owasp-dep-scan / dep-scan

OWASP dep-scan is a next-generation security and risk audit tool based on known vulnerabilities, advisories, and license limitations for project dependencies. Both local repositories and container images are supported as the input, and the tool is ideal for integration.
https://owasp.org/www-project-dep-scan/
MIT License

Feature: VDB update frequency information #280

Open johennin opened 3 months ago

johennin commented 3 months ago

Request Description

Hello! I'm just curious about how often the vulnerability database updates. I've looked through the help CLI command, the OWASP page, the git page and even the source code, but can't seem to find any information regarding the update frequency of the VDB or how often it updates.

My initial guess is that the database is updated dynamically every time a new vulnerability is released but that's only a guess.

This is also a suggestion/request to add the database update frequency somewhere, because many other SBOM scanners such as Trivy and Grype mention it for transparency and reliability reasons.

(If it stands somewhere and I missed it I apologize in advance)

Thank you!

Additional Information

No response

prabhu commented 3 months ago

@johennin, the update frequency is 6 hours as mentioned here.

https://github.com/AppThreat/vdb/blob/main/.github/workflows/build.yml#L5

Please feel free to fork the vdb repo to customize the update frequency. You can pass the custom download URL using the environment variables here or simply download the file to the VDB_HOME directory before invoking depscan.
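The second option above (staging the database file in VDB_HOME before invoking depscan) as an added example that is not part of the issue or of the dep-scan project: it re-downloads only when the local copy is older than the 6-hour upstream rebuild cadence, and writes the file atomically so a concurrent scan never reads a half-written database. VDB_URL and VDB_FILE are placeholders for whatever URL and file name your fork publishes; any arguments given to refresh_and_scan are passed through to depscan unchanged.

```shell
#!/bin/sh
# Added example: keep a local VDB copy fresh, then run depscan against it.
# VDB_URL / VDB_FILE are placeholders (assumed), not project-defined values.
set -eu

VDB_HOME="${VDB_HOME:-$HOME/.local/share/vdb}"          # directory depscan reads
VDB_URL="${VDB_URL:-https://example.invalid/vdb/data.vdb6}" # placeholder URL
VDB_FILE="${VDB_FILE:-data.vdb6}"                        # placeholder file name
MAX_AGE_SECONDS=$((6 * 60 * 60))                         # upstream rebuilds every 6h

# vdb_is_stale FILE MAX_AGE: succeeds (exit 0) when FILE is missing or its
# modification time is more than MAX_AGE seconds in the past.
vdb_is_stale() {
  [ -f "$1" ] || return 0
  # GNU stat first, BSD/macOS stat as the fallback
  mtime=$(stat -c %Y "$1" 2>/dev/null || stat -f %m "$1")
  now=$(date +%s)
  [ $((now - mtime)) -gt "$2" ]
}

# vdb_refresh: download to a temp file in VDB_HOME, then rename into place so
# the final path is either the old complete file or the new complete file.
vdb_refresh() {
  mkdir -p "$VDB_HOME"
  tmp=$(mktemp "$VDB_HOME/.download.XXXXXX")
  if curl -fsSL --retry 3 -o "$tmp" "$VDB_URL"; then
    mv "$tmp" "$VDB_HOME/$VDB_FILE"
  else
    rm -f "$tmp"
    echo "VDB download failed; keeping existing copy (if any)" >&2
    return 1
  fi
}

# refresh_and_scan [depscan args...]: refresh when stale, then run depscan.
refresh_and_scan() {
  if vdb_is_stale "$VDB_HOME/$VDB_FILE" "$MAX_AGE_SECONDS"; then
    vdb_refresh
  fi
  depscan "$@"
}

# Usage (not executed here so the file can be sourced):
#   . ./refresh-vdb.sh && refresh_and_scan <your usual depscan arguments>
```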

johennin commented 3 months ago

Alright, thank you for the quick and precise response!