unable to check for vulnerability database update #197

Closed
erhan- opened this issue Oct 11, 2022 · 15 comments · Fixed by #202

erhan- commented Oct 11, 2022

Hey everyone,

I have the following problem at the moment, which blocks me from scanning for vulnerabilities:

 Executing: grype -o sarif --fail-on medium sbom:action-sandbox-sbom.spdx.json
  [0060] WARN unable to check for vulnerability database update
  
  1 error occurred:
  	* failed to load vulnerability db: vulnerability database is invalid (run db update to correct): database metadata not found: .cache/grype/db/4
  	

Does someone have, or has someone had, this problem as well?

Thanks for your help.

Best regards,

Erhan

kzantow commented Oct 11, 2022

Hi @erhan- is this a problem that just started or has it happened for multiple runs? Can you maybe just re-run the workflow to fix it?

This error happens if Grype is unable to download the latest database. I don't see a problem with this happening locally, so the latest database is definitely available and working. Maybe it was a network hiccup on GitHub's side?

erhan- commented Oct 12, 2022

I used this yesterday for the first time and have no comparison. It might be a network issue, but it would be nice if the error indicated that, I think. I will try again these days and rerun the workflow. Thanks for your help!

kzantow commented Oct 12, 2022

One other question: which version are you using? Could you share your action config for this?

kzantow commented Nov 3, 2022

Hey @erhan- I'm going to close this one, as I think it was probably just a network hiccup and haven't heard otherwise. Please reopen if this continues to be an issue!

kzantow closed this as completed Nov 3, 2022

erhan- commented Nov 7, 2022

Sorry for not responding. I had not checked my notifications and also have not worked with this for a while. If I get back to this and it does not occur, I will edit this comment as well to confirm the potential network hiccup as well.
Thanks for your help!

erhan- commented Nov 17, 2022

@kzantow Hey, I had time to test around again and I can confirm that it is not a connectivity issue. I added a curl step after it to check if the Internet works and it does:

image

We are using Github enterprise. Unfortunately I can not reopen this issue.

We are using a proxy for the Internet. The env variables are set correctly and can also be echoed out in the actions.

Edit: Still reading around, but I think Node.js ignores the http_proxy env variables. There are some issues on it:
nodejs/node#8381

Found this issue then and saw that the variables used are lowercase. Testing that now:
anchore/grype#305

kzantow reopened this Nov 17, 2022

kzantow commented Nov 17, 2022

> We are using Github enterprise.
> We are using a proxy for the Internet.

Aha! This explains a lot more. I suspect the proxy is not allowing access to the grype db. Can you CURL the latest database from the action?

https://toolbox-data.anchore.io/grype/databases/vulnerability-db_v5_2022-10-17T08:14:57Z_b50a86ce07d268101316.tar.gz

erhan- commented Nov 17, 2022

The env variables are set correctly, also lowercase for both http and https.

Curl works for that file:

image

kzantow commented Nov 17, 2022

Ok, I'm pretty sure I know what the problem is here -- we're providing an environment to the grype command: https://github.com/anchore/scan-action/blob/main/index.js#L109

We need to make sure to pass in at least the HTTPS_PROXY variable from the existing environment.

This should be a pretty simple thing to get fixed 👍

erhan- commented Nov 17, 2022

Good catch!

kzantow commented Nov 17, 2022

Thanks for your help on this one @erhan- -- new release published, so if you're using anchore/scan-action@v3 you shouldn't have to make any other changes! 👍

erhan- commented Nov 17, 2022

No problem. All for security for the people. Are the three dots okay which I commented?

kzantow commented Nov 17, 2022

@erhan- I don't know what you mean about "the three dots which I commented"?

erhan- commented Nov 18, 2022

I never tried to change anything in node code so this looked strange but I tested and it works:

image

Thanks again. All good with 3.3.2

kzantow commented Nov 18, 2022

Ahh -- that's the spread operator -- it is used to copy all the properties of an object to another object or all the entries in a list to another list. I did this because I've seen strange things when modifying process.env; this way we only modify the env object. 👍
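
Added example, not part of the thread and not the scan-action source: it reproduces the failure mode discussed above, where a child process given its own `env` object loses the runner's proxy variables, next to the spread-based copy that keeps them without touching `process.env`. The override name `SCANNER_CHECK_FOR_UPDATE` and the proxy URL are constructed for illustration.

```javascript
const { spawnSync } = require("child_process");

// Hypothetical setting the wrapper wants to hand to the scanner process.
const OVERRIDES = { SCANNER_CHECK_FOR_UPDATE: "true" };

// Constructed parent environment standing in for a runner behind a proxy.
const parentEnv = {
  ...process.env,
  HTTPS_PROXY: "http://proxy.example.internal:3128",
  https_proxy: "http://proxy.example.internal:3128",
};

// "Before": only the overrides reach the child, so the proxy settings
// of the parent are silently dropped and downloads go direct (and fail).
function envWithoutParent(overrides) {
  return { ...overrides };
}

// "After": copy the parent environment into a new object, then layer the
// overrides on top. The parent object itself is never modified.
function envWithParent(overrides, parent = process.env) {
  return { ...parent, ...overrides };
}

// Start a child Node process with the given env and report which of the
// named variables it can actually see (null when a variable is missing).
function childSees(env, names) {
  const script =
    "process.stdout.write(JSON.stringify(" +
    JSON.stringify(names) +
    ".map((n) => process.env[n] ?? null)))";
  const result = spawnSync(process.execPath, ["-e", script], {
    env,
    encoding: "utf8",
  });
  if (result.status !== 0) {
    throw new Error(result.stderr || "child process failed");
  }
  return JSON.parse(result.stdout);
}

const NAMES = ["HTTPS_PROXY", "https_proxy", "SCANNER_CHECK_FOR_UPDATE"];
console.log("before:", childSees(envWithoutParent(OVERRIDES), NAMES));
console.log("after: ", childSees(envWithParent(OVERRIDES, parentEnv), NAMES));
```
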
