Hi,
I'm trying to generate a vex report, where the input is an spdx sbom and the cve database is NVD
Without restricting the internet this is working perfectly with the following options, and generates the file I expect:
--sbom spdx
--sbom-format json
--sbom-file spdx-manifest/buildtime-manifest.spdx.json
--sbom-output cves.spdx.json
--vex-output vulnerabilities.vex.json
--vex-type openvex
--product ${CI_PROJECT_NAME}
--release ${DESCRIBE}
--disable-data-source CURL,EPSS,GAD,OSV,PURL2CPE,REDHAT,RSD
However if I first pull in the json nvd mirror via:
cve-bin-tool \
--nvd json-mirror \
--disable-data-source CURL,EPSS,GAD,OSV,PURL2CPE,REDHAT,RSD \
--export-json cve-bin-tool-json-mirror \
dummy-scan-target
And then run the exact same generation command, but with the additions of:
--offline
--import-json cve-bin-tool-json-mirror
I don't get an error
[17:03:58] INFO cve_bin_tool - CVE Binary Tool v3.4 cli.py:624
INFO cve_bin_tool - This product uses the NVD API but is not endorsed or certified by the NVD. cli.py:625
INFO cve_bin_tool - For potentially faster NVD downloads, mirrors are available using -n json-mirror cli.py:628
INFO cve_bin_tool - Disabling data source CURL cli.py:771
INFO cve_bin_tool - Disabling data source EPSS cli.py:771
INFO cve_bin_tool - Disabling data source GAD cli.py:771
INFO cve_bin_tool - Disabling data source OSV cli.py:771
INFO cve_bin_tool - Disabling data source PURL2CPE cli.py:771
INFO cve_bin_tool - Disabling data source REDHAT cli.py:771
INFO cve_bin_tool - Disabling data source RSD cli.py:771
WARNING cve_bin_tool.CVEDB - Updating cachedir /root/.cache/cve-bin-tool cvedb.py:652
WARNING cve_bin_tool - Importing JSON data that is not signed, the JSON data might have been tampered with
However no resulting vex output is created. Is there extra context that needs to be mirrored to enable the generation of the vex content, in an offline scenario with nvd as the data source?
Thanks!
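Added example, not code from cve-bin-tool or from the original post: a small Python check that a CI job can run after the offline generation step, so a missing or empty vulnerabilities.vex.json fails the pipeline instead of passing silently as described above. The OpenVEX shape it checks (@context, statements, per-statement status) follows the OpenVEX document format; the sample document is constructed here and its CVE id is a placeholder.

```python
import json
import os
import tempfile
from pathlib import Path


def verify_vex_output(path):
    """Summarise the OpenVEX file at `path`.

    Returns {"ok": False, "reason": ...} when the file is missing, is not
    JSON, or does not look like an OpenVEX document; otherwise returns the
    statement count and a per-status tally (e.g. under_investigation).
    """
    p = Path(path)
    if not p.is_file():
        return {"ok": False, "reason": "vex output missing"}
    try:
        doc = json.loads(p.read_text())
    except json.JSONDecodeError as exc:
        return {"ok": False, "reason": f"not valid JSON: {exc}"}
    if "openvex" not in str(doc.get("@context", "")).lower():
        return {"ok": False, "reason": "missing OpenVEX @context"}
    statements = doc.get("statements")
    if not isinstance(statements, list):
        return {"ok": False, "reason": "no statements list"}
    by_status = {}
    for stmt in statements:
        status = stmt.get("status", "unknown")
        by_status[status] = by_status.get(status, 0) + 1
    return {"ok": True, "statements": len(statements), "by_status": by_status}


def write_sample_vex(path):
    """Write a constructed OpenVEX document (placeholder ids) to `path`."""
    doc = {
        "@context": "https://openvex.dev/ns/v0.2.0",
        "@id": "https://example.invalid/vex/placeholder",  # constructed id
        "author": "example-ci",
        "statements": [
            {"vulnerability": {"name": "CVE-0000-00001"},  # placeholder CVE
             "products": [{"@id": "pkg:generic/example@1.0"}],
             "status": "under_investigation"},
            {"vulnerability": {"name": "CVE-0000-00002"},  # placeholder CVE
             "products": [{"@id": "pkg:generic/example@1.0"}],
             "status": "not_affected"},
        ],
    }
    Path(path).write_text(json.dumps(doc))
    return path


def demo():
    """Constructed run: one valid OpenVEX file, one file that was never produced."""
    with tempfile.TemporaryDirectory() as tmp:
        good = write_sample_vex(os.path.join(tmp, "vulnerabilities.vex.json"))
        absent = os.path.join(tmp, "never-written.vex.json")
        return verify_vex_output(good), verify_vex_output(absent)


if __name__ == "__main__":
    print(demo())
```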