8000 `grype db status` doesn't always check the db's checksum and validity · Issue #1648 · anchore/grype · GitHub
[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
Skip to content

grype db status doesn't always check the db's checksum and validity #1648

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
luhring opened this issue Jan 4, 2024 · 2 comments · Fixed by #2439
Closed

grype db status doesn't always check the db's checksum and validity #1648

luhring opened this issue 8000 Jan 4, 2024 · 2 comments · Fixed by #2439
Assignees
@kzantow
Labels
bug Something isn't working database Relating to the grype DB asset
Milestone
DB v6

Comments

@luhring
Copy link
Contributor
luhring commented Jan 4, 2024

What happened:

A coworker was getting this output from Grype:

1 error occurred:
	* failed to load vulnerability db: unable to get namespaces from store: database disk image is malformed (11)

This error is originating from the sqlite driver, and it looks like other Grype users encounter it on occasion, e.g. #1150. The underlying cause is that the database has been corrupted (somehow).

But... I asked them to run grype db status, and here's what they got:

grype db status
Location:  /Users/<snip>/Library/Caches/grype/db/5
Built:     2024-01-04 01:26:41 +0000 UTC
Schema:    5
Checksum:  sha256:d853702af304b86fb2180b83d8fcef1ddf7f6578df8216cfe427d42abb2b5d26
Status:    valid

This could be way more helpful than it currently is, especially when debugging database issues like this one.

It's not actually checking the real database's checksum, or the real database's validity. It's just reporting what's in the metadata JSON file. This makes it harder to find out why Grype isn't working correctly, when it's a database issue. This is frustrating for users, too, because such database issues usually render Grype inoperable until you run grype db delete && grype db update or something (which the average user doesn't know about).

What you expected to happen:

From talking on Anchore Slack, it sounds like the config check used during the execution of grype db status should become a non-conditional, "always do the check" execution path.

grype/grype/db/curator.go

Line 323 in d5ced7f

if c.validateByHashOnGet {

How to reproduce it (as minimally and precisely as possible):

$ echo "booboo" > ~/Library/Caches/grype/db/5/vulnerability.db
$ grype db status
Location:  /Users/dan/Library/Caches/grype/db/5
Built:     2024-01-04 01:26:41 +0000 UTC
Schema:    5
Checksum:  sha256:d853702af304b86fb2180b83d8fcef1ddf7f6578df8216cfe427d42abb2b5d26
Status:    valid

Anything else we need to know?:

Environment:

  • Output of grype version:
  • OS (e.g: cat /etc/os-release or similar):
@luhring luhring added the bug Something isn't working label Jan 4, 2024
@tgerla tgerla moved this to Backlog in OSS Jan 25, 2024
@tgerla
Copy link
Contributor
tgerla commented Jan 25, 2024

Thanks @luhring, we'll add this to the backlog.

@wagoodman wagoodman added the database Relating to the grype DB asset label Jul 24, 2024
This was referenced Jul 24, 2024
Closed
Closed
@luhring luhring mentioned this issue Aug 22, 2024
Closed
@wagoodman wagoodman added this to the DB v6 milestone Sep 17, 2024
@wagoodman wagoodman mentioned this issue Sep 17, 2024
Closed
@wagoodman wagoodman moved this from Backlog to Ready in OSS Sep 26, 2024
@wagoodman
Copy link
Contributor

Current status of this with v6 development is that we are detecting the condition, but could be filling in more values into the status struct:

Path:
Schema:
Built:     0001-01-01T00:00:00Z
Checksum:
Status:    invalid
[0000] ERROR failed to read DB metadata: file is not a database (26)

@wagoodman wagoodman mentioned this issue Feb 18, 2025
Merged
@kzantow kzantow moved this from Ready to In Review in OSS Feb 20, 2025
@github-project-automation github-project-automation bot moved this from In Review to Done in OSS Feb 28, 2025
@BrewTestBot BrewTestBot mentioned this issue Mar 5, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@kzantow kzantow

Labels
bug Something isn't working database Relating to the grype DB asset
Projects
OSS
Archived in project
Milestone
DB v6
4 participants
@tgerla @wagoodman @kzantow @luhring
0