Description
Since approx 2026-01-09 10:00UTC we're seeing the rhel-vex updater consistently fail on every updater run with the following error logged:
```
message: errors encountered during updater run
error: updating errors:
rhel-vex: unexpected response: unexpected status code: 404 Not Found (body starts: "<!DOCTYPE html>...
```
This is caused by a JSON file such as https://security.access.redhat.com/data/csaf/v2/vex/2022/cve-2022-26426.json being removed from the website after a https://security.access.redhat.com/data/csaf/v2/vex/changes.csv has been read that listed the file.
This unusual state may be triggered by the current state of RedHat's vex feed:
- the current https://security.access.redhat.com/data/csaf/v2/vex/csaf_vex_2026-01-03.tar.zst is 10 days old
- so https://security.access.redhat.com/data/csaf/v2/vex/changes.csv is very long ... currently 291,714 rows, and https://security.access.redhat.com/data/csaf/v2/vex/deletions.csv currently has 18,343 rows
- fetching 290k individual json files can take ~15mins, giving time for the vex feed to update, removing some json files. There's also a new changes.csv and deletions.csv, but we're still processing the old ones
- unusual behaviour of the vex feed may have been triggered by an outage of some RedHat web systems
  - https://status.redhat.com/incidents/6cqmnpcmqvrs
  - https://status.redhat.com/incidents/trq7cgsrhr3r
I can't think of a bullet-proof definitive way for this to be perfect, but perhaps the rhel-vex updater could treat an HTTP 404 for an individual CVE json file as a non-fatal error, log a warning, and proceed assuming it's just been deleted. The CVE wouldn't be part of the in-progress update; subsequent update runs would find and add it again if it's a transient problem on the vex feed.
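The tolerant fetch loop proposed above, as an added example that is not code from this issue or from the project: a 404 on one listed file is logged and skipped, while any other failure still aborts the run. `fetchAll`, `newFeed`, the `/2099/` paths and `/boom.json` are constructed for illustration, and a local test server stands in for the feed.

```go
package main

import (
	"fmt"
	"io"
	"log"
	"net/http"
	"net/http/httptest"
)

// fetchAll (hypothetical) fetches each path from a changes.csv snapshot: a 404 is logged and skipped, other failures abort.
func fetchAll(c *http.Client, base string, paths []string) (map[string]string, []string, error) {
	docs, skipped := map[string]string{}, []string{}
	for _, p := range paths {
		res, err := c.Get(base + p)
		if err != nil {
			return nil, skipped, err
		}
		body, err := io.ReadAll(res.Body)
		res.Body.Close()
		if res.StatusCode == http.StatusNotFound {
			log.Printf("warning: %s is listed in changes.csv but returned 404, skipping", p)
			skipped = append(skipped, p)
			continue
		} else if err != nil || res.StatusCode != http.StatusOK {
			return nil, skipped, fmt.Errorf("%s: status %s, read error: %v", p, res.Status, err)
		}
		docs[p] = string(body)
	}
	return docs, skipped, nil
}

// feed is a constructed stand-in for the VEX site: path -> status, unlisted paths are 404.
var feed = map[string]int{"/2099/cve-2099-0001.json": 200, "/2099/cve-2099-0002.json": 200, "/boom.json": 500}
func newFeed() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		code, ok := feed[r.URL.Path]
		if !ok {
			code = http.StatusNotFound
		}
		w.WriteHeader(code)
		fmt.Fprint(w, "{}")
	}))
}

func main() {
	srv := newFeed()
	defer srv.Close()
	fmt.Println(fetchAll(srv.Client(), srv.URL, []string{"/2099/cve-2099-0001.json", "/2022/cve-2022-26426.json"}))
}
```

Returning the skipped paths lets the caller count them, so a run where most of the listed files are missing can still be reported as a feed problem.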