"No vulnerability database update available" when actually the check for an update was unsuccessful #310
Comments
I am not able to reproduce this. I test by doing the below:
docker run -d --name grype-test --rm -it ubuntu:latest tail -f /dev/null
docker exec -it grype-test apt update
docker exec -it grype-test apt install curl -y
docker exec -it grype-test bash -c 'curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin'
docker exec -it grype-test grype db update
The final command outputs:
✔ Vulnerability DB [updated]
Vulnerability database updated to latest version!
Maybe this was fixed already and this issue wasn't tagged to close? Tagging @tgerla @wagoodman to see if this should be closed.
I'm still able to reproduce this. @shanedell a key step that looks like it's missing in your case was to intentionally break DNS resolution (as one example of how to cause a network issue for Grype) via editing I did have that step out of order in my original issue description, and I've just edited the description to be correct. If you run through those steps, you should still see this problem.
@luhring You are right. My apologies I must have looked past the part
docker run -d --name grype-test --rm -it ubuntu:latest tail -f /dev/null
docker exec -it grype-test apt update
docker exec -it grype-test apt install curl -y
docker exec -it grype-test bash -c 'curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin'
docker exec -it grype-test bash -c 'echo "nameserver 8.8.8.9" > /etc/resolv.conf'
docker exec -it grype-test grype db update
output:
✔ Vulnerability DB [no update available]
No vulnerability database update available
Closes anchore#310 Signed-off-by: Shane Dell <shanedell100@gmail.com>
What happened:
Grype shows "No vulnerability database update available" when it hasn't actually checked to see if a database update is available.
What you expected to happen:
If Grype is unable (for any reason) to check to see if a database update is available, it should report the failure to the user and exit non-zero.
How to reproduce it (as minimally and precisely as possible):
docker run --rm -it ubuntu:latest bash
curl if it's not already present: apt-get update && apt-get install -y curl
grype: curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin
/etc/resolv.conf so that the system relies on an incorrect address for its DNS server. For example: echo "nameserver 8.8.8.9" > /etc/resolv.conf
grype db update
Grype will show "No vulnerability database update available", and its exit code will be 0.
But in fact, Grype doesn't even have a local database yet. The same behavior can be witnessed if Grype has an outdated database, too.
Anything else we need to know?:
There may exist other network-related failure modes that produce the same symptom, but this is the mode that I encountered today.
Also, this impacts the security of the user — because this output leads them to believe their Grype scans have considered the latest vulnerability data when this might not really be the case.
Environment:
grype version:
cat /etc/os-release or similar): (I've also seen this issue on macOS 11.2.3)
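The failure mode in the report above, as an added Go example that is not Grype's own code: an update check that folds a network error into "no update", next to one that surfaces the error and yields a non-zero exit status. All names here (Fetcher, ErrCheckFailed, updateAvailable, report, brokenDNS) are hypothetical, and the DNS failure is constructed.

```go
package main

import (
	"errors"
	"fmt"
	"os"
)

// Fetcher (hypothetical) returns the newest remote DB version, or a network error.
type Fetcher func() (int, error)

// ErrCheckFailed means "could not ask", as distinct from "nothing newer".
var ErrCheckFailed = errors.New("unable to check for vulnerability database update")

// updateAvailableLossy shows the symptom: a failed fetch reads as "no update".
func updateAvailableLossy(fetch Fetcher, local int) bool {
	latest, err := fetch()
	return err == nil && latest > local
}

// updateAvailable keeps the failure visible to the caller.
func updateAvailable(fetch Fetcher, local int) (bool, error) {
	latest, err := fetch()
	if err != nil {
		return false, fmt.Errorf("%w: %v", ErrCheckFailed, err)
	}
	return latest > local, nil
}

// report maps the outcome to a message and exit status (non-zero on failure).
func report(fetch Fetcher, local int) (string, int) {
	avail, err := updateAvailable(fetch, local)
	if err != nil {
		return err.Error(), 1
	}
	if avail {
		return "update available", 0
	}
	return "No vulnerability database update available", 0
}

// brokenDNS is a constructed failure modelled on the bad resolv.conf above.
func brokenDNS() (int, error) { return 0, errors.New("lookup: no such host") }

func main() {
	msg, code := report(brokenDNS, 0)
	fmt.Fprintln(os.Stderr, msg)
	os.Exit(code)
}
```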