grype error handling

name: Bug Report
about: Create a report to help us improve
  • Version: 1.4.8
  • Platform: Linux

The code that interacts with grype to download the database and to scan the SBOM does not check for failures. We are seeing intermittent errors when the grype database download times out. This leads to grype failing in the get_vulnerabilities_for_sbom method. But since the return code is not checked, the code continues to operate as if the grype command was successful. It tries to load stdout as JSON, which fails because stdout is the empty string. So the user sees the error:

GrypeScanner generated an exception: Expecting value: line 1 column 1 (char 0)
unexpected error: Expecting value: line 1 column 1 (char 0)

It would be more user-friendly to detect when the grype command fails and then raise the stderr content as an error. That way, a user will have a better idea of what's going on.
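The two patterns side by side, as an added example that is not the project's own code: `unchecked_load` reproduces the failure mode in the report, and `run_grype_json` is a hypothetical wrapper that checks the exit status and raises stderr before touching stdout. The fake grype commands are constructed stand-ins so the example runs offline.

```python
import json
import subprocess
import sys


class GrypeError(RuntimeError):
    """Raised when grype exits non-zero or emits output that is not JSON."""


def run_grype_json(cmd):
    """Hypothetical wrapper: run a grype-style command, check its exit status
    first, and only then parse stdout as JSON. A failed DB download therefore
    surfaces stderr instead of 'Expecting value: line 1 column 1 (char 0)'."""
    proc = subprocess.run(cmd, capture_output=True, text=True)
    if proc.returncode != 0:
        detail = proc.stderr.strip() or "no stderr output"
        raise GrypeError(f"{cmd[0]} exited with status {proc.returncode}: {detail}")
    try:
        return json.loads(proc.stdout)
    except json.JSONDecodeError as exc:
        raise GrypeError(f"{cmd[0]} produced non-JSON output: {exc}") from exc


def unchecked_load(cmd):
    """The pattern the report describes: exit status ignored, stdout parsed
    unconditionally, so empty stdout raises a JSONDecodeError."""
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return json.loads(proc.stdout)


# Constructed stand-ins for the grype binary so the example runs offline:
# one mimics a successful JSON scan, the other a failed database download.
FAKE_GRYPE_OK = [sys.executable, "-c", 'import json; print(json.dumps({"matches": []}))']
FAKE_GRYPE_FAIL = [sys.executable, "-c",
                   'import sys; sys.stderr.write("failed to load vulnerability db: '
                   'download timed out\\n"); sys.exit(1)']


def demo():
    # Exercise both wrappers and collect the message each one produces.
    results = {"ok": run_grype_json(FAKE_GRYPE_OK)}
    try:
        run_grype_json(FAKE_GRYPE_FAIL)
    except GrypeError as exc:
        results["checked_error"] = str(exc)
    try:
        unchecked_load(FAKE_GRYPE_FAIL)
    except json.JSONDecodeError as exc:
        results["unchecked_error"] = str(exc)
    return results
```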