l3montree-dev · Hubtrick-Git · Jun 19, 2026 · Jun 22, 2026 · Jun 22, 2026 · Jun 22, 2026
diff --git a/.github/workflows/vulndb-1.7.3.yaml b/.github/workflows/vulndb-1.7.3.yaml
@@ -0,0 +1,89 @@
+name: VulnDB Workflow v2 (DevGuard v1.7.3)
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: "0 */1 * * *"
+
+permissions:
+  contents: read
+  packages: write
+
+env:
+  POSTGRES_DB: devguard
+  POSTGRES_USER: devguard
+  POSTGRES_HOST: localhost
+  POSTGRES_PASSWORD: not_reachable_from_the_internet
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    env:
+      FRONTEND_URL: "doesntmatter"
+    services:
+      postgres:
+        image: ghcr.io/l3montree-dev/devguard/postgresql:v1.3.1
+        env:
+          POSTGRES_DB: ${{env.POSTGRES_DB}}
+          POSTGRES_USER: ${{env.POSTGRES_USER}}
+          POSTGRES_PASSWORD: ${{env.POSTGRES_PASSWORD}}
+        ports:
+          - 5432:5432
+        options: '--health-cmd="pg_isready -U devguard" --health-interval=10s --health-timeout=5s --health-retries=5 --tmpfs /docker-entrypoint-initdb.d --tmpfs /run/postgresql'
+    steps:
+      - name: Install postgresql client
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y wget
+          wget --quiet -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | sudo apt-key add -
+          echo "deb http://apt.postgresql.org/pub/repos/apt/ $(lsb_release -cs)-pgdg main" | sudo tee /etc/apt/sources.list.d/pgdg.list
+          sudo apt-get update
+          sudo apt-get install -y postgresql-client-16
+      - name: Create semver extension
+        run: |
+          PGPASSWORD=${{env.POSTGRES_PASSWORD}} psql -h localhost -U devguard devguard -c "CREATE EXTENSION IF NOT EXISTS semver;"
+      - name: Checkout code
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 - https://github.com/actions/checkout/releases/tag/v5.0.0
+        with:
+          persist-credentials: false
+          ref: v1.7.3 # latest stable version for vulndb v2
+      - name: Install Golang
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 - https://github.com/actions/setup-go/releases/tag/v5.5.0
+        with:
+          go-version: "1.25"
+      - name: Export the vulnerability database archive
+        run: |
+          # writes the database snapshot files and bundles them into a single tar.zst archive
+          go run ./cmd/devguard-cli/main.go vulndb export --diffToPrevious
+
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
+        with:
+          cosign-release: "v2.6.1"
+
+      - name: Write signing key to disk
+        run: echo "${{ secrets.COSIGN_PRIVATE_KEY }}" > cosign.key
+
+      - name: Sign the database archive
+        env:
+          COSIGN_PASSWORD: ""
+        run: |
+          cosign import-key-pair --key cosign.key
+          cosign sign-blob --yes --key import-cosign.key vulndb.tar.zst > vulndb.tar.zst.sig
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Setup oras cli
+        uses: oras-project/setup-oras@22ce207df3b08e061f537244349aac6ae1d214f6 # v1
+
+      - name: Push the database archive to GitHub Container Registry
+        run: |
+          oras push ghcr.io/l3montree-dev/devguard/vulndb/v2:latest \
+            vulndb.tar.zst
+      - name: Push the archive signature to the GitHub Container Registry
+        run: |
+          oras push ghcr.io/l3montree-dev/devguard/vulndb/v2:latest.sig \
+            vulndb.tar.zst.sig
diff --git a/.github/workflows/vulndb.yaml b/.github/workflows/vulndb.yaml
@@ -80,9 +80,9 @@ jobs:
 
       - name: Push the database archive to GitHub Container Registry
         run: |
-          oras push ghcr.io/l3montree-dev/devguard/vulndb/v2:latest \
+          oras push ghcr.io/l3montree-dev/devguard/vulndb/v3:latest \
             vulndb.tar.zst
       - name: Push the archive signature to the GitHub Container Registry
         run: |
-          oras push ghcr.io/l3montree-dev/devguard/vulndb/v2:latest.sig \
+          oras push ghcr.io/l3montree-dev/devguard/vulndb/v3:latest.sig \
             vulndb.tar.zst.sig
diff --git a/.vscode/launch.json b/.vscode/launch.json
@@ -115,7 +115,20 @@
             "program": "${workspaceRoot}/cmd/devguard-cli/main.go",
             "args": [
                 "vulndb",
-                "import"
+                "import",
+            ]
+        },
+        {
+            "name": "VulnDB Local Import",
+            "type": "go",
+            "request": "launch",
+            "cwd": "${workspaceRoot}",
+            "mode": "auto",
+            "program": "${workspaceRoot}/cmd/devguard-cli/main.go",
+            "args": [
+                "vulndb",
+                "import",
+                "--localArchive",
             ]
         },
                 {

diff --git a/database/migrations/20260622103622_add-euvd-kev-information-to-cves.up.sql b/database/migrations/20260622103622_add-euvd-kev-information-to-cves.up.sql
@@ -0,0 +1 @@
+ALTER TABLE public.cves ADD COLUMN euvd_exploit_add date;
diff --git a/database/models/cve_model.go b/database/models/cve_model.go
@@ -48,6 +48,7 @@ type CVE struct {
 	Risk                  dtos.RiskMetrics    `json:"risk" gorm:"-" cve:"risk"`
 	Exploits              []Exploit           `json:"exploits" gorm:"foreignKey:CVEID;references:CVE;"`
 	Relationships         []CVERelationship   `json:"relationships" gorm:"foreignKey:SourceCVE;references:CVE;constraint:OnDelete:CASCADE;" cve:"relationships"`
+	EUVDExploitAdd        *datatypes.Date     `json:"euvdExploitAdd" gorm:"type:date"`
 }
 
 type Weakness struct {

diff --git a/database/models/cve_relationship_model.go b/database/models/cve_relationship_model.go
@@ -4,8 +4,8 @@ import "github.com/l3montree-dev/devguard/dtos"
 
 // CVERelationship stores source/target/type — TargetCVE is a plain string, not a DB FK constraint.
 type CVERelationship struct {
-	SourceCVE        string                `json:"source_cve" gorm:"type:text;primaryKey"`
-	TargetCVE        string                `json:"target_cve" gorm:"type:text;primaryKey"`
+	SourceCVE        string                `json:"source_cve" gorm:"type:text;primaryKey"` // an external CVE-ID (like DEBIAN-CVE-...)
+	TargetCVE        string                `json:"target_cve" gorm:"type:text;primaryKey"` // the official CVE-XXXX-...  the external CVE-ID relates to
 	RelationshipType dtos.RelationshipType `json:"relationship_type" gorm:"type:text;primaryKey"`
 	// TargetCVEData is populated by GORM nested preload. It is nil when the target
 	// CVE does not exist in this database — no DB-level FK constraint is added.

diff --git a/database/repositories/cve_repository.go b/database/repositories/cve_repository.go
@@ -258,40 +258,3 @@ func (g *cveRepository) UpdateEpssBatch(ctx context.Context, tx *gorm.DB, batch
 	// avoid slow sql log
 	return g.GetDB(ctx, tx).Exec(sql, ids, epss, percentiles).Error
 }
-
-// this function is used by the CISA KEV mirror function to update the KEV information for all cves
-func (g *cveRepository) UpdateCISAKEVBatch(ctx context.Context, tx *gorm.DB, batch []models.CVE) error {
-	ids := make([]string, len(batch))
-	exploitAdds := make([]any, len(batch))
-	actionDues := make([]any, len(batch))
-	requiredActions := make([]string, len(batch))
-	vulnNames := make([]string, len(batch))
-
-	for i := range batch {
-		ids[i] = batch[i].CVE
-		if batch[i].CISAExploitAdd != nil {
-			exploitAdds[i] = time.Time(*batch[i].CISAExploitAdd).Format("2006-01-02")
-		}
-		if batch[i].CISAActionDue != nil {
-			actionDues[i] = time.Time(*batch[i].CISAActionDue).Format("2006-01-02")
-		}
-		requiredActions[i] = *batch[i].CISARequiredAction
-		vulnNames[i] = *batch[i].CISAVulnerabilityName
-	}
-
-	sql := `UPDATE cves SET
-		cisa_exploit_add = new.cisa_exploit_add::date,
-		cisa_action_due = new.cisa_action_due::date,
-		cisa_required_action = new.cisa_required_action,
-		cisa_vulnerability_name = new.cisa_vulnerability_name
-	FROM (SELECT
-		unnest($1::text[]) as cve,
-		unnest($2::text[]) as cisa_exploit_add,
-		unnest($3::text[]) as cisa_action_due,
-		unnest($4::text[]) as cisa_required_action,
-		unnest($5::text[]) as cisa_vulnerability_name
-	) as new
-	WHERE cves.cve = new.cve;`
-
-	return g.GetDB(ctx, tx).Session(&gorm.Session{Logger: logger.Default.LogMode(logger.Silent)}).Exec(sql, ids, exploitAdds, actionDues, requiredActions, vulnNames).Error
-}
diff --git a/dtos/cve_relationship_dto.go b/dtos/cve_relationship_dto.go
@@ -6,6 +6,7 @@ const (
 	RelationshipTypeAlias    RelationshipType = "alias"
 	RelationshipTypeUpstream RelationshipType = "upstream"
 	RelationshipTypeRelated  RelationshipType = "related"
+	RelationshipTypeEUVD     RelationshipType = "euvd" // flag relationships only imported through euvd explicitly
 )
 
 // CVERelationshipDTO is the API response shape.

diff --git a/dtos/dependency_vuln_dto.go b/dtos/dependency_vuln_dto.go
@@ -56,6 +56,7 @@ type CVEDTO struct {
 	Risk                  RiskMetrics       `json:"risk"`
 	Exploits              []ExploitDTO      `json:"exploits"`
 	Relationships         []RelationshipDTO `json:"relationships"`
+	EUVDExploitAdd        *datatypes.Date   `json:"euvdExploitAdd" format:"date"`
 }
 
 type VulnState string

diff --git a/mocks/mock_APIStatsCollector.go b/mocks/mock_APIStatsCollector.go
diff --git a/mocks/mock_HTTPDoer.go b/mocks/mock_HTTPDoer.go
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		ALTER TABLE public.cves ADD COLUMN euvd_exploit_add date;