grype-db
Installation Instructions Do Not Work as Written
Please provide a set of steps on how to reproduce the issue
- Run the install command on recent Kali Linux
curl -sSfL https://raw.githubusercontent.com/anchore/grype-db/main/install.sh | sh -s -- -b /usr/local/bin
- Run grype-db -g, fails
└─# grype-db -g
[0000] INFO grype-db version: 0.24.0
[0000] ERROR 1 error occurred:
        * unable to generate vunnel providers: unable to execute vunnel list: exec: "docker": executable file not found in $PATH

error: 1 error occurred:
        * unable to generate vunnel providers: unable to execute vunnel list: exec: "docker": executable file not found in $PATH
What happened:
grype-db -g fails to generate a list of providers, throws an error asking for docker in $PATH
What you expected to happen:
grype-db to create a list of providers
Anything else we need to know?:
Please update instructions for other necessary pre-reqs (does this require docker in some form?)
Environment:
- Output of grype-db version:
  grype-db version
  Application: grype-db
  Version: 0.24.0
  BuildDate: 2024-09-26T11:38:18Z
  GitCommit: d8d1497bd5300438ab92b42d94cb064848b2a5f8
  GitDescription: v0.24.0
  Platform: linux/amd64
  GoVersion: go1.23.1
  Compiler: gc
- OS (e.g: cat /etc/os-release or similar):
  No LSB modules are available.
  Distributor ID: Kali
  Description: Kali GNU/Linux Rolling
  Release: 2023.4
  Codename: kali-rolling
Hi @wits-zach - thanks for the issue. You're right, it's not completely clear to a new user what steps are required to bootstrap things.
You're right, you may need docker, podman, or a locally installed copy of vunnel. I went for the latter and did the following on my laptop, which already has uv installed.
$ mkdir -p ./temp/data
$ cd ./temp
$ uv venv
Using CPython 3.10.15
Creating virtual environment at: .venv
Activate with: source .venv/bin/activate
$ source .venv/bin/activate
(temp) $ uv pip install vunnel
Resolved 39 packages in 1.71s
Built untokenize==0.1.1
Built ijson==2.6.1
Built sqlalchemy==1.4.54
Prepared 30 packages in 3.64s
Installed 39 packages in 83ms
+ certifi==2024.8.30
+ charset-normalizer==3.3.2
+ click==8.1.7
+ click-default-group==1.2.4
+ colorlog==6.8.2
+ cvss==3.2
+ defusedxml==0.7.1
+ docformatter==1.5.0
+ exceptiongroup==1.2.2
+ idna==3.10
+ ijson==2.6.1
+ importlib-metadata==7.2.1
+ iniconfig==2.0.0
+ iso8601==2.1.0
+ jinja2==3.1.4
+ lxml==5.3.0
+ markupsafe==2.1.5
+ mashumaro==3.13.1
+ mergedeep==1.3.4
+ orjson==3.10.7
+ packaging==24.1
+ pluggy==1.5.0
+ pytest==8.3.3
+ pytest-snapshot==0.9.0
+ python-dateutil==2.9.0.post0
+ pyyaml==6.0.2
+ requests==2.32.3
+ six==1.16.0
+ sqlalchemy==1.4.54
+ tomli==2.0.1
+ toposort==1.10
+ typing-extensions==4.12.2
+ untokenize==0.1.1
+ urllib3==2.2.3
+ vunnel==0.27.0
+ xsdata==22.12
+ xxhash==3.5.0
+ zipp==3.20.2
+ zstandard==0.23.0
(temp) $ curl -sSfL https://raw.githubusercontent.com/anchore/grype-db/main/install.sh | sh -s -- -b .
[info] fetching release script for tag='v0.24.0'
[info] using release tag='v0.24.0' version='0.24.0' os='darwin' arch='arm64'
[info] installed ./grype-db
(temp) $ cat >.grype-db.yaml <<'EOT'
provider:
  vunnel:
    executor: local
EOT
(temp) $ ./grype-db -g
[0000] INFO grype-db version: 0.24.0
[0002] INFO aggregating vulnerability data providers=[nvd alpine amazon chainguard debian github mariner oracle rhel sles ubuntu wolfi]
[0002] INFO running vulnerability provider provider=chainguard
[0002] INFO running vulnerability provider provider=nvd
[0002] INFO running vulnerability provider provider=amazon
[0002] INFO running vulnerability provider provider=alpine
[0002] INFO chainguard: running chainguard provider
[0002] INFO nvd: running nvd provider
[0002] INFO chainguard: downloading chainguard secdb https://packages.cgr.dev/chainguard/security.json
[0002] INFO nvd: downloading all CVEs
[0002] INFO amazon: running amazon provider
[0002] INFO alpine: running alpine provider
[0002] INFO amazon: downloading amazon security advisory from https://alas.aws.amazon.com/AL2/alas.rss
[0002] INFO alpine: downloading alpine secdb metadata from: https://secdb.alpinelinux.org
[0002] INFO alpine: Downloading secdb edge main
etc.
Just thought I'd provide that to get you going, in case you don't want to install docker or podman. You don't need uv and could use plain old pip install, but this keeps it all nicely isolated.
Hope that helps, and we'll get the documentation updated accordingly.
Thanks again for the issue.
The action here is to update https://github.com/anchore/grype-db?tab=readme-ov-file#recommended to mention that grype-db doesn't do much without Vunnel, and explain that vunnel is run either in docker (which requires docker) or directly as a python package, which requires that the python package be available and on PATH.
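A preflight check for the two options named in the comment above, as an added example (not code from grype-db or from anyone in this thread): it reports whether the tool grype-db will exec is on PATH, depending on whether `.grype-db.yaml` sets `executor: local`. The function names are hypothetical, and any executor setting other than `local` is assumed to behave like the docker default seen in the issue.

```shell
#!/bin/sh
# Added example, not part of grype-db. Function names are hypothetical.

# on_path TOOL [SEARCH_PATH]
# Succeeds if TOOL resolves on SEARCH_PATH (defaults to the current $PATH).
# The lookup runs in a subshell so the caller's PATH is left untouched.
on_path() {
    (PATH="${2:-$PATH}"; command -v "$1") >/dev/null 2>&1
}

# wants_local_executor CONFIG
# Succeeds if CONFIG exists and contains the "executor: local" line
# from the .grype-db.yaml shown in the thread.
wants_local_executor() {
    [ -f "$1" ] &&
        grep -Eq '^[[:space:]]*executor:[[:space:]]*local[[:space:]]*$' "$1"
}

# grype_db_preflight [CONFIG] [SEARCH_PATH]
# Prints one status line and returns 0 only if the prerequisite is present.
grype_db_preflight() {
    config="${1:-.grype-db.yaml}"
    search_path="${2:-$PATH}"

    if wants_local_executor "$config"; then
        # Local executor: the vunnel Python package must be on PATH.
        needed=vunnel
    else
        # Assumption: without "executor: local", grype-db execs docker,
        # as the error output in the issue shows for a run with no config.
        needed=docker
    fi

    if on_path "$needed" "$search_path"; then
        echo "ok: $needed found"
        return 0
    fi
    echo "missing: $needed not found in PATH (config: $config)"
    return 1
}
```

Source the file and run `grype_db_preflight` from the directory that holds `.grype-db.yaml` before running `grype-db -g`.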
Won't the GitHub provider fail without a token? Do you have instructions for that?
Edit: I'd asked about this earlier on https://github.com/anchore/grype-db/issues/333. If I get it working I'll write up some instructions.
@smythp You're right, there are some API key requirements here, I suspect. A fresh pair of eyes on it would be very helpful. Thank you.
I've got a blog post coming out on this on dev.to on Tuesday, once that comes out I'll crib commands from it to update the README.
@smythp awesome! I love reading blog posts from users. Do feel free to post the link here - or share it in the General category on the Anchore Community Discourse to start a conversation. :)
Thanks for the suggestion, @popey. The blog post is up and I posted in the general topic. Thanks for any feedback and hope it's a useful post for those digging into Grype's upstream provider utilities.
I'll look into doing a PR for the README using this material before the end of the week. :+1:
Hey @popey, a PR for updating usage instructions is up. I also added a quickstart section.