Fix NVD feed generation (#31258)

mostlikelee · web-flow · commit f4814f61436f · 2025-07-25T08:52:00.000-06:00
diff --git a/server/vulnerabilities/nvd/sync/cve_syncer.go b/server/vulnerabilities/nvd/sync/cve_syncer.go
@@ -159,23 +159,43 @@ func (s *CVE) removeLegacyFeeds() error {
 	return nil
 }
 
+func parseAndFormatForNVD(raw string) (string, error) {
+	raw = strings.TrimSpace(raw)
+
+	// Try parsing with timezone
+	if t, err := time.Parse(time.RFC3339Nano, raw); err == nil {
+		return t.UTC().Format("2006-01-02T15:04:05.000Z"), nil
+	}
+
+	// Try parsing without timezone
+	if t, err := time.Parse("2006-01-02T15:04:05.000", raw); err == nil {
+		return t.UTC().Format("2006-01-02T15:04:05.000Z"), nil
+	}
+
+	return "", fmt.Errorf("unrecognized timestamp format: %q", raw)
+}
+
 // update downloads all the new CVE updates since the last synchronization.
 func (s *CVE) update(ctx context.Context) error {
 	// Load the lastModStartDate from the previous synchronization.
 	lastModStartDate_, err := os.ReadFile(s.lastModStartDateFilePath())
 	if err != nil {
 		return err
 	}
-	lastModStartDate := string(lastModStartDate_)
+
+	lastModStartDate, err := parseAndFormatForNVD(string(lastModStartDate_))
+	if err != nil {
+		return fmt.Errorf("invalid last_mod_start_date.txt format: %w", err)
+	}
 
 	// Get the new CVE updates since the previous synchronization.
-	lastModStartDate, err = s.sync(ctx, &lastModStartDate)
+	newLastModStartDate, err := s.sync(ctx, &lastModStartDate)
 	if err != nil {
 		return err
 	}
 
 	// Update the lastModStartDate for the next synchronization.
-	if err := s.writeLastModStartDateFile(lastModStartDate); err != nil {
+	if err := s.writeLastModStartDateFile(newLastModStartDate); err != nil {
 		return err
 	}
 
@@ -312,14 +332,16 @@ func (s *CVE) updateVulnCheckYearFile(year int, cves []VulnCheckCVE, modCount, a
 
 // writeLastModStartDateFile writes the lastModStartDate to a file in the local DB directory.
 func (s *CVE) writeLastModStartDateFile(lastModStartDate string) error {
-	if err := os.WriteFile(
-		s.lastModStartDateFilePath(),
-		[]byte(lastModStartDate),
-		constant.DefaultWorldReadableFileMode,
-	); err != nil {
+	normalized, err := parseAndFormatForNVD(lastModStartDate)
+	if err != nil {
 		return err
 	}
-	return nil
+
+	return os.WriteFile(
+		s.lastModStartDateFilePath(),
+		[]byte(normalized),
+		constant.DefaultWorldReadableFileMode,
+	)
 }
 
 // httpClient wraps an http.Client to allow for debug and setting a request context.
@@ -374,7 +396,7 @@ func (s *CVE) sync(ctx context.Context, lastModStartDate *string) (newLastModSta
 		cvesByYear              = make(map[int][]nvdapi.CVEItem)
 		retryAttempts           = 0
 		lastModEndDate          *string
-		now                     = time.Now().UTC().Format("2006-01-02T15:04:05.000")
+		now                     = time.Now().UTC().Format("2006-01-02T15:04:05.000Z")
 		vulnerabilitiesReceived = 0
 	)
 	if lastModStartDate != nil {
