From 67f67df9c68caca5032d5cc1c2f46fadd61f5a64 Mon Sep 17 00:00:00 2001
From: Jess Lowe
Date: Tue, 10 Feb 2026 04:29:19 +0000
Subject: [PATCH] Convert the CNA Allowlist into a denylist. All CNAs in the denylist have never successfully converted any ranges to commits
---
.../cve/cve5/bulk-converter/cna_allowlist.txt | 5 -
.../cve/cve5/bulk-converter/cna_denylist.txt | 272 ++++++++++++++++++
.../cve/cve5/bulk-converter/main.go | 14 +-
3 files changed, 279 insertions(+), 12 deletions(-)
delete mode 100644 vulnfeeds/cmd/converters/cve/cve5/bulk-converter/cna_allowlist.txt
create mode 100644 vulnfeeds/cmd/converters/cve/cve5/bulk-converter/cna_denylist.txt
diff --git a/vulnfeeds/cmd/converters/cve/cve5/bulk-converter/cna_allowlist.txt b/vulnfeeds/cmd/converters/cve/cve5/bulk-converter/cna_allowlist.txt
deleted file mode 100644
index 85d9097cf67..00000000000
--- a/vulnfeeds/cmd/converters/cve/cve5/bulk-converter/cna_allowlist.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Linux
-GitHub_M
-GitLab
-Centreon
-@huntrdev
\ No newline at end of file
diff --git a/vulnfeeds/cmd/converters/cve/cve5/bulk-converter/cna_denylist.txt b/vulnfeeds/cmd/converters/cve/cve5/bulk-converter/cna_denylist.txt
new file mode 100644
index 00000000000..148a9030fe1
--- /dev/null
+++ b/vulnfeeds/cmd/converters/cve/cve5/bulk-converter/cna_denylist.txt
@@ -0,0 +1,272 @@
+1E
+3DS
+42Gears
+9front
+ABB
+Absolute
+Acronis
+airbus
+AlgoSec
+AMD
+AMI
+AppCheck
+apple
+arcinfo
+Arista
+Arm
+Armis
+ARTICA
+ASR
+ASUS
+ASUSTOR1
+ATIS
+atlassian
+avaya
+Axis
+AxxonSoft
+B.Braun
+Baicells
+Baidu
+Baxter
+BD
+BECLS
+bizerba
+blackberry
+BlackDuck
+BLSOPS
+bosch
+brocade
+BT
+Bugcrowd
+ca
+Canon
+Canon_EMEA
+Carrier
+Cato
+CERT-In
+CERTVDE
+checkpoint
+ChromeOS
+Ciena
+cisco
+Citrix
+ConnectWise
+CoolKit
+crafter
+Crestron
+CrowdStrike
+CSA
+CSW
+Cybellum
+CyberDanube
+dahua
+Danfoss
+Delinea
+dell
+Deltaww
+DEVOLUTIONS
+Digi
+Document Fdn.
+Dragos
+Dremio
+Eaton
+EDB
+Edgewatch
+ELAN
+ENISA
+Esri
+ExtremeNetworks
+F-SecureUS
+f5
+Fidelis
+flexera
+forcepoint
+Forescout
+ForgeRock
+fortinet
+Fortra
+freebsd
+FSI
+FSOFT
+Gallagher
+GandC
+GE GP
+GE_Vernova
+GEHC
+Genetec
+GitHub_P
+google_android
+Google_Devices
+GoogleCloud
+GreenRocketSecurity
+Halborn
+Hanwha_Vision
+HCL
+hikvision
+Hillstone
+Hitachi
+Hitachi Energy
+HITVAN
+Honeywell
+Honor
+hp
+hpe
+huawei
+Huntress
+HW
+HYPR
+ibm
+ICT
+IDEMIA
+Illumio
+imaginationtech
+iManage
+INCD
+Insyde
+intel
+isc
+ivanti
+JAMF
+Jaspersoft
+jci
+jenkins
+Joomla
+juniper
+Kaspersky
+KNIME
+krcert
+larry_cashdollar
+lenovo
+Lexmark
+LGE
+libreswan
+Liferay
+Logitech
+M-Files Corporation
+ManageEngine
+MediaTek
+Medtronic
+Meta
+microfocus
+microsoft
+Milestone
+MIM
+Mirantis
+Mitsubishi
+MON-CSIRT
+Moxa
+N-able
+naver
+NCSC-NL
+NEC
+Netskope
+NI
+NLnet Labs
+NLOK
+Nokia
+NX
+OB
+Octopus
+ODA
+odoo
+Okta
+Omnissa
+OMRON
+openam-jp
+OpenBMC
+OpenCloudOS
+openEuler
+OpenHarmony
+OpenText
+OPPO
+OTRS
+Palantir
+Panasonic Corporation
+Panasonic_Holdings_Corporation
+PandoraFMS
+PaperCut
+Payara
+Pega
+Perforce
+Philips
+Phoenix
+Ping Identity
+PlexTrac
+Profelis
+Profisee
+Proofpoint
+puppet
+PureStorage
+qnap
+qualcomm
+Qualys
+Roche
+Rockwell
+RTI
+S21sec
+SailPoint
+Salesforce
+Samsung Mobile
+SamsungMobile
+Saviynt
+schneider
+Seagate
+Secomea
+Securifera
+securin
+SEL
+ShopBeat
+SICK
AG +siemens +SK-CERT +Snow +Softing +SoftIron +SolarWinds +Solidigm +sonicwall +Sophos +Splunk +SRA +StrongDM +Supermicro +SWI +symantec +Synaptics +synology +TECNOMobile +THA-PSIRT +TianoCore +tibco +tlt_net +Toreon +Toshiba +TPLink +TQtC +trendmicro +Tribe29 +TRO +TV +twcert +TXOne +Unisoc +upKeeper +Vivo +WatchGuard +WDC PSIRT +wikimedia-foundation +WindRiver +Wiz +WSO2 +XEN +Xerox +XI +Xiaomi +yandex +YokogawaGroup +Zabbix +Zohocorp +Zoom +Zscaler +zte +Zyxel \ No newline at end of file diff --git a/vulnfeeds/cmd/converters/cve/cve5/bulk-converter/main.go b/vulnfeeds/cmd/converters/cve/cve5/bulk-converter/main.go index 9ffa22f97af..0dd3543aff7 100644 --- a/vulnfeeds/cmd/converters/cve/cve5/bulk-converter/main.go +++ b/vulnfeeds/cmd/converters/cve/cve5/bulk-converter/main.go @@ -25,12 +25,12 @@ var ( localOutputDir = flag.String("out-dir", "cvelist2osv", "Path to output results.") startYear = flag.String("start-year", "2022", "The first in scope year to process.") workers = flag.Int("workers", 30, "The number of concurrent workers to use for processing CVEs.") - cnaAllowList = flag.String("cnas-allowlist", "", "A comma-separated list of CNAs to process. If not provided, defaults to cna_allowlist.txt.") + cnaDenyList = flag.String("cna-denylist", "", "A comma-separated list of CNAs to skip. If not provided, defaults to cna_denylist.txt.") rejectFailed = flag.Bool("reject-failed", false, "If set, OSV records with a failed conversion outcome will not be generated.") ) -//go:embed cna_allowlist.txt -var cnaAllowlistData []byte +//go:embed cna_denylist.txt +var cnaDenylistData []byte func main() { flag.Parse() 
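Review bot: The `//go:embed cna_denylist.txt` declaration near the end of this hunk carries no comment saying what puts a CNA on the list; the criterion (no range from that CNA has ever converted to a commit) is recorded only in the commit message. A line above `cnaDenylistData` such as `// cnaDenylistData holds CNA short names, one per line, that have never produced a range-to-commit conversion; CVEs assigned by a listed CNA are skipped.` would keep the rule next to the data it governs. The `cna-denylist` help text could also mention that an empty value always selects the embedded file, so as written the flag appears unable to express "skip nothing".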
@@ -44,10 +44,10 @@ func main() { jobs := make(chan string) var wg sync.WaitGroup var cnaList []string - if *cnaAllowList != "" { - cnaList = strings.Split(*cnaAllowList, ",") + if *cnaDenyList != "" { + cnaList = strings.Split(*cnaDenyList, ",") } else { - for _, cna := range strings.Split(string(cnaAllowlistData), "\n") { + for _, cna := range strings.Split(string(cnaDenylistData), "\n") { cna = strings.TrimSpace(cna) if cna != "" { cnaList = append(cnaList, cna) @@ -112,7 +112,7 @@ func worker(wg *sync.WaitGroup, jobs <-chan string, outDir string, cnas []string continue } - if !slices.Contains(cnas, cve.Metadata.AssignerShortName) || cve.Metadata.State != "PUBLISHED" { + if slices.Contains(cnas, cve.Metadata.AssignerShortName) || cve.Metadata.State != "PUBLISHED" { continue } cveID := cve.Metadata.CVEID
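Review bot: In the `if *cnaDenyList != ""` branch the flag value is split on commas without trimming, while the embedded-file branch passes every entry through `strings.TrimSpace` and drops empties. With the old allowlist a stray space caused a CNA to be skipped; with a denylist it causes the CNA to be processed, because the later check in `worker` is an exact string match, so `-cna-denylist "A, B"` would not exclude `B`. Running both sources through the existing trim loop removes the difference, for example `entries := strings.Split(string(cnaDenylistData), "\n")`, then `if *cnaDenyList != "" { entries = strings.Split(*cnaDenyList, ",") }`, then `for _, cna := range entries {` with the current loop body. `main` begins before this hunk and continues past it.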
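Review bot: The `cnas` parameter of `worker` (and `cnaList` in `main`) now holds the CNAs to exclude, yet the neutral name still reads like the set to process, which makes the flipped `slices.Contains` condition on the `+` line easy to misread later. Renaming it to `deniedCNAs` and giving the denylist test its own statement, `if slices.Contains(deniedCNAs, cve.Metadata.AssignerShortName) { continue }`, would keep it apart from the `State != "PUBLISHED"` filter. A short comment there noting that the comparison is exact and case-sensitive would also help, since the embedded list mixes cases (`apple`, `Arista`). The body of `worker` starts and ends outside this hunk.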