Merge branch 'main' into 711-External-Maven-Data-Source

.bouncer.yaml

@@ -20,3 +20,33 @@ ignore-packages:
   # from: https://github.com/owenrumney/go-sarif/blob/main/LICENSE
   # This is released into the public domain using the "Unlicense license"
   - github.com/owenrumney/go-sarif
+
+  # from: https://gitlab.com/cznic/sqlite/-/blob/v1.15.4/LICENSE
+  # This is a BSD-3-Clause license
+  - modernc.org/libc
+  - modernc.org/libc/errno
+  - modernc.org/libc/fcntl
+  - modernc.org/libc/fts
+  - modernc.org/libc/grp
+  - modernc.org/libc/langinfo
+  - modernc.org/libc/limits
+  - modernc.org/libc/netdb
+  - modernc.org/libc/netinet/in
+  - modernc.org/libc/poll
+  - modernc.org/libc/pthread
+  - modernc.org/libc/pwd
+  - modernc.org/libc/signal
+  - modernc.org/libc/stdio
+  - modernc.org/libc/stdlib
+  - modernc.org/libc/sys/socket
+  - modernc.org/libc/sys/stat
+  - modernc.org/libc/sys/types
+  - modernc.org/libc/termios
+  - modernc.org/libc/time
+  - modernc.org/libc/unistd
+  - modernc.org/libc/utime
+  - modernc.org/libc/uuid/uuid
+  - modernc.org/libc/wctype
+  - modernc.org/mathutil
+  - modernc.org/memory
+

go.mod

@@ -6,7 +6,6 @@ require (
 	github.com/Masterminds/sprig/v3 v3.2.2
 	github.com/acarl005/stripansi v0.0.0-20180116102854-5a71ef0e047d
 	github.com/adrg/xdg v0.2.1
-	github.com/alicebob/sqlittle v1.4.0
 	github.com/anchore/go-testutils v0.0.0-20200925183923-d5f45b0d3c04
 	github.com/anchore/go-version v1.2.2-0.20210903204242-51efa5b487c4
 	github.com/anchore/packageurl-go v0.1.1-0.20220314153042-1bcd40e5206b
@@ -17,6 +16,7 @@ require (
 	github.com/dustin/go-humanize v1.0.0
 	github.com/facebookincubator/nvdtools v0.1.4
 	github.com/gabriel-vasile/mimetype v1.4.0
+	github.com/glebarez/sqlite v1.4.1
 	github.com/go-test/deep v1.0.8
 	github.com/google/go-cmp v0.5.7
 	github.com/google/uuid v1.3.0
@@ -25,7 +25,6 @@ require (
 	github.com/hashicorp/go-getter v1.5.9
 	github.com/hashicorp/go-multierror v1.1.1
 	github.com/hashicorp/go-version v1.4.0
-	github.com/jinzhu/gorm v1.9.14
 	github.com/knqyf263/go-apk-version v0.0.0-20200609155635-041fdbb8563f
 	github.com/knqyf263/go-deb-version v0.0.0-20190517075300-09fca494f03d
 	github.com/mholt/archiver/v3 v3.5.1
@@ -42,13 +41,14 @@ require (
 	github.com/spf13/cobra v1.3.0
 	github.com/spf13/pflag v1.0.5
 	github.com/spf13/viper v1.10.1
-	github.com/stretchr/testify v1.7.0
+	github.com/stretchr/testify v1.7.1
 	github.com/wagoodman/go-partybus v0.0.0-20210627031916-db1f5573bbc5
 	github.com/wagoodman/go-progress v0.0.0-20200807221327-51d465df1451
 	github.com/wagoodman/jotframe v0.0.0-20211129225309-56b0d0a4aebb
 	github.com/x-cray/logrus-prefixed-formatter v0.5.2
 	golang.org/x/term v0.0.0-20210927222741-03fcf44c2211
 	gopkg.in/yaml.v2 v2.4.0
+	gorm.io/gorm v1.23.3
 )
 
 require (
@@ -70,16 +70,15 @@ require (
 	github.com/containerd/containerd v1.5.10 // indirect
 	github.com/containerd/stargz-snapshotter/estargz v0.10.1 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/denisenkom/go-mssqldb v0.11.0 // indirect
 	github.com/docker/cli v20.10.12+incompatible // indirect
 	github.com/docker/distribution v2.8.0+incompatible // indirect
 	github.com/docker/docker-credential-helpers v0.6.4 // indirect
 	github.com/docker/go-connections v0.4.0 // indirect
 	github.com/docker/go-units v0.4.0 // indirect
 	github.com/dsnet/compress v0.0.2-0.20210315054119-f66993602bf5 // indirect
 	github.com/fsnotify/fsnotify v1.5.1 // indirect
+	github.com/glebarez/go-sqlite v1.15.1 // indirect
 	github.com/go-restruct/restruct v1.2.0-alpha // indirect
-	github.com/go-sql-driver/mysql v1.6.0 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/protobuf v1.5.2 // indirect
@@ -94,17 +93,16 @@ require (
 	github.com/inconshreveable/mousetrap v1.0.0 // indirect
 	github.com/jinzhu/copier v0.3.2 // indirect
 	github.com/jinzhu/inflection v1.0.0 // indirect
+	github.com/jinzhu/now v1.1.4 // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
 	github.com/klauspost/compress v1.14.2 // indirect
 	github.com/klauspost/pgzip v1.2.5 // indirect
 	github.com/kr/pretty v0.3.0 // indirect
-	github.com/lib/pq v1.10.4 // indirect
 	github.com/logrusorgru/aurora v0.0.0-20200102142835-e9ef32dff381 // indirect
 	github.com/magiconair/properties v1.8.5 // indirect
 	github.com/mattn/go-colorable v0.1.12 // indirect
 	github.com/mattn/go-isatty v0.0.14 // indirect
 	github.com/mattn/go-runewidth v0.0.13 // indirect
-	github.com/mattn/go-sqlite3 v1.14.0 // indirect
 	github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d // indirect
 	github.com/mitchellh/copystructure v1.2.0 // indirect
 	github.com/mitchellh/go-testing-interface v1.14.1 // indirect
@@ -120,6 +118,7 @@ require (
 	github.com/pierrec/lz4/v4 v4.1.2 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
+	github.com/remyoudompheng/bigfft v0.0.0-20200410134404-eec4a21b6bb0 // indirect
 	github.com/rivo/uniseg v0.2.0 // indirect
 	github.com/rogpeppe/go-internal v1.8.0 // indirect
 	github.com/shopspring/decimal v1.2.0 // indirect
@@ -136,12 +135,11 @@ require (
 	github.com/zclconf/go-cty v1.10.0 // indirect
 	go.opencensus.io v0.23.0 // indirect
 	golang.org/x/crypto v0.0.0-20220213190939-1e6e3497d506 // indirect
-	golang.org/x/exp v0.0.0-20220209042442-160e291fcf24 // indirect
 	golang.org/x/mod v0.6.0-dev.0.20211013180041-c96bc1413d57 // indirect
 	golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd // indirect
 	golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8 // indirect
 	golang.org/x/sync v0.0.0-20210220032951-036812b2e83c // indirect
-	golang.org/x/sys v0.0.0-20220209214540-3681064d5158 // indirect
+	golang.org/x/sys v0.0.0-20220319134239-a9b59b0215f8 // indirect
 	golang.org/x/text v0.3.7 // indirect
 	golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect
 	google.golang.org/api v0.70.0 // indirect
@@ -151,4 +149,8 @@ require (
 	google.golang.org/protobuf v1.27.1 // indirect
 	gopkg.in/ini.v1 v1.66.2 // indirect
 	gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b // indirect
+	modernc.org/libc v1.14.12 // indirect
+	modernc.org/mathutil v1.4.1 // indirect
+	modernc.org/memory v1.0.7 // indirect
+	modernc.org/sqlite v1.15.2 // indirect
 )

go.sum

@@ -2028,4 +2028,4 @@ sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.15/go.mod h1:LEScyz
 sigs.k8s.io/structured-merge-diff/v4 v4.0.2/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw=
 sigs.k8s.io/structured-merge-diff/v4 v4.0.3/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw=
 sigs.k8s.io/yaml v1.1.0/go.mod h1:UJmg0vDUVViEyp3mgSv9WPwZCDxu4rQW1olrI1uml+o=
-sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc=
+sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc=

grype/db/curator.go

@@ -16,7 +16,7 @@ import (
 	"github.com/wagoodman/go-progress"
 
 	grypeDB "github.com/anchore/grype/grype/db/v3"
-	"github.com/anchore/grype/grype/db/v3/reader"
+	"github.com/anchore/grype/grype/db/v3/store"
 	"github.com/anchore/grype/grype/event"
 	"github.com/anchore/grype/grype/vulnerability"
 	"github.com/anchore/grype/internal/bus"
@@ -69,14 +69,14 @@ func (c Curator) SupportedSchema() int {
 	return c.targetSchema
 }
 
-func (c *Curator) GetStore() (*reader.Reader, error) {
+func (c *Curator) GetStore() (grypeDB.StoreReader, error) {
 	// ensure the DB is ok
 	err := c.Validate()
 	if err != nil {
 		return nil, fmt.Errorf("vulnerability database is corrupt (run db update to correct): %+v", err)
 	}
 
-	s, _, err := reader.New(c.dbPath)
+	s, err := store.New(c.dbPath, false)
 	return s, err
 }
 

grype/db/internal/gormadapter/logger.go

@@ -0,0 +1,37 @@
+package gormadapter
+
+import (
+	"context"
+	"time"
+
+	"gorm.io/gorm/logger"
+
+	"github.com/anchore/grype/internal/log"
+)
+
+type logAdapter struct {
+}
+
+func newLogger() logger.Interface {
+	return logAdapter{}
+}
+
+func (l logAdapter) LogMode(logger.LogLevel) logger.Interface {
+	return l
+}
+
+func (l logAdapter) Info(_ context.Context, fmt string, v ...interface{}) {
+	// unimplemented
+}
+
+func (l logAdapter) Warn(_ context.Context, fmt string, v ...interface{}) {
+	log.Warnf("gorm: "+fmt, v...)
+}
+
+func (l logAdapter) Error(_ context.Context, fmt string, v ...interface{}) {
+	log.Errorf("gorm: "+fmt, v...)
+}
+
+func (l logAdapter) Trace(ctx context.Context, begin time.Time, fc func() (sql string, rowsAffected int64), err error) {
+	// unimplemented
+}

grype/db/v1/writer/open.go → grype/db/internal/gormadapter/open.go

@@ -1,10 +1,11 @@
-package writer
+package gormadapter
 
 import (
 	"fmt"
 	"os"
 
-	"github.com/jinzhu/gorm"
+	"github.com/glebarez/sqlite"
+	"gorm.io/gorm"
 )
 
 var connectStatements = []string{
@@ -14,39 +15,23 @@ var connectStatements = []string{
 	`PRAGMA journal_mode = MEMORY`,
 }
 
-// config defines the information needed to connect and create a sqlite3 database
-type config struct {
-	dbPath    string
-	overwrite bool
-}
-
-// ConnectionString creates a connection string for sqlite3
-func (o config) ConnectionString() (string, error) {
-	if o.dbPath == "" {
-		return "", fmt.Errorf("no db filepath given")
-	}
-	return fmt.Sprintf("file:%s?cache=shared", o.dbPath), nil
-}
-
-// open a new connection to a sqlite3 database file
-func open(cfg config) (*gorm.DB, error) {
-	if cfg.overwrite {
+// Open a new connection to a sqlite3 database file
+func Open(path string, overwrite bool) (*gorm.DB, error) {
+	if overwrite {
 		// the file may or may not exist, so we ignore the error explicitly
-		_ = os.Remove(cfg.dbPath)
+		_ = os.Remove(path)
 	}
 
-	connStr, err := cfg.ConnectionString()
+	connStr, err := connectionString(path)
 	if err != nil {
 		return nil, err
 	}
 
-	dbObj, err := gorm.Open("sqlite3", connStr)
+	dbObj, err := gorm.Open(sqlite.Open(connStr), &gorm.Config{Logger: newLogger()})
 	if err != nil {
 		return nil, fmt.Errorf("unable to connect to DB: %w", err)
 	}
 
-	dbObj.SetLogger(&logAdapter{})
-
 	for _, sqlStmt := range connectStatements {
 		dbObj.Exec(sqlStmt)
 		if dbObj.Error != nil {
@@ -55,3 +40,11 @@ func open(cfg config) (*gorm.DB, error) {
 	}
 	return dbObj, nil
 }
+
+// ConnectionString creates a connection string for sqlite3
+func connectionString(path string) (string, error) {
+	if path == "" {
+		return "", fmt.Errorf("no db filepath given")
+	}
+	return fmt.Sprintf("file:%s?cache=shared", path), nil
+}