Pre-built databases:
- purl2cpe database for cdxgen - Unused
- vulnerability database for dep-scan, including OS and application vulnerabilities. The following VDB settings were used to build it:
  - NVD_START_YEAR: 2018 (2014 for the 10y variant)
  - GITHUB_PAGE_COUNT: 5 (10 for the 10y variant)
To download this database manually, use the ORAS CLI. The archives are written into $VDB_HOME, so decompress them there rather than in the current directory:
export VDB_HOME=$HOME/vdb
oras pull ghcr.io/appthreat/vdbzst:v6 -o "$VDB_HOME"
zstd -d "$VDB_HOME"/*.zst
rm "$VDB_HOME"/*.zst
Or use the xz version:
export VDB_HOME=$HOME/vdb
oras pull ghcr.io/appthreat/vdbxz:v6 -o "$VDB_HOME"
tar -C "$VDB_HOME" -xvf "$VDB_HOME"/*.tar.xz
rm "$VDB_HOME"/*.tar.xz
Use the -10y image name (vdbxz-10y or vdbzst-10y) to download the larger database with data from 2014:
export VDB_HOME=$HOME/vdb
# zst variant: ghcr.io/appthreat/vdbzst-10y:v6
oras pull ghcr.io/appthreat/vdbxz-10y:v6 -o "$VDB_HOME"
tar -C "$VDB_HOME" -xvf "$VDB_HOME"/*.tar.xz
rm "$VDB_HOME"/*.tar.xz
dep-scan automatically uses this database for all scans when the environment variable VDB_HOME points at the directory.
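The download procedure above, as an added example script that is not part of the vdb or dep-scan projects: it builds the image reference from the chosen format (zst or xz) and window (default or 10y), pulls it with the ORAS CLI, unpacks with the matching tool from any working directory, and refuses to report success while an archive is still lying around or fewer than the expected index and db files are present. Assumptions of the example, not stated on the page: every variant is tagged v6, the 10y suffix applies to both formats, and the exact file names inside the package are unknown, so the check counts regular files rather than naming them.

```sh
#!/bin/sh
# Added example (not from the vdb/dep-scan projects): fetch a pre-built vdb
# with the ORAS CLI, unpack it and sanity-check it before exporting VDB_HOME.
# Assumptions: all variants are tagged v6, the -10y suffix exists for both
# formats, and the unpacked database is the "index and db" pair the page
# describes (file names are not assumed, only that at least two files exist).
set -eu

VDB_HOME="${VDB_HOME:-${HOME:-/tmp}/vdb}"

# Build the OCI reference for a format ("zst" or "xz") and window ("5y" or "10y").
vdb_image_ref() {
    fmt="$1"; window="${2:-5y}"
    case "$fmt" in zst|xz) ;; *) echo "unknown format: $fmt" >&2; return 1 ;; esac
    suffix=""
    [ "$window" = "10y" ] && suffix="-10y"
    printf 'ghcr.io/appthreat/vdb%s%s:v6\n' "$fmt" "$suffix"
}

# Decompress whatever oras pulled into $1 and remove the archives. Globs are
# qualified with the directory, so this does not depend on the current cwd.
vdb_unpack() {
    dir="$1"; fmt="$2"
    case "$fmt" in
        zst) for f in "$dir"/*.zst; do [ -e "$f" ] && zstd -d --rm -q "$f"; done ;;
        xz)  for f in "$dir"/*.tar.xz; do [ -e "$f" ] && tar -C "$dir" -xf "$f" && rm -f "$f"; done ;;
        *)   echo "unknown format: $fmt" >&2; return 1 ;;
    esac
}

# Return 0 only if no archive is left behind and at least two regular files
# (the index and the db) are present; cheap enough to run before every scan.
vdb_check() {
    dir="$1"
    for leftover in "$dir"/*.zst "$dir"/*.tar.xz; do
        [ -e "$leftover" ] && { echo "archive not unpacked: $leftover" >&2; return 1; }
    done
    n=$(find "$dir" -maxdepth 1 -type f | wc -l | tr -d ' ')
    [ "$n" -ge 2 ] || { echo "expected index and db in $dir, found $n file(s)" >&2; return 1; }
    return 0
}

# Pull, unpack and verify; network access and the oras binary are needed here only.
vdb_fetch() {
    fmt="${1:-zst}"; window="${2:-5y}"
    ref=$(vdb_image_ref "$fmt" "$window")
    mkdir -p "$VDB_HOME"
    oras pull "$ref" -o "$VDB_HOME"
    vdb_unpack "$VDB_HOME" "$fmt"
    vdb_check "$VDB_HOME"
    echo "vdb ready; run: export VDB_HOME=$VDB_HOME"
}

# Only fetch when explicitly asked, e.g.: sh vdb_fetch.sh fetch xz 10y
case "${1:-}" in fetch) shift; vdb_fetch "$@" ;; esac
```

Run it as `sh vdb_fetch.sh fetch zst` for the default window or `sh vdb_fetch.sh fetch xz 10y` for the 2014 data; vdb_check can be reused on its own against an existing $VDB_HOME to confirm a mounted share or cache still holds a complete database.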
A private registry is usually not required, since the entire vdb comprises only two files, an index and a db; any mounted share is usually sufficient. If you do want a private registry, Zot Registry is one option, and the ORAS CLI also works with many other OCI-native container image registries.