
docs: save the NVD api key for future use

Open b31ngd3v opened this issue 1 year ago • 5 comments

When a user runs the tool with an API key (NVD), it would be really great if we saved that API key for future use, so that when the user runs the tool again he/she will not have to specify the API key again.

b31ngd3v avatar Jul 18 '22 19:07 b31ngd3v

This is already possible in two ways:

  1. Set the NVD_API_KEY as an environment variable (on Linux: export NVD_API_KEY=your-key-here, put it in .profile or something)
  2. Set the NVD_API_KEY in the config file

Do we need to document that more clearly somewhere?

terriko avatar Jul 19 '22 22:07 terriko

That last question was kind of rhetorical. We always need more docs. :)

Anyhow, the environment variable and config file options could both be mentioned here: https://cve-bin-tool.readthedocs.io/en/latest/MANUAL.html#nvd-api-key-nvd-api-key

The config file stuff is kind of buried elsewhere, and although we use the environment variable in CI in order to use GitHub secrets (and I use it in bash all the time), it's quite easy for someone to miss. Since this is the thing people are most likely to want to use, we should just go ahead and mention it in the manual where the flag is described.

terriko avatar Jul 19 '22 22:07 terriko

I'm going to flag this as an easy docs bug for someone, though you might have to do a bit of reading to give a nice config file example.

terriko avatar Jul 19 '22 22:07 terriko

Can I try working on this? Where should I do the reading for the config file part?

Kaushik-Iyer avatar Aug 24 '22 05:08 Kaushik-Iyer

@Kaushik-Iyer please feel free to work on it! The config file examples are here: https://github.com/intel/cve-bin-tool/blob/main/doc/MANUAL.md#-c-config---config-config

Unfortunately, our example files predate the NVD API Key option, so they'll need some updates too.

Let us know if you get stuck!

terriko avatar Aug 29 '22 19:08 terriko

Hey, I would like to work on this issue.

Regarding the config file, I found these 2 -

  1. https://github.com/intel/cve-bin-tool/blob/main/.github/workflows/update-cache.yml (LINE - 12)

  2. https://github.com/intel/cve-bin-tool/blob/main/.github/workflows/testing.yml (LINE - 21)

Which one of the above is to be configured for the NVD_API_KEY?

rootxrishabh avatar Jan 23 '23 18:01 rootxrishabh

@rootxrishabh those are GitHub Actions config files and they're already configured to use the NVD API Key when available.

This issue needs someone to update the documentation with information on configuring the cve-bin-tool config file, which is described here: https://github.com/intel/cve-bin-tool/blob/main/doc/MANUAL.md#-c-config---config-config

terriko avatar Jan 23 '23 18:01 terriko

I have opened a PR regarding this issue; please take a look. #2575

rootxrishabh avatar Jan 23 '23 20:01 rootxrishabh