Update vulnerabilities database script #60
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Contributor
Author
|
Also, the log warns when an app may have a "CPE" although not declared in the manifest: It does so by looking by using the app_id as keyword for search at EUVD. If there is a match there although no CPE is defined in the manifest (whether because it didn't exist at the time of initial packaging, or because it was forgotten), it can suggest there now one available. But it can also be a false positive, given that search on EUVD is not strict (or at least it is not documented for now I guess) - i.e. searching for |
oleole39
force-pushed
the
update_vulnerabilities_db_script
branch
from
d1db75a to
ced5c23
Compare
alexAubin
reviewed
Dec 30, 2025
alexAubin
reviewed
Dec 30, 2025
alexAubin
reviewed
Dec 30, 2025
update_vulnerabilities_database/update_vulnerabilities_database.py
Outdated
Show resolved
Hide resolved
alexAubin
reviewed
Dec 30, 2025
update_vulnerabilities_database/update_vulnerabilities_database.py
Outdated
Show resolved
Hide resolved
alexAubin
reviewed
Dec 30, 2025
update_vulnerabilities_database/update_vulnerabilities_database.py
Outdated
Show resolved
Hide resolved
oleole39
force-pushed
the
update_vulnerabilities_db_script
branch
from
2603c1f to
38e607a
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Here is the script that generated this file: YunoHost/apps#3274
It comes together with a README.md which gives most of the info that might be required.
It is meant to be run regularly, at minimum every 119 days not to risk missing some entries (cf. NIST NVD API limitation of 120 days lookup span in
call_nist()) . Several API calls could be made instead of one to have a larger period, but it should be unnecessary as anyway running the script much more often would be better from the security point of view.Note in particular that:
--prfeature hasn't been tested yet. It needs a github token.NIST_API_KEYcould be set as env variable via a Github repository secret to speed up the script execution.This scripts makes use of
appslib/get_apps_repo.pyandappslib/utils.py, add this PR adds asecurity.toml-related function to the latter.PS: You will run into TOML formatting issue you don't want to cope with if you try to run it with the original
security.tomltemplate. If you want to run the script against that version, you'd better use this version with no starting space/tabs instead. If you try the script on a TOML file generated by a previous run of the script, there will be no issue.