enifsieus / vulndb

Ingesting and modeling tools for NVD (Vulnerabilities and Products) and OSV
Apache License 2.0

CLI Suggestion #7

Open dn-scribe opened 10 months ago

dn-scribe commented 10 months ago

Suggested CLI for vulndb tool

Generic Options

--help = help for the current sub command
-v, -vv = verbose output; if any is provided, print output as logs
--file = output file name
-o, --output-format = output format (table, json, cyclone-dx-json)

Commands

ingest

ingest data from various sources into vulndb database

version

Displays software version, database schema version, update date for each data source (none if not included)

sub commands:

nvd, osv (I suggest that the command is vulndb ingest nvd/osv)

Flags: --nvd-api-key

--limit (for experimentation, default - none)

--offset (for experimentation, default - 0) (Note: I'm not sure this is needed)

--update-only

--osv-sources pypi/maven/.... default - all

purl-cves

Retrieve CVE vulnerabilities for purl or a list of purls

Flags: --input-file = input file. If this flag is used, it overrides input given as arguments

--input-file-format = raw-list, cycloneDX-json default raw-list

--min-level = minimum severity level (low, medium, high, critical) default - low

--package-managers = pypi,maven (a list), default to all

--from-date = include only new vulnerabilities published after from-date

--include-non-nvd = include non NVD vulnerabilities (from OSV) default - false

cve-lookup

Retrieve PURLs that are affected by the CVE (according to the OSV database)

Flags: As for the purl-cves command

In the case of output format cycloneDX, the purls will be added as components + linked to the vulnerabilities in the vulnerabilities section.

sbom-vulnerabilities

Add a vulnerabilities section to a CycloneDX SBOM

Command format: vulndb sbom-vulnerabilities

Notes:

search (optional)

Text search on all fields.

vulndb search 'query'

query can include SQL wildcard %
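The subcommand tree and the shared purl-cves / cve-lookup filters proposed in this issue, sketched as an added example. This is not code from the vulndb project or from the issue author: it assumes Python with argparse, a list of constructed in-memory records standing in for the database (the VULN-* ids and example purls are made up), a minimal purl parser that treats the first path segment after `pkg:` as the package manager, and a low-to-critical ordering for --min-level. Flag names and defaults follow the suggestion above; everything else is an assumption.

```python
"""Sketch of the CLI layout proposed in the issue (added example, not vulndb's code)."""
import argparse
import json
from datetime import date

# Assumed ordering for --min-level, lowest to highest.
SEVERITY_ORDER = ["low", "medium", "high", "critical"]

# Constructed sample records standing in for the vulndb database (not real advisories).
SAMPLE_RECORDS = [
    {"id": "VULN-A", "purl": "pkg:pypi/example-a@1.0.0", "severity": "high",
     "published": date(2023, 6, 1), "source": "nvd"},
    {"id": "VULN-B", "purl": "pkg:pypi/example-a@1.0.0", "severity": "low",
     "published": date(2022, 1, 15), "source": "nvd"},
    {"id": "VULN-C", "purl": "pkg:maven/org.example/lib-b@2.3.1", "severity": "critical",
     "published": date(2024, 2, 10), "source": "nvd"},
    {"id": "VULN-D", "purl": "pkg:pypi/example-a@1.0.0", "severity": "medium",
     "published": date(2024, 3, 5), "source": "osv"},  # OSV-only entry, dropped unless --include-non-nvd
]


def purl_type(purl):
    """Package manager of a purl, e.g. 'maven' for 'pkg:maven/org.example/lib-b@2.3.1' (assumed parsing)."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl}")
    return purl[len("pkg:"):].split("/", 1)[0].lower()


def purls_from_raw_list(text):
    """--input-file-format raw-list: one purl per line, blank lines ignored."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def purls_from_cyclonedx(text):
    """--input-file-format cycloneDX-json: purls of the SBOM components that carry one."""
    return [c["purl"] for c in json.loads(text).get("components", []) if "purl" in c]


def add_query_flags(sub):
    """Flags shared by purl-cves and cve-lookup, as the issue proposes."""
    sub.add_argument("--input-file")
    sub.add_argument("--input-file-format", choices=["raw-list", "cycloneDX-json"], default="raw-list")
    sub.add_argument("--min-level", choices=SEVERITY_ORDER, default="low")
    sub.add_argument("--package-managers", type=lambda s: s.lower().split(","), default=None)
    sub.add_argument("--from-date", type=date.fromisoformat, default=None)
    sub.add_argument("--include-non-nvd", action="store_true")


def build_parser():
    p = argparse.ArgumentParser(prog="vulndb")
    p.add_argument("-v", action="count", default=0, dest="verbose")  # -v / -vv
    p.add_argument("--file")
    p.add_argument("-o", "--output-format", choices=["table", "json", "cyclone-dx-json"], default="table")
    cmds = p.add_subparsers(dest="command", required=True)

    ingest = cmds.add_parser("ingest")
    srcs = ingest.add_subparsers(dest="source", required=True)
    nvd = srcs.add_parser("nvd")
    nvd.add_argument("--nvd-api-key")
    osv = srcs.add_parser("osv")
    osv.add_argument("--osv-sources", type=lambda s: s.split(","), default=None)
    for sub in (nvd, osv):
        sub.add_argument("--limit", type=int)
        sub.add_argument("--offset", type=int, default=0)
        sub.add_argument("--update-only", action="store_true")

    cmds.add_parser("version")
    pc = cmds.add_parser("purl-cves")
    pc.add_argument("purls", nargs="*")
    add_query_flags(pc)
    cl = cmds.add_parser("cve-lookup")
    cl.add_argument("cve")
    add_query_flags(cl)
    cmds.add_parser("sbom-vulnerabilities").add_argument("sbom")
    cmds.add_parser("search").add_argument("query")  # query may contain SQL wildcard %
    return p


def matches(rec, opts):
    """Apply --min-level, --package-managers, --from-date and --include-non-nvd to one record."""
    if SEVERITY_ORDER.index(rec["severity"]) < SEVERITY_ORDER.index(opts.min_level):
        return False
    if opts.package_managers and purl_type(rec["purl"]) not in opts.package_managers:
        return False
    if opts.from_date and rec["published"] <= opts.from_date:  # only vulnerabilities published after from-date
        return False
    if rec["source"] != "nvd" and not opts.include_non_nvd:
        return False
    return True


def selected_purls(opts):
    """--input-file overrides purls given as arguments, per the issue."""
    if not opts.input_file:
        return opts.purls
    with open(opts.input_file, encoding="utf-8") as fh:
        text = fh.read()
    return purls_from_cyclonedx(text) if opts.input_file_format == "cycloneDX-json" else purls_from_raw_list(text)


def purl_cves(records, opts):
    wanted = set(selected_purls(opts))
    return sorted(r["id"] for r in records if r["purl"] in wanted and matches(r, opts))


def cve_lookup(records, opts):
    return sorted({r["purl"] for r in records if r["id"] == opts.cve and matches(r, opts)})


def run(argv, records=SAMPLE_RECORDS):
    """Parse argv; answer purl-cves / cve-lookup from the records, return parsed options otherwise."""
    opts = build_parser().parse_args(argv)
    if opts.command == "purl-cves":
        return purl_cves(records, opts)
    if opts.command == "cve-lookup":
        return cve_lookup(records, opts)
    return opts
```

With the constructed records, `run(["purl-cves", "pkg:pypi/example-a@1.0.0"])` returns the two NVD entries for that purl and drops the OSV-only one; adding `--include-non-nvd --min-level medium` swaps the low-severity entry for the OSV one. The ingest, version, sbom-vulnerabilities and search subcommands only parse here, since no backend is assumed.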