
Suggested CLI for Discussion #8

Open
dn-scribe opened this issue Nov 14, 2023 · 1 comment
Comments

@dn-scribe

Suggested CLI for vulndb tool

(moved from the original repo)

Generic Options

--help = help for the current sub command
-v, -vv = verbose output, if any is provided - print output as logs.
--file = output file name
-o, --output-format = output format (table, json, cyclone-dx-json)

Commands

ingest

ingest data from various sources into vulndb database

version

Displays software version, database schema version, update date for each data source (none if not included)

sub commands:

nvd,
osv (I suggest that the command is vulndb ingest nvd/osv)

Flags:
--nvd-api-key

--limit (for experimentation, default - none)

--offset (for experimentation, default - 0) (Note: I'm not sure this is needed)

--update-only

--osv-sources pypi/maven/.... default - all

purl-cves

Retrieve CVE vulnerabilities for purl or a list of purls

Flags:
--input-file = input file. if this flag is used it overrides input given as arguments

--input-file-format = raw-list, cycloneDX-json default raw-list

--min-level = minimum severity level (low, medium, high, critical) default - low

--package-managers = pypi,maven (a list), default to all

--from-date = include only new vulnerabilities published after from-date

--include-non-nvd = include non NVD vulnerabilities (from OSV) default - false

cve-lookup

Retrieve PURLs that are affected by the CVE (according to the OSV database)

Flags: As for the purl-cves command

In the case of output format cycloneDX, the purls will be added as components + linked to the vulnerabilities in the vulnerabilities section.

sbom-vulnerabilities

Add a vulnerabilities section to a CycloneDX SBOM

Command format: vulndb sbom-vulnerabilities

Notes:

  • command should update the SBOM tool section and the SBOM identifier.
  • command can be made redundant - the capability can be provided by the purl-cve command (input and output formats of cycloneDX)

search (optional)

Text search on all fields.

vulndb search 'query'

query can include SQL wildcard %

@dn-scribe
Author

lingo: cyclonedx-json
output: output as json or table should be hierarchical
[output json is missing]

Ingest: remove limit and offset, default to update and flag for not updating.

purl-cves:
detect format (if not cyclonedx then raw list) - Wei will add it to his flask PR.

purls affected by cve: only output as raw list, the cyclonedx does not make sense.

sbom-vulnerabilities - this is not a separate command - when running purl-cves with input format and output format cyclonedx then sbom patching will be performed.

search: remains optional.

need an additional command to dictate if tool is run as cli or service - to be done by Wei or Frederick
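Added example, not code from the vulndb project or from the comments above: a Python sketch of the purl-cves flow the two comments converge on. It detects the input format (CycloneDX JSON vs. a raw purl list) instead of taking --input-file-format, applies the --min-level, --from-date, --package-managers and --include-non-nvd filters, and, when both input and output are cyclonedx-json, performs the "SBOM patching" the second comment describes: a vulnerabilities section whose entries reference component bom-refs through `affects`, a new entry under metadata.tools, and a fresh serialNumber. The vulnerability table, the tool identity and all IDs are constructed placeholders standing in for the real database; function names are assumptions.

```python
"""Added example of the proposed purl-cves command (not vulndb's own code)."""
import json
import uuid
from datetime import date

# Constructed stand-in for the vulndb database (assumption; the IDs are placeholders).
VULN_TABLE = {
    "pkg:pypi/requests@2.25.0": [
        {"id": "CVE-EXAMPLE-0001", "severity": "high", "published": "2023-05-01", "source": "NVD"},
        {"id": "GHSA-EXAMPLE-0002", "severity": "low", "published": "2022-01-01", "source": "OSV"},
    ],
    "pkg:maven/org.example/lib@1.0": [
        {"id": "CVE-EXAMPLE-0003", "severity": "critical", "published": "2021-01-01", "source": "NVD"},
    ],
}
SEVERITY_ORDER = ["low", "medium", "high", "critical"]
TOOL = {"vendor": "example", "name": "vulndb", "version": "0.0.0"}  # assumed tool identity

# Constructed inputs: a minimal CycloneDX 1.4 SBOM and a raw purl list.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
    "components": [
        {"type": "library", "bom-ref": "comp-1", "name": "requests", "version": "2.25.0",
         "purl": "pkg:pypi/requests@2.25.0"},
        {"type": "library", "bom-ref": "comp-2", "name": "lib", "version": "1.0",
         "purl": "pkg:maven/org.example/lib@1.0"},
    ],
})
SAMPLE_RAW = "# constructed raw list\npkg:pypi/requests@2.25.0\npkg:maven/org.example/lib@1.0\n"


def detect_input_format(text):
    """A JSON document with bomFormat == "CycloneDX" is an SBOM; anything else is a raw list."""
    try:
        doc = json.loads(text)
    except ValueError:
        return "raw-list"
    return "cyclonedx-json" if isinstance(doc, dict) and doc.get("bomFormat") == "CycloneDX" else "raw-list"


def purls_from_input(text, fmt):
    """Return (purl, bom-ref) pairs; a raw list uses the purl itself as the reference."""
    if fmt == "cyclonedx-json":
        comps = json.loads(text).get("components", [])
        return [(c["purl"], c.get("bom-ref", c["purl"])) for c in comps if "purl" in c]
    lines = [line.strip() for line in text.splitlines()]
    return [(line, line) for line in lines if line and not line.startswith("#")]


def purl_type(purl):
    """The package manager is the purl type: pkg:<type>/..."""
    return purl[len("pkg:"):].split("/", 1)[0]


def find_vulns(purls, min_level="low", from_date=None, package_managers=None, include_non_nvd=False):
    """Apply the purl-cves flags. from_date is an ISO date; only later publications are kept."""
    floor = SEVERITY_ORDER.index(min_level)
    out = {}
    for purl in purls:
        if package_managers and purl_type(purl) not in package_managers:
            continue
        hits = []
        for v in VULN_TABLE.get(purl, []):
            if SEVERITY_ORDER.index(v["severity"]) < floor:
                continue
            if from_date and date.fromisoformat(v["published"]) <= date.fromisoformat(from_date):
                continue
            if v["source"] != "NVD" and not include_non_nvd:
                continue
            hits.append(v)
        if hits:
            out[purl] = hits
    return out


def patch_sbom(sbom, findings, refs):
    """SBOM patching: vulnerabilities linked to components via affects/ref, tool recorded,
    serialNumber reissued because the document content changed."""
    by_id = {}
    for purl, vulns in findings.items():
        for v in vulns:
            entry = by_id.setdefault(v["id"], {
                "id": v["id"], "source": {"name": v["source"]},
                "ratings": [{"severity": v["severity"]}], "published": v["published"], "affects": []})
            entry["affects"].append({"ref": refs[purl]})
    sbom["vulnerabilities"] = list(by_id.values())
    sbom.setdefault("metadata", {}).setdefault("tools", []).append(dict(TOOL))
    sbom["serialNumber"] = "urn:uuid:" + str(uuid.uuid4())
    return sbom


def purl_cves(text, output_format="json", **flags):
    """The merged purl-cves command: raw list or SBOM in; table, json or cyclonedx-json out."""
    fmt = detect_input_format(text)
    pairs = purls_from_input(text, fmt)
    findings = find_vulns([p for p, _ in pairs], **flags)
    if output_format == "cyclonedx-json":
        if fmt != "cyclonedx-json":
            raise ValueError("cyclonedx-json output needs a CycloneDX SBOM as input")
        return patch_sbom(json.loads(text), findings, dict(pairs))
    if output_format == "table":
        return [f"{p}\t{v['id']}\t{v['severity']}" for p, vs in findings.items() for v in vs]
    return findings  # hierarchical json output: purl -> list of vulnerabilities


if __name__ == "__main__":
    print(json.dumps(purl_cves(SAMPLE_SBOM, "cyclonedx-json"), indent=2))
```

Two points worth keeping when this becomes real: the OSV-only entries drop out unless --include-non-nvd is set, which matches the proposed default, and refusing cyclonedx-json output for a raw-list input is deliberate, since there is no component to attach the `affects` reference to (the same reason the second comment says CycloneDX output "does not make sense" for the CVE-to-purls direction).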
