rhel-vex updater can fail when RedHat removes json files during in-progress update

[frostmar]

Since approx 2026-01-09 10:00UTC we're seeing the rhel-vex updater consistently fail on every updater run with the following error logged:

message: errors encountered during updater run
error: updating errors:
    rhel-vex: unexpected response: unexpected status code: 404 Not Found (body starts: "<!DOCTYPE html>...

This is caused by a JSON file such as https://security.access.redhat.com/data/csaf/v2/vex/2022/cve-2022-26426.json being removed from the website after a https://security.access.redhat.com/data/csaf/v2/vex/changes.csv has been read that listed the file.

This unusual state may be triggered by the current state of RedHat's vex feed

• the current https://security.access.redhat.com/data/csaf/v2/vex/csaf_vex_2026-01-03.tar.zst is 10 days old
• so https://security.access.redhat.com/data/csaf/v2/vex/changes.csv is very long ... currently 291,714 rows
  and https://security.access.redhat.com/data/csaf/v2/vex/deletions.csv currently has 18,343 rows
• fetching 290k individual json files can take ~15mins, giving time for the vex feed to update removing some json files. There's also a new changes.csv and deletions.csv, but we're still processing the old ones
• unusual behaviour of the vex feed may have been triggered by an outage of some RedHat web systems
  https://status.redhat.com/incidents/6cqmnpcmqvrs
  https://status.redhat.com/incidents/trq7cgsrhr3r

---

I can't think of a bullet-proof definitive way for this to be perfect, but perhaps the rhel-vex updater could treat HTTP404 of an individual CVE json file to be a non-fatal error, log a warning, proceed assuming it's just been deleted. The CVE wouldn't be part of the in-progress update, subsequent update runs would find and add it again if it's a transient problem on the vex feed.

[frostmar]

Related PR gives better logging to spot the cause:

• internal/httputil: include URL in error #1727

[hdonnay]

We've filed SECDATA-1187 internally to get the process fixed and prevent this from happening again.

I'm loathe to change the behavior in claircore to accommodate these sort of errors: if the manifest says a file should exist, it should be an error for it to not exist.
I also think it would cause correctness problems to allow the the process to continue when a VEX file 404s; we'd have no way to know that a VEX file needs to be re-processed later, because the updater is purposefully designed to not do a lot of database reads while doing its processing.

[frostmar]

Thanks for picking up quickly.

I think no matter what, there's always a race window where claircore has fetched the changes.csv file, then shortly afterward the VEX feed removes a json file that was listed. It's just with the current large number of changes.csv rows and greater VEX churn that's a larger window than normal with more deletions to hit