l3montree-dev / devguard

DevGuard Backend - Manage your CVEs seamlessly, Integrate your Vulnerability Scanners, Security Framework Documentation made easy, Compliance to security Frameworks - OWASP Incubating Project
https://flawfix.dev

Provide vulnerability database as csv files #152

Open timbastin opened 1 month ago

timbastin commented 1 month ago

The tables:

  1. affected_components
  2. cpe_matches
  3. cve_affected_component
  4. cve_cpe_match
  5. cves
  6. cwes
  7. exploits
  8. weaknesses

should be provided as CSV files in a single compressed zip file in the GitHub Container Registry. A lot of it is already done in the .github/workflows/vulndb.yaml file.

What needs to be done is:

  1. Check if the right tables are exported (the script is rather outdated)
  2. The tables should be exported as CSV files, not SQL.
  3. The csv files should be compressed into a single .zip archive
  4. The data should be pushed into the ghcr (already done!)
  5. A checksum of the data should be signed and pushed into the registry as well (https://docs.sigstore.dev/signing/signing_with_blobs/#signing-with-a-key) (${{ secrets.COSIGN_PRIVATE_KEY }})

After that:

  1. Create a vulndb import command (which just executes a changed Mirror function)
  2. The command should download the CSV files
  3. The command should verify the checksum of the .zip archive
  4. The command should insert all the data
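The two halves of this issue, the publish side (export tables as CSV, zip them, produce and sign a checksum) and the import side (verify the checksum before inserting anything), fit together as one round trip. The following Go program is an added illustration of that round trip written for this page; it is not DevGuard's own code, and the function names (buildArchive, checksumFile, newKey, signBlob, verifyAndRead) and the sample rows are constructed for the example. The key it generates stands in for COSIGN_PRIVATE_KEY, and the signature it produces (ECDSA P-256 over the SHA-256 digest of the checksum file, ASN.1 DER encoded) is assumed to match the shape of `cosign sign-blob --key`; the real pipeline would run cosign and the import command would call `cosign verify-blob` rather than re-implementing it.

```go
package main

import (
	"archive/zip"
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/csv"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// The tables named in the issue; each is stored as <table>.csv in the archive.
var tables = map[string]bool{"affected_components": true, "cpe_matches": true, "cve_affected_component": true,
	"cve_cpe_match": true, "cves": true, "cwes": true, "exploits": true, "weaknesses": true}

// buildArchive writes one CSV per table into a single zip, in sorted order so that identical
// input always yields identical bytes and therefore an identical checksum.
func buildArchive(rows map[string][][]string) ([]byte, error) {
	names := make([]string, 0, len(rows))
	for n := range rows {
		names = append(names, n)
	}
	sort.Strings(names)
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for _, n := range names {
		w, err := zw.Create(n + ".csv")
		if err != nil {
			return nil, err
		}
		if err := csv.NewWriter(w).WriteAll(rows[n]); err != nil {
			return nil, err
		}
	}
	if err := zw.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

// checksumFile is the sha256sum-style line that is signed and pushed alongside the zip.
func checksumFile(archive []byte) []byte {
	sum := sha256.Sum256(archive)
	return []byte(hex.EncodeToString(sum[:]) + "  vulndb.zip\n")
}

// newKey stands in for the COSIGN_PRIVATE_KEY secret (assumed P-256, cosign's default key type).
func newKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// signBlob signs the checksum file with ECDSA P-256 over its SHA-256 digest (ASN.1 DER), the
// shape of `cosign sign-blob --key` (assumption; this is not cosign itself).
func signBlob(priv *ecdsa.PrivateKey, blob []byte) ([]byte, error) {
	d := sha256.Sum256(blob)
	return ecdsa.SignASN1(rand.Reader, priv, d[:])
}

// verifyAndRead is the import side: parse nothing until the checksum file's signature verifies
// under the trusted key and the archive hashes to the signed value; accept only known table files.
func verifyAndRead(pub *ecdsa.PublicKey, archive, sumFile, sig []byte) (map[string][][]string, error) {
	d := sha256.Sum256(sumFile)
	if !ecdsa.VerifyASN1(pub, d[:], sig) {
		return nil, fmt.Errorf("checksum file signature does not verify; refusing to import")
	}
	sum := sha256.Sum256(archive)
	if f := strings.Fields(string(sumFile)); len(f) == 0 || f[0] != hex.EncodeToString(sum[:]) {
		return nil, fmt.Errorf("archive sha256 does not match the signed checksum file")
	}
	zr, err := zip.NewReader(bytes.NewReader(archive), int64(len(archive)))
	if err != nil {
		return nil, err
	}
	out := map[string][][]string{}
	for _, f := range zr.File {
		table := strings.TrimSuffix(f.Name, ".csv")
		if !tables[table] || table+".csv" != f.Name { // also rejects names with directory components
			return nil, fmt.Errorf("unexpected entry %q in archive", f.Name)
		}
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		recs, err := csv.NewReader(rc).ReadAll()
		rc.Close()
		if err != nil {
			return nil, err
		}
		out[table] = recs // a real importer would batch-insert the rows here
	}
	return out, nil
}
```

The order of checks in verifyAndRead is the point: the signature on the checksum file is verified first, then the archive is hashed and compared against the signed value, and only then is the zip opened. Untrusted bytes are never parsed before both checks pass, and the archive is rejected if it contains anything other than the eight expected table files.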