Skip to main content Link Menu Expand (external link) Document Search Copy Copied

Import or update the vulnerability database with Swarm

This procedure describe how to update the vulnerability database of a Cyberwatch instance deployed in offline mode with Docker Swarm.

The vulnerability database can be updated from a web browser or from the command line. Browser-based import from a browser is suitable for occasional update of the vulnerability database, while command line import will be more suitable for frequent use as it can be automated.


The procedure for importing the vulnerability database requires:

  • a machine connected to the Internet;
  • valid credentials to access the Cyberwatch repository;
  • a Cyberwatch instance deployed in offline mode with Swarm.

From a web browser

This section describes how to retrieve and import the vulnerability database from a web browser. It is suitable for occasional use.

  1. Download the vulnerability database from URL The access is authenticated. The credentials are those sent by Cyberwatch.

  2. Log in to the web interface of your Cyberwatch instance with an Administrator account.

  3. Go to the admin overview.

  4. Click the “upload” button, near the “Security Database” title.

  5. Import the previously downloaded database file and click on “Update”.

  6. Import the vulnerability database file previously downloaded, then click on the ‘Update’ button.

From the command line

This section describes how to retrieve and import the vulnerability database from the command line. It is designed to be automated.

Download the database

  1. Export the Cyberwatch’s credentials (complete the commands):

     export CBW_USER=
     export CBW_PASSWORD=
  2. Download the vulnerability database:

    curl -u "$CBW_USER:$CBW_PASSWORD" \
       -sf \
  3. (Optional) Verify the integrity of the vulnerability database:

    1. Extract the archive:

    2. Download Cyberwatch’s public key:

      curl -o
    3. Compute the sha256sum of the database:

      head -c -1 cyberwatch.sig > signature
      head -c -1 cyberwatch.db | sha256sum | cut -f1 -d' '| tr -d '\n' > cyberwatch.db.sha256
    4. Verify the signature:

      openssl dgst -sha256 -verify -signature signature cyberwatch.db.sha256

      The output of this command must be Verified OK.

Import the archive in Cyberwatch

  1. Import the archive in the machine where Cyberwatch is deployed.

  2. Connect with SSH to the machine where Cyberwatch is deployed.

  3. Move the archive .zip to /var/lib/cyberwatch/security_database:

    mv /var/lib/cyberwatch/security_database
  4. Restart Cyberwatch:

    sudo cyberwatch restart
  5. Load the vulnerability database:

    sudo cyberwatch exec sidekiq security_database_import_task

Automate the import using a cron task

It is possible to automate the security database import using a scheduled cron task for example.

The cyberwatch executable allows to execute commands directly in our containers using the command cyberwatch exec. This command is equivalent to the command docker exec -it that can be used to execute a command on a container through an interactive shell.

However, this approach does not work for scripts executed from a crontab, cron not being able to use an interactive shell.

Default use of the cyberwatch exec command in a script called by cron will therefore have no effect.

The solution consists of calling the cyberwatch command in non-interactive mode. The database synchronization command could therefore be:

sudo exec_interactive=false cyberwatch exec sidekiq security_database_import_task

Setting up a cron task can be done using the following example, with sudoer rights:

# Open the crontab editor
sudo crontab -e

# To the end of the file, put the following line that launches the import task every day at 8 A.M.
0 8 * * * exec_interactive=false cyberwatch exec sidekiq security_database_import_task