sec-updater Tool


sec-updater [--debug level] [--quiet] [--security] --os string --arch string --uri uri \
            --file filename

sec-updater -h | --help


The sec-updater tool extracts information about security updates and backports from Linux repositories (e.g. Debian or Ubuntu). This information is used to update the package version information stored in the SQLite database of the strongTNC tool and also to provide SWID tags of the updated package versions. The dpkg --compare-versions command is used to determine which package versions are affected by a given security update.




-h, --help
    Prints usage information and a short summary of the available commands.

--debug level
    Set debug level, default: 1.

--quiet
    Disable debug output to stderr.

--security
    Set when parsing a distributions file with security updates.

--os string
    Name of operating system (OS), e.g. Ubuntu 16.04.

--arch string
    Name of HW architecture, e.g. x86_64.

--uri uri
    URI where to download deb package from.

--file filename
    Linux package information file to parse.


The following parameters can be configured in the sec-updater section of strongswan.conf:

Key [Default]
    Description

database
    Global IMV policy database URI. If it contains a password, make sure to adjust the access permissions of the config file accordingly.

load
    Plugins to load in sec-updater tool.

tmp.deb_file [/tmp/deb]
    Temporary storage for downloaded deb package file.

tmp.tag_file [/tmp/tag]
    Temporary storage for generated SWID tags.

tnc_manage_command [/var/www/tnc/]
    strongTNC command used to import SWID tags.

SWID Tag Generation

The parameters of the swid_generator used when an ISO 19770-2:2015 SWID tag has to be derived from a downloaded deb package can be changed in the libimcv section of strongswan.conf:

Key [Default]
    Description

swid_gen.command [/usr/local/bin/swid_generator]
    SWID generator command to be executed.

swid_gen.tag_creator.name [strongSwan Project]
    Name of the tagCreator entity.

swid_gen.tag_creator.regid []
    regid of the tagCreator entity.


sec-updater {
  # Policy database shared with strongTNC
  database = sqlite:///etc/pts/config.db
  tnc_manage_command = /var/www/tnc/
  tmp {
    deb_file = /tmp/sec-updater.deb
    tag_file = /tmp/sec-updater.tag
  }
}

libimcv {
  swid_gen {
    command = /usr/local/bin/swid_generator
    tag_creator {
      name = strongSwan Project
      regid =
    }
  }
}

Command Use

Here is an example of how the sec-updater command can be used in a script file:

sec-updater --os "Ubuntu 16.04" --arch "x86_64" --uri \
            --security --file xenial-security/binary-amd64/Packages-main
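
The version check described at the top of this page, as an added example that is not sec-updater's own code: it reads Package/Version pairs from a Packages file and reports which already recorded versions sort before the updated one. It reimplements the Debian version ordering in Python as a stand-in for dpkg --compare-versions so that it runs without dpkg; the names affected, KNOWN and SAMPLE are hypothetical, and treating "affected" as "strictly older than the update" is an assumption.

```python
import re

def _order(c):
    # dpkg rank of a non-digit char: '~' < end of string < letters < the rest
    if c in ("~", ""):
        return -1 if c == "~" else 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    # Compare two upstream or revision strings, alternating non-digit and digit runs
    while a or b:
        na, nb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        a, b = a[len(na):], b[len(nb):]
        for i in range(max(len(na), len(nb))):
            x, y = _order(na[i:i + 1]), _order(nb[i:i + 1])
            if x != y:
                return -1 if x < y else 1
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(da):], b[len(db):]
        x, y = int(da or 0), int(db or 0)  # numeric, so 1.9 sorts before 1.10
        if x != y:
            return -1 if x < y else 1
    return 0

def compare_versions(a, b):
    # Debian version = [epoch:]upstream[-revision]; returns -1, 0 or 1
    def split(v):
        epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
        upstream, _, rev = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), upstream, rev
    (ea, ua, ra), (eb, ub, rb) = split(a), split(b)
    return (ea > eb) - (ea < eb) or _cmp_part(ua, ub) or _cmp_part(ra, rb)

def parse_packages(text):
    # Yield (package, version) for every blank-line separated stanza
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = dict(re.findall(r"^([\w-]+):[ \t]*(.*)$", stanza, re.M))
        if "Package" in fields and "Version" in fields:
            yield fields["Package"], fields["Version"].strip()

def affected(known, packages_text):
    # known (hypothetical): {package: [versions already recorded in the database]}
    return {pkg: [v for v in known.get(pkg, []) if compare_versions(v, new) < 0]
            for pkg, new in parse_packages(packages_text)}

# Constructed sample data, not taken from a real repository
SAMPLE = ("Package: openssl\nVersion: 1.0.2g-1ubuntu4.15\nArchitecture: amd64\n\n"
          "Package: sudo\nVersion: 1.8.16-0ubuntu1.10\n")
KNOWN = {"openssl": ["1.0.2g-1ubuntu4", "1.0.2g-1ubuntu4.15~rc1", "1.0.2g-1ubuntu4.15"],
         "sudo": ["1:1.8.0-1", "1.8.16-0ubuntu1.9"]}
```

With the sample data, affected(KNOWN, SAMPLE) leaves out the sudo version carrying epoch 1 and the openssl version equal to the update, while the ~rc1 pre-release and the numerically smaller 1.9 revision are reported.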