grype db publication 2024-08-22 01:31:37 +0000 UTC db checksum does not match #2076

Closed
philroche opened this issue Aug 22, 2024 · 4 comments
@philroche

What happened:
The grype db published on 2024-08-22 01:31:37 +0000 UTC @ https://grype.anchore.io/databases/vulnerability-db_v5_2024-08-22T01:31:37Z_1724300383.tar.gz has a metadata.json checksum entry that does not match the checksum of the vulnerability.db, resulting in the error unable to update vulnerability database: bad db checksum (/tmp/grype-scratch1220908777/vulnerability.db): "sha256:a11915b8368897dd446ad5cbb855414870297841f8bccc3b466c5c5e9ba5539b" vs "sha256:9aba357712f1f68620ccd19349038e59f17a337189a075f9abea884591925f9b" when trying to import.

Using grype command directly to scan does not result in an issue but when using the https://pkg.go.dev/github.com/anchore/grype the issue is present.

What you expected to happen:
I expect the checksums to match as they have in previous db updates and imports and scan to succeed.

How to reproduce it (as minimally and precisely as possible):

➜ db list
Built:    2024-08-22 01:31:37 +0000 UTC
URL:      https://grype.anchore.io/databases/vulnerability-db_v5_2024-08-22T01:31:37Z_1724300383.tar.gz
Checksum: sha256:1c0d7e9c027c31e476352157e83575181e9420f2788ff23b01e0b4b096971541

Built:    2024-08-21 01:31:31 +0000 UTC
URL:      https://grype.anchore.io/databases/vulnerability-db_v5_2024-08-21T01:31:31Z_1724213998.tar.gz
Checksum: sha256:2aff16956eb083b6f3444b1b7c80ac64929dad293474dfc75ea20138aedb3bb1

Built:    2024-08-20 01:31:48 +0000 UTC
URL:      https://grype.anchore.io/databases/vulnerability-db_v5_2024-08-20T01:31:48Z_1724127570.tar.gz
Checksum: sha256:53db3b06bc97a9bcc042cb6fe335e3584ab180d707b901307c304e30aa7af783

Built:    2024-08-19 01:31:16 +0000 UTC
URL:      https://grype.anchore.io/databases/vulnerability-db_v5_2024-08-19T01:31:16Z_1724075654.tar.gz
Checksum: sha256:23f6bf57e6f22cd66fa2e51873c5356108b12e3a06e46a06bbe69e088718ab55

4 databases available for schema 5

➜ wget -q "https://grype.anchore.io/databases/vulnerability-db_v5_2024-08-22T01:31:37Z_1724300383.tar.gz" -O db.tar.gz
➜ tar --extract --ungzip --file "db.tar.gz"                                                                        
➜ sha256sum vulnerability.db                                                                
9aba357712f1f68620ccd19349038e59f17a337189a075f9abea884591925f9b  vulnerability.db
➜ jq '.checksum' metadata.json                         
"sha256:a11915b8368897dd446ad5cbb855414870297841f8bccc3b466c5c5e9ba5539b"
➜  20240822-grype-db-issues 

Anything else we need to know?:

Example from the previous db published on 2024-08-21 01:31:31 +0000 UTC

➜  wget -q -O db.tar.gz "https://grype.anchore.io/databases/vulnerability-db_v5_2024-08-21T01:31:31Z_1724213998.tar.gz"
➜  tar --extract --ungzip --file "db.tar.gz"
➜  sha256sum vulnerability.db
46c455997da1f2b649e2d4b9590ddc7d95ad2890f80e1d9cadf76e7f6764563d  vulnerability.db
➜ jq '.checksum' metadata.json
"sha256:46c455997da1f2b649e2d4b9590ddc7d95ad2890f80e1d9cadf76e7f6764563d"

Environment:

  • Output of grype version:
grype version
Application:         grype
Version:             0.80.0
BuildDate:           2024-08-20T17:56:40Z
GitCommit:           205ccfb6c90edb7258a9d25995f0a59c32e48142
GitDescription:      v0.80.0
Platform:            linux/amd64
GoVersion:           go1.22.6
Compiler:            gc
Syft Version:        v1.11.1
Supported DB Schema: 5
  • OS (e.g: cat /etc/os-release or similar):
cat /etc/os-release                                                              
PRETTY_NAME="Ubuntu 24.04 LTS"
NAME="Ubuntu"
VERSION_ID="24.04"
VERSION="24.04 LTS (Noble Numbat)"
VERSION_CODENAME=noble
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=noble
LOGO=ubuntu-logo
@philroche philroche added the bug Something isn't working label Aug 22, 2024
@willmurphyscode willmurphyscode self-assigned this Aug 22, 2024
@willmurphyscode willmurphyscode moved this to In Progress in OSS Aug 22, 2024
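
The manual check in the report above (hash vulnerability.db, compare with the checksum field in metadata.json) can be run programmatically before a database archive is handed to an importer. This is an added example, not code from the issue or from grype; the function names are hypothetical, the sample archives are constructed, and it assumes both files sit in the archive as regular members with those basenames.

```python
import hashlib
import io
import json
import posixpath
import tarfile


def verify_db_archive(fileobj):
    """Compare metadata.json's checksum with the SHA-256 of vulnerability.db.

    Returns (ok, expected_hex, actual_hex). Members are read directly from
    the archive, so nothing is written to disk before the digest is checked.
    """
    with tarfile.open(fileobj=fileobj, mode="r:gz") as tar:
        members = {posixpath.basename(m.name): m
                   for m in tar.getmembers() if m.isfile()}
        meta = json.load(tar.extractfile(members["metadata.json"]))
        algo, _, expected = meta["checksum"].partition(":")
        if algo != "sha256" or len(expected) != 64:
            raise ValueError(f"unsupported checksum entry: {meta['checksum']!r}")
        digest = hashlib.sha256()
        with tar.extractfile(members["vulnerability.db"]) as db:
            for chunk in iter(lambda: db.read(1 << 20), b""):
                digest.update(chunk)  # stream: real databases are large
    actual = digest.hexdigest()
    return expected.lower() == actual, expected, actual


def build_sample_archive(db_bytes, recorded_hex):
    """Constructed stand-in for a published archive (not real grype data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        meta = json.dumps({"checksum": "sha256:" + recorded_hex}).encode()
        for name, data in (("metadata.json", meta), ("vulnerability.db", db_bytes)):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    db = b"constructed database bytes"
    good = hashlib.sha256(db).hexdigest()
    for label, recorded in (("matching", good), ("mismatched", "0" * 64)):
        ok, expected, actual = verify_db_archive(build_sample_archive(db, recorded))
        print(f"{label}: ok={ok} expected={expected[:12]} actual={actual[:12]}")
```

Because metadata.json travels inside the same archive, this check catches an inconsistent publication like the one reported here. The `Checksum:` value printed by the `db list` output above is a different value from the one in metadata.json and is not what this function compares.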
@willmurphyscode
Contributor

Hi @philroche thanks for the report. I'm taking a look now.

@philroche philroche changed the title gryp db publication 2024-08-22 01:31:37 +0000 UTC db checksum does not match grype db publication 2024-08-22 01:31:37 +0000 UTC db checksum does not match Aug 22, 2024
@philroche
Author

@willmurphyscode Thank you. The latest grype db published today has no checksum issue.

➜  20240822-grype-db-issues grype db delete && grype db update
Vulnerability database deleted
 ✔ Vulnerability DB                [updated]  
Vulnerability database updated to latest version!
➜  20240822-grype-db-issues grype db list | head -n 3                                                                                 
Built:    2024-08-23 01:31:27 +0000 UTC
URL:      https://grype.anchore.io/databases/vulnerability-db_v5_2024-08-23T01:31:27Z_1724386835.tar.gz
Checksum: sha256:d8b31c95d998c89f4664a2f318ad727bb45c8a2c918a3dddd8196afd985e5db1
➜  20240822-grype-db-issues wget -q -O db.tar.gz "https://grype.anchore.io/databases/vulnerability-db_v5_2024-08-23T01:31:27Z_1724386835.tar.gz"
➜  20240822-grype-db-issues tar --extract --ungzip --file "db.tar.gz"
➜  20240822-grype-db-issues sha256sum vulnerability.db
4fdadd9a0d6d2c43ab18a5c3086145f15534206fed803aae2f18034bf5dca719  vulnerability.db
➜  20240822-grype-db-issues jq '.checksum' metadata.json
"sha256:4fdadd9a0d6d2c43ab18a5c3086145f15534206fed803aae2f18034bf5dca719"

Scans are being performed successfully with this db.

@willmurphyscode
Contributor

Hi @philroche thanks for the report and for reporting back that it's fixed! I'm glad things are working for you now.

Aside: I'm adding changelog-ignore to this because no change was made in grype, only in the DB publishing infra.

@github-project-automation github-project-automation bot moved this from In Progress to Done in OSS Aug 23, 2024
@willmurphyscode willmurphyscode added changelog-ignore Don't include this issue in the release changelog and removed bug Something isn't working labels Aug 23, 2024
@philroche
Author

Thanks for the quick turnaround
