Latest version of grype with V6 schema lists incorrect URL for v6 database
What happened:
Latest version of grype with V6 schema lists incorrect URL for v6 databases
grype db list
Status: active
Schema: v6.0.2
Built: 2025-03-07T04:06:47Z
Listing: https://grype.anchore.io/databases
DB URL: https://grype.anchore.io/vulnerability-db_v6.0.2_2025-03-07T01:30:57Z_1741320407.tar.zst
Checksum: sha256:b49ecadd781dbb5376cce851c044d9987fba100ebaa0f7bd2316d07fe8718404
But the actual URL is https://grype.anchore.io/databases/v6/vulnerability-db_v6.0.2_2025-03-07T01:30:57Z_1741320407.tar.zst and the listing URL is https://grype.anchore.io/databases/v6
What you expected to happen:
I expect to see a URL I can click on to download the DB
How to reproduce it (as minimally and precisely as possible):
Use grype db list and observe the URL
One liner curl --silent --head --output /dev/null --write-out "%{http_code}\n" $(grype db list | grep "DB URL" | awk -F" " '{print $3}') should return 200. Not 404
Environment:
- Output of grype version: 0.89.0 - commit 1bf47c38bede40dea7b72bbe4712191820f1aa15
- OS (e.g: cat /etc/os-release or similar):
cat /etc/os-release
PRETTY_NAME="Ubuntu 24.04.1 LTS"
NAME="Ubuntu"
VERSION_ID="24.04"
VERSION="24.04.1 LTS (Noble Numbat)"
VERSION_CODENAME=noble
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=noble
LOGO=ubuntu-logo
Thanks for the issue @philroche
Confirmed here:
$ grype version
Application: grype
Version: 0.89.0
BuildDate: 2025-03-06T22:15:44Z
GitCommit: 1bf47c38bede40dea7b72bbe4712191820f1aa15
GitDescription: v0.89.0
Platform: darwin/arm64
GoVersion: go1.24.1
Compiler: gc
Syft Version: v1.20.0
Supported DB Schema: 6
$ grype db list
Status: active
Schema: v6.0.2
Built: 2025-03-07T04:06:47Z
Listing: https://grype.anchore.io/databases
DB URL: https://grype.anchore.io/vulnerability-db_v6.0.2_2025-03-07T01:30:57Z_1741320407.tar.zst
Checksum: sha256:b49ecadd781dbb5376cce851c044d9987fba100ebaa0f7bd2316d07fe8718404
$ curl -I https://grype.anchore.io/vulnerability-db_v6.0.2_2025-03-07T01:30:57Z_1741320407.tar.zst
HTTP/2 404
date: Fri, 07 Mar 2025 13:10:39 GMT
content-type: text/html
vary: Accept-Encoding
cache-control: max-age=86400
cf-cache-status: HIT
age: 110
server: cloudflare
cf-ray: 91ca55929caa6376-LHR
The database does update via the right url though.
$ grype db update
✔ Vulnerability DB [updated]
Vulnerability database updated to latest version!
$ grype db status
Path: /Users/alan/Library/Caches/grype/db/6/vulnerability.db
Schema: v6.0.2
Built: 2025-03-07T04:06:47Z
Checksum: xxh64:433e6ae2f9e68538
Status: valid
There is a function that takes the "base" URL (e.g. https://grype.anchore.io/databases) and based on the schema version / direct JSON link / etc. returns the correct link. I think we just need to use that function to get the listing file in the command here, and adjust the relative database links accordingly: https://github.com/anchore/grype/blob/main/cmd/grype/cli/commands/db_list.go#L65
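The relative-link handling discussed in the comment above, as an added example that is not part of the thread and is not grype's own code: standard RFC 3986 resolution of the archive file name against the listing URL reproduces both DB URL values seen in this thread. The helper name `resolveDBURL`, the assumption that the listing carries a relative archive path, and the same-origin check are this example's own.

```go
package main

import (
	"fmt"
	"net/url"
)

// resolveDBURL (hypothetical helper, not grype's implementation) resolves the
// archive reference from a listing against the URL the listing came from.
func resolveDBURL(listingURL, dbRef string) (string, error) {
	base, err := url.Parse(listingURL)
	if err != nil {
		return "", fmt.Errorf("bad listing URL: %w", err)
	}
	ref, err := url.Parse(dbRef)
	if err != nil {
		// url.Parse rejects a relative reference whose first path segment
		// contains ':' (the timestamp in these file names does), so fall
		// back to treating the reference as a plain relative path.
		ref = &url.URL{Path: dbRef}
	}
	resolved := base.ResolveReference(ref)
	// Policy of this example (an assumption): the archive must be served
	// from the same scheme and host as the listing that points to it.
	if resolved.Scheme != base.Scheme || resolved.Host != base.Host {
		return "", fmt.Errorf("database URL %q leaves listing origin %q",
			resolved.String(), base.Host)
	}
	return resolved.String(), nil
}

func main() {
	// File name copied from the first `grype db list` output in this thread.
	const archive = "vulnerability-db_v6.0.2_2025-03-07T01:30:57Z_1741320407.tar.zst"
	listings := []string{
		"https://grype.anchore.io/databases",                // value printed in the report
		"https://grype.anchore.io/databases/v6/latest.json", // value printed after the fix
	}
	for _, listing := range listings {
		got, err := resolveDBURL(listing, archive)
		fmt.Printf("%s\n  -> %s (err: %v)\n", listing, got, err)
	}
}
```

Because the last path segment of the base is replaced during resolution, a base of `.../databases` with no trailing slash yields the 404 URL, while `.../databases/v6/latest.json` yields the working one.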
This appears to have been resolved now.
$ grype db update
✔ Vulnerability DB [updated]
Vulnerability database updated to latest version!
$ grype db list
Status: active
Schema: v6.0.2
Built: 2025-07-07T04:17:44Z
Listing: https://grype.anchore.io/databases/v6/latest.json
DB URL: https://grype.anchore.io/databases/v6/vulnerability-db_v6.0.2_2025-07-07T01:31:39Z_1751861864.tar.zst
Checksum: sha256:0f916eb75f4b817706c2db7f5cac1b413739d9c22c3950536f8b0e0752ac12ce
DB URL: is a valid URL
Closing as completed