anchore / grype

A vulnerability scanner for container images and filesystems
Apache License 2.0

Environment variables are not expanded in the configuration #2206

Closed sttcns closed 3 days ago

sttcns commented 1 week ago

What happened:

Running Grype with the default configuration fails to expand the $XDG_CACHE_HOME environment variable. Instead, it creates the directory with the literal name $XDG_CACHE_HOME.

What you expected to happen:

Grype expands the variable in the configuration file.

How to reproduce it (as minimally and precisely as possible):

Update Grype database

```bash
grype db update
#  ✔ Vulnerability DB                [no update available]
# No vulnerability database update available
```

Notice that the database was created/updated in the right place

```bash
ls "$XDG_CACHE_HOME/grype/db/5"
# last_update_check  metadata.json  provider-metadata.json  vulnerability.db
```

Notice our working directory is empty

```bash
ls
#
```

Create the default configuration copied from the readme of this project

```bash
vi .grype.yml
```

Create the database again.

```bash
grype db update
# ✔ Vulnerability DB                [updated]
# Vulnerability database updated to latest version!
```

Notice that Grype created a new directory with the literal name $XDG_CACHE_HOME instead of expanding the environment variable.

```bash
ls
# $XDG_CACHE_HOME
```

```bash
tree \$XDG_CACHE_HOME
# $XDG_CACHE_HOME
# └── grype
#     └── db
#         └── 5
#             ├── last_update_check
#             ├── metadata.json
#             ├── provider-metadata.json
#             └── vulnerability.db
```

Anything else we need to know?:

Interestingly, without the configuration file Grype works fine, as shown above. The issue may lie in the documentation or in the implementation. The docs should say that the environment variables are not expanded in the configuration and that absolute paths should be used. Otherwise, Grype should expand the environment variables.

Environment:

Arch Linux with the latest Grype.

```bash
grype version
# Application:         grype
# Version:             0.82.2
# BuildDate:           2024-10-21T18:07:15Z
# GitCommit:           d018ffa51b60dff0a3ea42868b3b9aecac894d0f
# GitDescription:      v0.82.2
# Platform:            linux/amd64
# GoVersion:           go1.23.2
# Compiler:            gc
# Syft Version:        v1.14.2
# Supported DB Schema: 5
```

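
As an added example (not Grype's own code) of what expansion in a config loader could look like, in Go, assuming a hypothetical `resolveCacheDir` helper: it expands `$VAR` references with `os.Expand`, falls back to the XDG default of `$HOME/.cache` when `XDG_CACHE_HOME` is unset, and refuses a value that still has an unresolved variable or is not absolute, so a config value like the one in the README would fail loudly rather than create a literal `$XDG_CACHE_HOME` directory under the working directory.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// resolveCacheDir is a hypothetical helper, not Grype's code. It expands
// $VAR references in a configured cache directory instead of using the
// string verbatim (which is what produced the literal "$XDG_CACHE_HOME"
// directory in the report above). Lookup order: the process environment,
// then the XDG default for XDG_CACHE_HOME ($HOME/.cache), then an error
// so a typo never silently turns into a relative path under the cwd.
func resolveCacheDir(configured string) (string, error) {
	var missing []string
	expanded := os.Expand(configured, func(name string) string {
		if v, ok := os.LookupEnv(name); ok && v != "" {
			return v
		}
		if name == "XDG_CACHE_HOME" {
			if home, err := os.UserHomeDir(); err == nil {
				return filepath.Join(home, ".cache")
			}
		}
		missing = append(missing, name)
		return ""
	})
	if len(missing) > 0 {
		return "", fmt.Errorf("unresolved variables in cache dir %q: %s",
			configured, strings.Join(missing, ", "))
	}
	if !filepath.IsAbs(expanded) {
		return "", fmt.Errorf("cache dir %q is not absolute after expansion", expanded)
	}
	return filepath.Clean(expanded), nil
}

// hasLiteralVar reports whether a path about to be used on disk still
// carries an unexpanded "$NAME" segment, i.e. the symptom in this issue.
func hasLiteralVar(path string) bool {
	return strings.Contains(path, "$")
}

func main() {
	dir, err := resolveCacheDir("$XDG_CACHE_HOME/grype/db")
	fmt.Println(dir, err)
}
```
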
kzantow commented 3 days ago

Hey @sttcns, apologies for the confusion -- I see that the readme has an incorrect value for this field, which includes an environment variable that will never be expanded.

Question for team discussion: should Syft/Grype/et.al. be able to expand environment variables in strings?

willmurphyscode commented 3 days ago

This is somewhat related to https://github.com/anchore/grype/issues/2024.

willmurphyscode commented 3 days ago

Hi @sttcns we updated the README to fix that example. Sorry for the confusion!

We plan to continue the discussion of #2024, a closely related issue, at an upcoming community gardening.