future-architect · MaineK00n · Apr 2, 2026
diff --git a/detector/detector.go b/detector/detector.go
@@ -317,14 +317,11 @@ func DetectPkgCves(r *models.ScanResult, gostCnf config.GostConf, vuls2Conf conf
 		switch r.Family {
 		case constant.RedHat, constant.CentOS, constant.Fedora, constant.Alma, constant.Rocky, constant.Oracle, constant.Amazon,
 			constant.OpenSUSE, constant.OpenSUSELeap, constant.SUSEEnterpriseServer, constant.SUSEEnterpriseDesktop,
-			constant.Debian, constant.Raspbian, constant.Ubuntu, constant.Alpine:
+			constant.Debian, constant.Raspbian, constant.Ubuntu, constant.Alpine,
+			constant.Windows:
 			if err := vuls2.Detect(r, vuls2Conf, noProgress); err != nil {
 				return xerrors.Errorf("Failed to detect CVE with Vuls2: %w", err)
 			}
-		case constant.Windows:
-			if err := detectPkgsCvesWithGost(gostCnf, r, logOpts); err != nil {
-				return xerrors.Errorf("Failed to detect CVE with gost: %w", err)
-			}
 		default:
 			return xerrors.Errorf("Unsupported detection methods for %s", r.Family)
 		}
@@ -496,27 +493,6 @@ func fillCertAlerts(cvedetail *cvemodels.CveDetail) (dict models.AlertDict) {
 	return dict
 }
 
-func detectPkgsCvesWithGost(cnf config.GostConf, r *models.ScanResult, logOpts logging.LogOpts) error {
-	client, err := gost.NewGostClient(cnf, r.Family, logOpts)
-	if err != nil {
-		return xerrors.Errorf("Failed to new a gost client: %w", err)
-	}
-	defer func() {
-		if err := client.CloseDB(); err != nil {
-			logging.Log.Errorf("Failed to close the gost DB. err: %+v", err)
-		}
-	}()
-
-	nCVEs, err := client.DetectCVEs(r, true)
-	if err != nil {
-		return xerrors.Errorf("Failed to detect CVEs with gost: %w", err)
-	}
-
-	logging.Log.Infof("%s: %d CVEs are detected with gost", r.FormatServerName(), nCVEs)
-
-	return nil
-}
-
 // DetectCpeURIsCves detects CVEs of given CPE-URIs
 func DetectCpeURIsCves(r *models.ScanResult, cpes []Cpe, cnf config.GoCveDictConf, logOpts logging.LogOpts) error {
 	client, err := newGoCveDictClient(&cnf, logOpts)

diff --git a/detector/vuls2/vendor.go b/detector/vuls2/vendor.go
@@ -11,14 +11,14 @@
 	rpm "github.com/knqyf263/go-rpm-version"
 	"golang.org/x/xerrors"

 	criterionTypes "github.com/MaineK00n/vuls-data-update/pkg/extract/types/data/detection/condition/criteria/criterion"
 	noneexistcriterionTypes "github.com/MaineK00n/vuls-data-update/pkg/extract/types/data/detection/condition/criteria/criterion/noneexistcriterion"
 	vcAffectedRangeTypes "github.com/MaineK00n/vuls-data-update/pkg/extract/types/data/detection/condition/criteria/criterion/versioncriterion/affected/range"
 	fixstatusTypes "github.com/MaineK00n/vuls-data-update/pkg/extract/types/data/detection/condition/criteria/criterion/versioncriterion/fixstatus"
 	versioncriterionpackageTypes "github.com/MaineK00n/vuls-data-update/pkg/extract/types/data/detection/condition/criteria/criterion/versioncriterion/package"
 	segmentTypes "github.com/MaineK00n/vuls-data-update/pkg/extract/types/data/detection/segment"
 	ecosystemTypes "github.com/MaineK00n/vuls-data-update/pkg/extract/types/data/detection/segment/ecosystem"
 	severityTypes "github.com/MaineK00n/vuls-data-update/pkg/extract/types/data/severity"
 	v2 "github.com/MaineK00n/vuls-data-update/pkg/extract/types/data/severity/cvss/v2"
 	v31 "github.com/MaineK00n/vuls-data-update/pkg/extract/types/data/severity/cvss/v31"
 	v40 "github.com/MaineK00n/vuls-data-update/pkg/extract/types/data/severity/cvss/v40"
@@ -47,6 +47,8 @@
 
 func toVuls2Family(vuls0Family, vuls0Release string) string {
 	switch vuls0Family {
+	case constant.Windows:
+		return ecosystemTypes.EcosystemTypeMicrosoft
 	case constant.Raspbian:
 		return ecosystemTypes.EcosystemTypeDebian
 	case constant.SUSEEnterpriseServer, constant.SUSEEnterpriseDesktop:
@@ -577,6 +579,12 @@
 			Source: "SUSE",
 			RefID:  da.AdvisoryID,
 		}, nil
+	case ecosystemTypes.EcosystemTypeMicrosoft:
+		return models.Reference{
+			Link:   fmt.Sprintf("https://msrc.microsoft.com/update-guide/vulnerability/%s", da.AdvisoryID),
+			Source: "MICROSOFT",
+			RefID:  da.AdvisoryID,
+		}, nil
 	default:
 		return models.Reference{}, xerrors.Errorf("unsupported family: %s", et)
 	}
@@ -600,6 +608,8 @@
 		return fmt.Sprintf("https://security.alpinelinux.org/vuln/%s", v.Content.ID)
 	case models.Nvd:
 		return fmt.Sprintf("https://nvd.nist.gov/vuln/detail/%s", v.Content.ID)
+	case models.Microsoft:
+		return fmt.Sprintf("https://msrc.microsoft.com/update-guide/vulnerability/%s", v.Content.ID)
 	default:
 		return ""
 	}
@@ -731,6 +741,22 @@
 			}
 		}
 		return cmp.Compare(preferenceFn(a), preferenceFn(b))
+	case ecosystemTypes.EcosystemTypeMicrosoft:
+		preferenceFn := func(sourceID sourceTypes.SourceID) int {
+			switch sourceID {
+			case sourceTypes.MicrosoftCVRF:
+				return 5
+			case sourceTypes.MicrosoftCSAF:
+				return 4
+			case sourceTypes.MicrosoftBulletin:
+				return 3
+			case sourceTypes.MicrosoftWSUSSCN2, sourceTypes.MicrosoftMSUC:
+				return 2
+			default:
+				return 1
+			}
+		}
+		return cmp.Compare(preferenceFn(a), preferenceFn(b))
 	default:
 		return 0
 	}
@@ -828,6 +854,8 @@
 		}
 	case ecosystemTypes.EcosystemTypeSUSELinuxEnterprise, ecosystemTypes.EcosystemTypeOpenSUSE, ecosystemTypes.EcosystemTypeOpenSUSELeap, ecosystemTypes.EcosystemTypeOpenSUSETumbleweed:
 		return models.SUSE
+	case ecosystemTypes.EcosystemTypeMicrosoft:
+		return models.Microsoft
 	default:
 		return models.NewCveContentType(et)
 	}
@@ -978,6 +1006,8 @@
 		default:
 			return models.OvalMatch
 		}
+	case ecosystemTypes.EcosystemTypeMicrosoft:
+		return models.WindowsUpdateSearch
 	default:
 		return models.Confidence{
 			Score:           0,

diff --git a/detector/vuls2/vuls2.go b/detector/vuls2/vuls2.go
@@ -15,8 +15,8 @@

 	"golang.org/x/xerrors"

 	dataTypes "github.com/MaineK00n/vuls-data-update/pkg/extract/types/data"
 	criteriaTypes "github.com/MaineK00n/vuls-data-update/pkg/extract/types/data/detection/condition/criteria"
 	criterionTypes "github.com/MaineK00n/vuls-data-update/pkg/extract/types/data/detection/condition/criteria/criterion"
 	vcAffectedRangeTypes "github.com/MaineK00n/vuls-data-update/pkg/extract/types/data/detection/condition/criteria/criterion/versioncriterion/affected/range"
 	vcFixStatusTypes "github.com/MaineK00n/vuls-data-update/pkg/extract/types/data/detection/condition/criteria/criterion/versioncriterion/fixstatus"
@@ -156,7 +156,27 @@
 			Version:        sr.RunningKernel.Version,
 			RebootRequired: sr.RunningKernel.RebootRequired,
 		},
-		OSPackages: slices.Collect(maps.Values(pkgs)),
+		OSPackages: func() []scanTypes.OSPackage {
+			ps := slices.Collect(maps.Values(pkgs))
+			// For Windows, include the OS release as a synthetic package so that
+			// kernel-version-based detection can report the correct release name.
+			if sr.Family == constant.Windows && sr.RunningKernel.Version != "" {
+				ps = append(ps, scanTypes.OSPackage{
+					Name:    toVuls2Release(sr.Family, sr.Release),
+					Version: sr.RunningKernel.Version,
+				})
+			}
+			return ps
+		}(),
+		MicrosoftKB: func() scanTypes.MicrosoftKB {
+			if sr.WindowsKB == nil {
+				return scanTypes.MicrosoftKB{}
+			}
+			return scanTypes.MicrosoftKB{
+				Applied:   sr.WindowsKB.Applied,
+				Unapplied: sr.WindowsKB.Unapplied,
+			}
+		}(),
 
 		ScannedAt: time.Now(),
 		ScannedBy: version.String(),
@@ -166,34 +186,32 @@
 func detect(sesh *session.Session, sr scanTypes.ScanResult) (detectTypes.DetectResult, error) {
 	detected := make(map[dataTypes.RootID]detectTypes.VulnerabilityData)
 
-	if len(sr.OSPackages) > 0 {
-		m, err := ospkg.Detect(sesh.Storage(), sr, runtime.NumCPU())
-		if err != nil {
-			return detectTypes.DetectResult{}, xerrors.Errorf("Failed to detect os packages. err: %w", err)
+	m, err := ospkg.Detect(sesh.Storage(), sr, runtime.NumCPU())
+	if err != nil {
+		return detectTypes.DetectResult{}, xerrors.Errorf("Failed to detect os packages. err: %w", err)
+	}
+	for rootID, d := range m {
+		base := detectTypes.VulnerabilityData{
+			ID:         rootID,
+			Detections: []detectTypes.VulnerabilityDataDetection{d},
 		}
-		for rootID, d := range m {
-			base := detectTypes.VulnerabilityData{
-				ID:         rootID,
-				Detections: []detectTypes.VulnerabilityDataDetection{d},
-			}
 
-			avs, err := sesh.GetVulnerabilityData(rootID, dbTypes.Filter{
-				Contents: []dbTypes.FilterContentType{
-					dbTypes.FilterContentTypeAdvisories,
-					dbTypes.FilterContentTypeVulnerabilities,
-				},
-				RootIDs:     []dataTypes.RootID{rootID},
-				Ecosystems:  []ecosystemTypes.Ecosystem{d.Ecosystem},
-				DataSources: slices.Collect(maps.Keys(d.Contents)),
-			})
-			if err != nil {
-				return detectTypes.DetectResult{}, xerrors.Errorf("Failed to get vulnerability data. RootID: %s, err: %w", rootID, err)
-			}
-
-			base.Advisories = avs.Advisories
-			base.Vulnerabilities = avs.Vulnerabilities
-			detected[rootID] = base
+		avs, err := sesh.GetVulnerabilityData(rootID, dbTypes.Filter{
+			Contents: []dbTypes.FilterContentType{
+				dbTypes.FilterContentTypeAdvisories,
+				dbTypes.FilterContentTypeVulnerabilities,
+			},
+			RootIDs:     []dataTypes.RootID{rootID},
+			Ecosystems:  []ecosystemTypes.Ecosystem{d.Ecosystem},
+			DataSources: slices.Collect(maps.Keys(d.Contents)),
+		})
+		if err != nil {
+			return detectTypes.DetectResult{}, xerrors.Errorf("Failed to get vulnerability data. RootID: %s, err: %w", rootID, err)
 		}
+
+		base.Advisories = avs.Advisories
+		base.Vulnerabilities = avs.Vulnerabilities
+		detected[rootID] = base
 	}
 
 	var sourceIDs []sourceTypes.SourceID
@@ -420,6 +438,19 @@
 		vi.AffectedPackages = ps
 		vi.CpeURIs = am[vi.CveID].cpes
 
+		// Populate WindowsKBFixedIns and KB-based DistroAdvisories for Microsoft detections
+		if string(scanned.Family) == ecosystemTypes.EcosystemTypeMicrosoft {
+			for _, p := range ps {
+				if kbID, ok := strings.CutPrefix(p.FixedIn, "KB"); ok {
+					if !slices.Contains(vi.WindowsKBFixedIns, kbID) {
+						vi.WindowsKBFixedIns = append(vi.WindowsKBFixedIns, kbID)
+					}
+					da := models.DistroAdvisory{AdvisoryID: p.FixedIn, Description: "Microsoft Knowledge Base"}
+					vi.DistroAdvisories.AppendIfMissing(&da)
+				}
+			}
+		}
+
 		vim[vi.CveID] = vi
 	}
 
@@ -552,59 +583,76 @@
 			return nil, nil, true, nil
 		}
 
-		if cn.Criterion.Type != criterionTypes.CriterionTypeVersion || cn.Criterion.Version == nil {
-			continue
-		}
-
-		if ignoreCriterion(e, cn, tag) {
-			continue
-		}
-
-		fcn, err := filterCriterion(e, scanned, cn)
-		if err != nil {
-			return nil, nil, false, xerrors.Errorf("Failed to filter criterion. err: %w", err)
-		}
+		switch cn.Criterion.Type {
+		case criterionTypes.CriterionTypeVersion:
+			if cn.Criterion.Version == nil {
+				continue
+			}
 
-		switch fcn.Criterion.Version.Package.Type {
-		case vcPackageTypes.PackageTypeBinary, vcPackageTypes.PackageTypeSource:
-			if !fcn.Criterion.Version.Vulnerable {
+			if ignoreCriterion(e, cn, tag) {
 				continue
 			}
 
-			rangeType, fixedIn := func() (vcAffectedRangeTypes.RangeType, string) {
-				if fcn.Criterion.Version.Affected == nil {
-					return vcAffectedRangeTypes.RangeTypeUnknown, ""
+			fcn, err := filterCriterion(e, scanned, cn)
+			if err != nil {
+				return nil, nil, false, xerrors.Errorf("Failed to filter criterion. err: %w", err)
+			}
+
+			switch fcn.Criterion.Version.Package.Type {
+			case vcPackageTypes.PackageTypeBinary, vcPackageTypes.PackageTypeSource:
+				if !fcn.Criterion.Version.Vulnerable {
+					continue
 				}
-				return fcn.Criterion.Version.Affected.Type, selectFixedIn(fcn.Criterion.Version.Affected.Type, fcn.Criterion.Version.Affected.Fixed)
-			}()
 
-			for _, index := range fcn.Accepts.Version {
-				if len(scanned.OSPackages) <= index {
-					return nil, nil, false, xerrors.Errorf("Too large OSPackage index. len(OSPackage): %d, index: %d", len(scanned.OSPackages), index)
+				rangeType, fixedIn := func() (vcAffectedRangeTypes.RangeType, string) {
+					if fcn.Criterion.Version.Affected == nil {
+						return vcAffectedRangeTypes.RangeTypeUnknown, ""
+					}
+					return fcn.Criterion.Version.Affected.Type, selectFixedIn(fcn.Criterion.Version.Affected.Type, fcn.Criterion.Version.Affected.Fixed)
+				}()
+
+				for _, index := range fcn.Accepts.Version {
+					if len(scanned.OSPackages) <= index {
+						return nil, nil, false, xerrors.Errorf("Too large OSPackage index. len(OSPackage): %d, index: %d", len(scanned.OSPackages), index)
+					}
+					statuses = append(statuses, packStatus{
+						rangeType: rangeType,
+						status: models.PackageFixStatus{
+							Name: affectedPackageName(e, scanned.OSPackages[index]),
+							FixState: func() string {
+								if fcn.Criterion.Version.FixStatus == nil {
+									return ""
+								}
+								return fixState(e, sourceID, fcn.Criterion.Version.FixStatus.Vendor)
+							}(),
+							FixedIn:     fixedIn,
+							NotFixedYet: fcn.Criterion.Version.FixStatus == nil || fcn.Criterion.Version.FixStatus.Class != vcFixStatusTypes.ClassFixed,
+						},
+					})
 				}
-				statuses = append(statuses, packStatus{
-					rangeType: rangeType,
-					status: models.PackageFixStatus{
-						Name: affectedPackageName(e, scanned.OSPackages[index]),
-						FixState: func() string {
-							if fcn.Criterion.Version.FixStatus == nil {
-								return ""
-							}
-							return fixState(e, sourceID, fcn.Criterion.Version.FixStatus.Vendor)
-						}(),
-						FixedIn:     fixedIn,
-						NotFixedYet: fcn.Criterion.Version.FixStatus == nil || fcn.Criterion.Version.FixStatus.Class != vcFixStatusTypes.ClassFixed,
-					},
-				})
-			}
-		case vcPackageTypes.PackageTypeCPE:
-			for _, index := range fcn.Accepts.Version {
-				if len(scanned.CPE) <= index {
-					return nil, nil, false, xerrors.Errorf("Too large CPE index. len(CPE): %d, index: %d", len(scanned.CPE), index)
+			case vcPackageTypes.PackageTypeCPE:
+				for _, index := range fcn.Accepts.Version {
+					if len(scanned.CPE) <= index {
+						return nil, nil, false, xerrors.Errorf("Too large CPE index. len(CPE): %d, index: %d", len(scanned.CPE), index)
+					}
 				}
+				cpes = append(cpes, string(*fcn.Criterion.Version.Package.CPE))
+			default:
+			}
+		case criterionTypes.CriterionTypeKB:
+			if cn.Criterion.KB == nil || !cn.Accepts.KB {
+				continue
 			}
-			cpes = append(cpes, string(*fcn.Criterion.Version.Package.CPE))
+			statuses = append(statuses, packStatus{
+				rangeType: vcAffectedRangeTypes.RangeTypeUnknown,
+				status: models.PackageFixStatus{
+					Name:        cn.Criterion.KB.Product,
+					FixedIn:     fmt.Sprintf("KB%s", cn.Criterion.KB.KBID),
+					NotFixedYet: true,
+				},
+			})
 		default:
+			continue
 		}
 	}
 	return statuses, cpes, false, nil