Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Change DB publish workflow to account for V6 #387

Open
wagoodman opened this issue Sep 17, 2024 · 2 comments
Open

Change DB publish workflow to account for V6 #387

wagoodman opened this issue Sep 17, 2024 · 2 comments
Assignees
Labels
blocked enhancement New feature or request
Milestone

Comments

@wagoodman
Copy link
Contributor

wagoodman commented Sep 17, 2024

Today the v1-5 schemas have a fan-out-fan-in approach, where we fan out to build and upload the DB and fan in to update the listing file (since each DB schema is combined into a single listing).

With the changes proposed in anchore/grype#2125 , there will be a different listing file (latest.json), a new history.json file, and there is one schema per fileset. This means we no loner need to fan in for v6+ 🎉

However, grype-db/grype-db-manager is still responsible for assembling db v1-5 listing files -- we need the new and old paradigms to live side-by-side.

Grype DB changes

  • still output metadata.json and provider-metadata.json for v1-5 use cases (affects build step)
  • when schema v6 is indicated:
    • on build: output only metadata.json and DB
    • on package:
      • output archive vulnerability-db_VERSION_OLDESTDATADATE_BUILTEPOCH.tar.gz
      • Where:
        • VERSION: schema version in the form of v#
        • OLDESTDATADATE: RFC3338 formatted value of the oldest .compiled date found for all contained providers
        • BUILTEPOCH: linux epoch formatted value of the .database.built field
      • output metadata filevulnerability-db_VERSION_OLDESTDATADATE_BUILTEPOCH.json, which is the basis of the latest.json file downstream in the manager (same variable meanings as a the archive)

Grype DB Manager changes

  • when schema v6 is indicated:
    • use the relative URLs as provided directly by grype-db, no need to recreate the latest.json file
    • still smoke test validate the given latest.json with new assumptions (schema is in hosted path, use given latest file, etc)
    • when uploading the DB tar archive, also upload: grype-db_VERSION_OLDESTDATADATE_BUILTEPOCH.json latest.json
    • when uploading the listing
      • the user indicates a remote grype-db_VERSION_OLDESTDATADATE_BUILTEPOCH.json name...
      • we check for the existence of the JSON file, the archive tar, and verify the JSON file checksum matches that of the archive
      • copy the grype-db_VERSION_OLDESTDATADATE_BUILTEPOCH.json as the new latest.json and upload
    • operationally we should start segmenting schema DBs into separate paths in S3 (...databases/v6/vulnerability-....tar.gz vs databases/vulnerability-....tar.gz). V1-5 should still be placed in "databases/vulnerability-....tar.gz"
    • the history.json file should be built based on : the last history.json file and the current s3 state, pruning beyond 90 days. Instead of using the tar files as state indications, use the newly uploaded json files.

edits:

  • history.json functionality has been descoped for this effort
  • latest.json can be smoke tested in place and uploaded with the DB (no need for a separate json file being renamed and moved)
@wagoodman wagoodman added the enhancement New feature or request label Sep 17, 2024
@wagoodman wagoodman added this to the DB v6 milestone Sep 17, 2024
@wagoodman wagoodman moved this to Ready in OSS Sep 17, 2024
@kzantow kzantow self-assigned this Nov 12, 2024
@wagoodman wagoodman assigned wagoodman and unassigned kzantow Nov 13, 2024
@wagoodman wagoodman moved this from Ready to In Progress in OSS Nov 20, 2024
@wagoodman
Copy link
Contributor Author

I've decided to defer any work around the history.json functionality

@wagoodman
Copy link
Contributor Author

Currently mostly implemented in #446 but cannot continue until there is prototype matching implemented

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
blocked enhancement New feature or request
Projects
Status: In Progress
Development

No branches or pull requests

2 participants