Skip to content

fix: query for ID before close but compute checksum after #368

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 3 commits into from
Aug 22, 2024
Merged

fix: query for ID before close but compute checksum after #368

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
192537f
fix: query for ID before close but compute checksum after
willmurphyscode Aug 22, 2024
f6647f9
fix: check error on getting database id
willmurphyscode Aug 22, 2024
2dfd293
fix: require grype to validate new db checksum on import
willmurphyscode Aug 22, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions config/grype/acceptance.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
db:
validate-by-hash-on-start: true
16 changes: 16 additions & 0 deletions manager/src/grype_db_manager/cli/db.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -132,6 +132,20 @@ def validate_db(
result_set = "db-validation"

yardstick_cfg = ycfg.Application(
profiles=ycfg.Profiles(
data={
"grype": {
"acceptance": {
"config_path": "config/grype/acceptance.yaml",
},
},
"grype[custom-db]": {
"acceptance": {
"config_path": "config/grype/acceptance.yaml",
},
},
},
),
store_root=cfg.data.yardstick_root,
default_max_year=cfg.validate.db.default_max_year,
result_sets={
Expand All @@ -144,10 +158,12 @@ def validate_db(
label="custom-db",
name="grype",
version=grype_version + f"+import-db={db_info.archive_path}",
profile="acceptance",
),
ycfg.Tool(
name="grype",
version=grype_version,
# profile="acceptance", # TODO: enable after current db is fixed
),
],
),
Expand Down
4 changes: 3 additions & 1 deletion manager/src/grype_db_manager/db/validation.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -204,7 +204,9 @@ def capture_results(cfg: ycfg.Application, db_uuid: str, result_set: str, root_d
)

if is_stale or recapture:
capture.result_set(result_set=result_set, scan_requests=cfg.result_sets[result_set].scan_requests())
capture.result_set(
result_set=result_set, scan_requests=cfg.result_sets[result_set].scan_requests(), profiles=cfg.profiles.data,
)
else:
logging.info(f"skipping grype capture for result-set={result_set} (already exists)")

Expand Down
19 changes: 11 additions & 8 deletions pkg/process/v4/writer.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -73,16 +73,20 @@ func (w writer) Write(entries ...data.Entry) error {
return nil
}

func (w writer) metadata() (*db.Metadata, error) {
hashStr, err := file.ContentDigest(afero.NewOsFs(), w.dbPath, sha256.New())
if err != nil {
return nil, fmt.Errorf("failed to hash database file (%s): %w", w.dbPath, err)
}

// metadataAndClose closes the database and returns its metadata.
// The reason this is a compound action is that getting the built time and
// schema version from the database is an operation on the open database,
// but the checksum must be computed after the database is compacted and closed.
func (w writer) metadataAndClose() (*db.Metadata, error) {
storeID, err := w.store.GetID()
if err != nil {
return nil, fmt.Errorf("failed to fetch store ID: %w", err)
}
w.store.Close()
hashStr, err := file.ContentDigest(afero.NewOsFs(), w.dbPath, sha256.New())
if err != nil {
return nil, fmt.Errorf("failed to hash database file (%s): %w", w.dbPath, err)
}

metadata := db.Metadata{
Built: storeID.BuildTimestamp,
Expand All @@ -93,11 +97,10 @@ func (w writer) metadata() (*db.Metadata, error) {
}

func (w writer) Close() error {
metadata, err := w.metadata()
metadata, err := w.metadataAndClose()
if err != nil {
return err
}
w.store.Close()

metadataPath := path.Join(filepath.Dir(w.dbPath), db.MetadataFileName)
if err = metadata.Write(metadataPath); err != nil {
Expand Down
19 changes: 11 additions & 8 deletions pkg/process/v5/writer.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -91,16 +91,20 @@ func (w writer) Write(entries ...data.Entry) error {
return nil
}

func (w writer) metadata() (*db.Metadata, error) {
hashStr, err := file.ContentDigest(afero.NewOsFs(), w.dbPath, sha256.New())
if err != nil {
return nil, fmt.Errorf("failed to hash database file (%s): %w", w.dbPath, err)
}

// metadataAndClose closes the database and returns its metadata.
// The reason this is a compound action is that getting the built time and
// schema version from the database is an operation on the open database,
// but the checksum must be computed after the database is compacted and closed.
func (w writer) metadataAndClose() (*db.Metadata, error) {
storeID, err := w.store.GetID()
if err != nil {
return nil, fmt.Errorf("failed to fetch store ID: %w", err)
}
w.store.Close()
hashStr, err := file.ContentDigest(afero.NewOsFs(), w.dbPath, sha256.New())
if err != nil {
return nil, fmt.Errorf("failed to hash database file (%s): %w", w.dbPath, err)
}

metadata := db.Metadata{
Built: storeID.BuildTimestamp,
Expand Down Expand Up @@ -129,11 +133,10 @@ func (w writer) ProviderMetadata() *ProviderMetadata {
}

func (w writer) Close() error {
metadata, err := w.metadata()
metadata, err := w.metadataAndClose()
if err != nil {
return err
}
w.store.Close()

metadataPath := path.Join(filepath.Dir(w.dbPath), db.MetadataFileName)
if err = metadata.Write(metadataPath); err != nil {
Expand Down