fix(vuln-scan): refresh VULN_DB + add monthly CI refresh workflow (closes #94)#95
Merged
Merged
Conversation
…oses #94) Update the built-in VULN_DB in scripts/vulnscan_engine.py: - Was 42 entries, last updated 2025-02-28 (487 days stale) - Now 285 entries, last updated 2026-06-30 - Added 243 new CVE entries fetched from OSV.dev public API - 76 npm CVEs (lodash, express, axios, handlebars, ws, ...) - 167 pip/PyPI CVEs (django, pillow, aiohttp, cryptography, ...) - Includes 98 CVEs from 2025-2026 that were missing from the old DB Add scripts/refresh_vuln_db.py — reusable script that: - Queries OSV.dev for 35 high-profile packages (18 npm + 17 PyPI) - Extracts CVE ID, severity, fix version, vulnerable range, title - Idempotent: skips CVEs already in VULN_DB - Updates VULN_DB_LAST_UPDATED to today's date - Verifies syntax after writing Add .github/workflows/refresh-vuln-db.yml — monthly cron workflow that: - Runs on the 1st of every month at 06:00 UTC - Also triggerable manually via workflow_dispatch - Runs refresh_vuln_db.py - Creates a PR with the update (NOT push to main) - Idempotent: if no changes, does nothing Closes #94: vuln-scan no longer prints WARNING: Built-in VULN_DB is 487 days old (last updated 2025-02-28). Verification: - codelens vuln-scan: no staleness warning - Full test suite: 863 passed, 12 skipped, 0 failed - 98 CVEs from 2025-2026 now present in VULN_DB
|
You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard. |
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.



Summary
Fix for issue #94. The built-in VULN_DB in
scripts/vulnscan_engine.pywas 487 days stale (last updated 2025-02-28), causingcodelens vuln-scanto print a staleness warning and miss all CVEs published after 2025-02-28.This PR:
scripts/refresh_vuln_db.py— reusable script for future refreshes.github/workflows/refresh-vuln-db.yml— monthly cron that auto-refreshes VULN_DB and creates a PRWhat changed
scripts/vulnscan_engine.pyVULN_DB_LAST_UPDATED:2025-02-28→2026-06-30scripts/refresh_vuln_db.py(new)Reusable script that:
https://api.osv.dev/v1/query) for 35 high-profile packages (18 npm + 17 PyPI)VULN_DB_LAST_UPDATEDto today's date.github/workflows/refresh-vuln-db.yml(new)Monthly cron workflow that:
workflow_dispatchfor ad-hoc refreshesscripts/refresh_vuln_db.pycontents: write(branch + commit),pull-requests: write(open PR)Wolfvin/CodeLens(not forks)Verification
Test 1: staleness warning gone
$ python3 scripts/codelens.py vuln-scan /tmp # (no warning printed — was: "WARNING: Built-in VULN_DB is 487 days old")Test 2: VULN_DB stats
Test 3: full test suite
$ PYTHONUTF8=1 python3 -m pytest tests/ --ignore=tests/test_integration.py 863 passed, 12 skipped in 26.06sTest 4: workflow YAML valid
How the refresh works
The
refresh_vuln_db.pyscript queries OSV.dev for a curated list of 35 packages (18 npm + 17 PyPI). For each package, it queries a known-vulnerable version (e.g.,lodash@4.17.20) so OSV returns all applicable CVEs. It then extracts:CVE-*alias, or OSV ID (GHSA-*/OSV-*) as fallbackfixedevent in the affected ranges<fix_versionformat (matches VULN_DB style)CVEs already present in VULN_DB are skipped (idempotent). CVEs without a known fix version are skipped (can't be expressed in VULN_DB's
<X.Y.Zformat).Related
scripts/osv_client.py) provides real-time data when network is available — this PR complements it by keeping the offline fallback current