Convenient support for db downloads from artifactory. #2004

Open
sfc-gh-mhazy opened this issue Jul 24, 2024 · 3 comments
Labels: database (Relating to the grype DB asset), enhancement (New feature or request)

Comments

@sfc-gh-mhazy

What would you like to be added:

Hi,
Thank you for developing the grype tool, it's really great.

I wanted to ask about some feature to support convenient downloads through artifactory proxies, for example JFrog.

I am happy to implement it once the proposal is accepted.

Constraints

  • Metadata file cannot be rewritten (proxy is just a passthrough), so the urls to specific dbs remain the same.

Current possible solution

  • Specify the GRYPE_DB_UPDATE_URL to download metadata from the proxy.
  • url=grype db list | some parsing to get latest db url
  • curl url -o out
  • grype db import out

Desired solution

  1. I would like to eliminate the curl step and rely solely on grype calls
  2. As a bonus the single grype db update call would be sufficient.

Proposals

  1. Expose a "rewrite" parameter for grype db update that would replace the prefix of the url from listing.json. For example: --rewrite=https://toolbox-data.anchore.io/grype/databases=https://my_proxy.com would rewrite https://toolbox-data.anchore.io/grype/databases/vulnerability-db_v5_2024-07-24T01:31:07Z_1721794870.tar.gz to https://my_proxy.com/vulnerability-db_v5_2024-07-24T01:31:07Z_1721794870.tar.gz
    • This would allow single grype db update call
    • Not sure if this is generic enough or targets just my specific problem, looking forward to your feedback.
  2. Expose UpdateTo in new or existing commands. Either grype db updateto or grype db update --version=vulnerability-db_v5_2024-07-24T01:31:07Z_1721794870.tar.gz
    • This would allow combining the curl and import into single grype call.

Why is this needed:

This is mostly for convenience.

Additional context:

@sfc-gh-mhazy sfc-gh-mhazy added the enhancement New feature or request label Jul 24, 2024
@wagoodman wagoodman added the database Relating to the grype DB asset label Jul 24, 2024
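
The prefix rewrite from proposal 1, as an added Go example that is not grype's code and not part of the original post. The `--rewrite` value format is only the issue's proposal, and `rewriteRule`, `parseRewriteRule` and `apply` are hypothetical names. It matches scheme, host and path segment rather than a raw string prefix, so a sibling path such as `/grype/databases-old/` is never redirected, and requiring `https` on both sides is this example's own choice.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// rewriteRule is a hypothetical parsed form of the proposed --rewrite=FROM=TO value.
type rewriteRule struct{ from, to *url.URL }

// parseRewriteRule splits at the "=" that starts the TO URL, so a "=" inside
// FROM cannot shift the split point. Requiring https is this example's choice.
func parseRewriteRule(s string) (rewriteRule, error) {
	i := strings.LastIndex(s, "=https://")
	if i < 0 {
		return rewriteRule{}, fmt.Errorf("rule %q: want FROM=TO with an https TO", s)
	}
	from, errFrom := url.Parse(s[:i])
	to, errTo := url.Parse(s[i+1:])
	if errFrom != nil || errTo != nil || from.Scheme != "https" || from.Host == "" || to.Host == "" {
		return rewriteRule{}, fmt.Errorf("rule %q: FROM and TO must be absolute https URLs", s)
	}
	return rewriteRule{from, to}, nil
}

// apply rewrites raw only when scheme and host equal FROM's and the path lies
// under FROM's path at a "/" boundary; anything else is returned unchanged.
func (r rewriteRule) apply(raw string) (string, bool) {
	u, err := url.Parse(raw)
	if err != nil || u.Scheme != r.from.Scheme || !strings.EqualFold(u.Host, r.from.Host) {
		return raw, false
	}
	base := strings.TrimSuffix(r.from.Path, "/") + "/"
	if !strings.HasPrefix(u.Path, base) {
		return raw, false
	}
	out := *r.to
	out.Path = strings.TrimSuffix(r.to.Path, "/") + "/" + strings.TrimPrefix(u.Path, base)
	return out.String(), true
}

func main() {
	rule, err := parseRewriteRule("https://toolbox-data.anchore.io/grype/databases=https://my_proxy.com")
	if err != nil {
		panic(err)
	}
	fmt.Println(rule.apply("https://toolbox-data.anchore.io/grype/databases/vulnerability-db_v5_2024-07-24T01:31:07Z_1721794870.tar.gz"))
}
```

The rule and database URL in `main` are the ones quoted in the proposal; a URL that does not match the rule comes back unchanged with `false`, so the caller decides whether to download it directly or refuse.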
@willmurphyscode
Contributor

Hi @sfc-gh-mhazy, thanks for the request! We plan to make the paths relative as part of the schema v6 work.

@sfc-gh-mhazy
Author

@willmurphyscode Thank you, this is great news.

Just to clarify, with such relative paths, will it be sufficient to set appropriate GRYPE_DB_UPDATE_URL value?

@kzantow
Contributor

kzantow commented Sep 4, 2024

> Just to clarify, with such relative paths, will it be sufficient to set appropriate GRYPE_DB_UPDATE_URL value?

Yes! This is exactly the idea of having relative paths to the databases, so you simply mirror the listing.json and the databases, and a proxy should just work as expected.

@kzantow kzantow moved this to Ready in OSS Sep 4, 2024
Projects
Status: Ready

4 participants