Removal of temporary files not working with Git Bash on Windows

[Joerki]

What happened:

Hi guys!

When I use grype with Git Bash on Windows grype has trouble to remove files and directories:

$ grype .
<some stuff about DB (no update needed) and scanned project>
[0000]  WARN no explicit name and version provided for directory source, deriving artifact ID from the given path (which is not ideal)
[0000] ERROR failed to remove file (C:\Users\joerki\AppData\Local\Temp\grype-db-listing974399563): %!w(string=remove C:\Users\joerki\AppData\Local\Temp\grype-db-list

(Yes, the filename seems to be incomplete) Files and (empty) directories stay in temp directory. I see grype-db-listing and grype-scratch relics there. (* are several digits each) I don't see this error when I use cmd.

What you expected to happen:

Grype erases temporary date even if (Git) Bash is used on Windows as shell.

How to reproduce it (as minimally and precisely as possible):

Use Git Bash instead of cmd for grype operations.

Anything else we need to know?:

Environment:

• Output of grype version:

• $ grype version Application: grype Version: 0.83.0 BuildDate: 2024-10-28T21:54:11Z GitCommit: 0602464ebc9f3c417b1175b3e104b19a006604b7 GitDescription: v0.83.0 Platform: windows/amd64 GoVersion: go1.23.2 Compiler: gc Syft Version: v1.15.0 Supported DB Schema: 5

• OS (e.g: cat /etc/os-release or similar): Windows 11 23H2 Git 2.47.0.2

[popey]

Thanks for the issue report @Joerki and the steps to reproduce, that's very helpful.

I have reproduced the issue here on Windows 11 Home 22H3 with Git 2.47.0.windows.2

popey@DESKTOP-DDU38TO MINGW64 ~/Downloads
$ ./grype.exe db check -vvv
[0000]  INFO grype version: 0.83.0
[0000] DEBUG config:
  log:
      quiet: false
      level: trace
      file: ""
  dev:
      profile: none
  db:
      cache-dir: C:\Users\popey\AppData\Local\cache/grype/db
      update-url: https://toolbox-data.anchore.io/grype/databases/listing.json
      ca-cert: ""
      auto-update: true
      validate-by-hash-on-start: false
      validate-age: true
      max-allowed-built-age: 120h0m0s
      require-update-check: true
      update-available-timeout: 30s
      update-download-timeout: 5m0s
      max-update-check-frequency: 2h0m0s
[0000] DEBUG checking for available database updates
[0000] ERROR failed to remove file (C:\Users\popey\AppData\Local\Temp\grype-db-listing971526387): %!w(string=remove C:\Users\popey\AppData\Local\Temp\grype-db-listing971526387: The process cannot access the file because it is being used by another process.)
[0000] DEBUG found database update candidate: Listing(url=https://grype.anchore.io/databases/vulnerability-db_v5_2024-11-03T01:32:42Z_1730607684.tar.gz)
[0000] DEBUG existing database is already up to date
[0000] DEBUG no database update available
No update available
[0000] TRACE worker stopped component=eventloop
[0000] TRACE signal exit component=eventloop

popey@DESKTOP-DDU38TO MINGW64 ~/Downloads
$