Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Simplify v6 distribution material #2277

Open
wants to merge 4 commits into
base: main
Choose a base branch
from
Open

Simplify v6 distribution material #2277

wants to merge 4 commits into from

Conversation

wagoodman
Copy link
Contributor

@wagoodman wagoodman commented Nov 21, 2024

This PR makes adjustments to the v6 schema + supporting code from previous PRs, specifically:

  • adjusts DB import to function with both today's and v6 schema automatically
  • add application config support to create v6 distribution client and installation curator config objects
  • removes the metadata.json file; now there is only the DB file in the distributed tarball
  • removes checksum from db.Distribution struct
  • makes the latest.json file flat (no nested objects)
  • adjusts the vulnerability blob such that "assigner" is plural (matches the type)
  • adds CHML severity scheme (will be used by the github provider)

This PR also introduces the ability to import both v6 and v5 schemas at once (since import now functions in both contexts) which requires disabling the static analysis check for cross-import of schemas.

@wagoodman wagoodman marked this pull request as ready for review November 21, 2024 18:11
Signed-off-by: Alex Goodman <[email protected]>
@wagoodman wagoodman added the changelog-ignore Don't include this issue in the release changelog label Nov 25, 2024
@wagoodman wagoodman self-assigned this Nov 25, 2024
@wagoodman wagoodman requested review from a team and removed request for kzantow November 25, 2024 19:10
}

// calculate the sh256sum of the archive
checksum, err := db.CalculateArchiveDigest(cfg.DBFilePath())
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should the parameter here be path not cfg.DBFilePath()? It seems weird t calculate the archive digest by doing anything besides hashing the tar.

@@ -67,6 +73,43 @@ func NewLatestFromReader(reader io.Reader) (*LatestDocument, error) {
return &l, nil
}

func NewArchive(path string) (*Archive, error) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this constructor still necessary if the suggestion at https://github.com/anchore/grype-db/pull/437/files#r1857293906 is implemented?

@@ -57,6 +60,11 @@ const (
NotAffectedFixStatus FixStatus = "not-affected"
)

const (
// AdvisoryReferenceTag is a reference to a vulnerability advisory
AdvisoryReferenceTag string = "advisory"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should there be more of these?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A reference tag is a string we expect to be used often to tag a reference in https://github.com/anchore/grype/blob/main/grype/db/v6/blobs.go#L51.

What's an Advisory exactly? For example, a Red Hat Security Advisory (RHSA) is a list of patches, but a GitHub Security Advisory is a vulnerability description. Is advisory the right tag name? What kind of links or going to be tagged with this tag name?

var persistentErr error
digest, persistentErr := db.CalculateDBDigest(c.config.DBFilePath())

if validateErr := c.validate(); validateErr != nil {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How did the digest from line 106 get into c.validate()? Are we calculating the digest twice?

@@ -301,13 +313,13 @@ func (c curator) activate(dbDirPath string, mon monitor) error {

// overwrite the checksums file with the new checksums
dbFilePath := filepath.Join(dbDirPath, db.VulnerabilityDBFileName)
desc, err := db.CalculateDescription(dbFilePath)
digest, err := db.CalculateDBDigest(dbFilePath)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Add to method dc comment and calculates the db checksum and writes the checksum file.

@@ -14,7 +14,7 @@ func NewDB(dbFilePath string, models []any, truncate bool) (*gorm.DB, error) {
return nil, err
}

if len(models) > 0 {
if len(models) > 0 && truncate {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This line, and probably this method, could use a comment that we have only 2 modes of interacting with the DB which shouldn't mix:

  1. Read mode for Grype at runtime should not migrate, vacuum, etc to avoid changing checksum or other corruption
  2. Writing via grype-db should truncate the path to an empty db, apply all migration, migrate.

log.Trace("fetching all provider records")

var providers []Provider
result := s.db.Find(&providers)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does this need any sort of ordering?

fh, err := os.OpenFile(filepath.Join(s.config.DBDirPath, ChecksumFileName), os.O_CREATE|os.O_TRUNC|os.O_WRONLY, 0644)
if err != nil {
return fmt.Errorf("failed to open description file: %w", err)
}

return WriteChecksums(fh, *desc)
return WriteChecksums(fh, digest)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Might be worth a comment or logging like "no-op on read-only store"

}

return stderrPrintLnf("Vulnerability database imported")
}

func isLegacy(path string) bool {
return !strings.Contains(filepath.Base(path), "vulnerability-db_v6")
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since a rename might make this return true when it shouldn't, it might be worth inverting to isNew for now. It might be nice to have a config or a less brittle check or something at some point.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
changelog-ignore Don't include this issue in the release changelog
Projects
Status: In Review
Development

Successfully merging this pull request may close these issues.

2 participants