Warning
This project is no longer maintained and should not be used. This tool has been replaced by functionality in wolfictl (see docs and code).
Tool for generating Wolfi security databases
To create a security database for a given project, you can do something like:
$ wolfi-secdb generate ./path/to/source-repo \
--base-url https://packages.wolfi.dev/... \
--output-filename security/your-repo-name.json \
--repo-name your-repo-nameFor the Wolfi distribution, there is a GitHub action located in chainguard-dev/actions.
Wolfi security databases are based on Alpine's security database format, presenting a serialized JSON graph.
The root of the graph has these fields:
-
urlprefix: The prefix for all URLs. In Wolfi itself, this ishttps://packages.wolfi.dev. -
apkurl: The pattern used to deduce the package URL. In Wolfi itself, this is{{urlprefix}}/{{reponame}}/{{arch}}/{{pkg.name}}-{{pkg.ver}}.apk -
reponame: The name of the repository, such asbootstrap/stage3. -
archs: The architectures for packages built in the repository. In Wolfi itself, this is presently[ "x86_64" ]. -
packages: A list of package objects which have security updates.
A package object is a JSON object which has a single pkg object
underneath it, which has the following fields:
-
name: The name of the package. -
secfixes: An object containing version identifiers and lists of well-known vulnerability identifiers fixed by the package version.
{
"urlprefix": "https://packages.wolfi.dev",
"apkurl": "{{urlprefix}}/{{reponame}}/{{arch}}/{{pkg.name}}-{{pkg.ver}}.apk",
"reponame": "example/repo",
"archs": ["x86_64"],
"packages": [
{
"pkg": {
"name": "foo",
"secfixes": {
"1.2.3-r1": [
"CVE-9999-99999"
]
}
}
}
]
}