Add info subcommand in order to query grype db vulnerabilities

[tomerse-sg]

What would you like to be added:
I would like to have an option to see what packages are vulnerable for a certain CVE according to grype's DB. for example: info CVE-XXXX-YYYYYY will return list of packages names, distro & versions.
Why is this needed:
Sometimes I want to learn more about a certain CVE and this information is already stored in grype's DB which gets the information from multiple open sources. Today grype has "explain" but it is in a context of a specific scan.
Additional context:

[willmurphyscode]

Hi @tomerse-sg, if you're interested in querying grype's database more directly, you can use a sqlite client to do so.

For example:

$ grype db status
Location:  /Users/willmurphy/Library/Caches/grype/db/5 # folder containing vulnerability.db
Built:     2023-12-06 01:27:02 +0000 UTC
Schema:    5
Checksum:  sha256:fbe733701a8472bbc5a1e321fe228cbeb337cfb3958327d9ab21d0fb36458c67
Status:    valid
$ sqlite3 /Users/willmurphy/Library/Caches/grype/db/5/vulnerability.db # run whatever query you want

You can also look a lot of this information up on public vulnerability websites, such as NVD or GHSA, although that won't tell you how grype interpreted the data.

Is there a particular query you'd like to see built into grype info? What information were you hoping to see?

[tomerse-sg]

Hi @willmurphyscode ,

Thanks for the answer.
I would like to query a specific CVE \ GHSA and get a list of all vulnerable packages without context of a specific scan.

[tgerla]

Hey @tomerse-sg, thanks for the update. We'd like to talk in more detail about this feature at some point. We would need to do some design work to get this feature right. Would you be able to join one of our community calls to discuss your work? They happen every other Thursday at noon Eastern. We just had one today.