On-Prem Vulnerability Database Updates
Keep your on-premises vulnerability database current with over-the-air updates from FOSSA's vulnerability feed.
Enterprise feature
Access to FOSSA's vulnerability feed is governed by your contract. Confirm with your FOSSA account team before enabling updates.
Overview
When FOSSA runs on-premises, its vulnerability database lives in your own environment. The over-the-air (OTA) updater keeps that database current by periodically pulling the latest data from FOSSA's vulnerability feed at vulns.fossa.com. This page explains how the updater works and how to enable and monitor it.
Warning
The updater authenticates to the feed with a Vulnerability Service API token (a token ID and secret), which is separate from your main FOSSA API token. See Vulnerability Service API Token Provisioning to request one.
How the updater works
- The updater runs inside your cluster as a Kubernetes CronJob (
onprem-vulns-updater). - It polls FOSSA's vulnerability feed once per hour, but only downloads a new snapshot when FOSSA has published new data, so most runs are no-ops. FOSSA publishes new data roughly daily.
- Enabling the updater also turns on the Security product in your installation and runs a vulnerability database migration as part of your next Helm upgrade.
- The updater only pulls vulnerability intelligence into your instance; your proprietary code and scan results never leave your network. See the Architecture Overview for how outbound connections are scoped.
Enabling OTA updates
- 1
Locate the vulns configuration
In your Helm values, the vulnerability updater is disabled by default:
YAMLvulns: # URL of the FOSSA Vulns update service. host: https://vulns.fossa.com # Provided by FOSSA to authenticate your installation to the update service. auth: id: "" secret: "" updater: enabled: false - 2
Add your credentials and enable the updater
Set
updater.enabledtotrueand fill in the token ID and secret provisioned by FOSSA:YAMLvulns: host: https://vulns.fossa.com auth: id: "<provisioned key ID>" secret: "<provisioned key secret>" updater: enabled: trueWarning
hostandauthsit directly undervulns:, not nested insideupdater:. The updater requiresvulns.auth.idandvulns.auth.secretto be set. - 3
Apply the change
Run
helm upgradeto apply the updated values. The updater runs on a schedule, so it may not run immediately, the first update typically lands within an hour.
Monitoring updates
Once enabled, the updater runs unattended; no further action is needed. To confirm updates are landing, check the status of the onprem-vulns-updater CronJob, or query the database for the time elapsed since the last successful update:
SELECT (now() - (SELECT "createdAt" FROM "VulnMigrations" ORDER BY id DESC LIMIT 1))-- example: 0 years 0 mons 0 days 4 hours 23 mins 9.114582 secsRequired network egress
If your cluster sits behind a firewall, allow outbound access to FOSSA's vulnerability feed and its file storage. See IP Space Allowlisting for the exact hosts and IP ranges.
FAQ
How often does the updater run? It polls hourly, but only downloads data when FOSSA has published a new snapshot, so you'll typically see roughly one new update per day.
Can I update vulnerabilities in an air-gapped environment? If your installation cannot reach vulns.fossa.com, you can pull the dataset manually instead. See Vulnerability Snapshot Downloads, and ask your FOSSA account team about an offline import path.
Do I need to enable anything else to use vulnerability data? No. Enabling the updater automatically turns on the Security product in your installation.