From 1990be3933fb9e37f08edce3f33e022a3a164b9f Mon Sep 17 00:00:00 2001
From: Brad Lugo <blugo@redhat.com>
Date: Wed, 18 Feb 2026 16:37:38 -0800
Subject: [PATCH 1/2] ROX-33230: Handle trailing slash in amzn2 updater

---
 ext/vulnsrc/amzn/amzn.go | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/ext/vulnsrc/amzn/amzn.go b/ext/vulnsrc/amzn/amzn.go
index 48d6aff7a..7a1beb0b0 100644
--- a/ext/vulnsrc/amzn/amzn.go
+++ b/ext/vulnsrc/amzn/amzn.go
@@ -22,6 +22,7 @@ import (
 	"encoding/xml"
 	"fmt"
 	"io"
+	"net/url"
 	"regexp"
 	"strings"
 
@@ -194,10 +195,14 @@ func (u *updater) getUpdateInfoURI() (string, error) {
 	if !success {
 		log.WithError(err).Error("could not parse mirror list")
 	}
-	mirrorURI := scanner.Text()
+	mirrorURL, err := url.Parse(scanner.Text())
+	if err != nil {
+		log.WithError(err).Error("invalid url returned from mirror list")
+		return "", commonerr.ErrCouldNotDownload
+	}
 
 	// Download repomd.xml.
-	repoMdURI := mirrorURI + "/repodata/repomd.xml"
+	repoMdURI := mirrorURL.JoinPath("repodata", "repomd.xml").String()
 	repoMdResponse, err := httputil.GetWithUserAgent(repoMdURI)
 	if err != nil {
 		log.WithError(err).Error("could not download repomd.xml")
@@ -222,7 +227,7 @@ func (u *updater) getUpdateInfoURI() (string, error) {
 	var updateInfoURI string
 	for _, repo := range repoMd.RepoList {
 		if repo.Type == "updateinfo" {
-			updateInfoURI = mirrorURI + "/" + repo.Location.Href
+			updateInfoURI = mirrorURL.JoinPath(repo.Location.Href).String()
 			break
 		}
 	}

From 8b265a6fe58d87bbdafe4b30040e1483582acaf7 Mon Sep 17 00:00:00 2001
From: Brad Lugo <blugo@redhat.com>
Date: Wed, 18 Feb 2026 16:47:19 -0800
Subject: [PATCH 2/2] empty CI commit