better errors needed when database can't get updated

Open alfredodeza opened this issue 3 years ago • 2 comments

What happened: While running CI tests, got problems when the database check ran:

 go run ../../main.go ubuntu:latest -vv -o cyclonedx > bom.xml
[0000] DEBUG Application config:
configpath: ""
presenteropt: 3
output: cyclonedx
scopeopt: Squashed
scope: Squashed
quiet: false
log:
  structured: false
  levelopt: debug
  level: ""
  filelocation: ""
clioptions:
  configpath: ""
  verbosity: 2
db:
  dir: /home/runner/.cache/grype/db
  updateurl: https://toolbox-data.anchore.io/grype/databases/listing.json
  autoupdate: true
  validatebyhashonstart: false
dev:
  profilecpu: false
checkforappupdate: true
failon: ""
failonseverity: null

[0000] DEBUG No new grype update available
[0000] DEBUG gathering packages
[0000] DEBUG image: source=DockerDaemon location=ubuntu:latest from-lib=stereoscope
[0000] DEBUG loading DB
[0000] DEBUG checking for available database updates
[0000] DEBUG pulling docker image="ubuntu:latest" from-lib=stereoscope
[0000] DEBUG using docker config="/home/runner/.docker/config.json" from-lib=stereoscope
[0000] DEBUG using docker credentials for "index.docker.io" from-lib=stereoscope
[0000]  INFO unable to check for vulnerability database update
[0000] DEBUG check for vulnerability update failed: no db candidates with correct version available (maybe there is an application update available?)
[0000] ERROR failed to load vulnerability db: vulnerability database is corrupt (run db update to correct): database metadata not found: /home/runner/.cache/grype/db
exit status 1

What you expected to happen: It seems that the error involves several different problems, not sure which one is to blame for the underlying issue. This is a list of things (depending on what the problem is) I would expect:

  • If grype is "unable to check for vulnerability database update" then this must be an error, not an INFO level entry
  • If the update fails, this should also be an ERROR level message, not DEBUG.
  • If there are "no db candidates with correct version available" I would expect information as to what is "the correct version"
  • I would prefer removing open questions that a user (myself) can't answer: "maybe there is an application update available?" doesn't help me understand what is going on. What does "application update" mean in this case? Actionable messages or clarifying notifications would be better
  • It doesn't seem like the database is corrupt because the error message is "metadata not found". Which one is it? Is it metadata not found or database corrupt?

How to reproduce it (as minimally and precisely as possible): Re-running the GitHub action for the unit tests resolved this, can't really see how to reproduce it

Anything else we need to know?: This was hit while trying to get a GitHub workflow running for the v2-schema branch that is bumping the new schema version (2)

Environment:

  • Output of grype version:
  • OS (e.g: cat /etc/os-release or similar):

alfredodeza avatar Mar 30 '21 18:03 alfredodeza

When the GRYPE_DB_UPDATE_URL environment variable is incorrectly set, we got the following error message, which directs the user to update the database, which would not solve the issue.

✔ Vulnerability DB        [no update available]
New version of grype is available: 0.50.2

[0000]  WARN unable to check for vulnerability database update
1 error occurred:
	* failed to load vulnerability db: vulnerability database is corrupt (run db update to correct): database metadata not found: ~/Library/Caches/grype/db/3

What happened was in curator.go, a check was made to see if there was a vulnerability database update. After determining that there was not, it attempts to load the vulnerability database which is not possible as the GRYPE_DB_UPDATE_URL was incorrectly set and there is no database to load.

chaomonica avatar Oct 03 '22 14:10 chaomonica
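
The distinction the two comments above ask for, as an added Go sketch (not grype's code and not taken from curator.go): the update-check result and the local database state are evaluated together, so an unreachable or mismatched listing is reported as the cause and the expected schema version is stated. `dbState`, `diagnose` and the two sentinel errors are hypothetical names, and the inputs in `main` are constructed.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical sentinel errors for this sketch; these are not grype's own types.
var (
	ErrListingUnreachable = errors.New("update listing unreachable")
	ErrNoCompatibleDB     = errors.New("no database for this schema version")
)

// dbState is constructed input: what a curator-like component would observe.
type dbState struct {
	ListingErr    error // non-nil if the listing at the update URL could not be fetched
	ListedSchemas []int // schema versions the listing offers
	WantSchema    int   // schema version this build reads
	LocalMetadata bool  // true if metadata exists in the local db dir
}

// diagnose separates a degraded run (warning) from an unusable one (fatal).
func diagnose(s dbState, updateURL, dbDir string) (warning, fatal error) {
	var updateErr error
	if s.ListingErr != nil {
		updateErr = fmt.Errorf("%w (%s): %v", ErrListingUnreachable, updateURL, s.ListingErr)
	} else {
		found := false
		for _, v := range s.ListedSchemas {
			found = found || v == s.WantSchema
		}
		if !found {
			updateErr = fmt.Errorf("%w: need schema %d, listing offers %v", ErrNoCompatibleDB, s.WantSchema, s.ListedSchemas)
		}
	}
	switch {
	case updateErr == nil:
		return nil, nil // a compatible database is listed: download it or keep the current one
	case s.LocalMetadata:
		return updateErr, nil // the scan can proceed on the existing database
	default: // nothing local and nothing downloadable: name the update failure, not "corrupt"
		return nil, fmt.Errorf("no database in %s and none could be downloaded: %w", dbDir, updateErr)
	}
}

func main() {
	// Constructed case from the thread: wrong update URL and an empty cache.
	_, err := diagnose(dbState{ListingErr: errors.New("404 Not Found"), WantSchema: 3}, "https://example.invalid/listing.json", "/tmp/grype/db/3")
	fmt.Println("ERROR", err)
}
```
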

There's a related PR, though not exactly this issue: https://github.com/anchore/grype/pull/1247

kzantow avatar Aug 03 '23 20:08 kzantow