sec-updater Tool


sec-updater [--debug level] [--quiet] [--security] --os string --arch string --uri uri \
            --file filename

sec-updater -h | --help


The sec-updater tool extracts information about security updates and backports of Linux repositories (e.g. Debian or Ubuntu). This information is used to update the package version information stored in the strongTNC SQLite database. The dpkg --compare-versions command is used to determine which package versions are affected by a given security update.




-h | --help

Prints usage information and a short summary of the available commands


--debug level

Set debug level, default: 1



--quiet

Disable debug output to stderr



--security

Set when parsing a distributions file with security updates.


--os <string>

Name of the operating system (OS), e.g. Ubuntu 16.04


--arch <string>

Name of the HW architecture, e.g. x86_64


--uri <uri>

URI from which to download the deb package


--file <filename>

Linux package information file to parse


The following parameters can be configured in the sec-updater section of strongswan.conf:

Key                             Default          Description

sec-updater.load                                 Plugins to load in sec-updater tool
sec-updater.tmp.deb_file        [/tmp/deb]       Temporary storage for downloaded deb package file
sec-updater.tmp.tag_file        [/tmp/tag]       Temporary storage for generated SWID tags
sec-updater.tnc_manage_command  [/var/www/tnc/]  strongTNC command used to import SWID tags

SWID Tag Generation

The parameters of the swid_generator, which is used when an ISO 19770-2:2015 SWID tag has to be derived from a downloaded deb package, can be changed in the libimcv section of strongswan.conf:

Key                                  Default                          Description

libimcv.swid_gen.command             [/usr/local/bin/swid_generator]  SWID generator command to be executed
libimcv.swid_gen.tag_creator.name    [strongSwan Project]             Name of the tagCreator entity
libimcv.swid_gen.tag_creator.regid   []                               regid of the tagCreator entity


sec-updater {
  database = sqlite:///etc/pts/config.db
  tnc_manage_command = /var/www/tnc/
  tmp {
    deb_file = /tmp/sec-updater.deb
    tag_file = /tmp/sec-updater.tag
  }
}

libimcv {
  swid_gen {
    command = /usr/local/bin/swid_generator
    tag_creator {
      name = strongSwan Project
      regid =
    }
  }
}

Command Use

Here is an example of how the sec-updater command can be used in a script file:

sec-updater --os "Ubuntu 16.04" --arch "x86_64" --uri \
            --security --file xenial-security/binary-amd64/Packages-main