Skip to content

feat(advisories): add advisories init to create an empty offline database#847

Open
ELHart05 wants to merge 2 commits into
OWASP:mainfrom
ELHart05:feature/issue-695-advisories-init
Open

feat(advisories): add advisories init to create an empty offline database#847
ELHart05 wants to merge 2 commits into
OWASP:mainfrom
ELHart05:feature/issue-695-advisories-init

Conversation

@ELHart05

Copy link
Copy Markdown
Contributor

Summary

Adds cve-lite advisories init [--output <path>], which creates an empty local advisory database with the current schema and no data. It is meant for air-gapped users who cannot run advisories sync because outbound access to OSV is blocked: they run init, populate the database from their own sources with any SQLite client, and scan with --offline-db.

Why this change

Issue #695: in an air-gapped or SSL-inspected corporate environment, advisories sync cannot reach OSV, so there was no supported way to get a database with the shape the scanner expects. In the thread you proposed exactly this command ("a new cve-lite advisories init command that creates an empty SQLite DB with the correct schema and no data"), and the reporter confirmed it fits their use case. This implements that.

What changed

  • New advisories init subcommand, parsed alongside advisories sync and sharing its --output option (defaults to the standard advisory DB path).
  • initAdvisoryDatabase() in src/cli/advisories-init.ts opens a writable LocalAdvisoryDatabase, which runs the existing CREATE TABLE IF NOT EXISTS schema, then closes it. No new schema and no import pipeline.
  • It refuses to overwrite an existing file, so a populated database is never clobbered by accident.
  • Help text and usage examples updated.

Validation

  • npm run build (strict tsc) passes.
  • New tests pass: initAdvisoryDatabase creates a readable, empty, correctly-shaped database and throws on an existing file; parseArgs recognizes advisories init and its --output. The test-hygiene pretest gate passes.
  • Manually: advisories init --output x.db creates the file and prints next steps; re-running errors; --offline-db x.db then scans a project against the empty database and reports no findings without any network calls.

User-facing impact

Does this change:

  • affect scanning behavior
  • affect output formatting
  • affect JSON output
  • affect docs only

Adds a new advisories init command; it does not change scanning, output formatting, or JSON output.

Notes

When you scan with a freshly initialized (or self-populated) database, the offline freshness check still prints "no recorded sync timestamp. Re-run cve-lite advisories sync", because the metadata row is empty. That advice is a little off for a user-managed database. I kept it out of this PR to stay focused, but happy to refine that message in a follow-up if you would like.

Closes #695

…tabase

Air-gapped users who cannot reach OSV to run `advisories sync` had no
supported way to get a correctly-shaped advisory database. This adds
`cve-lite advisories init [--output <path>]`, which writes an empty SQLite
database with the current schema and no data. Users populate it from their
own sources and scan with `--offline-db`, exactly as outlined in the issue
thread.

The command refuses to overwrite an existing file, so a populated database
is never clobbered. It reuses the existing LocalAdvisoryDatabase schema and
path resolution, so the file is identical in shape to one produced by
`advisories sync`.

Closes OWASP#695
@ELHart05
ELHart05 requested a review from sonukapoor as a code owner July 18, 2026 14:33
… in tests

Importing the advisories-init module statically from index.ts pulled
getDefaultAdvisoryDbPath into index's static import graph, which broke
named-export linking under the cache-busting
`import('../src/index.ts?test=...')` that cli-integration.test.ts uses.
Load the module on demand inside the handler, the same way the overrides
command is loaded, so it links against a fully evaluated osv-sync at call
time. Runtime behavior is unchanged.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[Feature]: Option to pass down your own advisory.json file

1 participant