We created this repository to build a stand-alone Docker image that contains CVE Search, so that a container can be started and the CVE Search API reached as quickly as possible.
For that reason our Docker images also contain the MongoDB server and database and the Redis server and database.
The simplest way to start CVE Search in a Docker container is to use the images we generate and publish on Docker Hub.
You can use the Docker Compose file to test them. You will need to install docker-compose for this option.
Simply clone the repo, move into the root of the cloned repo and run the command:
```
docker-compose -f docker-compose.fromDockerHub.yml up
```
This will download the latest image and start it. The latest image contains CVE Search from the master branch and an initialised database. Each time the container starts it updates the database, which takes a couple of minutes (10 minutes at most).
The CVE Search instance should be available under https://localhost:8443
The container contains a cron job that updates the CVE Search database every 2 hours.
After testing you can remove the container and the volume that contains the database with the command:
```
docker-compose -f docker-compose.fromDockerHub.yml down -v
```
In the root of this repo there is a docker-compose.yml file that can be used to build and run the required container for CVE Search.
You will need to install docker-compose in order to perform this option.
Simply clone the repo, move into the root of the cloned repo and run the command:
```
docker-compose up
```
Be patient: the first start initialises the database, which takes about 1 hour (at the time of writing, 2022, on a 9th generation Core i7).
The cve_search instance should be available under https://localhost:8443
You can change the build arguments in the docker-compose.yml file to tune the image you produce.
See below for a description of the different arguments.
After testing you can remove the container and the volume that contains the database with the command:
```
docker-compose down -v
```
We produce several images, push them to Docker Hub and tag them as described below:
| Tag | CVE Search version |
|---|---|
| master | CVE Search from branch master |
| 4.2.1 | CVE Search from tag v4.2.1 |
| 4.2.0 | CVE Search from tag v4.2 |
| 4.2 | latest v4.2, so identical to tag 4.2.1 at the time of writing |

| Tag suffix | Description |
|---|---|
| -withdb | The image includes the database |
| -startyear2020 | Only CVEs from 2020 onwards are used by CVE Search |

Images that contain only CVE Search and no database are about 300MB. The -withdb suffix adds about 1400MB: those images contain a database with CVEs from 2002 onwards. The -withdb-startyear2020 suffix adds only about 700MB because the database contains CVEs from 2020 onwards.
If you choose the tag 4.2.1, the image is lighter (about 270MB) but the container will initialise the database at its first start, which takes about 1 hour.
If you choose the tag 4.2.1-withdb, the image is heavier (about 1.66GB) but the container only updates the database at its first start, which takes less than 10 minutes.
Between these two options, if you only need the most recent CVEs, you can choose the tag 4.2.1-withdb-startyear2020: the image is about 925MB and the container only updates the database at its first start, which takes less than 10 minutes.
The Dockerfile accepts several build arguments to tune the produced image to your needs.
| Argument | Possible values | Default value | Description |
|---|---|---|---|
| WITH_DB | true or false | true | The image will contain the CVE Search database |
| REPO | a valid GitHub repo | cve-search/cve-search | The GitHub repository from where the CVE Search version will be downloaded |
| BRANCH | a valid branch or tag from the REPO | master | The branch or tag of the GitHub repository |
| CVE_START_YEAR | a year between 2002 and now | 2002 | The year from which CVEs will be downloaded |
| WEBSERVER_PORT | a valid port | 5000 | The exposed port used by the web server |
| UPDATE_CRON | a valid cron expression | "0 */2 * * *" | Used to schedule regular database updates (every 2 hours by default) |

For example, an image without the database that contains CVEs from 2015 onwards:
```
docker build -t cve-search:my-settings --build-arg WITH_DB=false --build-arg CVE_START_YEAR=2015 .
```
Or an image built from a fork of the CVE Search repo:
```
docker build -t cve-search:my-settings --build-arg REPO=my-name/cve-search .
```
You can then push your custom image to Docker Hub or to your private registry (Docker Hub requires the image to be tagged with your own namespace first, for example `docker tag cve-search:my-settings my-name/cve-search:my-settings`).
```
docker push cve-search:my-settings
```
This repo is mainly inspired by the docker-cve-search GitHub repo from ttimasdf, from which we took the idea of a single docker-entrypoint script that can launch various operations, and the idea of publishing images with and without the database.
We were also inspired by the official CVE Search Docker repository, from which we took the idea of copying CVE Search from its repository by cloning a specific branch or tag.
And, finally, we use the CVE Search repository itself, of course.
Thanks for all this good work.
I tried to build a Docker image for CVE Search v4.1.0. The image was built successfully but I got an error when starting the web server:
```
cve_search_1 | ==================== Starting web app ====================
cve_search_1 | Traceback (most recent call last):
cve_search_1 | File "./web/index.py", line 14, in <module>
cve_search_1 | from web.run import create_app
cve_search_1 | File "/opt/cve/web/../web/run.py", line 6, in <module>
cve_search_1 | from flask import Flask, render_template
cve_search_1 | File "/usr/local/lib/python3.8/dist-packages/flask/__init__.py", line 14, in <module>
cve_search_1 | from jinja2 import escape
cve_search_1 | File "/usr/local/lib/python3.8/dist-packages/jinja2/__init__.py", line 12, in <module>
cve_search_1 | from .environment import Environment
cve_search_1 | File "/usr/local/lib/python3.8/dist-packages/jinja2/environment.py", line 25, in <module>
cve_search_1 | from .defaults import BLOCK_END_STRING
cve_search_1 | File "/usr/local/lib/python3.8/dist-packages/jinja2/defaults.py", line 3, in <module>
cve_search_1 | from .filters import FILTERS as DEFAULT_FILTERS # noqa: F401
cve_search_1 | File "/usr/local/lib/python3.8/dist-packages/jinja2/filters.py", line 13, in <module>
cve_search_1 | from markupsafe import soft_unicode
cve_search_1 | ImportError: cannot import name 'soft_unicode' from 'markupsafe' (/usr/local/lib/python3.8/dist-packages/markupsafe/__init__.py)
```
Probably a python3 library that is not compatible. I did not try to solve this.
As with v4.1.0, the Docker image was built successfully but I got the same error when starting the web server:
```
cve_search_1 | ==================== Starting web app ====================
cve_search_1 | Traceback (most recent call last):
cve_search_1 | File "./web/index.py", line 14, in <module>
cve_search_1 | from web.run import create_app
cve_search_1 | File "/opt/cve/web/../web/run.py", line 6, in <module>
cve_search_1 | from flask import Flask, render_template
cve_search_1 | File "/usr/local/lib/python3.8/dist-packages/flask/__init__.py", line 14, in <module>
cve_search_1 | from jinja2 import escape
cve_search_1 | File "/usr/local/lib/python3.8/dist-packages/jinja2/__init__.py", line 12, in <module>
cve_search_1 | from .environment import Environment
cve_search_1 | File "/usr/local/lib/python3.8/dist-packages/jinja2/environment.py", line 25, in <module>
cve_search_1 | from .defaults import BLOCK_END_STRING
cve_search_1 | File "/usr/local/lib/python3.8/dist-packages/jinja2/defaults.py", line 3, in <module>
cve_search_1 | from .filters import FILTERS as DEFAULT_FILTERS # noqa: F401
cve_search_1 | File "/usr/local/lib/python3.8/dist-packages/jinja2/filters.py", line 13, in <module>
cve_search_1 | from markupsafe import soft_unicode
cve_search_1 | ImportError: cannot import name 'soft_unicode' from 'markupsafe' (/usr/local/lib/python3.8/dist-packages/markupsafe/__init__.py)
```
I did not try to solve this.
Those versions cannot be built mainly because the python3 libraries listed in requirements.txt were not pinned to particular versions. So, today, pip3 install -r requirements.txt downloads the latest version of each library and those versions are not compatible with each other.
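As an added example (not part of this repository or of CVE Search itself), a small Python checker that reads a requirements.txt and reports every library that is not pinned to an exact version, so the unpinned-dependency problem described above can be caught before a build; the SAMPLE content is constructed, not the project's real file.

```python
import re
from typing import List, Tuple

# Loosely matches "name[extras] <operator>version(,<operator>version)* ; marker".
_REQ_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)(?P<extras>\[[^\]]*\])?"
    r"\s*(?P<spec>[<>=!~]=?\s*[^;#\s,]+(?:\s*,\s*[<>=!~]=?\s*[^;#\s,]+)*)?"
    r"\s*(?:;.*)?$"
)

def classify_requirement(line: str) -> Tuple[str, str]:
    """Return (package name, status): 'pinned' for an exact ==version,
    'constrained' for any other operator, range or wildcard, 'unpinned' when
    no version is given, 'skip' for blanks/comments/pip options/URLs,
    'unparsed' for anything the regex does not understand."""
    text = line.split("#", 1)[0].strip()
    if not text or text.startswith(("-", "http://", "https://", "git+")):
        return ("", "skip")
    m = _REQ_RE.match(text)
    if not m:
        return (text, "unparsed")
    name = m.group("name").lower()
    spec = (m.group("spec") or "").replace(" ", "")
    if not spec:
        return (name, "unpinned")
    if spec.startswith("==") and "*" not in spec and "," not in spec:
        return (name, "pinned")
    return (name, "constrained")

def report(requirements_text: str) -> List[Tuple[str, str]]:
    """List every requirement that is not exactly pinned (what to fix first)."""
    findings = []
    for raw in requirements_text.splitlines():
        name, status = classify_requirement(raw)
        if status not in ("skip", "pinned"):
            findings.append((name, status))
    return findings

# Constructed sample (not the project's real requirements.txt) showing the
# failure mode above: Flask named without a version, so a fresh build pulls a
# Jinja2/MarkupSafe pair that no longer exports soft_unicode.
SAMPLE = """\
# web stack
flask
pymongo>=3.11
redis==3.5.3
Werkzeug[watchdog]>=1.0,<2.0 ; python_version >= "3.6"
Jinja2==2.11.*
"""

print(report(SAMPLE))  # the four floating entries; only redis is exactly pinned
```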
Changing Debug: to True in the [Webserver] section of ./etc/configuration.ini deactivates SSL. The web UI then no longer answers on https://localhost:8443/ but on http://localhost:8443/.
When you develop the Dockerfile that downloads the database during the build (WITH_DB=true), each time you need to change docker-entrypoint.sh and rebuild the image, the build initialises the database again and you wait about 1 hour between tests...
A good way around this is to duplicate docker-entrypoint.sh to docker-entrypoint-after.sh and to add the line `ADD docker-entrypoint-after.sh /usr/local/bin/cvedb` at the end of the Dockerfile. Make your changes in docker-entrypoint-after.sh: the builds will then be quick and you can test changes in minutes.
When your changes work, copy the content of docker-entrypoint-after.sh back into docker-entrypoint.sh, delete docker-entrypoint-after.sh and remove the line added at the end of the Dockerfile.