
Grype setup: Check DB status before updating

Why is this change being made?

During tests with Grype in my local dev environment in https://gitlab.com/gitlab-org/security-products/analyzers/container-scanning/-/issues/6, the Docker build with the DB update took forever. It seems that checking the DB status first can help determine the state better before proceeding.

It is also a nice debug output for developers, showing that there actually is an update available; the DB update itself does not provide this information.

Before

 => [stage-2 6/6] RUN ["/bin/bash","./setup.sh"]                                                                                25.8s
 => => # anchore/grype info checking GitHub for tag 'v0.26.1'
 => => # anchore/grype info found version: 0.26.1 for v0.26.1/linux/amd64
 => => # anchore/grype info installed /home/gitlab/grype
 => => # Downloading Grype database
 => => # [0001]  INFO downloading new vulnerability DB

After

 => [stage-2 6/6] RUN ["/bin/bash","./setup.sh"]                                                                                25.8s
 => => # anchore/grype info checking GitHub for tag 'v0.26.1'
 => => # anchore/grype info found version: 0.26.1 for v0.26.1/linux/amd64
 => => # anchore/grype info installed /home/gitlab/grype
 => => # Downloading Grype database
 => => # Update available!
 => => # [0001]  INFO downloading new vulnerability DB

The DB download takes a long time with everyone using Grype these days. The DB status check helped me understand that there is an update, and that the next step is then actually performing the upgrade.

Unfortunately, the CLI commands cannot be chained; they always return 0.

➜ grype db check -v
Update available!

➜ echo $?
0

➜ grype db update
Vulnerability database updated!

➜ echo $?
0

➜ grype db check -v
No update available

➜ echo $?
0

cc @thiagocsf
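One way to act on the check despite the always-zero exit code, added here as an example and not the merge request's own setup.sh: it classifies the text that `grype db check -v` prints (the two messages shown in the sessions above are the only ones assumed) and only runs `grype db update` when an update is reported. The function names and the optional binary-path argument are this example's own.

```shell
#!/bin/sh
# Added example (not from the MR's setup.sh): `grype db check -v` exits 0 both
# when an update exists and when the DB is current, so the exit status cannot
# drive `&&` / `||` chaining. Decide from the printed text instead.

# db_check_status prints "update", "current" or "unknown" for the given
# `grype db check -v` output. It always returns 0 so it is safe under set -e.
# Only the two messages seen on the page are assumed; anything else is unknown.
db_check_status() {
  case "$1" in
    *"Update available!"*)   echo update ;;
    *"No update available"*) echo current ;;
    *)                       echo unknown ;;
  esac
}

# update_db_if_needed runs the check with the given grype binary (default:
# grype on PATH) and calls `grype db update` only when the check reports an
# update. Returns 1 when the check output is not recognised, so a build does
# not silently continue with a stale or missing DB. Note that `grype db update`
# itself also exits 0 unconditionally, so its success cannot be verified here.
update_db_if_needed() {
  grype_bin="${1:-grype}"
  check_out="$("$grype_bin" db check -v 2>&1)"
  case "$(db_check_status "$check_out")" in
    update)
      echo "Update available!"
      "$grype_bin" db update
      ;;
    current)
      echo "Vulnerability DB is current"
      ;;
    *)
      echo "Unrecognised 'grype db check' output:" >&2
      printf '%s\n' "$check_out" >&2
      return 1
      ;;
  esac
}
```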
