This pull request adds a new script publish_cve_advisories, which uses the cvelib wrapper around the new CVE Service API to automatically publish and update the CVE advisories in this repository. This script can be operated in two different ways.
Locally: Install the script with pip install ., export the required secrets as environment variables and then run the script with publish_cve_advisories. This way you can interactively go through the publishing process. The advisories for the last two releases were already published this way.
Through CI on every push: This is currently still disabled so we can test the script manually for the next few releases, but in the future, the plan is to run the script through GitHub Workflows on every push, automatically mirroring the content of this repository to CVE Services.
If you still have any questions, concerns or feedback, let me know.
We have a private repo where we stage advisories. It is a straight copy of this repo - can we add some logic to the GitHub Action to check the repo name, and only do something if it is this named repo?
Yes, I am already doing that here. The false && in front of that same line will also disable the workflow entirely until we want it enabled on every push.
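As an added illustration of the gating described above (not the workflow file from this pull request), a minimal GitHub Actions job whose `if:` condition is disabled by `false &&` and, once that prefix is removed, only runs in the named public repository so a private staging copy never publishes anything; the repository name, secret names and script name are assumptions:

```yaml
# Added example, not the project's own workflow. OWNER/REPO, CVE_USER,
# CVE_ORG and CVE_API_KEY are placeholders for the real values/secrets.
name: publish-cve-advisories

on:
  push:
    branches: [main]

jobs:
  publish:
    # `false &&` keeps the job disabled during the manual-testing period;
    # drop it to enable automatic publishing on every push. The repository
    # check stops a private staging clone of this repo from running the job.
    if: false && github.repository == 'OWNER/REPO'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.x"
      - name: Install the publishing script
        run: pip install .
      - name: Publish and update advisories via CVE Services
        env:
          CVE_USER: ${{ secrets.CVE_USER }}
          CVE_ORG: ${{ secrets.CVE_ORG }}
          CVE_API_KEY: ${{ secrets.CVE_API_KEY }}
        run: publish_cve_advisories
```

Secrets are only exposed to the single step that needs them, and the job condition is evaluated before any step runs, so a fork or staging copy with the same workflow file does nothing.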