diff --git a/README.md b/README.md
index 8b94c51e3c..8038c6ad15 100644
--- a/README.md
+++ b/README.md
@@ -425,7 +425,8 @@ CVE Data Download:
   -u {now,daily,never,latest}, --update {now,daily,never,latest}
                         update schedule for data sources and exploits database (default: daily)
   --nvd-api-key NVD_API_KEY
-                        specify NVD API key (used to improve NVD rate limit)
+                        Specify NVD API key (used to improve NVD rate limit).
+                        Set to `no` to ignore any keys in the environment.
   -d DISABLE_DATA_SOURCE, --disable-data-source DISABLE_DATA_SOURCE
                         comma-separated list of data sources (CURL, EPSS, GAD, NVD, OSV, REDHAT, RSD) to disable (default: NONE)
diff --git a/cve_bin_tool/cli.py b/cve_bin_tool/cli.py
index e4ab587191..999033b0ca 100644
--- a/cve_bin_tool/cli.py
+++ b/cve_bin_tool/cli.py
@@ -150,7 +150,12 @@ def main(argv=None):
             "--nvd-api-key",
             action="store",
             default="",
-            help="specify NVD API key (used to improve NVD rate limit)",
+            help=textwrap.dedent(
+                """\
+                Specify NVD API key (used to improve NVD rate limit).
+                Set to `no` to ignore any keys in the environment.
+                """
+            ),
         )
         data_source_disable_help = f'comma-separated list of data sources ({", ".join(DataSourceSupport.available_data_sources())}) to disable (default: NONE)'
         data_sources_group.add_argument(
diff --git a/cve_bin_tool/data_sources/nvd_source.py b/cve_bin_tool/data_sources/nvd_source.py
index e1ad2db190..16ff6a0955 100644
--- a/cve_bin_tool/data_sources/nvd_source.py
+++ b/cve_bin_tool/data_sources/nvd_source.py
@@ -88,6 +88,13 @@ def __init__(
         # store the nvd api key for use later
         self.nvd_api_key = nvd_api_key
 
+        # if nvd_api_key was set to "No" then unset it
+        # This makes it easier to disable usage from the command line
+        # and over-riding existing environment variables.
+        if self.nvd_api_key.lower() == "no":
+            self.nvd_api_key = ""
+            LOGGER.info("NVD API Key was set to 'no' and will not be used")
+
     async def get_cve_data(self):
         """Retrieves the CVE data from the data source."""
         await self.fetch_cves()
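Review bot: `textwrap.dedent` is a name this hunk introduces and no import is added anywhere in the diff; unless `textwrap` is already imported at the top of cli.py (not visible here), building the parser in `main` fails with NameError before any argument is parsed. Also, argparse's default HelpFormatter re-wraps help text and discards the embedded newline, so unless this parser is built with one of the Raw* formatters the dedent and the trailing newline add nothing over a single-line string containing the same two sentences. The enclosing `add_argument(...)` call and `main` itself start and end outside the hunk.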
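Review bot: The new guard in `__init__` calls `self.nvd_api_key.lower()` unconditionally, so any caller that constructs this source with `nvd_api_key=None` (the parameter's default is outside the hunk, so this is inferred from the CLI default of `""` only) gets an AttributeError instead of an unset key. `if isinstance(self.nvd_api_key, str) and self.nvd_api_key.lower() == "no":` keeps the opt-out while tolerating a missing key. The comment above the check says the sentinel is `"No"` while the help text and manual say `no`; since the comparison is case-insensitive, `# if nvd_api_key was set to "no" (any case) then unset it` keeps the comment and the documented value in agreement. The enclosing `__init__` starts outside the hunk.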
diff --git a/doc/MANUAL.md b/doc/MANUAL.md
index 559c1fa6a6..b6a30029c6 100644
--- a/doc/MANUAL.md
+++ b/doc/MANUAL.md
@@ -125,7 +125,8 @@ which is useful if you're trying the latest code from
   -u {now,daily,never,latest}, --update {now,daily,never,latest}
                         update schedule for data sources and exploits database (default: daily)
   --nvd-api-key NVD_API_KEY
-                        specify NVD API key (used to improve NVD rate limit)
+                        Specify NVD API key (used to improve NVD rate limit).
+                        Set to `no` to ignore any keys in the environment.
   -d {NVD,OSV,GAD,REDHAT,CURL} [{NVD,OSV,GAD,REDHAT,CURL} ...], --disable-data-source {NVD,OSV,GAD,REDHAT,CURL} [{NVD,OSV,GAD,REDHAT,CURL} ...]
                         specify data sources that should be disabled
@@ -451,6 +452,8 @@ By stating it in command line interface(cli)
 cve-bin-tool --nvd-api-key your_api_key_here
 ```
 
+You can also set your API Key to be "no" on the command line, which will allow you to ignore any keys set in the environment. This is occasionally useful for testing purposes or to force cve-bin-tool to use the mirrors only.
+
 Once you have set up your NVD API Key, cve-bin-tool will use it to retrieve vulnerability data from the NVD. This will ensure that you have access to the full database and will reduce the likelihood of encountering errors due to limited access. If for any reason, the NVD API Key is not working, cve-bin-tool will automatically switch to the JSON fallback. However, it is highly recommended that you verify that your API Key is working properly to ensure access with the NVD database. To use the json method, use the flag [`-n json-nvd` or `--nvd json-nvd`](https://github.com/intel/cve-bin-tool/blob/main/doc/MANUAL.md#-n-jsonapi---nvd-jsonapi) . You can use it in the following way
diff --git a/test/test_cli.py b/test/test_cli.py
index c60e514b1b..6c62e33668 100644
--- a/test/test_cli.py
+++ b/test/test_cli.py
@@ -809,3 +809,32 @@ def test_config_generator(self, args, expected_files, expected_contents, caplog)
             assert expected_content in content
         # Cleanup
         os.remove(expected_files)
+
+    def test_disabled_sources(self, caplog):
+        """Attempts to disable various data sources and makes sure they appear
+        to be disabled correctly.
+
+        This only tests for disabled messages, it doesn't check on the update code
+        because we'd have to actually do updates then and they're slow.
+        """
+
+        # attempt to call with all sources disabled
+        with caplog.at_level(logging.INFO):
+            main(
+                [
+                    "cve-bin-tool",
+                    "--update",
+                    "never",
+                    "--nvd-api-key",
+                    "no",
+                    "-n",
+                    "json-mirror",
+                    "--disable-data-source",
+                    "CURL,EPSS,GAD,OSV,REDHAT,RSD",
+                    self.tempdir,
+                ]
+            )
+        # check that nvd key was disabled as expected
+        assert "NVD API Key was set to 'no' and will not be used" in caplog.text
+        for source in ["CURL", "EPSS", "GAD", "OSV", "REDHAT", "RSD"]:
+            assert f"Disabling data source {source}" in caplog.text
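Review bot: `test_disabled_sources` only asserts on log text, so a regression where the INFO line is still emitted but `nvd_api_key` is not actually cleared (or a disabled source is still queried) would still pass, and the message is copied verbatim from nvd_source.py, so a wording change there breaks this test without any behavioural change. Consider also instantiating the NVD source class directly with `nvd_api_key="no"` and asserting its `nvd_api_key` attribute equals `""` (the class name and constructor signature are outside this diff), and covering the case-insensitive match the implementation performs with a value such as `"No"`. `caplog.at_level(logging.INFO)` also relies on `logging` being imported in test_cli.py, which the hunk does not show. The enclosing test class starts outside the hunk.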