Import or update the vulnerability information problems
ZupeiNie opened this issue · comments
Hi,
Documentation:
When you deploy Eclipse Steady using Docker, not only the vulnerability data from project KB is automatically imported, but it is also periodically updated so that any new vulnerabilities are imported automatically into your Eclipse Steady backend.
However, in the course of actual use, I found that there were only 124 vulnerabilities in my backend and 747 in the official library, whether there were problems in automatic updates.
Second, when I use kaybee to add vulnerability information, I don't know how to value the parameter KB_IMPORTER_PATH. I didn't find kb-importer jar file.
Can you help me? Thank you very much!
Hi @11111821 ,
Using the default configuration coming with docker/.env.sample
(see [1] ), around 500 vulnerabilities should be imported because of KB_IMPORTER_SKIP_CLONE=True
. As you only have 124, could you run docker logs steady-kb-importer
to check what went wrong? In fact we are currently working on improving the initial import of vulnerabilities as it takes long (~2h as mentioned at [1]) and, with the images available in docker-hub, if the container is stopped during the initial import a flag needs to be manually removed to have to continue processing the vulnerabilities (removing kb-importer/data/running
). Once the new docker images will be published (likely next week) this bug will be fixed.
KB_IMPORTER_PATH
should contain the path to the executable jar that you can find in the volume mounted to the steady-kb-importer
container, i.e., at kb-importer/data/kb-importer.jar
.
[1] https://eclipse.github.io/steady/admin/tutorials/docker/#populatemaintain-the-vulnerability-database
Hi, @serenaponta
In the afternoon, I redeployed steady-3.2.2. At this time, the vulnerability information can be imported to the back end. Although the speed is very slow, it is feasible! I look forward to the release of steady-3.2.3, and thank you very much for your detailed reply!
@11111821, we just released steady 3.2.4 and published the corresponding docker images. In particular it contains some improvements to make kb-importer
restart in case it was stopped before the initialization was done and fixes an issue with the cron job to keep the vulnerability database up to date.
The performance improvement is still not part of release 3.2.4 and it's work in progress (#537)
Hello @11111821, Can this ticket be closed? I suggest that you watch the repo to be notified once #537 is completed and a new release is available.
hi @henrikplate Okay, no problem