Latest version of grype with V6 schema lists incorrect URL for v6 database #2513

Open
philroche opened this issue Mar 7, 2025 · 2 comments
Labels
bug Something isn't working good-first-issue Good for newcomers

Comments

@philroche

What happened:

Latest version of grype with V6 schema lists incorrect URL for v6 databases

grype db list                                              
Status:   active
Schema:   v6.0.2
Built:    2025-03-07T04:06:47Z
Listing:  https://grype.anchore.io/databases
DB URL:   https://grype.anchore.io/vulnerability-db_v6.0.2_2025-03-07T01:30:57Z_1741320407.tar.zst
Checksum: sha256:b49ecadd781dbb5376cce851c044d9987fba100ebaa0f7bd2316d07fe8718404

But the actual URL is https://grype.anchore.io/databases/v6/vulnerability-db_v6.0.2_2025-03-07T01:30:57Z_1741320407.tar.zst and the listing URL is https://grype.anchore.io/databases/v6

What you expected to happen:

I expect to see a URL I can click on to download the DB

How to reproduce it (as minimally and precisely as possible):

Use grype db list and observe the URL

One-liner: curl --silent --head --output /dev/null --write-out "%{http_code}\n" "$(grype db list | grep "DB URL" | awk '{print $NF}')" should return 200, not 404.

Environment:

  • Output of grype version:
    0.89.0 - commit 1bf47c3

  • OS (e.g: cat /etc/os-release or similar):

cat /etc/os-release                                                                                                             
PRETTY_NAME="Ubuntu 24.04.1 LTS"
NAME="Ubuntu"
VERSION_ID="24.04"
VERSION="24.04.1 LTS (Noble Numbat)"
VERSION_CODENAME=noble
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=noble
LOGO=ubuntu-logo
@philroche philroche added the bug Something isn't working label Mar 7, 2025
@popey
Contributor

popey commented Mar 7, 2025

Thanks for the issue @philroche

Confirmed here:

$ grype version
Application:         grype
Version:             0.89.0
BuildDate:           2025-03-06T22:15:44Z
GitCommit:           1bf47c38bede40dea7b72bbe4712191820f1aa15
GitDescription:      v0.89.0
Platform:            darwin/arm64
GoVersion:           go1.24.1
Compiler:            gc
Syft Version:        v1.20.0
Supported DB Schema: 6
$ grype db list
Status:   active
Schema:   v6.0.2
Built:    2025-03-07T04:06:47Z
Listing:  https://grype.anchore.io/databases
DB URL:   https://grype.anchore.io/vulnerability-db_v6.0.2_2025-03-07T01:30:57Z_1741320407.tar.zst
Checksum: sha256:b49ecadd781dbb5376cce851c044d9987fba100ebaa0f7bd2316d07fe8718404
$ curl -I https://grype.anchore.io/vulnerability-db_v6.0.2_2025-03-07T01:30:57Z_1741320407.tar.zst
HTTP/2 404
date: Fri, 07 Mar 2025 13:10:39 GMT
content-type: text/html
vary: Accept-Encoding
cache-control: max-age=86400
cf-cache-status: HIT
age: 110
server: cloudflare
cf-ray: 91ca55929caa6376-LHR

The database does update via the right url though.

$ grype db update
 ✔ Vulnerability DB                [updated]
Vulnerability database updated to latest version!
$ grype db status
Path:      /Users/alan/Library/Caches/grype/db/6/vulnerability.db
Schema:    v6.0.2
Built:     2025-03-07T04:06:47Z
Checksum:  xxh64:433e6ae2f9e68538
Status:    valid

@kzantow kzantow moved this to Ready in OSS Mar 7, 2025
@kzantow kzantow added the good-first-issue Good for newcomers label Mar 7, 2025
@kzantow
Contributor

kzantow commented Mar 7, 2025

There is a function that takes the "base" URL (e.g. https://grype.anchore.io/databases) and based on the schema version / direct JSON link / etc. returns the correct link. I think we just need to use that function to get the listing file in the command here, and adjust the relative database links accordingly: https://github.com/anchore/grype/blob/main/cmd/grype/cli/commands/db_list.go#L65
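
Added example (not grype's code and not written by anyone in this thread): standard RFC 3986 resolution of a relative database link against different listing URLs, using Go's net/url. It assumes the database link is a bare file name relative to the listing; `resolveDBURL` and the `listing.json` file name are hypothetical. Resolving against the "Listing" value printed in the report yields the same URL that returned 404.

```go
package main

import (
	"fmt"
	"net/url"
)

// Constructed from the `grype db list` output in the report above.
const dbFile = "vulnerability-db_v6.0.2_2025-03-07T01:30:57Z_1741320407.tar.zst"

// resolveDBURL (hypothetical helper) resolves a relative database link
// against the URL its listing was served from, per RFC 3986 section 5.2.
func resolveDBURL(listingURL, dbRef string) (string, error) {
	base, err := url.Parse(listingURL)
	if err != nil {
		return "", fmt.Errorf("parse listing URL: %w", err)
	}
	if !base.IsAbs() {
		return "", fmt.Errorf("listing URL %q is not absolute", listingURL)
	}
	ref, err := url.Parse(dbRef)
	if err != nil {
		// The archive name embeds a timestamp, and url.Parse rejects a
		// relative reference whose first path segment contains ':'.
		// Fall back to treating the whole string as a plain path.
		ref = &url.URL{Path: dbRef}
	}
	return base.ResolveReference(ref).String(), nil
}

func main() {
	bases := []string{
		"https://grype.anchore.io/databases",                 // "Listing" value printed in the report
		"https://grype.anchore.io/databases/v6",              // no trailing slash: "v6" is replaced
		"https://grype.anchore.io/databases/v6/",             // trailing slash: "v6" is kept
		"https://grype.anchore.io/databases/v6/listing.json", // hypothetical listing file name
	}
	for _, b := range bases {
		got, err := resolveDBURL(b, dbFile)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("%-52s -> %s\n", b, got)
	}
}
```

Only the last two bases produce the URL the reporter gives as the actual download location; a base without a trailing slash loses its final path segment during resolution.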
