eclipse / steady

Analyses your Java applications for open-source dependencies with known vulnerabilities, using both static analysis and testing to determine code context and usage for greater accuracy. https://eclipse.github.io/steady/
Apache License 2.0

Some issues regarding the running mode of the Steady database #586

Open ZupeiNie opened 1 year ago

ZupeiNie commented 1 year ago

Steady build method: [QuickStart](https://eclipse.github.io/steady/user/tutorials/)

Question 1: Viewing the backend at http://localhost:8033/bugs/, I found only 501 CVE entries, while there are 729 CVE entries in `kb-importer/data/.kaybee/repositories/github.com_sap.project-kb_vulnerability-data/statements` and 731 CVE entries in `kb-importer/data/statements`. I suspect that Steady's database import was not completed or was interrupted for some reason, so I want to import the information manually. First, I modified the three settings in `kb-importer/data/steady.sh`: `USER_TOKEN`, `BACKEND_URL`, `KB_IMPORTER_PATH`, and then ran `steady.sh`. May I ask whether this can manually import the vulnerability information?

Question 2: I attempted to rebuild Steady following the [QuickStart](https://eclipse.github.io/steady/user/tutorials/). Before that, I deleted the relevant Docker images, but found that the backend information of Steady had not changed after rebuilding: the CVE information displayed at http://localhost:8033/bugs/ is consistent with the information from before the rebuild. I checked the content of `kb-importer/data` and found that the CVE information is empty and gradually increasing. Therefore, I would like to ask why there is still previous data on the backend, and why deleting the Docker images does not delete all the previous Steady data. What should I do if I need to completely delete the Steady data?

I would greatly appreciate receiving a response!

serenaponta commented 1 year ago

Hi @11111821

Q1: More information about how data are imported from project-KB to Eclipse Steady (and how to do it manually) is available at . If you relied on the default configuration of `.env`, you ran the tool with `KB_IMPORTER_SKIP_CLONE=True`. This means that only the subset of CVEs was processed (those whose changed code is already available in the project-kb repository). We opted for such a default as the runtime increases once repositories have to be cloned. To process the entire list of vulnerabilities you can modify the configuration to `KB_IMPORTER_SKIP_CLONE=False`.

Q2: The data already imported is stored in a Docker volume (visible in the `docker-compose.yaml`). To delete the Steady data you can list the existing volumes with `docker volume ls` and delete the corresponding volume.

I hope this helps!
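The volume cleanup described in Q2, as an added example that is not part of the Steady project or of either comment above. It selects the volumes Compose created for a project by the `com.docker.compose.project` label that Compose attaches to every volume it creates, instead of guessing names. The project name `steady` and the volume names in the embedded sample listing are constructed assumptions; Compose derives the real project name from the directory holding the compose file.

```shell
#!/bin/sh
# Added example, not Steady's own tooling: find and remove the Docker volumes
# that hold Steady's imported data. Deleting images leaves volumes intact,
# which is why the old CVE data reappeared after the rebuild in Question 2.

# Select volumes belonging to one Compose project.
# Reads lines of the form "<volume name><TAB><compose project label>" on stdin,
# the shape produced by list_volumes_with_project below, and prints the names
# whose project label equals the given project.
select_project_volumes() {
    project="$1"
    awk -F '\t' -v p="$project" '$2 == p { print $1 }'
}

# Count lines on stdin, returning 0 for empty input.
count_lines() {
    n=0
    while IFS= read -r _line; do n=$((n + 1)); done
    echo "$n"
}

# Ask Docker for every volume together with its Compose project label.
# The .Label template function and the com.docker.compose.project label are
# standard Docker / Compose behaviour; only the project name is assumed.
list_volumes_with_project() {
    docker volume ls --format '{{.Name}}\t{{.Label "com.docker.compose.project"}}'
}

# Remove the volumes of a project. Dry run by default: pass "no" as the
# second argument to actually delete. Stop the containers first, since a
# volume still mounted by a running container cannot be removed.
purge_project_volumes() {
    project="${1:-steady}"   # assumed Compose project name
    dry_run="${2:-yes}"
    volumes=$(list_volumes_with_project | select_project_volumes "$project")
    if [ -z "$volumes" ]; then
        echo "no volumes labelled with project '$project'" >&2
        return 0
    fi
    echo "$volumes" | while IFS= read -r vol; do
        if [ "$dry_run" = "yes" ]; then
            echo "would remove volume: $vol"
        else
            docker volume rm "$vol"
        fi
    done
}

# Only touch Docker when explicitly requested, so the file can be sourced
# (or its pure functions tested) on a machine without Docker.
if [ "${STEADY_PURGE_RUN:-0}" = "1" ]; then
    purge_project_volumes "${STEADY_PROJECT:-steady}" "${STEADY_DRY_RUN:-yes}"
fi
```

Run it as `STEADY_PURGE_RUN=1 sh purge.sh` for a dry run, then with `STEADY_DRY_RUN=no` to delete. When the compose file is still at hand, `docker compose down -v` in the same directory achieves the same result for the named volumes declared in that file; the label-based listing above is useful when you want to see exactly which volumes hold the data before removing them.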