Open dn-scribe opened 1 year ago
lingo: cyclonedx-json output: output as json or table should be hierarchical [output json is missing]
Ingest: remove limit and offset, default to update and flag for not updating.
purl-cves: detect format (if not cyclonedx then raw list) - Wei will add it to his flask PR.
purls affected by cve: only output as raw list, the cyclonedx does not make sense.
sbom-vulnerabilities - this is not a separate command - when running purl-cves with input format and output format cyclonedx then sbom patching will be performed.
search: remains optional.
need an additional command to dictate if tool is run as cli or service - to be done by Wei or Frederick
Suggested CLI for vulndb tool
(moved from the original repo)
Generic Options
--help = help for the current sub command
-v, -vv = verbose output, if any is provided - print output as logs.
--file = output file name
-o, --output-format = output format (table, json, cyclone-dx-json)
Commands
ingest
ingest data from various sources into vulndb database
version
Displays software version, database schema version, update date for each data source (none if not included)
sub commands:
nvd, osv (I suggest that the command is vulndb ingest nvd/osv)
Flags: --nvd-api-key
--limit (for experimentation, default - none)
--offset (for experimentation, default - 0) (Note: I'm not sure this is needed)
--update-only
--osv-sources pypi/maven/.... default - all
purl-cves
Retrieve CVE vulnerabilities for purl or a list of purls
Flags: --input-file = input file. if this flag is used it overrides input given as arguments
--input-file-format = raw-list, cycloneDX-json default raw-list
--min-level = minimum severity level (low, medium, high, critical) default - low
--package-managers = pypi,maven (a list), default to all
--from-date = include only new vulnerabilities published after from-date
--include-non-nvd = include non NVD vulnerabilities (from OSV) default - false
cve-lookup
Retrieve PURLs that are affected by the CVE (according to the OSV database)
Flags: As for the purl-cves command
In the case of output format cycloneDX, the purls will be added as components + linked to the vulnerabilities in the vulnerabilities section.
sbom-vulnerabilities
Add a vulnerabilities section to a CycloneDX SBOM
Command format: vulndb sbom-vulnerabilities
Notes:
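An added example (not code from the issue or the vulndb project) of what the SBOM patching step described above could look like: it takes a CycloneDX JSON document and per-purl lookup results, applies the --min-level and --include-non-nvd filters, adds purls missing from the SBOM as components (the cve-lookup case), and links each vulnerability to the affected components by bom-ref. The SBOM, the findings and the CVE ids are constructed placeholders, and the findings shape (id, source, severity) is an assumption.

```python
import copy

SEVERITY_ORDER = ["low", "medium", "high", "critical"]

# Constructed sample CycloneDX 1.4 SBOM (not from the project); urllib3 has no bom-ref yet.
SAMPLE_SBOM = {"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
    {"type": "library", "name": "requests", "version": "2.25.0",
     "purl": "pkg:pypi/requests@2.25.0", "bom-ref": "requests-ref"},
    {"type": "library", "name": "urllib3", "version": "1.26.5",
     "purl": "pkg:pypi/urllib3@1.26.5"},
]}

# Constructed purl-cves results keyed by purl: (id, source, severity); ids are placeholders.
SAMPLE_FINDINGS = {
    "pkg:pypi/requests@2.25.0": [("CVE-0000-0001", "NVD", "high"),
                                 ("CVE-0000-0002", "OSV", "high")],
    "pkg:pypi/urllib3@1.26.5": [("CVE-0000-0001", "NVD", "high"),
                                ("CVE-0000-0003", "NVD", "medium")],
    "pkg:pypi/missing@1.0.0": [("CVE-0000-0004", "NVD", "critical")],
}

def patch_sbom(sbom, findings, min_level="low", include_non_nvd=False):
    """Return a copy of sbom with a CycloneDX 'vulnerabilities' section added.
    Vulnerabilities reference affected components by bom-ref; purls in the
    findings that are absent from the SBOM are added as components (cve-lookup case).
    """
    out = copy.deepcopy(sbom)
    components = out.setdefault("components", [])
    refs = {}  # purl -> bom-ref
    for comp in components:
        comp.setdefault("bom-ref", comp["purl"])  # make every component addressable
        refs[comp["purl"]] = comp["bom-ref"]
    vulns = {}  # vulnerability id -> CycloneDX vulnerability object
    for purl, vuln_list in findings.items():
        if purl not in refs:
            name, _, version = purl.rsplit("/", 1)[-1].partition("@")
            components.append({"type": "library", "name": name, "version": version,
                               "purl": purl, "bom-ref": purl})
            refs[purl] = purl
        for vid, source, severity in vuln_list:
            if SEVERITY_ORDER.index(severity) < SEVERITY_ORDER.index(min_level):
                continue  # below --min-level
            if source != "NVD" and not include_non_nvd:
                continue  # OSV-only finding dropped unless --include-non-nvd
            entry = vulns.setdefault(vid, {"id": vid, "source": {"name": source},
                                           "ratings": [{"severity": severity}], "affects": []})
            entry["affects"].append({"ref": refs[purl]})
    out["vulnerabilities"] = [vulns[k] for k in sorted(vulns)]
    return out
```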
search (optional)
Text search on all fields.
vulndb search 'query'
query can include SQL wildcard %