Simplify v6 distribution material #2277

wagoodman · 2024-11-21T18:10:00Z

This PR makes adjustments to the v6 schema + supporting code from previous PRs, specifically:

adjusts DB import to function with both today's and v6 schema automatically
add application config support to create v6 distribution client and installation curator config objects
removes the metadata.json file; now there is only the DB file in the distributed tarball
removes checksum from db.Distribution struct
makes the latest.json file flat (no nested objects)
adjusts the vulnerability blob such that "assigner" is plural (matches the type)
adds CHML severity scheme (will be used by the github provider)

This PR also introduces the ability to import both v6 and v5 schemas at once (since import now functions in both contexts) which requires disabling the static analysis check for cross-import of schemas.

Signed-off-by: Alex Goodman <[email protected]>

grype/db/v6/distribution/latest.go

willmurphyscode · 2024-11-25T20:20:56Z

grype/db/v6/enumerations.go

@@ -57,6 +60,11 @@ const (
 	NotAffectedFixStatus FixStatus = "not-affected"
 )

+const (
+	// AdvisoryReferenceTag is a reference to a vulnerability advisory
+	AdvisoryReferenceTag string = "advisory"


Should there be more of these?

A reference tag is a string we expect to be used often to tag a reference in https://github.com/anchore/grype/blob/main/grype/db/v6/blobs.go#L51.

What's an Advisory exactly? For example, a Red Hat Security Advisory (RHSA) is a list of patches, but a GitHub Security Advisory is a vulnerability description. Is advisory the right tag name? What kind of links or going to be tagged with this tag name?

I think I'll add these in another PR, but agree with the overall question

grype/db/v6/installation/curator.go

grype/db/v6/internal/db.go

grype/db/v6/provider_store.go

grype/db/v6/store.go

cmd/grype/cli/commands/db_import.go

Signed-off-by: Alex Goodman <[email protected]>

willmurphyscode · 2024-11-26T19:21:34Z

FYI, I re-ran the acceptance tests because they failed after a small commit with 502: bad gateway, so I assumed a transient network fault. We'll see if they pass on retry.

willmurphyscode · 2024-11-26T20:14:32Z

grype/db/v6/installation/curator.go

-		}
-	}
+	// override the checksum validation setting to ensure the checksum is always validated
+	digest, validateErr := c.validate(true)


I think this makes it so grype db status always validates the checksum, so that it can report if the db has been edited since it was fetched. Is that right?

If so, minor nit, the comment should say something like "grype db status should always validate"; right now the comment doesn't tell me why we're not passing the config setting.

righto -- I'll incorporate into another followup PR (this was automerged)

wagoodman added 3 commits November 21, 2024 10:51

adjust enumerations

9839d30

Signed-off-by: Alex Goodman <[email protected]>

simplify distribution artifacts and plumb to import

a16151b

Signed-off-by: Alex Goodman <[email protected]>

make assigner plural

8b50e31

Signed-off-by: Alex Goodman <[email protected]>

wagoodman marked this pull request as ready for review November 21, 2024 18:11

fix tests

ba4a2b4

Signed-off-by: Alex Goodman <[email protected]>

wagoodman force-pushed the v6-adjustments branch from 6c41fd6 to ba4a2b4 Compare November 21, 2024 18:18

wagoodman requested a review from kzantow November 21, 2024 18:19

wagoodman mentioned this pull request Nov 21, 2024

Add transformers for v6 DB schema anchore/grype-db#436

Draft

1 task

wagoodman added the changelog-ignore Don't include this issue in the release changelog label Nov 25, 2024

wagoodman self-assigned this Nov 25, 2024

wagoodman requested review from a team and removed request for kzantow November 25, 2024 19:10