Over the Air FOSSA Vulnerability Database Updates

FOSSA provides over-the-air (OTA) updates to on premise vulnerability databases. This documentation will describe how to access the feature.

API Keys

You will need a vulnerability Service API token ID and Secret. You can find details on how to receive them on this page.

Helm Chart

Within the on premise Helm chart values, there is a section as follows (in its default state):

# Configuration for Vulnerability Database OTA Updates
vulns:
  updater:
    enabled: false

    # URL of the FOSSA Vulns update service.
    host: https://vulns.fossa.com

    # These values are provided by FOSSA and authenticate your installation
    # to our update service.
    auth:
      id: ""
      secret: ""

Once you have the API key ID and secret provisioned, the updated values should look like this:

# Configuration for Vulnerability Database OTA Updates
vulns:
  updater:
    enabled: true # * this is updated from false -> true

    # URL of the FOSSA Vulns update service.
    host: https://vulns.fossa.com

    # These values are provided by FOSSA and authenticate your installation
    # to our update service.
    auth:
      id: "<provisioned key ID>" # this field should be the value of the provided key ID
      secret: "<provisioned key secret>"  # this field should be the value of the provided key secret

After the configuration is updated, you can apply the changes by running helm upgrade to ensure that the feature is turned on. Under the hood, this operates as a cron job, so it might not run immediately. The update should be applied within 24 hours of applying the updated helm charts.
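
One way to apply the settings above while keeping the key secret out of the main values file is to generate a short-lived override file and pass it as an extra `-f` argument. This is an added example, not FOSSA's own tooling; the environment variable names `FOSSA_VULNS_ID` and `FOSSA_VULNS_SECRET`, the function names, and the release, chart and base values file arguments are assumptions.

```shell
#!/bin/sh
# Added example. Assumption: the provisioned credentials are supplied in the
# FOSSA_VULNS_ID and FOSSA_VULNS_SECRET environment variables.

# Write an override file holding only the vulns.updater keys from the chart values.
# Usage: write_ota_overrides <output-file>
write_ota_overrides() {
    out=$1
    if [ -z "${FOSSA_VULNS_ID:-}" ] || [ -z "${FOSSA_VULNS_SECRET:-}" ]; then
        echo "FOSSA_VULNS_ID and FOSSA_VULNS_SECRET must be set" >&2
        return 1
    fi
    # Refuse characters that would break out of a double-quoted YAML scalar.
    case "$FOSSA_VULNS_ID$FOSSA_VULNS_SECRET" in
        *'"'*|*'\'*|*'
'*) echo "credentials contain unsupported characters" >&2; return 1 ;;
    esac
    (
        umask 077        # new file is readable by its owner only
        rm -f "$out"     # an existing file would keep its old permissions
        cat > "$out" <<EOF
vulns:
  updater:
    enabled: true
    host: https://vulns.fossa.com
    auth:
      id: "$FOSSA_VULNS_ID"
      secret: "$FOSSA_VULNS_SECRET"
EOF
    )
}

# Run helm upgrade with the base values plus the override, then delete the override.
# Usage: apply_ota_overrides <release> <chart> <base-values-file>  (all placeholders)
apply_ota_overrides() {
    tmp=$(mktemp) || return 1
    write_ota_overrides "$tmp" && helm upgrade "$1" "$2" -f "$3" -f "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}
```

Values in a later `-f` file take precedence over earlier ones, so the base values file can keep `enabled: false` and empty `auth` fields.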

Operation

The OTA feature will run in the background as a daily cronjob. No additional steps need be taken by the Organization with the on premise installation.

IP Space Whitelisting

For proper functionality on premise, if there is a firewall then the following IP spaces should be whitelisted (follow the links for more information on whitelisting these addresses).

Feature Access Restrictions

Access to this feature is subject to contractual agreements, and additional steps may be needed to have access to this feature authorized. Authorized usage of this data will be outlined within the contractual agreement with FOSSA.