Skip to content

fix(vuln-scan): refresh VULN_DB + add monthly CI refresh workflow (closes #94)#95

Merged
Wolfvin merged 1 commit into
mainfrom
fix/issue-94-vuln-db-refresh
Jun 30, 2026
Merged

fix(vuln-scan): refresh VULN_DB + add monthly CI refresh workflow (closes #94)#95
Wolfvin merged 1 commit into
mainfrom
fix/issue-94-vuln-db-refresh

Conversation

@Wolfvin

@Wolfvin Wolfvin commented Jun 30, 2026

Copy link
Copy Markdown
Owner

Summary

Fix for issue #94. The built-in VULN_DB in scripts/vulnscan_engine.py was 487 days stale (last updated 2025-02-28), causing codelens vuln-scan to print a staleness warning and miss all CVEs published after 2025-02-28.

This PR:

  1. Updates VULN_DB — fetched 243 new CVEs from OSV.dev public API, merged into built-in database
  2. Adds scripts/refresh_vuln_db.py — reusable script for future refreshes
  3. Adds .github/workflows/refresh-vuln-db.yml — monthly cron that auto-refreshes VULN_DB and creates a PR

What changed

scripts/vulnscan_engine.py

  • 42 → 285 entries (+243 new CVEs)
  • VULN_DB_LAST_UPDATED: 2025-02-282026-06-30
  • 98 CVEs from 2025-2026 now present (were completely missing)
  • Breakdown: 76 npm CVEs + 167 pip/PyPI CVEs
  • Packages covered: lodash, express, axios, handlebars, ws, django, pillow, aiohttp, cryptography, urllib3, werkzeug, jinja2, requests, tornado, bleach, and 22 more

scripts/refresh_vuln_db.py (new)

Reusable script that:

  • Queries OSV.dev (https://api.osv.dev/v1/query) for 35 high-profile packages (18 npm + 17 PyPI)
  • Extracts CVE ID, severity, fix version, vulnerable range, title from each OSV response
  • Idempotent: skips CVEs already in VULN_DB (safe to re-run)
  • Updates VULN_DB_LAST_UPDATED to today's date
  • Verifies Python syntax after writing
  • Uses only stdlib (urllib, json, ast, pathlib, datetime) — no external deps

.github/workflows/refresh-vuln-db.yml (new)

Monthly cron workflow that:

  • Schedule: runs on the 1st of every month at 06:00 UTC
  • Manual trigger: workflow_dispatch for ad-hoc refreshes
  • Workflow:
    1. Checkout repo
    2. Run scripts/refresh_vuln_db.py
    3. Verify syntax + run test suite
    4. If changes detected → create branch + commit + PR (NOT push to main)
    5. If no changes → do nothing
  • Permissions: contents: write (branch + commit), pull-requests: write (open PR)
  • Guard: only runs on Wolfvin/CodeLens (not forks)
  • PR body includes: new CVE count, before/after stats, verification checklist

Verification

Test 1: staleness warning gone

$ python3 scripts/codelens.py vuln-scan /tmp
# (no warning printed — was: "WARNING: Built-in VULN_DB is 487 days old")

Test 2: VULN_DB stats

>>> from vulnscan_engine import VULN_DB, VULN_DB_LAST_UPDATED
>>> len(VULN_DB)
285
>>> VULN_DB_LAST_UPDATED
'2026-06-30'
>>> len([e for e in VULN_DB if e['cve'].startswith(('CVE-2025', 'CVE-2026'))])
98

Test 3: full test suite

$ PYTHONUTF8=1 python3 -m pytest tests/ --ignore=tests/test_integration.py
863 passed, 12 skipped in 26.06s

Test 4: workflow YAML valid

$ python3 -c "import yaml; yaml.safe_load(open('.github/workflows/refresh-vuln-db.yml'))"
# (no error)

How the refresh works

The refresh_vuln_db.py script queries OSV.dev for a curated list of 35 packages (18 npm + 17 PyPI). For each package, it queries a known-vulnerable version (e.g., lodash@4.17.20) so OSV returns all applicable CVEs. It then extracts:

  • CVE ID: first CVE-* alias, or OSV ID (GHSA-* / OSV-*) as fallback
  • Severity: parsed from CVSS v3 vector (counts High impact metrics)
  • Fix version: first fixed event in the affected ranges
  • Vulnerable range: <fix_version format (matches VULN_DB style)
  • Title: OSV summary (truncated to 80 chars)

CVEs already present in VULN_DB are skipped (idempotent). CVEs without a known fix version are skipped (can't be expressed in VULN_DB's <X.Y.Z format).

Related

…oses #94)

Update the built-in VULN_DB in scripts/vulnscan_engine.py:
- Was 42 entries, last updated 2025-02-28 (487 days stale)
- Now 285 entries, last updated 2026-06-30
- Added 243 new CVE entries fetched from OSV.dev public API
  - 76 npm CVEs (lodash, express, axios, handlebars, ws, ...)
  - 167 pip/PyPI CVEs (django, pillow, aiohttp, cryptography, ...)
- Includes 98 CVEs from 2025-2026 that were missing from the old DB

Add scripts/refresh_vuln_db.py — reusable script that:
- Queries OSV.dev for 35 high-profile packages (18 npm + 17 PyPI)
- Extracts CVE ID, severity, fix version, vulnerable range, title
- Idempotent: skips CVEs already in VULN_DB
- Updates VULN_DB_LAST_UPDATED to today's date
- Verifies syntax after writing

Add .github/workflows/refresh-vuln-db.yml — monthly cron workflow that:
- Runs on the 1st of every month at 06:00 UTC
- Also triggerable manually via workflow_dispatch
- Runs refresh_vuln_db.py
- Creates a PR with the update (NOT push to main)
- Idempotent: if no changes, does nothing

Closes #94: vuln-scan no longer prints
  WARNING: Built-in VULN_DB is 487 days old (last updated 2025-02-28).

Verification:
- codelens vuln-scan: no staleness warning
- Full test suite: 863 passed, 12 skipped, 0 failed
- 98 CVEs from 2025-2026 now present in VULN_DB
@chatgpt-codex-connector

Copy link
Copy Markdown

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.

@Wolfvin Wolfvin merged commit 0801cac into main Jun 30, 2026
2 of 8 checks passed
@sonarqubecloud

Copy link
Copy Markdown

@Wolfvin Wolfvin deleted the fix/issue-94-vuln-db-refresh branch July 1, 2026 06:19
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[BUG] Built-in VULN_DB is 487 days stale — needs update pipeline

1 participant