
Simplify and document process for determining whether a particular CVE is in trivy-db-glad

Proposal

The process provided for checking whether a particular CVE is in trivy-db-glad is complicated and not documented. This feature proposal suggests:

  • simplifying the process
  • documenting the simplified process

When complete, we should be able to provide customers with a (relatively) simple set of instructions/commands they can use to answer the question: is a particular CVE in trivy-db-glad?

The Process

As we understand it today, the process to use is what was suggested by @adamcohen (thank you, Adam!).

docker run -it --rm -w /src golang:latest bash

# The remaining commands are run inside the container started above.
# Install oras so we can pull the database artifact from the GitLab registry.
VERSION="1.0.0"
curl -LO "https://github.com/oras-project/oras/releases/download/v${VERSION}/oras_${VERSION}_linux_amd64.tar.gz"
mkdir -p oras-install/
tar -zxf oras_${VERSION}_*.tar.gz -C oras-install/
mv oras-install/oras /usr/local/bin/
rm -rf oras_${VERSION}_*.tar.gz oras-install/

# Pull trivy-db-glad (schema tag 2) and unpack trivy.db into the working directory.
oras pull registry.gitlab.com/gitlab-org/security-products/dependencies/trivy-db-glad:2
tar -xzf db.tar.gz

# Quoted delimiter so the shell does not expand anything inside the Go source.
cat << 'EOF' > main.go
package main

import (
	"fmt"
	"log"
	"time"

	bolt "go.etcd.io/bbolt"
)

// findAdvisories opens trivy.db read-only and reports which of the given
// advisory IDs exist as keys in the "vulnerability" bucket.
func findAdvisories(advisories []string) {
	db, err := bolt.Open("trivy.db", 0600, &bolt.Options{Timeout: 1 * time.Second, ReadOnly: true})
	if err != nil {
		log.Fatal(err)
	}
	defer db.Close()

	err = db.View(func(tx *bolt.Tx) error {
		b := tx.Bucket([]byte("vulnerability"))
		if b == nil {
			return fmt.Errorf("bucket %q not found; is trivy.db in the current directory?", "vulnerability")
		}
		numFound := 0

		for _, advisory := range advisories {
			// Keys are matched byte-for-byte, so the ID must be exact (no stray whitespace).
			v := b.Get([]byte(advisory))

			if v == nil {
				fmt.Printf("Advisory %s was not found\n", advisory)
			} else {
				numFound++
				fmt.Printf("\nAdvisory %s was found with value:\n%s\n", advisory, v)
			}
		}

		fmt.Printf("\nFound %d advisories out of %d\n", numFound, len(advisories))
		return nil
	})
	if err != nil {
		log.Fatal(err)
	}
}

func main() {
	findAdvisories([]string{"CVE-2014-6271", "CVE-2014-7169"})
}
EOF

go mod init example.com/m
go mod tidy

go run .

Advisory CVE-2014-6271 was found with value:
Advisory CVE-2014-7169 was found with value:


Found 2 advisories out of 2
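As an added example (not code from this issue or from the trivy-db-glad-cve-finder project), the same lookup with the two failure modes a practitioner actually hits handled: an ID that differs only by whitespace or case is normalised before the byte-exact bolt lookup, and a stored value is decoded into the fields worth reporting instead of being dumped raw. The bbolt call sits behind a Getter so the block runs offline against a constructed map; the Record field names are an assumption based on trivy-db's types.Vulnerability JSON encoding, and the sample values are made up.

```go
package main

import (
	"encoding/json"
	"strings"
)

// Record: subset of a "vulnerability" value (field names assumed to follow
// trivy-db's types.Vulnerability JSON encoding; other fields are ignored).
type Record struct {
	Title    string   `json:"Title"`
	Severity string   `json:"Severity"`
	CweIDs   []string `json:"CweIDs"`
}
// Result of one lookup: Record is nil when the key is absent (Found=false)
// or when the stored value does not decode (Found=true, Err set).
type Result struct {
	ID     string
	Found  bool
	Record *Record
	Err    error
}
// Getter stands in for (*bolt.Bucket).Get; on a real bucket use func(k []byte) []byte { return b.Get(k) }.
type Getter func(key []byte) []byte

// NormalizeCVE trims whitespace and upper-cases; bolt keys match byte-for-byte, so "CVE-2014-6271 " would never hit.
func NormalizeCVE(id string) string { return strings.ToUpper(strings.TrimSpace(id)) }

// FindAdvisories looks up each id through get and decodes whatever it finds.
func FindAdvisories(get Getter, ids []string) []Result {
	out := make([]Result, 0, len(ids))
	for _, raw := range ids {
		r := Result{ID: NormalizeCVE(raw)}
		if v := get([]byte(r.ID)); v != nil {
			r.Found = true
			rec := &Record{}
			if r.Err = json.Unmarshal(v, rec); r.Err == nil {
				r.Record = rec
			}
		}
		out = append(out, r)
	}
	return out
}

// SampleBucket is a constructed stand-in for the bucket (values are made up).
var SampleBucket = map[string][]byte{
	"CVE-2014-6271": []byte(`{"Title":"bash: code injection via crafted environment variables","Severity":"CRITICAL","CweIDs":["CWE-78"]}`),
	"CVE-2014-7169": []byte(`not json`),
}
// MapGetter adapts SampleBucket (or any map) to Getter for offline use.
func MapGetter(m map[string][]byte) Getter { return func(k []byte) []byte { return m[string(k)] } }
```

Call FindAdvisories(MapGetter(SampleBucket), ids) to exercise it offline; against the real database, pass a Getter closing over the "vulnerability" bucket inside db.View.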

Implementation Plan

  1. Create a command-line tool to allow looking up vulnerabilities in trivy-db-glad based on their CVE value:

    https://gitlab.com/adamcohen/trivy-db-glad-cve-finder

  2. Document how to use the tool:

    See Using the Docker image for details.
