feat: added ci script that updates mismatch database #4236
Conversation
Signed-off-by: Meet Soni <[email protected]>
Signed-off-by: Meet Soni <[email protected]>
Signed-off-by: Meet Soni <[email protected]>
Signed-off-by: Meet Soni <[email protected]>
There was a problem hiding this comment.
See notes below, but basically: this should get integrated with the update-cache.yml github action if you want to have it running right now.
Longer term, though, we should have cve-bin-tool -u now load the mismatch data so a separate update isn't needed at all.
| - name: Update database | ||
| run: | | ||
| [[ -e cache ]] && mkdir -p .cache && mv cache ~/.cache/cve-bin-tool | ||
| python -m cve_bin_tool.cli test/assets/test-kerberos-5-1.15.1.out -u now | ||
| cp -r ~/.cache/cve-bin-tool cache | ||
| - name: Update mismatch database | ||
| run: | | ||
| python -m cve_bin_tool.mismatch_loader |
There was a problem hiding this comment.
This is doing a full database update which you probably don't want, and then it's saving the data from that update but not saving the data from the mismatch loader. Here's a quick rework just to highlight what's going on and what should be going on instead:
| - name: Update database | |
| run: | | |
| [[ -e cache ]] && mkdir -p .cache && mv cache ~/.cache/cve-bin-tool | |
| python -m cve_bin_tool.cli test/assets/test-kerberos-5-1.15.1.out -u now | |
| cp -r ~/.cache/cve-bin-tool cache | |
| - name: Update mismatch database | |
| run: | | |
| python -m cve_bin_tool.mismatch_loader | |
| - name: Copy github cache into appropriate directory | |
| run: | | |
| [[ -e cache ]] && mkdir -p .cache && mv cache ~/.cache/cve-bin-tool | |
| - name: Update mismatch database | |
| run: | | |
| python -m cve_bin_tool.mismatch_loader | |
| - name: Save data back to github cache | |
| run: | | |
| cp -r ~/.cache/cve-bin-tool cache |
That said, don't accept that suggestion. You definitely want to take what's there and integrate the update into the existing cache-update.yml file instead.
The reason is mostly that I want to make sure that only one job is updating the date and data in the github cache because doing anything else is going to obfuscate any uptime issues with NVD and they're already a pain to handle.
Longer-term, though: we shouldn't need to run a separate script to update the mismatch data. All of that should be integrated into what happens when you run cve-bin-tool -u now so that it happens seamlessly. Probably you want to treat mismatch as a data_source similar to how purl2cpe is loaded.
There was a problem hiding this comment.
Idea of separate script was to ensure we can make a library for mismatch database in which user can add/remove data as a standalone entity. Making it similar to data_source, wouldn't that be attached to cve-bin-tool?
Signed-off-by: Meet Soni <[email protected]>
depends on #4223
This script will run the
mismatch_loaderwhen thedata/directory is updated.cc @terriko @anthonyharrison