refactor: use XDG_CACHE_HOME for default cache directory

Update the tool to determine the default cache directory using the
XDG_CACHE_HOME environment variable, falling back to ~/.cache if
unset. This brings the tool in line with the XDG Base Directory
Specification.

Move cache-related default values into a new
`database_defaults.py` module to centralize configuration and improve
code maintainability.

These changes improve compatibility with diverse environments and
promote cleaner filesystem usage.

Signed-off-by: Rafal Ilnicki <[email protected]>

Author: rilnicki

cve_bin_tool/available_fix/debian_cve_tracker.py

@@ -4,18 +4,16 @@
 from __future__ import annotations
 
 from json import dump, load
-from pathlib import Path
 from time import time
 
 from cve_bin_tool.cve_scanner import CVEData
+from cve_bin_tool.database_defaults import DISK_LOCATION_DEFAULT
 from cve_bin_tool.log import LOGGER
 from cve_bin_tool.output_engine.util import ProductInfo, format_output
 from cve_bin_tool.util import make_http_requests
 
 JSON_URL = "https://security-tracker.debian.org/tracker/data/json"
-DEB_CVE_JSON_PATH = (
-    Path("~").expanduser() / ".cache" / "cve-bin-tool" / "debian_cve_data.json"
-)
+DEB_CVE_JSON_PATH = DISK_LOCATION_DEFAULT / "debian_cve_data.json"
 
 UBUNTU_DEBIAN_MAP = {
     "hirsute": "bullseye",

cve_bin_tool/cli.py

@@ -42,7 +42,7 @@
 from cve_bin_tool.config import ConfigParser
 from cve_bin_tool.config_generator import config_generator
 from cve_bin_tool.cve_scanner import CVEScanner
-from cve_bin_tool.cvedb import CVEDB, OLD_CACHE_DIR
+from cve_bin_tool.cvedb import CVEDB
 from cve_bin_tool.data_sources import (
     DataSourceSupport,
     curl_source,
@@ -53,6 +53,7 @@
     purl2cpe_source,
     redhat_source,
 )
+from cve_bin_tool.database_defaults import OLD_CACHE_DIR
 from cve_bin_tool.error_handler import (
     ERROR_CODES,
     CVEDataMissing,

cve_bin_tool/cve_scanner.py

@@ -11,7 +11,7 @@
 
 from rich.console import Console
 
-from cve_bin_tool.cvedb import DBNAME, DISK_LOCATION_DEFAULT
+from cve_bin_tool.database_defaults import DBNAME, DISK_LOCATION_DEFAULT
 from cve_bin_tool.error_handler import ErrorMode
 from cve_bin_tool.input_engine import TriageData
 from cve_bin_tool.log import LOGGER

cve_bin_tool/cvedb.py

@@ -31,6 +31,12 @@
     osv_source,
     purl2cpe_source,
 )
+from cve_bin_tool.database_defaults import (
+    DBNAME,
+    DISK_LOCATION_BACKUP,
+    DISK_LOCATION_DEFAULT,
+    OLD_CACHE_DIR,
+)
 from cve_bin_tool.error_handler import ERROR_CODES, CVEDBError, ErrorMode, SigningError
 from cve_bin_tool.fetch_json_db import Fetch_JSON_DB
 from cve_bin_tool.log import LOGGER
@@ -39,12 +45,6 @@
 
 logging.basicConfig(level=logging.DEBUG)
 
-# database defaults
-DISK_LOCATION_DEFAULT = Path("~").expanduser() / ".cache" / "cve-bin-tool"
-DISK_LOCATION_BACKUP = Path("~").expanduser() / ".cache" / "cve-bin-tool-backup"
-DBNAME = "cve.db"
-OLD_CACHE_DIR = Path("~") / ".cache" / "cvedb"
-
 UNKNOWN_METRIC_ID = 0
 EPSS_METRIC_ID = 1
 CVSS_2_METRIC_ID = 2

cve_bin_tool/data_sources/__init__.py

@@ -5,22 +5,12 @@
 
 import sys
 from abc import ABC, abstractmethod
-from pathlib import Path
 
 if sys.version_info >= (3, 9):
     import importlib.resources as resources
 else:
     import importlib_resources as resources
 
-USER_HOME = Path("~")
-
-# database defaults
-DISK_LOCATION_DEFAULT = str(USER_HOME.expanduser() / ".cache" / "cve-bin-tool")
-DISK_LOCATION_BACKUP = str(USER_HOME.expanduser() / ".cache" / "cve-bin-tool-backup")
-DBNAME = "cve.db"
-OLD_CACHE_DIR = str(USER_HOME.expanduser() / ".cache" / "cvedb")
-NVD_FILENAME_TEMPLATE = "nvdcve-1.1-{}.json.gz"
-
 
 class Data_Source(ABC):
     @abstractmethod

cve_bin_tool/data_sources/curl_source.py

@@ -10,10 +10,10 @@
 import aiohttp
 
 from cve_bin_tool.async_utils import FileIO, RateLimiter
-from cve_bin_tool.data_sources import (
+from cve_bin_tool.data_sources import Data_Source
+from cve_bin_tool.database_defaults import (
     DISK_LOCATION_BACKUP,
     DISK_LOCATION_DEFAULT,
-    Data_Source,
 )
 from cve_bin_tool.error_handler import ErrorMode
 from cve_bin_tool.log import LOGGER

cve_bin_tool/data_sources/epss_source.py

@@ -13,7 +13,7 @@
 
 import aiohttp
 
-from cve_bin_tool.data_sources import DISK_LOCATION_BACKUP, DISK_LOCATION_DEFAULT
+from cve_bin_tool.database_defaults import DISK_LOCATION_BACKUP, DISK_LOCATION_DEFAULT
 from cve_bin_tool.error_handler import ErrorMode
 from cve_bin_tool.version import HTTP_HEADERS
 

cve_bin_tool/data_sources/gad_source.py

@@ -16,7 +16,8 @@
 from yaml.loader import SafeLoader
 
 from cve_bin_tool.async_utils import FileIO, RateLimiter
-from cve_bin_tool.data_sources import DISK_LOCATION_DEFAULT, Data_Source
+from cve_bin_tool.data_sources import Data_Source
+from cve_bin_tool.database_defaults import DISK_LOCATION_DEFAULT
 from cve_bin_tool.error_handler import ErrorMode
 from cve_bin_tool.log import LOGGER
 from cve_bin_tool.version import HTTP_HEADERS

cve_bin_tool/data_sources/nvd_source.py

@@ -18,12 +18,12 @@
 from rich.progress import track
 
 from cve_bin_tool.async_utils import FileIO, GzipFile, RateLimiter
-from cve_bin_tool.data_sources import (
+from cve_bin_tool.data_sources import Data_Source
+from cve_bin_tool.database_defaults import (
     DBNAME,
     DISK_LOCATION_BACKUP,
     DISK_LOCATION_DEFAULT,
     NVD_FILENAME_TEMPLATE,
-    Data_Source,
 )
 from cve_bin_tool.error_handler import (
     AttemptedToWriteOutsideCachedir,

cve_bin_tool/data_sources/osv_source.py

@@ -16,7 +16,8 @@
 from cvss import CVSS3
 
 from cve_bin_tool.async_utils import FileIO, RateLimiter, aio_run_command
-from cve_bin_tool.data_sources import DISK_LOCATION_DEFAULT, Data_Source
+from cve_bin_tool.data_sources import Data_Source
+from cve_bin_tool.database_defaults import DISK_LOCATION_DEFAULT
 from cve_bin_tool.error_handler import ErrorMode
 from cve_bin_tool.log import LOGGER
 from cve_bin_tool.version import HTTP_HEADERS

cve_bin_tool/data_sources/purl2cpe_source.py

@@ -6,7 +6,8 @@
 
 import aiohttp
 
-from cve_bin_tool.data_sources import DISK_LOCATION_DEFAULT, Data_Source
+from cve_bin_tool.data_sources import Data_Source
+from cve_bin_tool.database_defaults import DISK_LOCATION_DEFAULT
 from cve_bin_tool.error_handler import ErrorMode
 from cve_bin_tool.log import LOGGER
 from cve_bin_tool.version import HTTP_HEADERS

cve_bin_tool/data_sources/redhat_source.py

@@ -8,7 +8,8 @@
 import aiohttp
 
 from cve_bin_tool.async_utils import FileIO, RateLimiter
-from cve_bin_tool.data_sources import DISK_LOCATION_DEFAULT, Data_Source
+from cve_bin_tool.data_sources import Data_Source
+from cve_bin_tool.database_defaults import DISK_LOCATION_DEFAULT
 from cve_bin_tool.error_handler import ErrorMode
 from cve_bin_tool.log import LOGGER
 from cve_bin_tool.version import HTTP_HEADERS

cve_bin_tool/data_sources/rsd_source.py

@@ -14,7 +14,8 @@
 from cvss import CVSS2, CVSS3
 
 from cve_bin_tool.async_utils import FileIO, RateLimiter
-from cve_bin_tool.data_sources import DISK_LOCATION_DEFAULT, Data_Source
+from cve_bin_tool.data_sources import Data_Source
+from cve_bin_tool.database_defaults import DISK_LOCATION_DEFAULT
 from cve_bin_tool.error_handler import ErrorMode
 from cve_bin_tool.log import LOGGER
 from cve_bin_tool.version import HTTP_HEADERS

cve_bin_tool/database_defaults.py

@@ -0,0 +1,12 @@
+# Copyright (C) 2025 Intel Corporation
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+import os
+from pathlib import Path
+
+CACHE_DIR = Path(os.environ.get("XDG_CACHE_HOME", Path.home() / ".cache"))
+DISK_LOCATION_DEFAULT = CACHE_DIR / "cve-bin-tool"
+DISK_LOCATION_BACKUP = CACHE_DIR / "cve-bin-tool-backup"
+OLD_CACHE_DIR = Path.home() / ".cache" / "cvedb"
+DBNAME = "cve.db"
+NVD_FILENAME_TEMPLATE = "nvdcve-1.1-{}.json.gz"

cve_bin_tool/helper_script.py

@@ -15,7 +15,8 @@
 from rich import print as rprint
 from rich.console import Console
 
-from cve_bin_tool.cvedb import CVEDB, DBNAME, DISK_LOCATION_DEFAULT
+from cve_bin_tool.cvedb import CVEDB
+from cve_bin_tool.database_defaults import DBNAME, DISK_LOCATION_DEFAULT
 from cve_bin_tool.error_handler import ErrorHandler, ErrorMode, UnknownArchiveType
 from cve_bin_tool.extractor import Extractor, TempDirExtractorContext
 from cve_bin_tool.log import LOGGER

cve_bin_tool/merge.py

@@ -11,7 +11,7 @@
 
 from cve_bin_tool.cve_scanner import CVEScanner
 
-from .cvedb import DISK_LOCATION_DEFAULT
+from .database_defaults import DISK_LOCATION_DEFAULT
 from .error_handler import (
     ErrorHandler,
     ErrorMode,

cve_bin_tool/mismatch_loader.py

@@ -5,7 +5,7 @@
 
 import yaml
 
-from cve_bin_tool.cvedb import DBNAME, DISK_LOCATION_DEFAULT
+from cve_bin_tool.database_defaults import DBNAME, DISK_LOCATION_DEFAULT
 from cve_bin_tool.log import LOGGER
 
 SQL_CREATE_TABLE = """

cve_bin_tool/version_signature.py

@@ -8,7 +8,7 @@
 from datetime import datetime
 from pathlib import Path
 
-from cve_bin_tool.cvedb import DISK_LOCATION_DEFAULT
+from cve_bin_tool.database_defaults import DISK_LOCATION_DEFAULT
 
 
 class InvalidVersionSignatureTable(ValueError):

mismatch/cli.py

@@ -1,12 +1,10 @@
 import argparse
 import os
 import sqlite3
-from pathlib import Path
 
+from cve_bin_tool.database_defaults import DBNAME, DISK_LOCATION_DEFAULT
 from cve_bin_tool.mismatch_loader import run_mismatch_loader
 
-DBNAME = "cve.db"
-DISK_LOCATION_DEFAULT = Path("~").expanduser() / ".cache" / "cve-bin-tool"
 parent_dir = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
 data_dir = os.path.join(parent_dir, "mismatch_data")
 dbpath = DISK_LOCATION_DEFAULT / DBNAME