fix: Add --update-only flag for database updates without scanning

Author: Gyan-max

cve_bin_tool/cli.py

@@ -486,6 +486,12 @@ def main(argv=None):
     )
 
     database_group = parser.add_argument_group("Database Management")
+    database_group.add_argument(
+        "--update-only",
+        action="store_true",
+        help="update the database without scanning any files or directories",
+        default=False,
+    )
     database_group.add_argument(
         "--import-json",
         action="store",
@@ -908,6 +914,11 @@ def main(argv=None):
                     "Consult the documentation at https://cve-bin-tool.readthedocs.io/en/latest/how_to_guides/offline.html to find out how to setup offline operation."
                 )
             return ERROR_CODES[CVEDBOutdatedSchema]
+    
+    # If running in update-only mode, exit now
+    if args.get("update_only", False):
+        LOGGER.info("Database update completed. Exiting without scanning.")
+        return 0
 
     # CVE Database validation
     if not cvedb_orig.check_cve_entries():
@@ -965,6 +976,22 @@ def main(argv=None):
             "Use -F --filter only when you want to filter out intermediate reports on the basis of tag"
         )
 
+    # Handle --update-only flag
+    if args.get("update_only", False):
+        LOGGER.info("Running in update-only mode")
+        # Force the update regardless of update setting
+        db_update = "now"
+        # Skip input validation
+        if (
+            not args["directory"]
+            and not args["input_file"]
+            and not args["package_list"]
+            and not args["merge"]
+            and not args["sbom_file"]
+            and not args["vex_file"]
+        ):
+            args["directory"] = ""  # Set a dummy value to pass validation
+    
     # Input validation
     if (
         not args["directory"]
@@ -1099,7 +1126,7 @@ def main(argv=None):
             LOGGER.info(f"Number of checkers: {version_scanner.number_of_checkers()}")
             version_scanner.print_checkers()
             LOGGER.debug(
-                "If the checkers aren’t loading properly: https://cve-bin-tool.readthedocs.io/en/latest/CONTRIBUTING.html#help-my-checkers-aren-t-loading"
+                "If the checkers aren't loading properly: https://cve-bin-tool.readthedocs.io/en/latest/CONTRIBUTING.html#help-my-checkers-aren-t-loading"
             )
             LOGGER.info(
                 f"Number of language checkers: {version_scanner.number_of_language_checkers()}"

doc/MANUAL.md

@@ -74,6 +74,9 @@
   - [Database Management](#database-management)
     - [--export EXPORT](#--export-export)
     - [--import IMPORT](#--import-import)
+    - [--update-only         update the database without scanning any files or directories](#--update-only-update-the-database-without-scanning-any-files-or-directories)
+    - [--import-json IMPORT_JSON](#--import-json-import_json)
+                            import database from json files chopped by years
   - [Deprecated Arguments](#deprecated-arguments)
     - [-x, --extract](#-x---extract)
     - [--report](#--report)
@@ -216,6 +219,11 @@ which is useful if you're trying the latest code from
       -r RUNS, --runs RUNS  comma-separated list of checkers to enable
 
     Database Management:
+      --export EXPORT
+                            make a copy of the database
+      --import IMPORT
+                            import a copy of the database
+      --update-only         update the database without scanning any files or directories
       --import-json IMPORT_JSON
                             import database from json files chopped by years
       --ignore-sig          do not verify PGP signature while importing json data
@@ -1487,6 +1495,14 @@ This option allows you to make a copy of the database. This is typically require
 
 This option allows you to import a copy of the database (typically created using the `--export` option). If the specified file does not exist, this operation has no effect.
 
+### --update-only         update the database without scanning any files or directories
+
+This option allows you to update the database without scanning any files or directories. This is useful when you want to update the database without running any scans.
+
+### --import-json IMPORT_JSON
+
+This option allows you to import a copy of the database from JSON files chopped by years. This is useful when you want to import a pre-existing database from JSON files.
+
 ## Deprecated Arguments
 
 ### -x, --extract

doc/how_to_guides/multiple_scans_at_once.md

@@ -13,6 +13,12 @@ To update (without scanning) you can use the following command:
 cve-bin-tool -u now
 ```
 
+Alternatively, you can use the dedicated update-only flag:
+
+```
+cve-bin-tool --update-only
+```
+
 We recommend once per day, but this can be more frequently or less frequently depending on your needs.  Ideally, you want to be sure this completes before you kick off any other scans, so that you aren't checking against a partial database.
 
 ## Step 2: Scan

test/test_cli.py

@@ -275,6 +275,28 @@ def test_update(self, caplog):
         ) in caplog.record_tuples
         caplog.clear()
 
+    @pytest.mark.skipif(not LONG_TESTS(), reason="Update-only flag tests are long tests")
+    def test_update_only(self, caplog):
+        """Test the --update-only flag"""
+        with caplog.at_level(logging.INFO):
+            main(["cve-bin-tool", "--update-only"])
+        
+        # Check that we see the update-only mode message
+        assert (
+            "cve_bin_tool",
+            logging.INFO,
+            "Running in update-only mode",
+        ) in caplog.record_tuples
+        
+        # Check that we see the completion message
+        assert (
+            "cve_bin_tool",
+            logging.INFO,
+            "Database update completed. Exiting without scanning.",
+        ) in caplog.record_tuples
+        
+        caplog.clear()
+
     def test_unknown_warning(self, caplog):
         """Test that an "UNKNOWN" file generates a log (only in debug mode)"""