feat: move Vanir signature generation to a cron job

Makefile

@@ -28,6 +28,9 @@ importer-tests:
 recoverer-tests:
 	cd gcp/workers/recoverer && ./run_tests.sh
 
+vanir-signatures-tests:
+	cd gcp/workers/vanir_signatures && ./run_tests.sh
+
 website-tests:
 	cd gcp/website && ./run_tests.sh
 

deployment/build-and-stage.yaml

@@ -216,6 +216,16 @@ steps:
   args: ['push', '--all-tags', 'gcr.io/oss-vdb-test/osv-linter']
   waitFor: ['build-osv-linter', 'cloud-build-queue']
 
+# Build/push vanir-signatures images to gcr.io/oss-vdb.
+- name: gcr.io/cloud-builders/docker
+  args: ['build', '-t', 'gcr.io/oss-vdb/vanir-signatures:latest', '-t', 'gcr.io/oss-vdb/vanir-signatures:$COMMIT_SHA', '.']
+  dir: 'gcp/workers/vanir_signatures'
+  id: 'build-vanir-signatures'
+  waitFor: ['build-worker']
+- name: gcr.io/cloud-builders/docker
+  args: ['push', '--all-tags', 'gcr.io/oss-vdb/vanir-signatures']
+  waitFor: ['build-vanir-signatures', 'cloud-build-queue']
+
 # Build/push cron job images.
 - name: gcr.io/cloud-builders/docker
   args: ['build', '-t', 'gcr.io/oss-vdb/cron:latest', '-t', 'gcr.io/oss-vdb/cron:$COMMIT_SHA', '.']
@@ -432,6 +442,7 @@ steps:
      relations=gcr.io/oss-vdb/relations:$COMMIT_SHA,\
      generatesitemap=gcr.io/oss-vdb/generatesitemap:$COMMIT_SHA,\
      gitter=gcr.io/oss-vdb/gitter:$COMMIT_SHA,\
+     vanir-signatures=gcr.io/oss-vdb/vanir-signatures:$COMMIT_SHA,\
      cron=gcr.io/oss-vdb/cron:$COMMIT_SHA"
   ]
   dir: deployment/clouddeploy/gke-workers
@@ -496,3 +507,4 @@ images:
 - 'gcr.io/oss-vdb/oss-fuzz-importer:$COMMIT_SHA'
 - 'gcr.io/oss-vdb/generatesitemap:$COMMIT_SHA'
 - 'gcr.io/oss-vdb/gitter:$COMMIT_SHA'
+- 'gcr.io/oss-vdb/vanir-signatures:$COMMIT_SHA'

deployment/clouddeploy/gke-workers/base/kustomization.yaml

@@ -30,4 +30,5 @@ resources:
 - record-checker.yaml
 - cve5-to-osv.yaml
 - custommetrics.yaml
+- vanir-signatures.yaml
 

deployment/clouddeploy/gke-workers/base/vanir-signatures.yaml

@@ -0,0 +1,26 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: vanir-signatures
+  labels:
+    cronLastSuccessfulTimeMins: "60"
+spec:
+  schedule: "0 9 * * *"
+  timeZone: "Australia/Sydney"
+  concurrencyPolicy: Forbid
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          containers:
+          - name: vanir-signatures
+            image: vanir-signatures
+            imagePullPolicy: Always
+            resources:
+              requests:
+                cpu: "1"
+                memory: "10G"
+              limits:
+                cpu: "1"
+                memory: "13G"
+          restartPolicy: Never

deployment/clouddeploy/gke-workers/environments/oss-vdb-test/kustomization.yaml

@@ -26,3 +26,4 @@ patches:
 - path: record-checker.yaml
 - path: custommetrics.yaml
 - path: gitter.yaml
+- path: vanir-signatures.yaml

deployment/clouddeploy/gke-workers/environments/oss-vdb-test/vanir-signatures.yaml

@@ -0,0 +1,16 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: vanir-signatures
+spec:
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          containers:
+          - name: vanir-signatures
+            env:
+              - name: GOOGLE_CLOUD_PROJECT
+                value: oss-vdb-test
+              - name: OSV_VULNERABILITIES_BUCKET
+                value: osv-test-vulnerabilities

deployment/clouddeploy/gke-workers/environments/oss-vdb/kustomization.yaml

@@ -23,4 +23,5 @@ patches:
 - path: cve5-to-osv.yaml
 - path: custommetrics.yaml
 - path: gitter.yaml
+- path: vanir-signatures.yaml
 

deployment/clouddeploy/gke-workers/environments/oss-vdb/vanir-signatures.yaml

@@ -0,0 +1,16 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: vanir-signatures
+spec:
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          containers:
+          - name: vanir-signatures
+            env:
+              - name: GOOGLE_CLOUD_PROJECT
+                value: oss-vdb
+              - name: OSV_VULNERABILITIES_BUCKET
+                value: osv-vulnerabilities

gcp/workers/cloudbuild.yaml

@@ -62,6 +62,14 @@ steps:
     - GITTER_PORT=8891
   waitFor: ['init', 'sync']
 
+- name: 'gcr.io/oss-vdb/ci'
+  id: 'vanir-signatures-tests'
+  dir: gcp/workers/vanir_signatures
+  args: ['bash', '-ex', 'run_tests.sh']
+  env:
+    - DATASTORE_EMULATOR_PORT=8006
+  waitFor: ['init', 'sync']
+
 timeout: 7200s
 options:
   machineType: E2_HIGHCPU_8

gcp/workers/oss_fuzz_worker/worker.py

@@ -32,7 +32,6 @@
 from google.cloud import pubsub_v1
 from google.cloud import storage
 from google.cloud.storage import retry
-from google.protobuf import json_format
 
 sys.path.append(os.path.dirname(os.path.realpath(__file__)))
 import osv
@@ -42,8 +41,6 @@
 from osv import vulnerability_pb2
 import oss_fuzz
 
-from vanir import vulnerability_manager
-
 DEFAULT_WORK_DIR = '/work'
 OSS_FUZZ_GIT_URL = 'https://github.com/google/oss-fuzz.git'
 TASK_SUBSCRIPTION = 'oss-fuzz-tasks'
@@ -499,43 +496,6 @@ def _analyze_vulnerability(self, source_repo, repo, vulnerability, path,
                     vulnerability.id)
     raise UpdateConflictError
 
-  def _generate_vanir_signatures(self, vulnerability):
-    """Generates Vanir signatures for a vulnerability."""
-    if not any(r.type == vulnerability_pb2.Range.GIT
-               for affected in vulnerability.affected
-               for r in affected.ranges):
-      logging.info(
-          'Skipping Vanir signature generation for %s as it has no '
-          'GIT affected ranges.', vulnerability.id)
-      return vulnerability
-    if any(affected.package.name == "Kernel" and
-           affected.package.ecosystem == "Linux"
-           for affected in vulnerability.affected):
-      logging.info(
-          'Skipping Vanir signature generation for %s as it is a '
-          'Kernel vulnerability.', vulnerability.id)
-      return vulnerability
-
-    logging.info('Generating Vanir signatures for %s', vulnerability.id)
-    try:
-      vuln_manager = vulnerability_manager.generate_from_json_string(
-          content=json.dumps([
-              json_format.MessageToDict(
-                  vulnerability, preserving_proto_field_name=True)
-          ]),)
-      vuln_manager.generate_signatures()
-
-      if not vuln_manager.vulnerabilities:
-        logging.warning('Vanir signature generation resulted in no '
-                        'vulnerabilities.')
-        return vulnerability
-
-      return vuln_manager.vulnerabilities[0].to_proto()
-    except Exception:
-      logging.exception('Failed to generate Vanir signatures for %s',
-                        vulnerability.id)
-      return vulnerability
-
   def _do_update(self, source_repo, repo, vulnerability, relative_path,
                  original_sha256):
     """Process updates on a vulnerability."""
@@ -552,7 +512,6 @@ def _do_update(self, source_repo, repo, vulnerability, relative_path,
     orig_modified_date = vulnerability.modified.ToDatetime(datetime.UTC)
 
     # Fully enrich the vulnerability object in memory.
-    vulnerability = self._generate_vanir_signatures(vulnerability)
     try:
       result = self._analyze_vulnerability(source_repo, repo, vulnerability,
                                            relative_path, original_sha256)

gcp/workers/vanir_signatures/Dockerfile

@@ -0,0 +1,19 @@
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+FROM gcr.io/oss-vdb/worker
+
+COPY vanir_signatures.py /usr/local/bin/vanir_signatures.py
+RUN chmod 755 /usr/local/bin/vanir_signatures.py
+ENTRYPOINT ["vanir_signatures.py"]

gcp/workers/vanir_signatures/run_tests.sh

@@ -0,0 +1,22 @@
+#!/bin/bash -ex
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+cd ../worker
+
+# Install dependencies only if not running in Cloud Build
+if [ -z "$CLOUDBUILD" ]; then
+  poetry sync
+fi
+poetry run python ../vanir_signatures/vanir_signatures_test.py