From 2632ffcf67fee0e6acb1fb3d2c5c96c1cbfcda1f Mon Sep 17 00:00:00 2001 From: Sonu Kapoor Date: Sat, 4 Apr 2026 15:28:59 -0400 Subject: [PATCH] docs: add advisory sync benchmark note --- README.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index b59242d..a1e252c 100644 --- a/README.md +++ b/README.md @@ -269,6 +269,8 @@ Sync the local advisory database: cve-lite advisories sync ``` +In our local benchmark on the same machine, syncing the OSV npm dump with about `217,065` advisory records improved from `87.53s` to `8.84s` after bulk SQLite ingestion optimizations, or about `9.9x` faster end-to-end. Results will vary by machine and network conditions. + Write the advisory database to a specific path: ```bash @@ -305,17 +307,15 @@ cve-lite . --osv-url https://security.company.internal/osv The local advisory DB is only as current as the last successful sync. -For now, the recommended model is: +Offline scans now report advisory DB freshness and warn when the local DB appears stale or is missing sync metadata. + +The recommended model is: - sync the advisory DB on a schedule using cron, CI, or another automation system - distribute the refreshed DB where needed - run offline scans against that updated DB -A future improvement is to add built-in advisory DB freshness metadata, such as: - -- last sync timestamp reporting -- a TTL-style warning when the DB is older than a recommended threshold -- clearer CLI guidance when a local advisory DB should be refreshed +This helps keep offline scan results current without requiring developers to manually track advisory update cadence. ## Detecting malicious package incidents
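Review bot: The benchmark paragraph in the first hunk (after `cve-lite advisories sync`) does not say what was measured or which release contains the bulk SQLite ingestion optimizations, so a reader cannot tell whether their installed version has them or whether the `87.53s` to `8.84s` figure covers network download plus ingestion or ingestion alone. Suggest naming the version (or tag) that introduced the change and stating whether network time is included, e.g. "As of vX.Y, syncing the OSV npm dump (about 217,065 advisory records, download excluded) ...". The numbers are also wrapped in backticks, which renders them as inline code; plain text (217,065 records, 87.53s to 8.84s, about 9.9x) reads better in a README sentence. The ratio itself checks out (87.53 / 8.84 is about 9.9).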
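Review bot: The second hunk replaces the "future improvement" list with "Offline scans now report advisory DB freshness and warn when the local DB appears stale or is missing sync metadata", but the new text drops the specifics that the old list promised: what threshold counts as stale, whether it is configurable, and what the warning looks like to automation. For the cron/CI workflow described directly below, the operationally important detail is whether a stale or metadata-less DB only prints a warning or also affects the exit status, since a scan against an outdated DB can silently under-report known vulnerabilities; suggest adding one sentence stating the default threshold, the option (if any) that changes it, and the exit-code behaviour, plus a note that DBs synced by older versions may lack sync metadata until re-synced. Minor: "This helps keep offline scan results current" refers to the freshness warning two paragraphs above, but it sits right after the bulleted model, so "The freshness warning helps keep ..." would make the referent clear.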