merge main

Signed-off-by: rafi <refaei.shikho@hotmail.com>

Author: refoo0

.github/workflows/devguard-scanner.yaml

@@ -46,7 +46,7 @@ jobs:
           substituters = https://cache.nixos.org https://nix.garage.l3montree.cloud
           trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= nix.garage.l3montree.cloud:MGlzfPQKA91/zxw91CN+GP7NpjAAwmKvWXlDYgeeI8k=
     - name: Run unittests
-      run: nix develop . --command bash -c "go test \$(go list ./... | grep -v '/mocks') -coverprofile=coverage.out && go tool cover -func=coverage.out"
+      run: nix develop . --command bash -c "go test -timeout 20m \$(go list ./... | grep -v '/mocks') -coverprofile=coverage.out && go tool cover -func=coverage.out"
     - name: Archive code coverage results
       uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 - https://github.com/actions/upload-artifact/releases/tag/v4.6.2
       with:
@@ -121,7 +121,7 @@ jobs:
       devguard-token: ${{ secrets.DEVGUARD_TOKEN }}
 
   postgresql-pipeline:
-    if: github.event_name == 'workflow_dispatch' || startsWith(github.ref, 'refs/tags/') || github.ref == 'refs/heads/main'
+    if: github.event_name == 'workflow_dispatch' || startsWith(github.ref, 'refs/tags/')
     uses: l3montree-dev/devguard-action/.github/workflows/full-nix.yml@nix
     permissions:
       contents: read

.github/workflows/mirror-to-gitlab.yml

@@ -23,7 +23,7 @@ jobs:
           # Avoid --mirror, which also pushes refs/remotes/* that GitLab rejects as hidden refs.
           # Push from refs/remotes/origin/* so all branches are present and --prune never deletes the default branch.
           git push --prune gitlab 'refs/remotes/origin/*:refs/heads/*'
-          git push --prune gitlab 'refs/tags/*:refs/tags/*'
+          git push --force gitlab 'refs/tags/*:refs/tags/*'
         env:
           GITLAB_TOKEN: ${{ secrets.GITLAB_MIRROR_TOKEN }}
           GITLAB_HOST: ${{ vars.GITLAB_HOST }}

.github/workflows/vulndb-v1.yaml

@@ -0,0 +1,133 @@
+name: VulnDB v1 Workflow
+
+on:
+  workflow_dispatch:
+    inputs:
+      run_generate_snapshot:
+        description: "Run generate snapshot job"
+        required: false
+        default: "false"
+  schedule:
+    - cron: "0 */6 * * *" # every hour
+
+permissions:
+  contents: read
+  packages: write
+
+env:
+  POSTGRES_DB: devguard
+  POSTGRES_USER: devguard
+  POSTGRES_HOST: localhost
+  POSTGRES_PASSWORD: not_reachable_from_the_internet
+  DATE: $(date +%s)
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    env:
+      FRONTEND_URL: "doesntmatter"
+    services:
+      postgres:
+        image: ghcr.io/l3montree-dev/devguard-postgresql:v0.5.3@sha256:a06c9e7c8ee334790cc66d52e89ff5ef05352ab264841d3d9f3659c046732251
+        env:
+          POSTGRES_DB: ${{env.POSTGRES_DB}}
+          POSTGRES_USER: ${{env.POSTGRES_USER}}
+          POSTGRES_PASSWORD: ${{env.POSTGRES_PASSWORD}}
+        ports:
+          - 5432:5432
+        options: '--health-cmd="pg_isready -U devguard"  --health-interval=10s  --health-timeout=5s  --health-retries=5 '
+    steps:
+      - name: Install postgresql client
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y wget
+          wget --quiet -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | sudo apt-key add -
+          echo "deb http://apt.postgresql.org/pub/repos/apt/ $(lsb_release -cs)-pgdg main" | sudo tee /etc/apt/sources.list.d/pgdg.list
+          sudo apt-get update
+          sudo apt-get install -y postgresql-client-16
+      - name: Create semver extension
+        run: |
+          PGPASSWORD=${{env.POSTGRES_PASSWORD}} psql -h localhost -U devguard devguard -c "CREATE EXTENSION IF NOT EXISTS semver;"
+      - name: Checkout code
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 - https://github.com/actions/checkout/releases/tag/v5.0.0
+        with:
+          persist-credentials: false
+          ref: v1.3.1
+      - name: Install Golang
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 - https://github.com/actions/setup-go/releases/tag/v5.5.0
+        with:
+          go-version: "1.25"
+      - name: Build the database (this takes some time)
+        run: |
+          # will fetch the latest build database from ghcr.io
+          go run ./cmd/devguard-cli/main.go vulndb sync
+
+      - name: Dump the PostgreSQL database
+        if: ${{ github.event.inputs.run_generate_snapshot == 'true' }}
+        # skip:checkov:CKV_SECRET_6
+        run: |
+          PGPASSWORD=${{env.POSTGRES_PASSWORD}} psql -h localhost -U devguard devguard -c "COPY (SELECT * FROM affected_components) TO STDOUT WITH DELIMITER ',' CSV HEADER" > affected_components.csv 
+          PGPASSWORD=${{env.POSTGRES_PASSWORD}} psql -h localhost -U devguard devguard -c "COPY (SELECT * FROM cve_affected_component) TO STDOUT WITH DELIMITER ',' CSV HEADER" > cve_affected_component.csv 
+          PGPASSWORD=${{env.POSTGRES_PASSWORD}} psql -h localhost -U devguard devguard -c "COPY (SELECT * FROM cves) TO STDOUT WITH DELIMITER ',' CSV HEADER" > cves.csv 
+          PGPASSWORD=${{env.POSTGRES_PASSWORD}} psql -h localhost -U devguard devguard -c "COPY (SELECT * FROM cwes) TO STDOUT WITH DELIMITER ',' CSV HEADER" > cwes.csv 
+          PGPASSWORD=${{env.POSTGRES_PASSWORD}} psql -h localhost -U devguard devguard -c "COPY (SELECT * FROM exploits) TO STDOUT WITH DELIMITER ',' CSV HEADER" > exploits.csv 
+          PGPASSWORD=${{env.POSTGRES_PASSWORD}} psql -h localhost -U devguard devguard -c "COPY (SELECT * FROM malicious_packages) TO STDOUT WITH DELIMITER ',' CSV HEADER" > malicious_packages.csv 
+          PGPASSWORD=${{env.POSTGRES_PASSWORD}} psql -h localhost -U devguard devguard -c "COPY (SELECT * FROM malicious_affected_components) TO STDOUT WITH DELIMITER ',' CSV HEADER" > malicious_affected_components.csv 
+          # PGPASSWORD=${{env.POSTGRES_PASSWORD}} psql -h localhost -U devguard devguard -c "COPY (SELECT * FROM weaknesses) TO STDOUT WITH DELIMITER ',' CSV HEADER" > weaknesses.csv
+          PGPASSWORD=${{env.POSTGRES_PASSWORD}} psql -h localhost -U devguard devguard -c "COPY (SELECT * FROM cve_relationships) TO STDOUT WITH DELIMITER ',' CSV HEADER" > cve_relationships.csv
+      - name: Export the diff csv files (this does not take some time)
+        if: ${{ github.event.inputs.run_generate_snapshot == 'false' || github.event.inputs.run_generate_snapshot == '' }}
+        run: |
+          # writes the difference from the db before and after the sync into csv files
+          go run ./cmd/devguard-cli/main.go vulndb export
+
+      - name: install zip
+        run: sudo apt-get install zip
+
+      - name: Zip the CSV files
+        if: ${{ github.event.inputs.run_generate_snapshot == 'true' }}
+        run: zip vulndb.zip affected_components.csv  cve_affected_component.csv cves.csv cwes.csv exploits.csv malicious_packages.csv malicious_affected_components.csv cve_relationships.csv
+      - name: Zip the CSV files
+        if: ${{  github.event.inputs.run_generate_snapshot == 'false' || github.event.inputs.run_generate_snapshot == '' }}
+        run: zip -r vulndb.zip diffs-tmp
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
+        with:
+          cosign-release: "v2.6.1"
+
+      - name: Write signing key to disk
+        run: echo "${{ secrets.COSIGN_PRIVATE_KEY }}" > cosign.key
+
+      - name: Sign the database zip file
+        env:
+          COSIGN_PASSWORD: ""
+        run: cosign import-key-pair --key cosign.key && cosign sign-blob --yes --key import-cosign.key vulndb.zip > vulndb.zip.sig
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Setup oras cli
+        uses: oras-project/setup-oras@22ce207df3b08e061f537244349aac6ae1d214f6 # v1
+
+      - name: set the date
+        run: echo "date="${{env.DATE}} >> "$GITHUB_ENV"
+
+      - name: Push the database ZIP file to GitHub Container Registry (vulndb/v1)
+        if: ${{  github.event.inputs.run_generate_snapshot == 'false' || github.event.inputs.run_generate_snapshot == '' }}
+        run: |
+          oras push ghcr.io/l3montree-dev/devguard/vulndb/v1:$date vulndb.zip
+
+      - name: Push the database ZIP file to GitHub Container Registry (snapshot)
+        if: ${{ github.event.inputs.run_generate_snapshot == 'true' }}
+        run: |
+          oras push ghcr.io/l3montree-dev/devguard/vulndb/v1:$date-snapshot vulndb.zip
+      - name: Push the signatures to the GitHub Container Registry
+        if: ${{  github.event.inputs.run_generate_snapshot == 'false' || github.event.inputs.run_generate_snapshot == '' }}
+        run: |
+          oras push ghcr.io/l3montree-dev/devguard/vulndb/v1:$date.sig vulndb.zip.sig
+      - name: Push the signatures to the GitHub Container Registry (snapshot)
+        if: ${{ github.event.inputs.run_generate_snapshot == 'true' }}
+        run: |
+          oras push ghcr.io/l3montree-dev/devguard/vulndb/v1:$date-snapshot.sig vulndb.zip.sig

.github/workflows/vulndb.yaml

@@ -2,13 +2,8 @@ name: VulnDB Workflow
 
 on:
   workflow_dispatch:
-    inputs:
-      run_generate_snapshot:
-        description: "Run generate snapshot job"
-        required: false
-        default: "false"
   schedule:
-    - cron: "0 */6 * * *" # every hour
+    - cron: "0 */1 * * *"
 
 permissions:
   contents: read
@@ -19,7 +14,6 @@ env:
   POSTGRES_USER: devguard
   POSTGRES_HOST: localhost
   POSTGRES_PASSWORD: not_reachable_from_the_internet
-  DATE: $(date +%s)
 
 jobs:
   build:
@@ -28,14 +22,14 @@ jobs:
       FRONTEND_URL: "doesntmatter"
     services:
       postgres:
-        image: ghcr.io/l3montree-dev/devguard-postgresql:v0.5.3@sha256:a06c9e7c8ee334790cc66d52e89ff5ef05352ab264841d3d9f3659c046732251
+        image: ghcr.io/l3montree-dev/devguard/postgresql:v1.3.1
         env:
           POSTGRES_DB: ${{env.POSTGRES_DB}}
           POSTGRES_USER: ${{env.POSTGRES_USER}}
           POSTGRES_PASSWORD: ${{env.POSTGRES_PASSWORD}}
         ports:
           - 5432:5432
-        options: '--health-cmd="pg_isready -U devguard"  --health-interval=10s  --health-timeout=5s  --health-retries=5 '
+        options: '--health-cmd="pg_isready -U devguard" --health-interval=10s --health-timeout=5s --health-retries=5 --tmpfs /docker-entrypoint-initdb.d --tmpfs /run/postgresql'
     steps:
       - name: Install postgresql client
         run: |
@@ -56,39 +50,11 @@ jobs:
         uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 - https://github.com/actions/setup-go/releases/tag/v5.5.0
         with:
           go-version: "1.25"
-      - name: Build the database (this takes some time)
+      - name: Export the vulnerability database archive
         run: |
-          # will fetch the latest build database from ghcr.io
-          go run ./cmd/devguard-cli/main.go vulndb sync
-
-      - name: Dump the PostgreSQL database
-        if: ${{ github.event.inputs.run_generate_snapshot == 'true' }}
-        # skip:checkov:CKV_SECRET_6
-        run: |
-          PGPASSWORD=${{env.POSTGRES_PASSWORD}} psql -h localhost -U devguard devguard -c "COPY (SELECT * FROM affected_components) TO STDOUT WITH DELIMITER ',' CSV HEADER" > affected_components.csv 
-          PGPASSWORD=${{env.POSTGRES_PASSWORD}} psql -h localhost -U devguard devguard -c "COPY (SELECT * FROM cve_affected_component) TO STDOUT WITH DELIMITER ',' CSV HEADER" > cve_affected_component.csv 
-          PGPASSWORD=${{env.POSTGRES_PASSWORD}} psql -h localhost -U devguard devguard -c "COPY (SELECT * FROM cves) TO STDOUT WITH DELIMITER ',' CSV HEADER" > cves.csv 
-          PGPASSWORD=${{env.POSTGRES_PASSWORD}} psql -h localhost -U devguard devguard -c "COPY (SELECT * FROM cwes) TO STDOUT WITH DELIMITER ',' CSV HEADER" > cwes.csv 
-          PGPASSWORD=${{env.POSTGRES_PASSWORD}} psql -h localhost -U devguard devguard -c "COPY (SELECT * FROM exploits) TO STDOUT WITH DELIMITER ',' CSV HEADER" > exploits.csv 
-          PGPASSWORD=${{env.POSTGRES_PASSWORD}} psql -h localhost -U devguard devguard -c "COPY (SELECT * FROM malicious_packages) TO STDOUT WITH DELIMITER ',' CSV HEADER" > malicious_packages.csv 
-          PGPASSWORD=${{env.POSTGRES_PASSWORD}} psql -h localhost -U devguard devguard -c "COPY (SELECT * FROM malicious_affected_components) TO STDOUT WITH DELIMITER ',' CSV HEADER" > malicious_affected_components.csv 
-          # PGPASSWORD=${{env.POSTGRES_PASSWORD}} psql -h localhost -U devguard devguard -c "COPY (SELECT * FROM weaknesses) TO STDOUT WITH DELIMITER ',' CSV HEADER" > weaknesses.csv
-          PGPASSWORD=${{env.POSTGRES_PASSWORD}} psql -h localhost -U devguard devguard -c "COPY (SELECT * FROM cve_relationships) TO STDOUT WITH DELIMITER ',' CSV HEADER" > cve_relationships.csv
-      - name: Export the diff csv files (this does not take some time)
-        if: ${{ github.event.inputs.run_generate_snapshot == 'false' || github.event.inputs.run_generate_snapshot == '' }}
-        run: |
-          # writes the difference from the db before and after the sync into csv files
+          # writes the database snapshot files and bundles them into a single tar.zst archive
           go run ./cmd/devguard-cli/main.go vulndb export
 
-      - name: install zip
-        run: sudo apt-get install zip
-
-      - name: Zip the CSV files
-        if: ${{ github.event.inputs.run_generate_snapshot == 'true' }}
-        run: zip vulndb.zip affected_components.csv  cve_affected_component.csv cves.csv cwes.csv exploits.csv malicious_packages.csv malicious_affected_components.csv cve_relationships.csv
-      - name: Zip the CSV files
-        if: ${{  github.event.inputs.run_generate_snapshot == 'false' || github.event.inputs.run_generate_snapshot == '' }}
-        run: zip -r vulndb.zip diffs-tmp
       - name: Install Cosign
         uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
         with:
@@ -97,10 +63,12 @@ jobs:
       - name: Write signing key to disk
         run: echo "${{ secrets.COSIGN_PRIVATE_KEY }}" > cosign.key
 
-      - name: Sign the database zip file
+      - name: Sign the database archive
         env:
           COSIGN_PASSWORD: ""
-        run: cosign import-key-pair --key cosign.key && cosign sign-blob --yes --key import-cosign.key vulndb.zip > vulndb.zip.sig
+        run: |
+          cosign import-key-pair --key cosign.key
+          cosign sign-blob --yes --key import-cosign.key vulndb.tar.zst > vulndb.tar.zst.sig
       - name: Login to GitHub Container Registry
         uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
         with:
@@ -110,23 +78,11 @@ jobs:
       - name: Setup oras cli
         uses: oras-project/setup-oras@22ce207df3b08e061f537244349aac6ae1d214f6 # v1
 
-      - name: set the date
-        run: echo "date="${{env.DATE}} >> "$GITHUB_ENV"
-
-      - name: Push the database ZIP file to GitHub Container Registry (vulndb/v1)
-        if: ${{  github.event.inputs.run_generate_snapshot == 'false' || github.event.inputs.run_generate_snapshot == '' }}
-        run: |
-          oras push ghcr.io/l3montree-dev/devguard/vulndb/v1:$date vulndb.zip
-
-      - name: Push the database ZIP file to GitHub Container Registry (snapshot)
-        if: ${{ github.event.inputs.run_generate_snapshot == 'true' }}
-        run: |
-          oras push ghcr.io/l3montree-dev/devguard/vulndb/v1:$date-snapshot vulndb.zip
-      - name: Push the signatures to the GitHub Container Registry
-        if: ${{  github.event.inputs.run_generate_snapshot == 'false' || github.event.inputs.run_generate_snapshot == '' }}
+      - name: Push the database archive to GitHub Container Registry
         run: |
-          oras push ghcr.io/l3montree-dev/devguard/vulndb/v1:$date.sig vulndb.zip.sig
-      - name: Push the signatures to the GitHub Container Registry (snapshot)
-        if: ${{ github.event.inputs.run_generate_snapshot == 'true' }}
+          oras push ghcr.io/l3montree-dev/devguard/vulndb/v2:latest \
+            vulndb.tar.zst
+      - name: Push the archive signature to the GitHub Container Registry
         run: |
-          oras push ghcr.io/l3montree-dev/devguard/vulndb/v1:$date-snapshot.sig vulndb.zip.sig
+          oras push ghcr.io/l3montree-dev/devguard/vulndb/v2:latest.sig \
+            vulndb.tar.zst.sig

.vscode/launch.json

@@ -42,16 +42,16 @@
             "program": "${workspaceRoot}/cmd/devguard/main.go",
             "args": [],
         },
-    {
-        "name": "Launch DepTreeWalk",
-        "type": "go",
-        "request": "launch",
-        "cwd": "${workspaceRoot}",
-        "mode": "auto",
-        "program": "${workspaceRoot}/cmd/devguard-cli/test",
-        "args": [
-        ],
-    },
+        {
+            "name": "Launch DepTreeWalk",
+            "type": "go",
+            "request": "launch",
+            "cwd": "${workspaceRoot}",
+            "mode": "auto",
+            "program": "${workspaceRoot}/cmd/devguard-cli/test",
+            "args": [
+            ],
+        },
         {
             "name": "Launch Policy eval",
             "type": "go",
@@ -105,6 +105,30 @@
                 "epss"
             ]
         },
+        {
+            "name": "VulnDB Import",
+            "type": "go",
+            "request": "launch",
+            "cwd": "${workspaceRoot}",
+            "mode": "auto",
+            "program": "${workspaceRoot}/cmd/devguard-cli/main.go",
+            "args": [
+                "vulndb",
+                "import"
+            ]
+        },
+         {
+            "name": "VulnDB ExportRC",
+            "type": "go",
+            "request": "launch",
+            "cwd": "${workspaceRoot}",
+            "mode": "auto",
+            "program": "${workspaceRoot}/cmd/devguard-cli/main.go",
+            "args": [
+                "vulndb",
+                "export"
+            ]
+        },
         {
             "name": "Scanner attestations",
             "type": "go",