Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

db status does not validate vulnerability.db #1975

Open
joshuai96 opened this issue Jul 3, 2024 · 2 comments · May be fixed by #1976
Open

db status does not validate vulnerability.db #1975

joshuai96 opened this issue Jul 3, 2024 · 2 comments · May be fixed by #1976
Labels
bug Something isn't working database Relating to the grype DB asset

Comments

@joshuai96
Copy link

What happened:

grype db status does not validate vulnerability.db hash.

What you expected to happen:

grype db status fully validates the vulnerability.db and fails on an invalid db.

How to reproduce it (as minimally and precisely as possible):

$ cd $HOME/.cache/grype/db/5/
$ mv vulnerability.db vulnerability.db.bak

# with an invalid db
$ tail -n 50 vulnerability.db.bak > vulnerability.db
$ grype db status
Location:  /home/joshua/.cache/grype/db/5
Built:     2024-07-03 01:30:39 +0000 UTC
Schema:    5
Checksum:  sha256:a7920011e5de7de5e0acafb614f94c38dc4353d34784de07cf16fa765c07904f
Status:    valid

# with missing db
$ rm vulnerability.db
$ grype db status
Location:  /home/joshua/.cache/grype/db/5
Built:     2024-07-03 01:30:39 +0000 UTC
Schema:    5
Checksum:  sha256:a7920011e5de7de5e0acafb614f94c38dc4353d34784de07cf16fa765c07904f
Status:    valid

Anything else we need to know?:

Scans with grype, do not report a invalid DB either:

# with invalid db
$ grype alpine:latest
 ✔ Vulnerability DB                [no update available]  
 ✔ Parsed image                              sha256:a606584aa9aa875552092ec9e1d62cb98d486f51f389609914039aabd9414687
 ✔ Cataloged contents                               dabf91b69c191a1a0a1628fd6bdd029c0c4018041c7f052870bb13c5a222ae76
   ├── ✔ Packages                        [14 packages]  
   ├── ✔ File digests                    [77 files]  
   ├── ✔ File metadata                   [77 locations]  
   └── ✔ Executables                     [17 executables]  
failed to load vulnerability db: unable to get namespaces from store: file is not a database (26)

# with missing db
$ grype alpine:latest
 ✔ Vulnerability DB                [no update available]  
 ✔ Parsed image                              sha256:a606584aa9aa875552092ec9e1d62cb98d486f51f389609914039aabd9414687
 ✔ Cataloged contents                               dabf91b69c191a1a0a1628fd6bdd029c0c4018041c7f052870bb13c5a222ae76
   ├── ✔ Packages                        [14 packages]  
   ├── ✔ File digests                    [77 files]  
   ├── ✔ File metadata                   [77 locations]  
   └── ✔ Executables                     [17 executables]  
[0001] ERROR gorm: failed to initialize database, got error unable to open database file: out of memory (14)
failed to load vulnerability db: unable to connect to DB: unable to open database file: out of memory (14)

Environment:

$ grype version
Application:         grype
Version:             0.79.2
BuildDate:           2024-07-02T15:43:38Z
GitCommit:           1ab36b470823003de6dca93bf3e7a9372ba8317e
GitDescription:      v0.79.2
Platform:            linux/amd64
GoVersion:           go1.22.4
Compiler:            gc
Syft Version:        v1.8.0
Supported DB Schema: 5
 
$ cat /etc/os-release
NAME="Fedora Linux"
VERSION="39 (Workstation Edition)"
ID=fedora
VERSION_ID=39
VERSION_CODENAME=""
PLATFORM_ID="platform:f39"
PRETTY_NAME="Fedora Linux 39 (Workstation Edition)"
ANSI_COLOR="0;38;2;60;110;180"
LOGO=fedora-logo-icon
CPE_NAME="cpe:/o:fedoraproject:fedora:39"
DEFAULT_HOSTNAME="fedora"
HOME_URL="https://fedoraproject.org/"
DOCUMENTATION_URL="https://docs.fedoraproject.org/en-US/fedora/f39/system-administrators-guide/"
SUPPORT_URL="https://ask.fedoraproject.org/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_BUGZILLA_PRODUCT="Fedora"
REDHAT_BUGZILLA_PRODUCT_VERSION=39
REDHAT_SUPPORT_PRODUCT="Fedora"
REDHAT_SUPPORT_PRODUCT_VERSION=39
SUPPORT_END=2024-11-12
VARIANT="Workstation Edition"
VARIANT_ID=workstation
@joshuai96 joshuai96 added the bug Something isn't working label Jul 3, 2024
@joshuai96 joshuai96 linked a pull request Jul 3, 2024 that will close this issue
Open
@joshuai96
Copy link
Author

joshuai96 commented Jul 4, 2024
edited
Loading

To further clarify this, as this issue might seem a little bit constructed.

I was trying to run grype on an arbitrary amount of projects in parallel in a CI/CD. This starts out with an empty $HOME/.cache. When multiple grype processes tried to download and write the database, some issues arose.

So i decided to use grype db update in the bootstrapping phase, to have a single process to get the database.

This worked, until it didn't. I suspect some network hiccup that lead to an invalid database directory without grype db update reporting an issue.

When grype started to scan 84 seconds later, all scan processes failed with this message:

failed to load vulnerability db: vulnerability database is invalid (run db update to correct): database metadata not found: /home/scanner/.cache/grype/db/5

Trying to have an early stop to my CI/CD pipeline. I tried using grype db status to catch an invalid db and don't execute the scans.

While trying to provoke an invalid database, I came across this issue.

@wagoodman wagoodman added the database Relating to the grype DB asset label Jul 24, 2024
@wagoodman
Copy link
Contributor

note: this is a duplicate of #1648

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working database Relating to the grype DB asset
Projects
OSS
Status: No status
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Fix: Fully validate vulnerability.db by hash joshuai96/grype
2 participants
@wagoodman @joshuai96