@chait-slim chait-slim commented Sep 12, 2025

Summary

This PR adds support for Root.io application-level vulnerability feeds to vuln-list-update, extending the existing OS-level vulnerability tracking with language/framework-specific vulnerability data.

Changes Introduced

  1. New Application Feed Support
  • Added support for fetching application-level vulnerabilities from https://api.root.io/external/app_feed
  • Application feed covers language ecosystems like npm, pip, go, etc.
  • Data is saved to rootio/app/cve_feed.json for clear separation from OS data
  2. Existing OS Feed Integration
  • Maintains compatibility with the existing OS vulnerability feed at https://api.root.io/external/cve_feed
  • OS feed continues to be saved to rootio/cve_feed.json
  • Supports Alpine, Debian, Ubuntu, and other OS distributions
  3. Unified Data Structure

Both feeds use the same JSON structure:

  {
    "ecosystem": [
      {
        "distroversion": "version",
        "packages": [
          {
            "pkg": {
              "name": "package-name",
              "cves": {
                "CVE-XXXX-XXXXX": {
                  "vulnerable_ranges": ["<version"],
                  "fixed_versions": ["version"]
                }
              }
            }
          }
        ]
      }
    ]
  }
  4. Implementation Details
  • Modular Design: Used a feedInfo struct to define feed configurations, making it easy to add/modify feeds
  • Clean Separation: OS and application feeds are stored in separate locations for better organization
  • Future-Proof: Architecture supports the planned migration from cve_feed to separate os_feed and app_feed endpoints
  • Error Handling: Comprehensive error handling with clear error messages for debugging
  • Testing: Full test coverage for both feeds with various error scenarios

Directory Structure

After running the updater, the vulnerability data is organized as:

  vuln-list/
  └── rootio/
      ├── cve_feed.json     # OS package vulnerabilities
      └── app/
          └── cve_feed.json # Application package vulnerabilities

Testing

  • Tests verify correct fetching and parsing of both OS and app feeds
  • Error scenarios tested include invalid JSON, missing endpoints, and server errors
  • Tests ensure proper directory structure and file placement
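As an added illustration (not code from this PR or from vuln-list-update), a Go decoder for the shared feed structure described above: it flattens either feed into one advisory per CVE and rejects malformed JSON. The `Feed` and `Advisory` types, `Flatten`, and the sample document are assumed names and constructed data, not the project's own.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Feed is the JSON layout shared by the OS and application feeds: ecosystem name -> distro versions.
type Feed map[string][]struct {
	DistroVersion string `json:"distroversion"`
	Packages      []struct {
		Pkg struct {
			Name string         `json:"name"`
			CVEs map[string]CVE `json:"cves"`
		} `json:"pkg"`
	} `json:"packages"`
}
type CVE struct {
	VulnerableRanges []string `json:"vulnerable_ranges"`
	FixedVersions    []string `json:"fixed_versions"`
}
// Advisory is one flattened (ecosystem, distro version, package, CVE) row.
type Advisory struct {
	Ecosystem, DistroVersion, Package, ID string
	VulnerableRanges, FixedVersions      []string
}

// Flatten decodes a feed into one Advisory per CVE; malformed JSON is reported as an error.
func Flatten(data []byte) ([]Advisory, error) {
	var feed Feed
	if err := json.Unmarshal(data, &feed); err != nil {
		return nil, fmt.Errorf("rootio: decode feed: %w", err)
	}
	var out []Advisory
	for eco, dvs := range feed {
		for _, dv := range dvs {
			for _, p := range dv.Packages {
				for id, c := range p.Pkg.CVEs {
					out = append(out, Advisory{eco, dv.DistroVersion, p.Pkg.Name, id, c.VulnerableRanges, c.FixedVersions})
				}
			}
		}
	}
	return out, nil
}

// sampleFeed is a constructed document (placeholder CVE ids and packages) in the structure quoted above.
const sampleFeed = `{"npm":[{"distroversion":"all","packages":[{"pkg":{"name":"example-lib","cves":{"CVE-0000-0001":{"vulnerable_ranges":["<1.2.3"],"fixed_versions":["1.2.3"]}}}}]}],
"alpine":[{"distroversion":"3.19","packages":[{"pkg":{"name":"example-pkg","cves":{"CVE-0000-0002":{"vulnerable_ranges":["<2.0.0-r1"],"fixed_versions":["2.0.0-r1"]}}}}]}]}`

func main() { fmt.Println(Flatten([]byte(sampleFeed))) }
```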

rootio/rootio.go Outdated
Comment on lines 18 to 19
osFeedPath = "external/os_feed" // OS packages feed
appFeedPath = "external/app_feed" // Language/app packages feed
How can I download the new files for testing?
Only https://api.root.io/external/cve_feed is available.

Contributor Author

You're right. It's being developed at the same time. I want to validate the PRs are accepted and I'll merge it on our side before merging the Trivy ones.

@DmitriyLewen

And can you add the PR description, please?
