Date: January 20, 2026
Issue: CVE Database card showed "Not Downloaded" with no clear action
- Static card showing "Not Downloaded"
- No visual indication of what to do
- Users confused about how to download
- Had to manually navigate to Settings
- Clickable card - Tapping opens Settings automatically
- Shows "Tap to Download" with download icon (⬇️)
- Color-coded:
  - 🟢 Green (statusLow) when database loaded
  - 🟠 Orange (statusHigh) when not downloaded
- Tooltip explains: "Click to download CVE database (~2GB, 10-20 min)"
- Checkmark icon (✓) when database is loaded
File: DashboardView.swift
Before:
```swift
StatCard(
    title: "CVE Database",
    value: cveDatabase.totalCVEs > 0 ? "\(cveDatabase.totalCVEs / 1000)k" : "Not Downloaded",
    icon: "doc.text.fill",
    color: ModernColors.accent
)
```
After:
```swift
Button {
    showSettings = true // Opens Settings sheet
} label: {
    StatCard(
        title: "CVE Database",
        value: cveDatabase.totalCVEs > 0 ? "\(cveDatabase.totalCVEs / 1000)k CVEs" : "Tap to Download",
        icon: cveDatabase.totalCVEs > 0 ? "checkmark.circle.fill" : "arrow.down.circle.fill",
        color: cveDatabase.totalCVEs > 0 ? ModernColors.statusLow : ModernColors.statusHigh
    )
}
.buttonStyle(.plain)
.help(cveDatabase.totalCVEs > 0 ? "CVE database loaded" : "Click to download CVE database (~2GB, 10-20 min)")
```
- Open Bastion app
- Click the "CVE Database" card on dashboard (shows "Tap to Download")
- Settings opens automatically
- Click "CVE Database" tab
- Click "Download CVE Database (~2GB)" button
- Wait 10-20 minutes for download to complete
- Open Bastion app
- Click Settings button (gear icon)
- Go to "CVE Database" tab
- Click "Download CVE Database (~2GB)"
- Size: ~2GB compressed
- Time: 10-20 minutes (depends on internet speed)
- Years: 2002 - Present (downloads all years)
- Source: NIST NVD (National Vulnerability Database)
- Format: JSON files, one per year
- Location: ~/Library/Application Support/Bastion/CVE/
The CVE download uses the NVD API 1.1, which was deprecated in 2021 and replaced with API 2.0.
Old API (what Bastion uses):
```swift
"https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-\(year).json.gz"
```
New API (requires API key):
```
https://services.nvd.nist.gov/rest/json/cves/2.0?pubStartDate=...&apiKey=YOUR_KEY
```
- Old API feeds may be unavailable
- Download might fail with 404 errors
- Need to migrate to API 2.0
If the NVD download fails:
- Use Manual CVE Data:
  - Download from: https://github.com/CVEProject/cvelistV5
  - Place JSON files in: ~/Library/Application Support/Bastion/CVE/
- Alternative CVE Sources:
  - Vulners API: https://vulners.com/api/v3/
  - CVE.org API: https://www.cve.org/AllResources/CveServices
  - Exploit-DB: https://www.exploit-db.com/
Migrate to NVD API 2.0:
Required changes to CVEDatabase.swift:
1. Get free API key from: https://nvd.nist.gov/developers/request-an-api-key
2. Update URL to use API 2.0 endpoint
3. Add API key to secure storage (Keychain)
4. Handle pagination (API 2.0 returns 2000 CVEs max per request)
5. Update JSON parsing for new format

Files to modify:
- Bastion/Security/CVEDatabase.swift (lines 56-83)
- Add API key settings to SettingsView.swift
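Steps 2, 4 and 5 of the migration, sketched as an added example (not code from Bastion's CVEDatabase.swift): it decodes one API 2.0 page, derives the next `startIndex`, and builds the follow-up request with the key in the `apiKey` request header, which is how NVD documents API 2.0 keys, instead of the query string. `NVDPage`, `nvdRequest`, the sample JSON and `PLACEHOLDER_KEY` are assumptions made for illustration.

```swift
import Foundation

// Subset of the NVD API 2.0 response needed for paging and display.
struct NVDPage: Decodable {
    struct Item: Decodable { let cve: CVE }
    struct CVE: Decodable {
        struct Description: Decodable { let lang: String; let value: String }
        let id: String
        let descriptions: [Description]
    }
    let resultsPerPage: Int
    let startIndex: Int
    let totalResults: Int
    let vulnerabilities: [Item]

    // Offset of the next page, or nil when this page is the last one.
    var nextStartIndex: Int? {
        let next = startIndex + resultsPerPage
        return (resultsPerPage > 0 && next < totalResults) ? next : nil
    }
}

// Builds one page request. The key travels in the `apiKey` header, so it
// does not end up in URL logs or proxy histories.
func nvdRequest(startIndex: Int, apiKey: String) -> URLRequest {
    var parts = URLComponents(string: "https://services.nvd.nist.gov/rest/json/cves/2.0")!
    parts.queryItems = [
        URLQueryItem(name: "startIndex", value: String(startIndex)),
        URLQueryItem(name: "resultsPerPage", value: "2000"),
    ]
    var request = URLRequest(url: parts.url!)
    request.setValue(apiKey, forHTTPHeaderField: "apiKey")
    return request
}

// Constructed sample of an API 2.0 response body (not real NVD output).
let sample = Data("""
{"resultsPerPage": 2000, "startIndex": 0, "totalResults": 4500,
 "vulnerabilities": [{"cve": {"id": "CVE-0000-00001",
   "descriptions": [{"lang": "en", "value": "Constructed sample entry"}]}}]}
""".utf8)

do {
    let page = try JSONDecoder().decode(NVDPage.self, from: sample)
    // In the app the key would be read from the Keychain (step 3).
    let request = nvdRequest(startIndex: page.nextStartIndex ?? 0, apiKey: "PLACEHOLDER_KEY")
    print(page.vulnerabilities.map(\.cve.id), request.url!.absoluteString)
} catch {
    print("Unexpected response shape: \(error)")
}
```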
- Launch Bastion
- Dashboard shows CVE Database card
- Card shows: "Tap to Download" with orange color
- Hover over card: Tooltip appears
- Click card: Settings sheet opens
- In Settings → CVE Database tab
- Button shows: "Download CVE Database (~2GB)"
- Click button: Download starts
- Progress bar shows: 0% → 100%
- Card updates: Shows CVE count when complete
Once downloaded:
- ✅ Card shows: "250k CVEs" (example count)
- ✅ Color changes to green
- ✅ Icon changes to checkmark (✓)
- ✅ Tooltip: "CVE database loaded"
Once CVE database is downloaded, Bastion can:
- Match CVEs to Services
  - Detects SSH 7.4 → Shows CVE-2018-15473 (username enumeration)
  - Detects Apache 2.4.29 → Shows CVE-2017-15715 (file upload)
- AI-Powered Exploit Selection
  - AI reads CVE descriptions
  - Recommends which CVEs to exploit
  - Generates custom exploits
- Vulnerability Scoring
  - CVSS scores (0-10)
  - Severity levels (Low/Medium/High/Critical)
  - Risk assessment
- CVE Search
  - Search by CVE ID (CVE-2021-44228)
  - Search by keyword ("OpenSSL")
  - Search by severity
- Pre-download top 10,000 critical CVEs
- Bundle with app (~50MB compressed)
- Auto-updates on launch
- Host CVE database on cloud server
- App fetches CVEs via REST API
- No local download required
- Bundle critical CVEs (top 10k)
- Download full database optionally
- Use cloud API for latest CVEs
- CVE Database card is clickable
- Opens Settings automatically
- Clear visual indicators
- Helpful tooltips
- Color-coded status
- NVD API 1.1 download (deprecated)
- May need migration to API 2.0
- Alternative CVE sources recommended
- Before: "Not Downloaded" (confusing)
- After: "Tap to Download" (actionable)
- Before: No indication of what to do
- After: Click card → Settings opens → Download button
- Before: Static card
- After: Interactive with tooltips
Built by Jordan Koch
Date: January 20, 2026
```bash
# Check if CVE database exists
ls -lh ~/Library/Application\ Support/Bastion/CVE/
# Check CVE file sizes
du -sh ~/Library/Application\ Support/Bastion/CVE/*
# Test NVD API availability
curl -I "https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2024.json.gz"
# If you get 404, API is deprecated. Need to migrate to 2.0.
```