anchore / grype

A vulnerability scanner for container images and filesystems
Apache License 2.0
8.59k stars, 560 forks

Vulnerabilities not found, probably due to some file errors #588

Open mar1ged opened 2 years ago

mar1ged commented 2 years ago

What happened:

I get this output:

[0000] ERROR failed to fetch latest version: Get "https://toolbox-data.anchore.io/grype/releases/latest/VERSION": dial tcp: lookup toolbox-data.anchore.io: no such host
[0000] ERROR failed to remove file (C:\Users\e1\AppData\Local\Temp\grype-db-listing446274175): %!w(*fs.PathError=&{remove C:\Users\e1\AppData\Local\Temp\grype-db-listing446274175 32})
[0000] ERROR unable to close source file="testfiles/affected_jar_with_changed_name.jar" from zip="C:\\Users\\e1\\AppData\\Local\\Temp\\syft-archive-contents-937249351\\archive-testfiles.zip": flate: corrupt input before offset 1 from-lib=syft
[0000] ERROR unable to cleanup archive tempdir: remove C:\Users\e1\AppData\Local\Temp\syft-archive-contents-335866897\archive-affected_jar_with_changed_name.jar: The process cannot access the file because it is being used by another process. from-lib=syft
No vulnerabilities found

What you expected to happen:

I would have expected that grype detects my known vulnerable files in the testfiles folder.

How to reproduce it (as minimally and precisely as possible):

set GRYPE_DB_CACHE_DIR=./vulndb
grype dir:.\testfiles

I have the vulnerability db in the folder named vulndb. Below testfiles I stored two files which contain the log4j vulnerability.

Anything else we need to know?:

The same version of grype, on the same set of testfiles and locally provided offline vulndb, works on the same machine. I tested this on the WSL2 in order to have a Linux environment and here grype works as expected:

(screenshot of the WSL2 run, not reproduced here)

Environment:

Application: grype
Version: 0.31.1
Syft Version: v0.35.1
BuildDate: 2022-01-11T16:17:38Z
GitCommit: 24ef03efc4f2a5530dc458ae15f438233e730c1d
GitTreeState: clean
Platform: windows/amd64
GoVersion: go1.16.12
Compiler: gc
Supported DB Schema: 3

spiffcs commented 2 years ago

Thanks for filing this bug @mar1ged. I'll get a windows box turned on and see what I can do to reproduce this. Do you have the test files pushed to any public repository so I can be sure we're working off the same inputs?

spiffcs commented 2 years ago

Hey @mar1ged out of an abundance of caution I deleted your last comment to make sure that IF there was anything within that uploaded content that was potentially harmful it would not be available on the issue history here. Apologies in advance if it was a totally harmless zip file.

If the test files are private and internal-only, let me see if we can find a way to resolve and replicate this issue. If I am unsuccessful on my machine I will DM you and we can work from there.

Thanks again!

mar1ged commented 2 years ago

I'm fine with that.

I don't consider the provided file as harmful because it only contains a library that by itself can't do anything. I didn't put a self-executing virus inside the archive ;-)