.vmware.com/photon/photon_cve_metadata/cve_data_photon2.0.json`
INFO 2026-03-04 17:23:56.639570 UTC Fetching `https://packages.vmware.com/photon/photon_cve_metadata/cve_data_photon3.0.json`
INFO 2026-03-04 17:23:57.536211 UTC Fetching `https://packages.vmware.com/photon/photon_cve_metadata/cve_data_photon4.0.json`
INFO 2026-03-04 17:23:58.438806 UTC Fetching `https://packages.vmware.com/photon/photon_cve_metadata/cve_data_photon5.0.json`
INFO 2026-03-04 17:23:58.860614 UTC Fetched 131,740 total records from 5 sources
INFO 2026-03-04 17:23:58.864502 UTC Step [fetch] completed in 4 seconds
INFO 2026-03-04 17:23:58.865357 UTC Step [group_records_by_cve] starting
INFO 2026-03-04 17:23:59.008181 UTC Grouped 131,740 records into 9,756 unique CVEs (skipped 27,050 non-affected)
INFO 2026-03-04 17:23:59.008502 UTC Step [group_records_by_cve] completed in 0 seconds
INFO 2026-03-04 17:23:59.008592 UTC Step [collect_and_store_advisories] starting
INFO 2026-03-04 17:23:59.008654 UTC Collecting 9,756 advisories
INFO 2026-03-04 17:24:49.480593 UTC Progress: 10% (976/9756) ETA: 454 seconds (7.6 minutes)
INFO 2026-03-04 17:25:48.235676 UTC Progress: 20% (1952/9756) ETA: 437 seconds (7.3 minutes)
INFO 2026-03-04 17:26:36.026585 UTC Progress: 30% (2927/9756) ETA: 366 seconds (6.1 minutes)
INFO 2026-03-04 17:27:54.725572 UTC Progress: 40% (3903/9756) ETA: 354 seconds (5.9 minutes)
INFO 2026-03-04 17:28:40.586061 UTC Progress: 50% (4878/9756) ETA: 282 seconds (4.7 minutes)
INFO 2026-03-04 17:30:35.500175 UTC Progress: 60% (5854/9756) ETA: 264 seconds (4.4 minutes)
INFO 2026-03-04 17:33:35.196096 UTC Progress: 70% (6830/9756) ETA: 247 seconds (4.1 minutes)
INFO 2026-03-04 17:35:05.602894 UTC Progress: 80% (7805/9756) ETA: 167 seconds (2.8 minutes)
INFO 2026-03-04 17:36:50.326030 UTC Progress: 90% (8781/9756) ETA: 86 seconds (1.4 minutes)
INFO 2026-03-04 17:38:17.253889 UTC Progress: 100% (9756/9756)
INFO 2026-03-04 17:38:17.281977 UTC Successfully collected 9,756 advisories
INFO 2026-03-04 17:38:17.282206 UTC Step [collect_and_store_advisories] completed in 858 seconds (14.3 minutes)
INFO 2026-03-04 17:38:17.282305 UTC Pipeline completed in 862 seconds (14.4 minutes)

[Samk1710]

After discussions in the community meeting, I moved forward with https://packages.vmware.com/photon/photon_cve_metadata/ as the data source.

cve_score is verified to be CVSS3 from the corresponding NVD entry, for example:
https://nvd.nist.gov/vuln/detail/CVE-2024-43853

[ziadhany]

@Samk1710, the code looks good.
See some comments below.

[Samk1710]

@ziadhany I have implemented the changes you suggested. Do have a look when time. Thanks.

[Samk1710]

@ziadhany Can you take a look at the changes and let me know if this PR need further modifications?

[ziadhany]

@Samk1710 The code looks good overall, just a few minor nits.

See the comments there.

[Samk1710]

@Samk1710 The code looks good overall, just a few minor nits.

See the comments there.

@ziadhany Thanks for the suggestions. I have implemented them.

[ziadhany]

@Samk1710 I think VMware updated the advisory data. See:
https://packages.broadcom.com/photon/photon_cve_metadata/cve/

[Samk1710]

@Samk1710 I think VMware updated the advisory data. See: https://packages.broadcom.com/photon/photon_cve_metadata/cve/

@ziadhany Yes, the schema and endpoint have some changes. Will have to adjust and update some parts. Will surely look into it after my exams :) Thanks.

[Samk1710]

https://packages.broadcom.com/photon/photon_cve_metadata/ gives similar data to the original source that we decided on.

[Samk1710]

@ziadhany I have updated the repo url to https://packages.broadcom.com/photon/photon_cve_metadata/

Importer Logs:

Importing data using vmware_photon_importer_v2
INFO 2026-06-30 11:23:27.402891 UTC Pipeline [VmwarePhotonImporterPipeline] starting
INFO 2026-06-30 11:23:27.403141 UTC Step [fetch] starting
INFO 2026-06-30 11:23:29.101845 UTC Fetching `https://packages.broadcom.com/photon/photon_cve_metadata/cve_data_photon1.0.json`
INFO 2026-06-30 11:23:36.955572 UTC Fetching `https://packages.broadcom.com/photon/photon_cve_metadata/cve_data_photon2.0.json`
INFO 2026-06-30 11:23:47.927925 UTC Fetching `https://packages.broadcom.com/photon/photon_cve_metadata/cve_data_photon3.0.json`
INFO 2026-06-30 11:24:00.948985 UTC Fetching `https://packages.broadcom.com/photon/photon_cve_metadata/cve_data_photon4.0.json`
INFO 2026-06-30 11:27:14.012766 UTC Fetching `https://packages.broadcom.com/photon/photon_cve_metadata/cve_data_photon5.0.json`
INFO 2026-06-30 11:28:50.936036 UTC Fetched 153,022 total records from 5 sources
INFO 2026-06-30 11:28:50.936743 UTC Step [fetch] completed in 324 seconds (5.4 minutes)
INFO 2026-06-30 11:28:50.936886 UTC Step [group_records_by_cve] starting
INFO 2026-06-30 11:28:50.979489 UTC Grouped 153,022 records into 13,070 unique CVEs (skipped 24,835 non-affected)
INFO 2026-06-30 11:28:50.979742 UTC Step [group_records_by_cve] completed in 0 seconds
INFO 2026-06-30 11:28:50.979806 UTC Step [collect_and_store_advisories] starting
INFO 2026-06-30 11:28:50.979853 UTC Collecting 13,070 advisories
INFO 2026-06-30 11:30:31.481724 UTC Progress: 10% (1307/13070) ETA: 905 seconds (15.1 minutes)
INFO 2026-06-30 11:32:57.313576 UTC Progress: 20% (2614/13070) ETA: 985 seconds (16.4 minutes)
INFO 2026-06-30 11:35:14.639208 UTC Progress: 30% (3921/13070) ETA: 895 seconds (14.9 minutes)
INFO 2026-06-30 11:39:27.026685 UTC Progress: 40% (5228/13070) ETA: 954 seconds (15.9 minutes)
INFO 2026-06-30 11:42:44.364362 UTC Progress: 50% (6535/13070) ETA: 833 seconds (13.9 minutes)
INFO 2026-06-30 11:47:28.058523 UTC Progress: 60% (7842/13070) ETA: 745 seconds (12.4 minutes)
INFO 2026-06-30 11:53:45.087944 UTC Progress: 70% (9149/13070) ETA: 640 seconds (10.7 minutes)
INFO 2026-06-30 11:59:18.455777 UTC Progress: 80% (10456/13070) ETA: 457 seconds (7.6 minutes)
INFO 2026-06-30 12:02:44.343716 UTC Progress: 90% (11763/13070) ETA: 226 seconds (3.8 minutes)
INFO 2026-06-30 12:06:20.678888 UTC Progress: 100% (13070/13070)
INFO 2026-06-30 12:06:20.741010 UTC Successfully collected 13,070 advisories
INFO 2026-06-30 12:06:20.741213 UTC Step [collect_and_store_advisories] completed in 2250 seconds (37.5 minutes)
INFO 2026-06-30 12:06:20.741309 UTC Pipeline completed in 2573 seconds (42.9 minutes)

Test Logs:

Found 1 test(s).
System check identified no issues (0 silenced).
INFO 2026-06-30 12:03:48.906316 UTC Fetching `https://packages.broadcom.com/photon/photon_cve_metadata/cve_data_photon4.0.json`
INFO 2026-06-30 12:03:48.906643 UTC Fetched 13 total records from 1 sources
INFO 2026-06-30 12:03:48.906764 UTC Grouped 13 records into 2 unique CVEs (skipped 1 non-affected)
.
----------------------------------------------------------------------
Ran 1 test in 0.004s

OK

Also see, versions 4 and 5 include BDSA in the "cve_id" field as well which is absurd. Although there are no other chnages, and this can be safely imported as well.

{
    "cve_id": "BDSA-2025-0719",
    "pkg": "krb5",
    "cve_score": 7.1,
    "aff_ver": "all versions before 1.17-15.ph4 are vulnerable",
    "res_ver": "1.17-15.ph4",
    "status": "Fixed"
  },
  {
    "cve_id": "BDSA-2025-0719",
    "pkg": "krb5-devel",
    "cve_score": 7.1,
    "aff_ver": "all versions before 1.17-15.ph4 are vulnerable",
    "res_ver": "1.17-15.ph4",
    "status": "Fixed"
  },

Do take a look when time and let me know if we need chnages.