anchore / grype

A vulnerability scanner for container images and filesystems
Apache License 2.0

`db status` does not validate `vulnerability.db` #1975

Open joshuai96 opened 5 days ago

joshuai96 commented 5 days ago

What happened:

grype db status does not validate vulnerability.db hash.

What you expected to happen:

grype db status fully validates the vulnerability.db and fails on an invalid db.

How to reproduce it (as minimally and precisely as possible):

$ cd $HOME/.cache/grype/db/5/
$ mv vulnerability.db vulnerability.db.bak

# with an invalid db
$ tail -n 50 vulnerability.db.bak > vulnerability.db
$ grype db status
Location:  /home/joshua/.cache/grype/db/5
Built:     2024-07-03 01:30:39 +0000 UTC
Schema:    5
Checksum:  sha256:a7920011e5de7de5e0acafb614f94c38dc4353d34784de07cf16fa765c07904f
Status:    valid

# with missing db
$ rm vulnerability.db
$ grype db status
Location:  /home/joshua/.cache/grype/db/5
Built:     2024-07-03 01:30:39 +0000 UTC
Schema:    5
Checksum:  sha256:a7920011e5de7de5e0acafb614f94c38dc4353d34784de07cf16fa765c07904f
Status:    valid

Anything else we need to know?:

Scans with grype do not report an invalid DB either:

# with invalid db
$ grype alpine:latest
 ✔ Vulnerability DB                [no update available]  
 ✔ Parsed image                              sha256:a606584aa9aa875552092ec9e1d62cb98d486f51f389609914039aabd9414687
 ✔ Cataloged contents                               dabf91b69c191a1a0a1628fd6bdd029c0c4018041c7f052870bb13c5a222ae76
   ├── ✔ Packages                        [14 packages]  
   ├── ✔ File digests                    [77 files]  
   ├── ✔ File metadata                   [77 locations]  
   └── ✔ Executables                     [17 executables]  
failed to load vulnerability db: unable to get namespaces from store: file is not a database (26)

# with missing db
$ grype alpine:latest
 ✔ Vulnerability DB                [no update available]  
 ✔ Parsed image                              sha256:a606584aa9aa875552092ec9e1d62cb98d486f51f389609914039aabd9414687
 ✔ Cataloged contents                               dabf91b69c191a1a0a1628fd6bdd029c0c4018041c7f052870bb13c5a222ae76
   ├── ✔ Packages                        [14 packages]  
   ├── ✔ File digests                    [77 files]  
   ├── ✔ File metadata                   [77 locations]  
   └── ✔ Executables                     [17 executables]  
[0001] ERROR gorm: failed to initialize database, got error unable to open database file: out of memory (14)
failed to load vulnerability db: unable to connect to DB: unable to open database file: out of memory (14)

Environment:

$ grype version
Application:         grype
Version:             0.79.2
BuildDate:           2024-07-02T15:43:38Z
GitCommit:           1ab36b470823003de6dca93bf3e7a9372ba8317e
GitDescription:      v0.79.2
Platform:            linux/amd64
GoVersion:           go1.22.4
Compiler:            gc
Syft Version:        v1.8.0
Supported DB Schema: 5

$ cat /etc/os-release
NAME="Fedora Linux"
VERSION="39 (Workstation Edition)"
ID=fedora
VERSION_ID=39
VERSION_CODENAME=""
PLATFORM_ID="platform:f39"
PRETTY_NAME="Fedora Linux 39 (Workstation Edition)"
ANSI_COLOR="0;38;2;60;110;180"
LOGO=fedora-logo-icon
CPE_NAME="cpe:/o:fedoraproject:fedora:39"
DEFAULT_HOSTNAME="fedora"
HOME_URL="https://fedoraproject.org/"
DOCUMENTATION_URL="https://docs.fedoraproject.org/en-US/fedora/f39/system-administrators-guide/"
SUPPORT_URL="https://ask.fedoraproject.org/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_BUGZILLA_PRODUCT="Fedora"
REDHAT_BUGZILLA_PRODUCT_VERSION=39
REDHAT_SUPPORT_PRODUCT="Fedora"
REDHAT_SUPPORT_PRODUCT_VERSION=39
SUPPORT_END=2024-11-12
VARIANT="Workstation Edition"
VARIANT_ID=workstation

joshuai96 commented 4 days ago

To further clarify this, as this issue might seem a little bit constructed:

I was trying to run grype on an arbitrary amount of projects in parallel in a CI/CD. This starts out with an empty $HOME/.cache. When multiple grype processes tried to download and write the database, some issues arose.

So I decided to use grype db update in the bootstrapping phase to have a single process get the database.

This worked, until it didn't. I suspect some network hiccup that led to an invalid database directory without grype db update reporting an issue.

When grype started to scan 84 seconds later, all scan processes failed with this message:

failed to load vulnerability db: vulnerability database is invalid (run db update to correct): database metadata not found: /home/scanner/.cache/grype/db/5

Trying to have an early stop in my CI/CD pipeline, I tried using grype db status to catch an invalid db and not execute the scans.

While trying to provoke an invalid database, I came across this issue.
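A CI pre-check of the kind described above, added here as an example (not grype's own code): it hashes vulnerability.db itself and compares it with the checksum recorded in the DB directory, failing on a missing or altered file. It assumes the v5 directory's metadata.json stores that checksum as "sha256:<hex>" of vulnerability.db (the value `grype db status` prints); the function and helper names are the example's own.

```shell
#!/bin/sh
# Added example, not part of grype: verify a grype v5 DB directory before scanning.
# Assumption: metadata.json carries "checksum":"sha256:<hex>" computed over vulnerability.db.

sha256_of() {
    # Portable digest helper: GNU coreutils sha256sum, falling back to BSD/macOS shasum.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d ' ' -f 1
    else
        shasum -a 256 "$1" | cut -d ' ' -f 1
    fi
}

# grype_db_check DIR -> returns 0 only if DIR/vulnerability.db exists and its sha256
# equals the checksum in DIR/metadata.json; returns 1 (with a reason on stderr) otherwise.
grype_db_check() {
    dir=$1
    db="$dir/vulnerability.db"
    meta="$dir/metadata.json"

    [ -f "$meta" ] || { echo "db check: missing $meta" >&2; return 1; }
    [ -f "$db" ]   || { echo "db check: missing $db" >&2; return 1; }

    # Pull the hex digest out of the JSON without depending on jq being installed.
    expected=$(sed -n 's/.*"checksum"[[:space:]]*:[[:space:]]*"sha256:\([0-9a-fA-F]*\)".*/\1/p' "$meta" \
               | head -n 1 | tr 'A-F' 'a-f')
    [ -n "$expected" ] || { echo "db check: no sha256 checksum found in $meta" >&2; return 1; }

    actual=$(sha256_of "$db")
    if [ "$actual" != "$expected" ]; then
        echo "db check: checksum mismatch for $db (expected $expected, got $actual)" >&2
        return 1
    fi
    echo "db check: $db matches metadata checksum"
}

# Usage in the bootstrap step, so only one process fetches the DB and scans never start on a bad one:
#   grype db update && grype_db_check "$HOME/.cache/grype/db/5" || exit 1
```

Because the check hashes the file rather than trusting the "Status: valid" line, the truncated and the deleted vulnerability.db from the report above both make it return non-zero.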