diff --git a/.github/actions/spelling/allow.txt b/.github/actions/spelling/allow.txt
index f9a7672b1a..db0efeff51 100644
--- a/.github/actions/spelling/allow.txt
+++ b/.github/actions/spelling/allow.txt
@@ -473,6 +473,8 @@ p
pacman
palletsprojects
pango
+PASSPHRASE
+passphrase
patch
pcre
pcsc
@@ -483,6 +485,8 @@ pdftotext
pdxjohnny
peb
perl
+PGP
+pgp
php
picocom
pigz
@@ -503,6 +507,7 @@ procps
proftpd
protobuf
pspp
+PUBKEY
Purvanshsingh
putty
pybabel
diff --git a/README.md b/README.md
index aa2eedd8c8..b01a605df3 100644
--- a/README.md
+++ b/README.md
@@ -410,27 +410,27 @@ options:
skips checking for a new version
--disable-validation-check
skips checking xml files against schema
- --offline operate in offline mode
+ --offline operate in offline mode
--detailed add CVE description in csv or json report (no effect on console, html or pdf)
CVE Data Download:
Arguments related to data sources and Cache Configuration
- -n {api,api2,json-nvd,json-mirror}, --nvd {api,api2,json-nvd,json-mirror}
+ -n {api,api2,json,json-mirror,json-nvd}, --nvd {api,api2,json,json-mirror,json-nvd}
choose method for getting CVE lists from NVD
-u {now,daily,never,latest}, --update {now,daily,never,latest}
update schedule for data sources and exploits database (default: daily)
--nvd-api-key NVD_API_KEY
specify NVD API key (used to improve NVD rate limit)
- -d {NVD,OSV} [{NVD,OSV} ...], --disable-data-source {NVD,OSV} [{NVD,OSV} ...]
- comma-separated list of data sources (GAD, NVD, OSV, REDHAT) to disable (default: NONE)
+ -d DISABLE_DATA_SOURCE, --disable-data-source DISABLE_DATA_SOURCE
+ comma-separated list of data sources (CURL, EPSS, GAD, NVD, OSV, REDHAT, RSD) to disable (default: NONE)
--use-mirror USE_MIRROR
use an mirror to update the database
Input:
directory directory to scan
- -i INPUT_FILE, --input-file INPUT_FILE
+ -i INPUT_FILE, --input-file INPUT_FILE
provide input filename
--triage-input-file TRIAGE_INPUT_FILE
provide input filename for triage data
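Review bot: on the `-n`/`--nvd` line the choice list now includes `json` next to `json-mirror` and `json-nvd`, but the help is still only "choose method for getting CVE lists from NVD", so a reader cannot tell whether `json` is an alias for one of the other two or a separate method; please say which in the help string. On `-d`, replacing the choice list with the bare `DISABLE_DATA_SOURCE` metavar means the seven accepted names now appear only in the help sentence, so it is worth stating there what happens when an unrecognised name is passed. While this block is being touched, the context line "use an mirror to update the database" should read "use a mirror".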
@@ -455,15 +455,17 @@ Output:
update output format (default: console)
specify multiple output formats by using comma (',') as a separator
note: don't use spaces between comma (',') and the output formats.
+ --generate-config {yaml,toml,yaml,toml,toml,yaml}
+ generate config file for cve bin tool in toml and yaml formats.
-c CVSS, --cvss CVSS minimum CVSS score (as integer in range 0 to 10) to report (default: 0)
- --metrics
- check for metrics (e.g., EPSS) from found cves
- --epss-percentile
- minimum EPSS percentile of CVE range between 0 to 100 to report (input value can also be floating point) (default: 0)
- --epss-probability
- minimum EPSS probability of CVE range between 0 to 100 to report (input value can also be floating point) (default: 0)
-S {low,medium,high,critical}, --severity {low,medium,high,critical}
minimum CVE severity to report (default: low)
+ --metrics
+ check for metrics (e.g., EPSS) from found cves
+ --epss-percentile EPSS_PERCENTILE
+ minimum epss percentile of CVE range between 0 to 100 to report
+ --epss-probability EPSS_PROBABILITY
+ minimum epss probability of CVE range between 0 to 100 to report
--no-0-cve-report only produce report when CVEs are found
-A [-], --available-fix [-]
Lists available fixes of the package from Linux distribution
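Review bot: the `--generate-config` choice list renders as `{yaml,toml,yaml,toml,toml,yaml}`, which reads as six values with duplicates; it looks like choices that themselves contain a comma being joined with commas. Suggest giving the option an explicit metavar and spelling out the accepted values in the help text. The new `--epss-percentile` and `--epss-probability` help also drops the "(input value can also be floating point) (default: 0)" wording that the removed lines carried; if the behaviour has not changed, keep that text so the default and accepted type stay documented.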
@@ -495,6 +497,19 @@ Checkers:
-r RUNS, --runs RUNS comma-separated list of checkers to enable
Database Management:
+ --import-json IMPORT_JSON
+ import database from json files chopped by years
+ --ignore-sig do not verify PGP signature while importing json data
+ --log-signature-error
+ when the signature doesn't match log the error only instead of halting (UNSAFE)
+ --verify PGP_PUBKEY_PATH
+ verify PGP sign while importing json files
+ --export-json EXPORT_JSON
+ export database as json files chopped by years
+ --pgp-sign PGP_PRIVATE_KEY_PATH
+ sign exported json files with PGP
+ --passphrase PASSPHRASE
+ required passphrase for signing with PGP
--export EXPORT export database filename
--import IMPORT import database filename
@@ -503,9 +518,7 @@ Exploits:
Deprecated:
-x, --extract autoextract compressed files
- CVE Binary Tool autoextracts all compressed files by default now
--report Produces a report even if there are no CVE for the respective output format
- CVE Binary Tool produces report by default even if there are no CVEs
For further information about all of these options, please see [the CVE Binary Tool user manual](https://cve-bin-tool.readthedocs.io/en/latest/MANUAL.html).
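Review bot: removing the two explanatory lines under `Deprecated:` leaves `-x, --extract` and `--report` with descriptions that read like active options; the removed text ("autoextracts all compressed files by default now", "produces report by default even if there are no CVEs") was the only place telling users these behaviours are already the default. If this README block is regenerated from the tool's help output, put the explanation into the help strings so it survives regeneration; otherwise keep the two lines.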