Update Grype database version to 6

Author: ramanan-ravi

Dockerfile

@@ -24,8 +24,6 @@ ENV PACKAGE_SCAN_CONCURRENCY=5 \
     DOCKER_VERSION=29.1.3 \
     NERDCTL_VERSION=2.2.0
 
-# ENV GRYPE_DB_UPDATE_URL="https://threat-intel.deepfence.io/vulnerability-db/listing.json"
-
 COPY --from=build /go/package-scanner/package-scanner /usr/local/bin/package-scanner
 COPY --from=build /go/package-scanner/tools/grype-bin/grype.bin /usr/local/bin/grype
 COPY --from=build /go/package-scanner/tools/syft-bin/syft.bin /usr/local/bin/syft

go.mod

@@ -8,7 +8,7 @@ replace github.com/deepfence/YaraHunter => ../YaraHunter
 
 require (
 	github.com/Jeffail/tunny v0.1.4
-	github.com/deepfence/YaraHunter v0.0.0-20251223175657-4ceef247193f
+	github.com/deepfence/YaraHunter v0.0.0-20251227063923-c7661011a975
 	github.com/deepfence/agent-plugins-grpc v0.0.0-00010101000000-000000000000
 	github.com/deepfence/golang_deepfence_sdk/client v0.0.0-20251220185839-eab97c9c3b76
 	github.com/deepfence/golang_deepfence_sdk/utils v0.0.0-20251220185839-eab97c9c3b76

grype.yaml

@@ -1,73 +1,250 @@
-# enable/disable checking for application updates on startup
-# same as GRYPE_CHECK_FOR_APP_UPDATE env var
-check-for-app-update: false
+log:
+  # suppress all logging output (env: GRYPE_LOG_QUIET)
+  quiet: false
 
-# upon scanning, if a severity is found at or above the given severity then the return code will be 1
-# default is unset which will skip this validation (options: negligible, low, medium, high, critical)
-# same as --fail-on ; GRYPE_FAIL_ON_SEVERITY env var
-fail-on-severity: ''
+  # explicitly set the logging level (available: [error warn info debug trace]) (env: GRYPE_LOG_LEVEL)
+  level: "warn"
+
+  # file path to write logs to (env: GRYPE_LOG_FILE)
+  file: ""
+
+dev:
+  # capture resource profiling data (available: [cpu, mem]) (env: GRYPE_DEV_PROFILE)
+  profile: ""
 
-# the output format of the vulnerability report (options: table, json, cyclonedx)
-# same as -o ; GRYPE_OUTPUT env var
-output: "table"
+  db:
+    # (env: GRYPE_DEV_DB_DEBUG)
+    debug: false
 
-# suppress all output (except for the vulnerability list)
-# same as -q ; GRYPE_QUIET env var
-quiet: false
+# the output format of the vulnerability report (options: table, template, json, cyclonedx)
+# when using template as the output type, you must also provide a value for 'output-template-file' (env: GRYPE_OUTPUT)
+output: []
 
-# write output report to a file (default is to write to stdout)
-# same as --file; GRYPE_FILE env var
+# if using template output, you must provide a path to a Go template file
+# see https://github.com/anchore/grype#using-templates for more information on template output
+# the default path to the template file is the current working directory
+# output-template-file: .grype/html.tmpl
+#
+# write output report to a file (default is to write to stdout) (env: GRYPE_FILE)
 file: ""
 
+# pretty-print output (env: GRYPE_PRETTY)
+pretty: false
+
+# distro to match against in the format: <distro>[-:@]<version> (env: GRYPE_DISTRO)
+distro: ""
+
+# generate CPEs for packages with no CPE data (env: GRYPE_ADD_CPES_IF_NONE)
+add-cpes-if-none: false
+
+# specify the path to a Go template file (requires 'template' output to be selected) (env: GRYPE_OUTPUT_TEMPLATE_FILE)
+output-template-file: ""
+
+# enable/disable checking for application updates on startup (env: GRYPE_CHECK_FOR_APP_UPDATE)
+check-for-app-update: true
+
+# ignore matches for vulnerabilities that are not fixed (env: GRYPE_ONLY_FIXED)
+only-fixed: false
+
+# ignore matches for vulnerabilities that are fixed (env: GRYPE_ONLY_NOTFIXED)
+only-notfixed: false
+
+# ignore matches for vulnerabilities with specified comma separated fix states, options=[fixed not-fixed unknown wont-fix] (env: GRYPE_IGNORE_WONTFIX)
+ignore-wontfix: ""
+
+# an optional platform specifier for container image sources (e.g. 'linux/arm64', 'linux/arm64/v8', 'arm64', 'linux') (env: GRYPE_PLATFORM)
+platform: ""
+
+search:
+  # selection of layers to analyze, options=[squashed all-layers deep-squashed] (env: GRYPE_SEARCH_SCOPE)
+  scope: "squashed"
+
+  # search within archives that do not contain a file index to search against (tar, tar.gz, tar.bz2, etc)
+  # note: enabling this may result in a performance impact since all discovered compressed tars will be decompressed
+  # note: for now this only applies to the java package cataloger (env: GRYPE_SEARCH_UNINDEXED_ARCHIVES)
+  unindexed-archives: false
+
+  # search within archives that do contain a file index to search against (zip)
+  # note: for now this only applies to the java package cataloger (env: GRYPE_SEARCH_INDEXED_ARCHIVES)
+  indexed-archives: true
+
+# A list of vulnerability ignore rules, one or more property may be specified and all matching vulnerabilities will be ignored.
+# This is the full set of supported rule fields:
+#   - vulnerability: CVE-2008-4318
+#     fix-state: unknown
+#     package:
+#       name: libcurl
+#       version: 1.5.1
+#       type: npm
+#       location: "/usr/local/lib/node_modules/**"
+#
+# VEX fields apply when Grype reads vex data:
+#   - vex-status: not_affected
+#     vex-justification: vulnerable_code_not_present
+ignore: []
+
 # a list of globs to exclude from scanning, for example:
-# exclude:
 #   - '/etc/**'
 #   - './out/**/*.json'
-# same as --exclude ; GRYPE_EXCLUDE env var
+# same as --exclude (env: GRYPE_EXCLUDE)
 exclude:
 - '/opt/deepfence/**'
 
-# os and/or architecture to use when referencing container images (e.g. "windows/armv6" or "arm64")
-# same as --platform; GRYPE_PLATFORM env var
-platform: ""
+external-sources:
+  # enable Grype searching network source for additional information (env: GRYPE_EXTERNAL_SOURCES_ENABLE)
+  enable: false
 
-# If using SBOM input, automatically generate CPEs when packages have none
-add-cpes-if-none: false
+  maven:
+    # search for Maven artifacts by SHA1 (env: GRYPE_EXTERNAL_SOURCES_MAVEN_SEARCH_MAVEN_UPSTREAM)
+    search-maven-upstream: true
+
+    # base URL of the Maven repository to search (env: GRYPE_EXTERNAL_SOURCES_MAVEN_BASE_URL)
+    base-url: "https://search.maven.org/solrsearch/select"
+
+    # (env: GRYPE_EXTERNAL_SOURCES_MAVEN_RATE_LIMIT)
+    rate-limit: 300ms
+
+match:
+  java:
+    # use CPE matching to find vulnerabilities (env: GRYPE_MATCH_JAVA_USING_CPES)
+    using-cpes: false
+
+  jvm:
+    # (env: GRYPE_MATCH_JVM_USING_CPES)
+    using-cpes: true
+
+  dotnet:
+    # use CPE matching to find vulnerabilities (env: GRYPE_MATCH_DOTNET_USING_CPES)
+    using-cpes: false
+
+  golang:
+    # use CPE matching to find vulnerabilities (env: GRYPE_MATCH_GOLANG_USING_CPES)
+    using-cpes: false
+
+    # use CPE matching to find vulnerabilities for the Go standard library (env: GRYPE_MATCH_GOLANG_ALWAYS_USE_CPE_FOR_STDLIB)
+    always-use-cpe-for-stdlib: true
+
+    # allow comparison between main module pseudo-versions (e.g. v0.0.0-20240413-2b432cf643...) (env: GRYPE_MATCH_GOLANG_ALLOW_MAIN_MODULE_PSEUDO_VERSION_COMPARISON)
+    allow-main-module-pseudo-version-comparison: false
+
+  javascript:
+    # use CPE matching to find vulnerabilities (env: GRYPE_MATCH_JAVASCRIPT_USING_CPES)
+    using-cpes: false
+
+  python:
+    # use CPE matching to find vulnerabilities (env: GRYPE_MATCH_PYTHON_USING_CPES)
+    using-cpes: false
+
+  ruby:
+    # use CPE matching to find vulnerabilities (env: GRYPE_MATCH_RUBY_USING_CPES)
+    using-cpes: false
 
-# Explicitly specify a linux distribution to use as <distro>:<version> like alpine:3.10
-distro:
+  rust:
+    # use CPE matching to find vulnerabilities (env: GRYPE_MATCH_RUST_USING_CPES)
+    using-cpes: false
+
+  stock:
+    # use CPE matching to find vulnerabilities (env: GRYPE_MATCH_STOCK_USING_CPES)
+    using-cpes: true
+
+# upon scanning, if a severity is found at or above the given severity then the return code will be 1
+# default is unset which will skip this validation (options: negligible, low, medium, high, critical) (env: GRYPE_FAIL_ON_SEVERITY)
+fail-on-severity: ""
+
+registry:
+  # skip TLS verification when communicating with the registry (env: GRYPE_REGISTRY_INSECURE_SKIP_TLS_VERIFY)
+  insecure-skip-tls-verify: false
+
+  # use http instead of https when connecting to the registry (env: GRYPE_REGISTRY_INSECURE_USE_HTTP)
+  insecure-use-http: false
+
+  # Authentication credentials for specific registries. Each entry describes authentication for a specific authority:
+  # - authority: the registry authority URL the URL to the registry (e.g. "docker.io", "localhost:5000", etc.) (env: SYFT_REGISTRY_AUTH_AUTHORITY)
+  #  username: a username if using basic credentials (env: SYFT_REGISTRY_AUTH_USERNAME)
+  #  password: a corresponding password (env: SYFT_REGISTRY_AUTH_PASSWORD)
+  #  token: a token if using token-based authentication, mutually exclusive with username/password (env: SYFT_REGISTRY_AUTH_TOKEN)
+  #  tls-cert: filepath to the client certificate used for TLS authentication to the registry (env: SYFT_REGISTRY_AUTH_TLS_CERT)
+  #  tls-key: filepath to the client key used for TLS authentication to the registry (env: SYFT_REGISTRY_AUTH_TLS_KEY)
+  auth: []
+
+  # filepath to a CA certificate (or directory containing *.crt, *.cert, *.pem) used to generate the client certificate (env: GRYPE_REGISTRY_CA_CERT)
+  ca-cert: ""
+
+# show suppressed/ignored vulnerabilities in the output (only supported with table output format) (env: GRYPE_SHOW_SUPPRESSED)
+show-suppressed: false
+
+# orient results by CVE instead of the original vulnerability ID when possible (env: GRYPE_BY_CVE)
+by-cve: false
+
+# sort the match results with the given strategy, options=[package severity epss risk kev vulnerability] (env: GRYPE_SORT_BY)
+sort-by: "risk"
+
+# same as --name; set the name of the target being analyzed (env: GRYPE_NAME)
+name: ""
+
+# allows users to specify which image source should be used to generate the sbom
+# valid values are: registry, docker, podman (env: GRYPE_DEFAULT_IMAGE_PULL_SOURCE)
+default-image-pull-source: ""
+
+# specify the source behavior to use (e.g. docker, registry, podman, oci-dir, ...) (env: GRYPE_FROM)
+from: []
+
+# a list of VEX documents to consider when producing scanning results (env: GRYPE_VEX_DOCUMENTS)
+vex-documents: []
+
+# VEX statuses to consider as ignored rules (env: GRYPE_VEX_ADD)
+vex-add: []
+
+# match kernel-header packages with upstream kernel as kernel vulnerabilities (env: GRYPE_MATCH_UPSTREAM_KERNEL_HEADERS)
+match-upstream-kernel-headers: false
+
+fix-channel:
+  redhat-eus:
+    # whether fixes from this channel should be considered, options are "never", "always", or "auto" (conditionally applied based on SBOM data) (env: GRYPE_FIX_CHANNEL_REDHAT_EUS_APPLY)
+    apply: "auto"
+
+    # (env: GRYPE_FIX_CHANNEL_REDHAT_EUS_VERSIONS)
+    versions: ">= 8.0"
+
+# (env: GRYPE_TIMESTAMP)
+timestamp: true
 
 db:
-  # check for database updates on execution
-  # same as GRYPE_DB_AUTO_UPDATE env var
-  auto-update: true
-  
-  # location to write the vulnerability database cache
-  # same as GRYPE_DB_CACHE_DIR env var
+  # location to write the vulnerability database cache (env: GRYPE_DB_CACHE_DIR)
   cache-dir: "/root/.cache/grype/db"
-  
-  # URL of the vulnerability database
-  # same as GRYPE_DB_UPDATE_URL env var
-  update-url: "https://threat-intel.deepfence.io/vulnerability-db/listing.json"
 
-  # it ensures db build is no older than the max-allowed-built-age
-  # set to false to disable check
+  # URL of the vulnerability database (env: GRYPE_DB_UPDATE_URL)
+  update-url: "https://threat-intel.threatmapper.org/threat-intel/vulnerability"
+
+  # certificate to trust download the database and listing file (env: GRYPE_DB_CA_CERT)
+  ca-cert: ""
+
+  # check for database updates on execution (env: GRYPE_DB_AUTO_UPDATE)
+  auto-update: true
+
+  # validate the database matches the known hash each execution (env: GRYPE_DB_VALIDATE_BY_HASH_ON_START)
+  validate-by-hash-on-start: false
+
+  # ensure db build is no older than the max-allowed-built-age (env: GRYPE_DB_VALIDATE_AGE)
   validate-age: false
-  
+
   # Max allowed age for vulnerability database,
   # age being the time since it was built
-  # Default max age is 120h (or five days)
-  max-allowed-built-age: "120h"
+  # Default max age is 120h (or five days) (env: GRYPE_DB_MAX_ALLOWED_BUILT_AGE)
+  max-allowed-built-age: 120h0m0s
 
-log:
-  # use structured logging
-  # same as GRYPE_LOG_STRUCTURED env var
-  structured: false
-  
-  # the log level; note: detailed logging suppress the ETUI
-  # same as GRYPE_LOG_LEVEL env var
-  level: "error"
-  
-  # location to write the log file (default is not to have a log file)
-  # same as GRYPE_LOG_FILE env var
-  file: ""
+  # fail the scan if unable to check for database updates (env: GRYPE_DB_REQUIRE_UPDATE_CHECK)
+  require-update-check: false
+
+  # Timeout for downloading GRYPE_DB_UPDATE_URL to see if the database needs to be downloaded
+  # This file is ~156KiB as of 2024-04-17 so the download should be quick; adjust as needed (env: GRYPE_DB_UPDATE_AVAILABLE_TIMEOUT)
+  update-available-timeout: 30s
+
+  # Timeout for downloading actual vulnerability DB
+  # The DB is ~156MB as of 2024-04-17 so slower connections may exceed the default timeout; adjust as needed (env: GRYPE_DB_UPDATE_DOWNLOAD_TIMEOUT)
+  update-download-timeout: 5m0s
+
+  # Maximum frequency to check for vulnerability database updates (env: GRYPE_DB_MAX_UPDATE_CHECK_FREQUENCY)
+  max-update-check-frequency: 2h0m0s
+
+exp:

run-once.go

@@ -27,7 +27,7 @@ import (
 
 var (
 	checksumFile = "checksum.txt"
-	grypeDBPath  = "grype/db/5"
+	grypeDBPath  = "grype/db/6"
 )
 
 func RunOnce(config utils.Config) {
@@ -68,7 +68,13 @@ func RunOnce(config utils.Config) {
 		if config.ScanID == "" {
 			config.ScanID = fmt.Sprintf("%s_%d", hostname, utils.GetIntTimestamp())
 		}
-		if imageID, err := config.ContainerRuntime.GetImageID(config.Source); err != nil {
+		// Check if ContainerRuntime is available before trying to get image ID
+		if config.ContainerRuntime == nil {
+			log.Warn().Msg("container runtime not available, using source as node ID")
+			imageID := uuid.New().String()
+			config.ImageID = imageID
+			config.NodeID = imageID
+		} else if imageID, err := config.ContainerRuntime.GetImageID(config.Source); err != nil {
 			log.Error().Err(err).Msg("failed to get image ID")
 			// generate image_id if we are unable to get it from runtime
 			imageID = []byte(uuid.New().String())

scanner/grype/grype.go

@@ -17,7 +17,7 @@ import (
 )
 
 const (
-	grypeDBVersion = "5"
+	grypeDBVersion = "6"
 )
 
 var (