Automatically update OSV from CVE Services

[sethmlarson]

I got tired of updating OSV manually after CVEs are published or updated, so this will now automatically generate pull requests for OSV updates.

• Added a new GitHub Action
• Changed the import script to use CVE Services instead of the CVE GitHub dump due to latency, CVE services are updated in realtime so we can run this script manually after publishing advisories.

The question I had is how we want to handle our CVE services "bot" account, since it's read-only we wouldn't need an admin account. Wasn't sure if there was an email address we use for cases like this already (see [email protected])

Would also require creating a GitHub Action secret for the CVE API token. I ran the script locally and saw some expected changes to existing OSV records.

[ewdurbin]

The question I had is how we want to handle our CVE services "bot" account, since it's read-only we wouldn't need an admin account. Wasn't sure if there was an email address we use for cases like this already (see [email protected])

ideally we would integrate as a GitHub App, but that is a couple more hoops to jump through for a single use case.

[sethmlarson]

ideally we would integrate as a GitHub App, but that is a couple more hoops to jump through for a single use case.

Ah! The sentence on the CVE Services bot account was unclear. This would be an account on CVE Services, not on GitHub.

[sethmlarson]

@ewdurbin Alright, I've updated to the new bot account that I've created along with adding a repository secret for CVE_API_TOKEN.