Allow disabling data sources when fetching CVEs.

README.md

@@ -46,6 +46,14 @@ NOTE: To mention multiple directories, use comma as a separator and don't includ
 
 **Optional** Provide input filename for triage data. The supported format is CycloneDX VEX, OpenVEX and CSAF. Find more information [here](https://github.com/intel/cve-bin-tool#providing-triage-input).
 
+### `disable_data_source`
+
+**Optional** Comma-separated list of data sources to disable (CURL, EPSS, GAD, NVD, OSV, PURL2CPE, REDHAT, RSD)
+
+### `skips`
+
+**Optional** This option allows one to skip (disable) a comma-separated list of checkers and language parsers.
+
 ### `filter_triage`
 
 **Optional** Provide a filter_triage flag in addition to triage_input_file that filters out vulnerabilities marked as 'not affected' and 'false positive' in the triage input file from the security tab.

action.yml

@@ -31,6 +31,12 @@ inputs:
   vex_file:
     required: false
     description: 'Provide input filename for triage data.'
+  disable_data_source:
+    required: false
+    description: 'While scanning, CVE Binary Tool will disable these data sources.'
+  skips:
+    required: false
+    description: 'While scanning, CVE Binary Tool will skip these checks.'
   filter_triage:
     required: false
     default: true
@@ -63,13 +69,16 @@ runs:
         --sbom-format '${{ inputs.sbom_format }}'
         --alerts-based-on-file '${{inputs.alerts_based_on_file}}'
         --vex-file '${{ inputs.vex_file }}'
+        --disable-data-source '${{ inputs.disable_data_source }}'
+        --skips '${{ inputs.skips }}'
         --filter-triage '${{inputs.filter_triage}}'
       shell: bash
     - uses: actions/upload-artifact@v4
       with:
         name: cve_reports
         path: |
           scan-result.html
+          scan-result.json
           scan-result.pdf
           SBOM.json
           SBOM.spdx

src/cve_bin_tool.py

@@ -12,20 +12,34 @@
 
 
 class CVE_BIN_TOOL:
-    def update_db(self, nvd_api_key):
-        command = ["cve-bin-tool"]
+    def update_db(
+            self,
+            dir,
+            nvd_api_key,
+            disable_data_source=None,
+            skips=None,
+        ):
+        command = [
+            "cve-bin-tool",
+            dir
+        ]
         if nvd_api_key:
             command.append("--nvd-api-key")
             command.append(nvd_api_key)
         else:
             command.append("--nvd")
             command.append("json-mirror")
+        if disable_data_source:
+            command.append("--disable-data-source")
+            command.append(disable_data_source)
+        if skips:
+            command.append("--skips")
+            command.append(skips)
         subprocess.run(command)
 
     def scan(
         self,
         dir,
-        filter_triage=False,
         scan_mode="repo-only",
         formats=[],
         output=None,
@@ -35,6 +49,9 @@ def scan(
         sbom_output="SBOM.json",
         vex_file=None,
         triage_input_file=None,
+        disable_data_source=None,
+        skips=None,
+        filter_triage=False,
     ):
         json_data = []
         captured_output = ""
@@ -72,16 +89,24 @@ def scan(
                 # Backwards compatibility with old arg name
                 command.append("--vex-file")
                 command.append(triage_input_file)
+            if disable_data_source:
+                command.append("--disable-data-source")
+                command.append(disable_data_source)
+            if skips:
+                command.append("--skips")
+                command.append(skips)
             if filter_triage:
                 command.append("--filter-triage")
+            print(f"Running command: {' '.join(command)}")
             captured_output += subprocess.run(
                 command, capture_output=True, text=True
             ).stdout
             print(captured_output)
             with open(f"{output}.json") as fd:
                 try:
                     json_output = json.load(fd)
-                except Exception:
+                except Exception as e:
+                    print(f"Error reading JSON output: {e}")
                     json_output = []
                 for obj in json_output:
                     obj["type"] = "Library"

src/generate_sarif.py

@@ -75,10 +75,13 @@ def write_file(self, output_file):
             fd.write(json.dumps(self.sarif_file))
 
     def check_cves_in_json(self):
+        print(f"Checking for CVEs in {self.json_file_path}")
         if not self.json_file_path.is_file():
+            print(f"File {self.json_file_path} does not exist.")
             return False
         with open(self.json_file_path) as fp:
             json_data = json.load(fp)
+            print(f"Found {len(json_data)} CVEs in {self.json_file_path}")
         return bool(len(json_data))
 
     def extract_vulnerablities_from_json(self):

src/scanner.py

@@ -71,6 +71,16 @@ def main():
         help="Provide input filename for triage data.",
         required=False,
     )
+    parser.add_argument(
+        "--disable-data-source",
+        help="Disable data sources for the scan.",
+        required=False,
+    )
+    parser.add_argument(
+        "--skips",
+        help="Skip checkers for the scan.",
+        required=False,
+    )
     parser.add_argument(
         "--filter-triage",
         help="Filter vulnerabilities based on triage data.",
@@ -95,7 +105,12 @@ def main():
             exit(1)
 
     cve_bin_tool = CVE_BIN_TOOL()
-    cve_bin_tool.update_db(args.nvd_api_key)
+    cve_bin_tool.update_db(
+            args.directory,
+            args.nvd_api_key,
+            args.disable_data_source,
+            args.skips,
+        )
 
     # backwards compatibility for folk still using triage-input-file instead of vex-file
     if args.triage_input_file and not args.vex_file:
@@ -125,6 +140,8 @@ def main():
         sbom_format=args.sbom_format,
         sbom_output=f"{args.sbom_output}.{output_extension}",
         vex_file=args.vex_file,
+        disable_data_source=args.disable_data_source,
+        skips=args.skips,
         filter_triage=args.filter_triage,
     )
 

test/test_cve_bin_tool.py

@@ -89,7 +89,7 @@ def test_update_db(self, mocker: MockerFixture):
         mocker.patch("subprocess.run")
         spy_subprocess = mocker.spy(subprocess, "run")
         cve_bin_tool_scanner = cve_bin_tool.CVE_BIN_TOOL()
-        cve_bin_tool_scanner.update_db("NVD_API_KEY")
+        cve_bin_tool_scanner.update_db(".", "NVD_API_KEY")
         spy_subprocess.assert_called_once_with(
             [
                 "cve-bin-tool",