diff --git a/README.md b/README.md
index 3caffd8e23..7ec9307843 100644
--- a/README.md
+++ b/README.md
@@ -174,7 +174,7 @@ cve-bin-tool file -f csv,json,json2,html -o report
Note: You must not use spaces between the commas (',') and the output formats.
The reported vulnerabilities can additionally be reported in the
-Vulnerability Exchange (VEX) format by specifying `--vex-output` with type defined using `--vex-type` command line option.
+Vulnerability Exploitability eXchange (VEX) format by specifying `--vex-output` with type defined using `--vex-type` command line option.
The generated VEX file can then be used as a `--vex-file` to support
a triage process.
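Review bot: the expansion to "Vulnerability Exploitability eXchange (VEX)" on the `+` line is right, but the rest of the sentence still reads awkwardly ("with type defined using `--vex-type` command line option"); suggest "with the document type selected via the `--vex-type` option", and since this hunk already touches the sentence it is the place to fix it.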
@@ -445,7 +445,7 @@ CVE Data Download:
Specify NVD API key (used to improve NVD rate limit).
Set to `no` to ignore any keys in the environment.
-d DISABLE_DATA_SOURCE, --disable-data-source DISABLE_DATA_SOURCE
- comma-separated list of data sources (CURL, EPSS, GAD, NVD, OSV, REDHAT, RSD) to disable (default: NONE)
+ comma-separated list of data sources (CURL, EPSS, GAD, NVD, OSV, PURL2CPE, REDHAT, RSD) to disable (default: NONE)
--use-mirror USE_MIRROR
use an mirror to update the database
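Review bot: the trailing context line `use an mirror to update the database` has a pre-existing typo ("a mirror"); as the same help string is being added verbatim to doc/MANUAL.md in this PR, fixing it in the argparse help and regenerating both files would keep them consistent.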
@@ -463,7 +463,7 @@ Input:
--sbom-file SBOM_FILE
provide sbom filename
--vex-file VEX_FILE
- provide vex filename used for triage processing, the type of vex will be automatically detected.
+ provide vulnerability exploitability exchange (vex) filename for triage processing
Output:
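Review bot: the new `--vex-file` help drops the statement "the type of vex will be automatically detected", which is useful information for users who receive VEX documents in different formats; if auto-detection still happens, keep a short mention of it (e.g. "(type auto-detected)") rather than removing it.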
@@ -486,9 +486,9 @@ Output:
--metrics
check for metrics (e.g., EPSS) from found cves
--epss-percentile EPSS_PERCENTILE
- minimum epss percentile of CVE range between 0 to 100 to report
+ minimum epss percentile of CVE range between 0 to 100 to report. Automatically enables `--metrics`
--epss-probability EPSS_PROBABILITY
- minimum epss probability of CVE range between 0 to 100 to report
+ minimum epss probability of CVE range between 0 to 100 to report. Automatically enables `--metrics`
--no-0-cve-report only produce report when CVEs are found
-A [-], --available-fix [-]
Lists available fixes of the package from Linux distribution
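Review bot: the two `+` lines say "range between 0 to 100"; this should be "between 0 and 100". Also note that backticks around `--metrics` are printed literally when argparse renders this help on the console, so consider plain `--metrics` in the help string (the README can keep the markdown formatting).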
@@ -501,10 +501,21 @@ Output:
specify type of software bill of materials (sbom) to generate (default: spdx)
--sbom-format {tag,json,yaml}
specify format of software bill of materials (sbom) to generate (default: tag)
- --vex-type {cyclonedx, csaf, openvex}
- specify type of vulnerability exploitability exchange (vex) to generate (default: cyclonedx)
+
+Vex Output:
+ Arguments related to Vex output document.
+
--vex-ouptput VEX_OUTPUT
Provide vulnerability exploitability exchange (vex) filename to generate
+ --vex-type {cyclonedx, csaf, openvex}
+ specify type of vulnerability exploitability exchange (vex) to generate (default: cyclonedx)
+ --product PRODUCT Product Name
+ --release RELEASE Release Version
+ --vendor VENDOR Vendor/Supplier of Product
+ -rr REVISION_REASON, --revision-reason REVISION_REASON
+ a reason for the update to the vex document should be specified in double quotes
+ --filter-triage Filter cves based on triage data from Vex file
+
Merge Report:
Arguments related to Intermediate and Merged Reports
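Review bot: the context line `--vex-ouptput VEX_OUTPUT` carries a pre-existing typo ("--vex-output", as doc/MANUAL.md has it) and this hunk restructures exactly that block, so it should be corrected here. Two smaller consistency points in the added lines: the choices are written `{cyclonedx, csaf, openvex}` with spaces while the MANUAL hunk uses `{cyclonedx,csaf,openvex}`, and the group name "Vex Output" would read better as "VEX Output" to match the expansion introduced in the first hunk.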
@@ -542,6 +553,8 @@ Exploits:
--exploits check for exploits from found cves
Deprecated:
+ --triage-input-file TRIAGE_INPUT_FILE
+ replaced by --vex-file
-x, --extract autoextract compressed files
--report Produces a report even if there are no CVE for the respective output format
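Review bot: the added `--triage-input-file` entry only says "replaced by --vex-file"; unlike the neighbouring deprecated options it does not say what happens if it is still used (ignored, error, or treated as `--vex-file`), and a short clause on that would help users migrating scripts.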
diff --git a/doc/MANUAL.md b/doc/MANUAL.md
index 16d077e3fe..4125d3b20d 100644
--- a/doc/MANUAL.md
+++ b/doc/MANUAL.md
@@ -107,7 +107,7 @@ You can also do `python -m cve_bin_tool.cli`
which is useful if you're trying the latest code from
[the cve-bin-tool github](https://github.com/intel/cve-bin-tool).
- optional arguments:
+ options:
-h, --help show this help message and exit
-e EXCLUDE, --exclude EXCLUDE
Comma separated Exclude directory path
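Review bot: changing the heading from "optional arguments:" to "options:" reflects the argparse wording used by Python 3.10 and later; that is fine for a captured help dump, but it is worth a line in the MANUAL stating which Python version the output was generated with, since users on older Pythons will see the old heading.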
@@ -117,20 +117,22 @@ which is useful if you're trying the latest code from
--disable-validation-check
skips checking xml files against schema
--offline operate in offline mode
- --detailed display detailed report
+ --detailed add CVE description in csv or json report (no effect on console, html or pdf)
CVE Data Download:
Arguments related to data sources and Cache Configuration
- -n {api,api2,json-nvd,json-mirror}, --nvd {api,api2,json-nvd,json-mirror}
+ -n {api,api2,json,json-mirror,json-nvd}, --nvd {api,api2,json,json-mirror,json-nvd}
choose method for getting CVE lists from NVD
-u {now,daily,never,latest}, --update {now,daily,never,latest}
update schedule for data sources and exploits database (default: daily)
--nvd-api-key NVD_API_KEY
Specify NVD API key (used to improve NVD rate limit).
Set to `no` to ignore any keys in the environment.
- -d {NVD,OSV,GAD,REDHAT,CURL} [{NVD,OSV,GAD,REDHAT,CURL} ...], --disable-data-source {NVD,OSV,GAD,REDHAT,CURL} [{NVD,OSV,GAD,REDHAT,CURL} ...]
- specify data sources that should be disabled
+ -d DISABLE_DATA_SOURCE, --disable-data-source DISABLE_DATA_SOURCE
+ comma-separated list of data sources (CURL, EPSS, GAD, NVD, OSV, PURL2CPE, REDHAT, RSD) to disable (default: NONE)
+ --use-mirror USE_MIRROR
+ use an mirror to update the database
Input:
directory directory to scan
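Review bot: the added line `use an mirror to update the database` should read "use a mirror"; this string originates in the argparse definition, so fix it there and regenerate. Separately, the new `-n` choice list contains both `json` and `json-nvd`, and nothing in the help explains how they differ; a word on that in the help string would prevent confusion.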
@@ -144,6 +146,7 @@ which is useful if you're trying the latest code from
specify type of software bill of materials (sbom) (default: spdx)
--sbom-file SBOM_FILE
provide sbom filename
+ --vex-file VEX_FILE provide vulnerability exploitability exchange (vex) filename for triage processing
Output:
-q, --quiet suppress output
@@ -157,13 +160,16 @@ which is useful if you're trying the latest code from
update output format (default: console)
specify multiple output formats by using comma (',') as a separator
note: don't use spaces between comma (',') and the output formats.
+ --generate-config {yaml,toml,yaml,toml,toml,yaml}
+ generate config file for cve bin tool in toml and yaml formats.
-c CVSS, --cvss CVSS minimum CVSS score (as integer in range 0 to 10) to report (default: 0)
- --epss-percentile minimum EPSS percentile of CVE range between 0 to 100 to report
- (input value can also be floating point)(default: 0)
- --epss-probability minimum EPSS probability of CVE range between 0 to 100 to report
- (input value can also be floating point)(default: 0)
-S {low,medium,high,critical}, --severity {low,medium,high,critical}
minimum CVE severity to report (default: low)
+ --metrics check for metrics (e.g., EPSS) from found cves
+ --epss-percentile EPSS_PERCENTILE
+ minimum epss percentile of CVE range between 0 to 100 to report. Automatically enables `--metrics`
+ --epss-probability EPSS_PROBABILITY
+ minimum epss probability of CVE range between 0 to 100 to report. Automatically enables `--metrics`
--no-0-cve-report only produce report when CVEs are found
-A [-], --available-fix [-]
Lists available fixes of the package from Linux distribution
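Review bot: the added `--generate-config {yaml,toml,yaml,toml,toml,yaml}` line shows the same two choices repeated three times, which indicates the `choices` list in the argparse definition is built with duplicates (likely from concatenating case variants or a list comprehension); this should be de-duplicated in the code rather than published as-is in the MANUAL. The `--epss-*` lines have the same "between 0 to 100" wording issue noted for the README hunk.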
@@ -171,15 +177,25 @@ which is useful if you're trying the latest code from
Lists backported fixes if available from Linux distribution
--affected-versions Lists versions of product affected by a given CVE (to facilitate upgrades)
--sbom-output SBOM_OUTPUT
- provide software bill of materials (sbom) filename to generate
+ Provide software bill of materials (sbom) filename to generate
--sbom-type {spdx,cyclonedx}
specify type of software bill of materials (sbom) to generate (default: spdx)
--sbom-format {tag,json,yaml}
specify format of software bill of materials (sbom) to generate (default: tag)
- --vex-type {cyclonedx, csaf, openvex}
- specify type of vulnerability exploitability exchange (vex) to generate (default: cyclonedx)
+
+ Vex Output:
+ Arguments related to Vex output document.
+
--vex-output VEX_OUTPUT
- provide vulnerability exploitability exchange (vex) filename to generate
+ Provide vulnerability exploitability exchange (vex) filename to generate
+ --vex-type {cyclonedx,csaf,openvex}
+ specify type of vulnerability exploitability exchange (vex) to generate (default: cyclonedx)
+ --product PRODUCT Product Name
+ --release RELEASE Release Version
+ --vendor VENDOR Vendor/Supplier of Product
+ -rr REVISION_REASON, --revision-reason REVISION_REASON
+ a reason for the update to the vex document should be specified in double quotes
+ --filter-triage Filter cves based on triage data from Vex file
Merge Report:
Arguments related to Intermediate and Merged Reports
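Review bot: the added group header `Vex Output:` and its description line are indented one space deeper than the sibling groups (`Merge Report:` sits at column 0), which looks like a copy/paste artefact rather than real argparse output; align them with the other headers. The `--product`, `--release` and `--vendor` help strings are terse ("Product Name"); since this group is "related to Vex output document", saying that these values populate the product metadata of the generated VEX document would make their purpose clear.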
@@ -198,6 +214,19 @@ which is useful if you're trying the latest code from
-r RUNS, --runs RUNS comma-separated list of checkers to enable
Database Management:
+ --import-json IMPORT_JSON
+ import database from json files chopped by years
+ --ignore-sig do not verify PGP signature while importing json data
+ --log-signature-error
+ when the signature doesn't match log the error only instead of halting (UNSAFE)
+ --verify PGP_PUBKEY_PATH
+ verify PGP sign while importing json files
+ --export-json EXPORT_JSON
+ export database as json files chopped by years
+ --pgp-sign PGP_PRIVATE_KEY_PATH
+ sign exported json files with PGP
+ --passphrase PASSPHRASE
+ required passphrase for signing with PGP
--export EXPORT export database filename
--import IMPORT import database filename
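Review bot: in the added `--verify PGP_PUBKEY_PATH` line, "verify PGP sign" should be "verify PGP signature". More importantly, the new `--ignore-sig` and `--log-signature-error` options both weaken integrity checking of imported CVE data; the `(UNSAFE)` marker on one but not the other is inconsistent, and a short sentence in the MANUAL on when these are acceptable (e.g. locally produced exports) would help. Also consider documenting that passing `--passphrase` on the command line exposes the secret to process listings and shell history, and whether an environment variable or prompt alternative exists.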
@@ -205,10 +234,10 @@ which is useful if you're trying the latest code from
--exploits check for exploits from found cves
Deprecated:
+ --triage-input-file TRIAGE_INPUT_FILE
+ replaced by --vex-file
-x, --extract autoextract compressed files
- CVE Binary Tool autoextracts all compressed files by default now
--report Produces a report even if there are no CVE for the respective output format
- CVE Binary Tool produces report by default even if there are no CVEs
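Review bot: the two removed `-` lines ("autoextracts all compressed files by default now" and "produces report by default even if there are no CVEs") explained why `-x` and `--report` are deprecated, and that context is lost for readers of the MANUAL; if the goal is to mirror argparse output exactly, move those explanations into a sentence under the Deprecated block, otherwise keep the lines.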
| | | | Available checkers | | | |