Vulnerability Database management #238

Open
anthonyharrison opened this issue Sep 14, 2024 · 1 comment
@anthonyharrison

Each time bomber is run, the vulnerability database is downloaded. For multiple scans of SBOMs, this is not ideal and it would be good if the database download could be controlled, particularly if the data has already been downloaded. Having a continually changing vulnerability baseline isn't ideal either.

Suggested enhancements:

1/ Cache the database download and only download a new copy if the data is older than X (default is 24 hours but could be a command line or configuration parameter)
2/ Add a command line to just use the existing data (regardless of how old it is).
3/ To allow the tool to operate in an offline (or air-gapped environment), provide options to import and export a vulnerability database.
4/ If the data already exists elsewhere in the system (e.g. because it has been used by another tool), provide a filepath to the data to use.

@anthonyharrison anthonyharrison changed the title Vulnerabitliy Database management Vulnerability Database management Sep 14, 2024
@djschleen djschleen self-assigned this Sep 20, 2024
@djschleen
Member

Hey Anthony! I’ll definitely dig into this. I like the idea of having bomber configurable to utilize offline data. Right now it is fully connected and doesn’t cache anything.
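A sketch of the refresh decision the four suggestions in the issue imply, added here as an illustration; it is not part of the thread and not bomber's code. The `Options` fields, `Decide` and the cache file name are hypothetical, and the 24-hour value is the default proposed in the issue.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"time"
)

// Options models the four suggestions; the field names are hypothetical, not bomber flags.
type Options struct {
	MaxAge      time.Duration // 1: refresh only when the cache is older than this
	UseExisting bool          // 2 and 3: use what is on disk, never download
	DataPath    string        // 4: database already present elsewhere on the system
}

// Decide returns the file to scan against and whether it must be downloaded first.
func Decide(o Options, cachePath string, now time.Time) (path string, download bool, err error) {
	path = cachePath
	if o.DataPath != "" {
		path = o.DataPath
	}
	info, statErr := os.Stat(path)
	missing := errors.Is(statErr, os.ErrNotExist)
	if statErr != nil && !missing {
		return "", false, statErr
	}
	if o.UseExisting || o.DataPath != "" { // pinned baseline: no network access
		if missing {
			return "", false, fmt.Errorf("no vulnerability data at %s and download is disabled", path)
		}
		return path, false, nil
	}
	// Connected mode: download only when nothing is cached or the copy is too old.
	return path, missing || now.Sub(info.ModTime()) > o.MaxAge, nil
}

func main() {
	cache := filepath.Join(os.TempDir(), "example-vulndb.json") // constructed demo file
	_ = os.WriteFile(cache, []byte("{}"), 0o600)
	defer os.Remove(cache)
	old := time.Now().Add(-48 * time.Hour)
	_ = os.Chtimes(cache, old, old)
	for _, o := range []Options{{MaxAge: 24 * time.Hour}, {UseExisting: true}} {
		p, dl, err := Decide(o, cache, time.Now())
		fmt.Println(p, dl, err)
	}
}
```

In pinned mode a missing file is an error rather than a silent download, so an air-gapped scan fails loudly instead of running against no data.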
