From e89455d391b165e2e760e9aa7876858b370f00f7 Mon Sep 17 00:00:00 2001 From: Alex Goodman Date: Mon, 30 Sep 2024 15:47:19 -0400 Subject: [PATCH] add db curator Signed-off-by: Alex Goodman --- grype/db/v6/db.go | 8 + grype/db/v6/description.go | 16 + grype/db/v6/description_test.go | 22 + grype/db/v6/distribution/client.go | 12 +- grype/db/v6/installation/curator.go | 432 ++++++++++++++++++ grype/db/v6/installation/curator_test.go | 552 +++++++++++++++++++++++ grype/db/v6/status.go | 9 + grype/db/v6/store.go | 21 +- internal/file/hasher.go | 12 +- 9 files changed, 1074 insertions(+), 10 deletions(-) create mode 100644 grype/db/v6/installation/curator.go create mode 100644 grype/db/v6/installation/curator_test.go create mode 100644 grype/db/v6/status.go diff --git a/grype/db/v6/db.go b/grype/db/v6/db.go index ca1e3cc8242..3ae07f39638 100644 --- a/grype/db/v6/db.go +++ b/grype/db/v6/db.go @@ -35,6 +35,14 @@ type Writer interface { io.Closer } +type Curator interface { + Reader() (Reader, error) + Status() Status + Delete() error + Update() (bool, error) + Import(dbArchivePath string) error +} + type Config struct { DBDirPath string } diff --git a/grype/db/v6/description.go b/grype/db/v6/description.go index 18f7456b1f1..8d7e88e6a81 100644 --- a/grype/db/v6/description.go +++ b/grype/db/v6/description.go @@ -1,7 +1,9 @@ package v6 import ( + "encoding/json" "fmt" + "io" "path" "time" @@ -85,3 +87,17 @@ func NewDescriptionFromDir(fs afero.Fs, dir string) (*Description, error) { func (m Description) String() string { return fmt.Sprintf("DB(version=%s built=%s checksum=%s)", m.SchemaVersion, m.Built, m.Checksum) } + +func writeDescription(writer io.Writer, m Description) error { + if m.SchemaVersion == "" { + return fmt.Errorf("missing schema version") + } + + contents, err := json.MarshalIndent(m, "", " ") + if err != nil { + return fmt.Errorf("failed to encode metadata file: %w", err) + } + + _, err = writer.Write(contents) + return err +} diff --git a/grype/db/v6/description_test.go b/grype/db/v6/description_test.go index dc4949f8637..8ad39872c5f 100644 --- a/grype/db/v6/description_test.go +++ b/grype/db/v6/description_test.go @@ -6,6 +6,7 @@ import ( "io" "os" "path" + "strings" "testing" "time" @@ -125,3 +126,24 @@ func TestTime_JSONUnmarshalling(t *testing.T) { }) } } + +func TestDatabaseDescription_Write(t *testing.T) { + + validDescription := Description{ + SchemaVersion: "1.0.0", + Built: Time{Time: time.Date(2023, 9, 26, 12, 2, 3, 0, time.UTC)}, + Checksum: "xxh64:dummychecksum", + } + + sb := strings.Builder{} + + err := writeDescription(&sb, validDescription) + require.NoError(t, err) + + expected := fmt.Sprintf(`{ + "schemaVersion": "1.0.0", + "built": "2023-09-26T12:02:03Z", + "checksum": "xxh64:dummychecksum" +}`) + assert.Equal(t, expected, sb.String()) +} diff --git a/grype/db/v6/distribution/client.go b/grype/db/v6/distribution/client.go index a4b7cf329f4..8995ce706f1 100644 --- a/grype/db/v6/distribution/client.go +++ b/grype/db/v6/distribution/client.go @@ -28,8 +28,7 @@ type Config struct { CACert string // validations - ValidateByHashOnGet bool - RequireUpdateCheck bool + RequireUpdateCheck bool // timeouts CheckTimeout time.Duration @@ -50,11 +49,10 @@ type client struct { func DefaultConfig() Config { return Config{ - LatestURL: "https://grype.anchore.io/databases/latest.json", - ValidateByHashOnGet: true, - RequireUpdateCheck: false, - CheckTimeout: 30 * time.Second, - UpdateTimeout: 300 * time.Second, + LatestURL: "https://grype.anchore.io/databases/latest.json", + RequireUpdateCheck: false, + CheckTimeout: 30 * time.Second, + UpdateTimeout: 300 * time.Second, } } diff --git a/grype/db/v6/installation/curator.go b/grype/db/v6/installation/curator.go new file mode 100644 index 00000000000..440170b7323 --- /dev/null +++ b/grype/db/v6/installation/curator.go @@ -0,0 +1,432 @@ +package installation + +import ( + "encoding/json" + "fmt" + "os" + "path" + "path/filepath" + "strconv" + "time" + + "github.com/adrg/xdg" + "github.com/hako/durafmt" + "github.com/mholt/archiver/v3" + "github.com/spf13/afero" + "github.com/wagoodman/go-partybus" + "github.com/wagoodman/go-progress" + + db "github.com/anchore/grype/grype/db/v6" + "github.com/anchore/grype/grype/db/v6/distribution" + "github.com/anchore/grype/grype/event" + "github.com/anchore/grype/internal/bus" + "github.com/anchore/grype/internal/file" + "github.com/anchore/grype/internal/log" +) + +const lastUpdateCheckFileName = "last_update_check" + +type monitor struct { + *progress.AtomicStage + downloadProgress *progress.Manual + importProgress *progress.Manual +} + +type Config struct { + DBRootDir string + + // validations + ValidateAge bool + ValidateChecksum bool + MaxAllowedBuiltAge time.Duration + UpdateCheckMaxFrequency time.Duration +} + +func DefaultConfig() Config { + return Config{ + DBRootDir: filepath.Join(xdg.CacheHome, "grype", "db"), + ValidateAge: true, + ValidateChecksum: true, + MaxAllowedBuiltAge: time.Hour * 24 * 5, // 5 days + UpdateCheckMaxFrequency: 2 * time.Hour, // 2 hours + } +} + +func (c Config) DBFilePath() string { + return path.Join(c.DBDirectoryPath(), db.VulnerabilityDBFileName) +} + +func (c Config) DBDirectoryPath() string { + return path.Join(c.DBRootDir, strconv.Itoa(db.ModelVersion)) +} + +type curator struct { + fs afero.Fs + client distribution.Client + config Config +} + +func NewCurator(cfg Config, downloader distribution.Client) (db.Curator, error) { + return curator{ + fs: afero.NewOsFs(), + client: downloader, + config: cfg, + }, nil +} + +func (c curator) Reader() (db.Reader, error) { + s, err := db.NewReader( + db.Config{ + DBDirPath: c.config.DBDirectoryPath(), + }, + ) + if err != nil { + return nil, err + } + + return s, c.validate() +} + +func (c curator) Status() db.Status { + dbDir := c.config.DBDirectoryPath() + + d, err := readDatabaseDescription(c.fs, dbDir) + if err != nil { + return db.Status{ + Err: fmt.Errorf("failed to parse database metadata (%s): %w", dbDir, err), + } + } + if d == nil { + return db.Status{ + Err: fmt.Errorf("database metadata not found at %q", dbDir), + } + } + + return db.Status{ + Built: db.Time{Time: d.Built.Time}, + SchemaVersion: d.SchemaVersion.String(), + Location: dbDir, + Checksum: d.Checksum, + Err: c.validate(), + } +} + +// Delete removes the DB and metadata file for this specific schema. +func (c curator) Delete() error { + return c.fs.RemoveAll(c.config.DBDirectoryPath()) +} + +// Update the existing DB, returning an indication if any action was taken. +func (c curator) Update() (bool, error) { + if !c.isUpdateCheckAllowed() { + // we should not notify the user of an update check if the current configuration and state + // indicates we're should be in a low-pass filter mode (and the check frequency is too high). + // this should appear to the user as if we never attempted to check for an update at all. + return false, nil + } + + mon := newMonitor() + defer mon.SetCompleted() + + current, err := readDatabaseDescription(c.fs, c.config.DBDirectoryPath()) + if err != nil { + return false, fmt.Errorf("unable to read current database metadata: %w", err) + } + + mon.Set("checking for update") + update, checkErr := c.client.IsUpdateAvailable(current) + if checkErr != nil { + // we want to continue if possible even if we can't check for an update + log.Warnf("unable to check for vulnerability database update") + log.Debugf("check for vulnerability update failed: %+v", checkErr) + } + + if update == nil { + if checkErr == nil { + // there was no update (or any issue while checking for an update) + c.setLastSuccessfulUpdateCheck() + } + + mon.Set("no update available") + return false, nil + } + + log.Infof("downloading new vulnerability DB") + mon.Set("downloading") + dest, err := c.client.Download(*update, filepath.Dir(c.config.DBRootDir), mon.downloadProgress) + if err != nil { + return false, fmt.Errorf("unable to update vulnerability database: %w", err) + } + + if err := c.activate(dest, mon); err != nil { + return false, fmt.Errorf("unable to activate new vulnerability database: %w", err) + } + + // only set the last successful update check if the update was successful + c.setLastSuccessfulUpdateCheck() + + if current != nil { + log.WithFields( + "from", current.Built.String(), + "to", update.Description.Built.String(), + "version", update.Description.SchemaVersion, + ).Info("updated vulnerability DB") + return true, nil + } + + log.WithFields( + "version", update.Description.SchemaVersion, + "built", update.Description.Built.String(), + ).Info("downloaded new vulnerability DB") + return true, nil +} + +func (c curator) isUpdateCheckAllowed() bool { + if c.config.UpdateCheckMaxFrequency == 0 { + log.Trace("no max-frequency set for update check") + return true + } + + elapsed, err := c.durationSinceUpdateCheck() + if err != nil { + // we had an IO error (or similar) trying to read or parse the file, we should not block the update check. + log.WithFields("error", err).Trace("unable to determine if update check is allowed") + return true + } + if elapsed == nil { + // there was no last check (this is a first run case), we should not block the update check. + return true + } + + return *elapsed > c.config.UpdateCheckMaxFrequency +} + +func (c curator) durationSinceUpdateCheck() (*time.Duration, error) { + // open `$dbDir/last_update_check` file and read the timestamp and do now() - timestamp + + filePath := path.Join(c.config.DBDirectoryPath(), lastUpdateCheckFileName) + + if _, err := c.fs.Stat(filePath); os.IsNotExist(err) { + log.Trace("first-run of DB update") + return nil, nil + } + + fh, err := c.fs.OpenFile(filePath, os.O_RDONLY, 0) + if err != nil { + return nil, fmt.Errorf("unable to read last update check timestamp: %w", err) + } + + defer fh.Close() + + // read and parse rfc3339 timestamp + var lastCheckStr string + _, err = fmt.Fscanf(fh, "%s", &lastCheckStr) + if err != nil { + return nil, fmt.Errorf("unable to read last update check timestamp: %w", err) + } + + lastCheck, err := time.Parse(time.RFC3339, lastCheckStr) + if err != nil { + return nil, fmt.Errorf("unable to parse last update check timestamp: %w", err) + } + + if lastCheck.IsZero() { + return nil, fmt.Errorf("empty update check timestamp") + } + + elapsed := time.Since(lastCheck) + return &elapsed, nil +} + +func (c curator) setLastSuccessfulUpdateCheck() { + // note: we should always assume the DB dir actually exists, otherwise let this operation fail (since having a DB + // is a prerequisite for a successful update). + + filePath := path.Join(c.config.DBDirectoryPath(), lastUpdateCheckFileName) + fh, err := c.fs.OpenFile(filePath, os.O_CREATE|os.O_TRUNC|os.O_WRONLY, 0644) + if err != nil { + log.WithFields("error", err).Trace("unable to write last update check timestamp") + return + } + + defer fh.Close() + + _, _ = fmt.Fprintf(fh, "%s", time.Now().UTC().Format(time.RFC3339)) +} + +// validate checks the current database to ensure file integrity and if it can be used by this version of the application. +func (c curator) validate() error { + metadata, err := c.validateIntegrity(c.config.DBDirectoryPath()) + if err != nil { + return err + } + + return c.ensureNotStale(metadata) +} + +// Import takes a DB archive file and imports it into the final DB location. +func (c curator) Import(dbArchivePath string) error { + mon := newMonitor() + mon.Set("unarchiving") + defer mon.SetCompleted() + + // note: the temp directory is persisted upon download/validation/activation failure to allow for investigation + tempDir, err := os.MkdirTemp(c.config.DBRootDir, fmt.Sprintf("tmp-v%v-import", db.ModelVersion)) + if err != nil { + return fmt.Errorf("unable to create db temp dir: %w", err) + } + + err = archiver.Unarchive(dbArchivePath, tempDir) + if err != nil { + return err + } + + mon.downloadProgress.SetCompleted() + + err = c.activate(tempDir, mon) + if err != nil { + removeAllOrLog(c.fs, tempDir) + return err + } + + return nil +} + +// activate swaps over the downloaded db to the application directory +func (c curator) activate(dbDirPath string, mon monitor) error { + defer mon.importProgress.SetCompleted() + + mon.Set("validating DB integrity") + + if _, err := c.validateIntegrity(dbDirPath); err != nil { + return err + } + + mon.Set("activating") + + dbDir := c.config.DBDirectoryPath() + _, err := c.fs.Stat(dbDir) + if !os.IsNotExist(err) { + // remove any previous databases + err = c.Delete() + if err != nil { + return fmt.Errorf("failed to purge existing database: %w", err) + } + } + + // activate the new db cache by moving the temp dir to final location + return os.Rename(dbDirPath, dbDir) +} + +func (c curator) validateIntegrity(dbDirPath string) (*db.Description, error) { + // check that the disk checksum still matches the db payload + metadata, err := readDatabaseDescription(c.fs, dbDirPath) + if err != nil { + return nil, fmt.Errorf("failed to parse database metadata (%s): %w", dbDirPath, err) + } + if metadata == nil { + return nil, fmt.Errorf("database metadata not found: %s", dbDirPath) + } + + if c.config.ValidateChecksum { + dbPath := path.Join(dbDirPath, db.VulnerabilityDBFileName) + valid, actualHash, err := file.ValidateByHash(c.fs, dbPath, metadata.Checksum) + if err != nil { + return nil, err + } + if !valid { + return nil, fmt.Errorf("bad db checksum (%s): %q vs %q", dbPath, metadata.Checksum, actualHash) + } + } + + gotModel, ok := metadata.SchemaVersion.Model() + if !ok || gotModel != db.ModelVersion { + return nil, fmt.Errorf("unsupported database version: have=%d want=%d", gotModel, db.ModelVersion) + } + + // TODO: add version checks here to ensure this version of the application can use this database version (relative to what the DB says, not JUST the metadata!) + + return metadata, nil +} + +// ensureNotStale ensures the vulnerability database has not passed +// the max allowed age, calculated from the time it was built until now. +func (c curator) ensureNotStale(m *db.Description) error { + if m == nil { + return fmt.Errorf("no metadata to validate") + } + + if !c.config.ValidateAge { + return nil + } + + // built time is defined in UTC, + // we should compare it against UTC + now := time.Now().UTC() + + age := now.Sub(m.Built.Time) + if age > c.config.MaxAllowedBuiltAge { + return fmt.Errorf("the vulnerability database was built %s ago (max allowed age is %s)", durafmt.ParseShort(age), durafmt.ParseShort(c.config.MaxAllowedBuiltAge)) + } + + return nil +} + +func removeAllOrLog(fs afero.Fs, dir string) { + if err := fs.RemoveAll(dir); err != nil { + log.WithFields("error", err).Warnf("failed to remove path %q", dir) + } +} + +func newMonitor() monitor { + // let consumers know of a monitorable event (download + import stages) + importProgress := progress.NewManual(1) + stage := progress.NewAtomicStage("") + downloadProgress := progress.NewManual(1) + aggregateProgress := progress.NewAggregator(progress.DefaultStrategy, downloadProgress, importProgress) + + bus.Publish(partybus.Event{ + Type: event.UpdateVulnerabilityDatabase, + Value: progress.StagedProgressable(&struct { + progress.Stager + progress.Progressable + }{ + Stager: progress.Stager(stage), + Progressable: progress.Progressable(aggregateProgress), + }), + }) + + return monitor{ + AtomicStage: stage, + downloadProgress: downloadProgress, + importProgress: importProgress, + } +} + +func (m monitor) SetCompleted() { + m.downloadProgress.SetCompleted() + m.importProgress.SetCompleted() +} + +func readDatabaseDescription(fs afero.Fs, dir string) (*db.Description, error) { + metadataFilePath := path.Join(dir, db.DescriptionFileName) + exists, err := file.Exists(fs, metadataFilePath) + if err != nil { + return nil, fmt.Errorf("unable to check if DB metadata path exists (%s): %w", metadataFilePath, err) + } + if !exists { + return nil, nil + } + f, err := fs.Open(metadataFilePath) + if err != nil { + return nil, fmt.Errorf("unable to open DB metadata path (%s): %w", metadataFilePath, err) + } + defer f.Close() + + var m db.Description + err = json.NewDecoder(f).Decode(&m) + if err != nil { + return nil, fmt.Errorf("unable to parse DB metadata (%s): %w", metadataFilePath, err) + } + return &m, nil +} diff --git a/grype/db/v6/installation/curator_test.go b/grype/db/v6/installation/curator_test.go new file mode 100644 index 00000000000..9981fa8d237 --- /dev/null +++ b/grype/db/v6/installation/curator_test.go @@ -0,0 +1,552 @@ +package installation + +import ( + "bytes" + "encoding/json" + "errors" + "os" + "path" + "path/filepath" + "testing" + "time" + + "github.com/OneOfOne/xxhash" + "github.com/spf13/afero" + "github.com/stretchr/testify/mock" + "github.com/stretchr/testify/require" + "github.com/wagoodman/go-progress" + + "github.com/anchore/grype/grype/db/internal/schemaver" + db "github.com/anchore/grype/grype/db/v6" + "github.com/anchore/grype/grype/db/v6/distribution" + "github.com/anchore/grype/internal/file" +) + +type mockClient struct { + mock.Mock +} + +func (m *mockClient) IsUpdateAvailable(current *db.Description) (*distribution.Archive, error) { + args := m.Called(current) + + err := args.Error(1) + + if err != nil { + return nil, err + } + + return args.Get(0).(*distribution.Archive), nil +} + +func (m *mockClient) Download(archive distribution.Archive, dest string, downloadProgress *progress.Manual) (string, error) { + args := m.Called(archive, dest, downloadProgress) + return args.String(0), args.Error(1) +} + +func newTestCurator(t *testing.T) curator { + tempDir := t.TempDir() + cfg := DefaultConfig() + cfg.DBRootDir = tempDir + + ci, err := NewCurator(cfg, new(mockClient)) + require.NoError(t, err) + + c := ci.(curator) + return c +} + +type setupConfig struct { + badDbChecksum bool + workingUpdate bool +} + +type setupOption func(*setupConfig) + +func withBadDBChecksum() setupOption { + return func(c *setupConfig) { + c.badDbChecksum = true + } +} + +func withWorkingUpdateIntegrations() setupOption { + return func(c *setupConfig) { + c.workingUpdate = true + } +} + +func setupCuratorForUpdate(t *testing.T, opts ...setupOption) curator { + cfg := setupConfig{} + + for _, o := range opts { + o(&cfg) + } + + c := newTestCurator(t) + + dbDir := c.config.DBDirectoryPath() + stageDir := filepath.Join(c.config.DBRootDir, "staged") + + // populate metadata into the downloaded dir + oldDescription := db.Description{ + SchemaVersion: schemaver.New(db.ModelVersion, db.Revision, db.Addition), + Built: db.Time{Time: time.Now().Add(-48 * time.Hour)}, + Checksum: writeTestDB(t, c.fs, dbDir), + } + + newDescription := oldDescription + newDescription.Built = db.Time{Time: time.Now()} + newDescription.Checksum = writeTestDB(t, c.fs, stageDir) + if cfg.badDbChecksum { + newDescription.Checksum = "xxh64:badchecksum" + } + + writeTestMetadata(t, c.fs, dbDir, oldDescription) + writeTestMetadata(t, c.fs, stageDir, newDescription) + + if cfg.workingUpdate { + mc := c.client.(*mockClient) + + // ensure the update "works" + mc.On("IsUpdateAvailable", mock.Anything).Return(&distribution.Archive{}, nil) + mc.On("Download", mock.Anything, mock.Anything, mock.Anything).Return(stageDir, nil) + } + + return c +} + +func writeTestMetadata(t *testing.T, fs afero.Fs, dir string, description db.Description) { + require.NoError(t, fs.MkdirAll(dir, 0755)) + + descriptionJSON, err := json.Marshal(description) + require.NoError(t, err) + + metadataFilePath := path.Join(dir, db.DescriptionFileName) + require.NoError(t, afero.WriteFile(fs, metadataFilePath, descriptionJSON, 0644)) +} + +func writeTestDB(t *testing.T, fs afero.Fs, dir string) string { + require.NoError(t, fs.MkdirAll(dir, 0755)) + + content := []byte(dir) + p := path.Join(dir, db.VulnerabilityDBFileName) + require.NoError(t, afero.WriteFile(fs, p, content, 0644)) + h, err := file.HashReader(bytes.NewReader(content), xxhash.New64()) + require.NoError(t, err) + return "xxh64:" + h +} + +func TestCurator_Update(t *testing.T) { + + t.Run("happy path: successful update", func(t *testing.T) { + c := setupCuratorForUpdate(t, withWorkingUpdateIntegrations()) + mc := c.client.(*mockClient) + + updated, err := c.Update() + + require.NoError(t, err) + require.True(t, updated) + require.FileExists(t, filepath.Join(c.config.DBDirectoryPath(), lastUpdateCheckFileName)) + + mc.AssertExpectations(t) + }) + + t.Run("error checking for updates", func(t *testing.T) { + c := setupCuratorForUpdate(t) + mc := c.client.(*mockClient) + + mc.On("IsUpdateAvailable", mock.Anything).Return(nil, errors.New("check failed")) + + updated, err := c.Update() + + require.NoError(t, err) + require.False(t, updated) + require.NoFileExists(t, filepath.Join(c.config.DBDirectoryPath(), lastUpdateCheckFileName)) + + mc.AssertExpectations(t) + }) + + t.Run("error during download", func(t *testing.T) { + c := setupCuratorForUpdate(t) + mc := c.client.(*mockClient) + + mc.On("IsUpdateAvailable", mock.Anything).Return(&distribution.Archive{}, nil) + mc.On("Download", mock.Anything, mock.Anything, mock.Anything).Return("", errors.New("download failed")) + + updated, err := c.Update() + + require.ErrorContains(t, err, "download failed") + require.False(t, updated) + require.NoFileExists(t, filepath.Join(c.config.DBDirectoryPath(), lastUpdateCheckFileName)) + + mc.AssertExpectations(t) + }) + + t.Run("error during activation: bad checksum", func(t *testing.T) { + c := setupCuratorForUpdate(t, withBadDBChecksum(), withWorkingUpdateIntegrations()) + mc := c.client.(*mockClient) + + updated, err := c.Update() + + require.ErrorContains(t, err, "bad db checksum") + require.False(t, updated) + require.NoFileExists(t, filepath.Join(c.config.DBDirectoryPath(), lastUpdateCheckFileName)) + + mc.AssertExpectations(t) + }) + + t.Run("error during activation: cannot move dir", func(t *testing.T) { + c := setupCuratorForUpdate(t, withWorkingUpdateIntegrations()) + mc := c.client.(*mockClient) + + // simulate not being able to move the staged dir to the db dir + c.fs = afero.NewReadOnlyFs(c.fs) + + updated, err := c.Update() + + require.ErrorContains(t, err, "operation not permitted") + require.False(t, updated) + require.NoFileExists(t, filepath.Join(c.config.DBDirectoryPath(), lastUpdateCheckFileName)) + + mc.AssertExpectations(t) + }) +} + +func TestReadDatabaseDescription(t *testing.T) { + fs := afero.NewMemMapFs() + + description := db.Description{ + SchemaVersion: "1.0.0", + Built: db.Time{Time: time.Date(2021, 1, 2, 3, 4, 5, 6, time.UTC)}, + Checksum: "xxh64:dummychecksum", + } + + descriptionJSON, err := json.Marshal(description) + require.NoError(t, err) + + metadataFilePath := path.Join("someDir", db.DescriptionFileName) + require.NoError(t, afero.WriteFile(fs, metadataFilePath, descriptionJSON, 0644)) + + result, err := readDatabaseDescription(fs, "someDir") + require.NoError(t, err) + + require.NotNil(t, result) + require.Equal(t, + db.Description{ + SchemaVersion: "1.0.0", + Built: db.Time{Time: description.Built.Time.Truncate(time.Second)}, + Checksum: "xxh64:dummychecksum", + }, + *result, + ) +} + +func TestCurator_IsUpdateCheckAllowed(t *testing.T) { + + newCurator := func(t *testing.T) curator { + tempDir := t.TempDir() + + cfg := DefaultConfig() + cfg.UpdateCheckMaxFrequency = 10 * time.Minute + cfg.DBRootDir = tempDir + + ci, err := NewCurator(cfg, nil) + require.NoError(t, err) + + c := ci.(curator) + return c + } + + writeLastCheckContents := func(t *testing.T, cfg Config, contents string) { + require.NoError(t, os.MkdirAll(cfg.DBDirectoryPath(), 0755)) + p := filepath.Join(cfg.DBDirectoryPath(), lastUpdateCheckFileName) + err := os.WriteFile(p, []byte(contents), 0644) + require.NoError(t, err) + } + + writeLastCheckTime := func(t *testing.T, cfg Config, lastCheckTime time.Time) { + writeLastCheckContents(t, cfg, lastCheckTime.Format(time.RFC3339)) + } + + t.Run("first run check (no last check file)", func(t *testing.T) { + c := newCurator(t) + require.True(t, c.isUpdateCheckAllowed()) + }) + + t.Run("check not allowed due to frequency", func(t *testing.T) { + c := newCurator(t) + writeLastCheckTime(t, c.config, time.Now().Add(-5*time.Minute)) + + require.False(t, c.isUpdateCheckAllowed()) + }) + + t.Run("check allowed after the frequency period", func(t *testing.T) { + c := newCurator(t) + writeLastCheckTime(t, c.config, time.Now().Add(-20*time.Minute)) + + require.True(t, c.isUpdateCheckAllowed()) + }) + + t.Run("error reading last check file", func(t *testing.T) { + c := newCurator(t) + + // simulate a situation where the last check file exists but is corrupted + writeLastCheckContents(t, c.config, "invalid timestamp") + + allowed := c.isUpdateCheckAllowed() + require.True(t, allowed) // should return true since an error is encountered + }) + +} + +func TestCurator_DurationSinceUpdateCheck(t *testing.T) { + newCurator := func(t *testing.T) curator { + tempDir := t.TempDir() + + cfg := DefaultConfig() + cfg.DBRootDir = tempDir + + ci, err := NewCurator(cfg, nil) + require.NoError(t, err) + + c := ci.(curator) + return c + } + + writeLastCheckContents := func(t *testing.T, cfg Config, contents string) { + require.NoError(t, os.MkdirAll(cfg.DBDirectoryPath(), 0755)) + p := filepath.Join(cfg.DBDirectoryPath(), lastUpdateCheckFileName) + err := os.WriteFile(p, []byte(contents), 0644) + require.NoError(t, err) + } + + t.Run("no last check file", func(t *testing.T) { + c := newCurator(t) + elapsed, err := c.durationSinceUpdateCheck() + require.NoError(t, err) + require.Nil(t, elapsed) // should be nil since no file exists + }) + + t.Run("valid last check file", func(t *testing.T) { + c := newCurator(t) + writeLastCheckContents(t, c.config, time.Now().Add(-5*time.Minute).Format(time.RFC3339)) + + elapsed, err := c.durationSinceUpdateCheck() + require.NoError(t, err) + require.NotNil(t, elapsed) + require.True(t, *elapsed >= 5*time.Minute) // should be at least 5 minutes + }) + + t.Run("malformed last check file", func(t *testing.T) { + c := newCurator(t) + writeLastCheckContents(t, c.config, "invalid timestamp") + + _, err := c.durationSinceUpdateCheck() + require.Error(t, err) + require.Contains(t, err.Error(), "unable to parse last update check timestamp") + }) +} + +func TestCurator_SetLastSuccessfulUpdateCheck(t *testing.T) { + newCurator := func(t *testing.T) curator { + tempDir := t.TempDir() + + cfg := DefaultConfig() + cfg.DBRootDir = tempDir + + ci, err := NewCurator(cfg, nil) + require.NoError(t, err) + + c := ci.(curator) + + require.NoError(t, c.fs.MkdirAll(c.config.DBDirectoryPath(), 0755)) + + return c + } + + t.Run("set last successful update check", func(t *testing.T) { + c := newCurator(t) + + c.setLastSuccessfulUpdateCheck() + + data, err := afero.ReadFile(c.fs, filepath.Join(c.config.DBDirectoryPath(), lastUpdateCheckFileName)) + require.NoError(t, err) + + lastCheckTime, err := time.Parse(time.RFC3339, string(data)) + require.NoError(t, err) + require.WithinDuration(t, time.Now().UTC(), lastCheckTime, time.Second) + }) + + t.Run("error writing last successful update check", func(t *testing.T) { + c := newCurator(t) + + // make the file system read-only to simulate a write error + readonlyFs := afero.NewReadOnlyFs(c.fs) + c.fs = readonlyFs + + c.setLastSuccessfulUpdateCheck() + + require.NoFileExists(t, filepath.Join(c.config.DBDirectoryPath(), lastUpdateCheckFileName)) + }) + + t.Run("ensure last successful update check file is created", func(t *testing.T) { + c := newCurator(t) + + c.setLastSuccessfulUpdateCheck() + + require.FileExists(t, filepath.Join(c.config.DBDirectoryPath(), lastUpdateCheckFileName)) + }) +} + +func TestCurator_EnsureNotStale(t *testing.T) { + newCurator := func(t *testing.T) curator { + tempDir := t.TempDir() + cfg := DefaultConfig() + cfg.DBRootDir = tempDir + cfg.MaxAllowedBuiltAge = 48 * time.Hour // set max age to 48 hours + + ci, err := NewCurator(cfg, new(mockClient)) + require.NoError(t, err) + + return ci.(curator) + } + + hoursAgo := func(h int) db.Time { + return db.Time{Time: time.Now().UTC().Add(-time.Duration(h) * time.Hour)} + } + + tests := []struct { + name string + description *db.Description + wantErr require.ErrorAssertionFunc + modifyConfig func(*Config) + }{ + { + name: "valid metadata within age limit", + description: &db.Description{ + Built: hoursAgo(24), + }, + }, + { + name: "stale metadata exactly at age limit", + description: &db.Description{ + Built: hoursAgo(48), + }, + wantErr: func(t require.TestingT, err error, msgAndArgs ...interface{}) { + require.ErrorContains(t, err, "the vulnerability database was built") + }, + }, + { + name: "stale metadata", + description: &db.Description{ + Built: hoursAgo(50), + }, + wantErr: func(t require.TestingT, err error, msgAndArgs ...interface{}) { + require.ErrorContains(t, err, "the vulnerability database was built") + }, + }, + { + name: "no metadata", + description: nil, + wantErr: func(t require.TestingT, err error, msgAndArgs ...interface{}) { + require.ErrorContains(t, err, "no metadata to validate") + }, + }, + { + name: "age validation disabled", + description: &db.Description{ + Built: hoursAgo(50), + }, + modifyConfig: func(cfg *Config) { + cfg.ValidateAge = false + }, + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + if tt.wantErr == nil { + tt.wantErr = require.NoError + } + + c := newCurator(t) + + if tt.modifyConfig != nil { + tt.modifyConfig(&c.config) + } + + err := c.ensureNotStale(tt.description) + tt.wantErr(t, err) + }) + } +} + +func TestCurator_ValidateIntegrity(t *testing.T) { + newCurator := func(t *testing.T) curator { + tempDir := t.TempDir() + cfg := DefaultConfig() + cfg.DBRootDir = tempDir + + ci, err := NewCurator(cfg, new(mockClient)) + require.NoError(t, err) + + return ci.(curator) + } + + t.Run("valid metadata with correct checksum", func(t *testing.T) { + c := newCurator(t) + dbDir := c.config.DBDirectoryPath() + + metadata := db.Description{ + SchemaVersion: schemaver.New(db.ModelVersion, db.Revision, db.Addition), + Built: db.Time{Time: time.Now()}, + Checksum: writeTestDB(t, c.fs, dbDir), + } + + writeTestMetadata(t, c.fs, dbDir, metadata) + + result, err := c.validateIntegrity(dbDir) + require.NoError(t, err) + require.NotNil(t, result) + }) + + t.Run("invalid metadata (not found)", func(t *testing.T) { + c := newCurator(t) + + _, err := c.validateIntegrity("non/existent/path") + require.ErrorContains(t, err, "database metadata not found") + }) + + t.Run("invalid checksum", func(t *testing.T) { + c := newCurator(t) + dbDir := c.config.DBDirectoryPath() + + metadata := db.Description{ + SchemaVersion: schemaver.New(db.ModelVersion, db.Revision, db.Addition), + Built: db.Time{Time: time.Now()}, + Checksum: "xxh64:invalidchecksum", + } + + writeTestMetadata(t, c.fs, dbDir, metadata) + + writeTestDB(t, c.fs, dbDir) + + _, err := c.validateIntegrity(dbDir) + require.ErrorContains(t, err, "bad db checksum") + }) + + t.Run("unsupported database version", func(t *testing.T) { + c := newCurator(t) + dbDir := c.config.DBDirectoryPath() + + metadata := db.Description{ + SchemaVersion: schemaver.New(9999, 0, 0), // invalid version + Built: db.Time{Time: time.Now()}, + Checksum: writeTestDB(t, c.fs, dbDir), + } + + writeTestMetadata(t, c.fs, dbDir, metadata) + + _, err := c.validateIntegrity(dbDir) + require.ErrorContains(t, err, "unsupported database version") + }) +} diff --git a/grype/db/v6/status.go b/grype/db/v6/status.go new file mode 100644 index 00000000000..3d275bf51ea --- /dev/null +++ b/grype/db/v6/status.go @@ -0,0 +1,9 @@ +package v6 + +type Status struct { + Built Time `json:"built"` + SchemaVersion string `json:"schemaVersion"` + Location string `json:"location"` + Checksum string `json:"checksum"` + Err error `json:"error"` +} diff --git a/grype/db/v6/store.go b/grype/db/v6/store.go index a95ffe9bf21..0df09d339e4 100644 --- a/grype/db/v6/store.go +++ b/grype/db/v6/store.go @@ -2,7 +2,10 @@ package v6 import ( "fmt" + "os" + "path/filepath" + "github.com/spf13/afero" "gorm.io/gorm" "github.com/anchore/grype/grype/db/internal/gormadapter" @@ -47,5 +50,21 @@ func (s *store) Close() error { return fmt.Errorf("failed to vacuum: %w", err) } - return nil + fs := afero.NewOsFs() + + desc, err := NewDescriptionFromDir(fs, s.config.DBDirPath) + if err != nil { + return fmt.Errorf("failed to create description from dir: %w", err) + } + + if desc == nil { + return fmt.Errorf("unable to describe the database") + } + + fh, err := fs.OpenFile(filepath.Join(s.config.DBDirPath, DescriptionFileName), os.O_CREATE|os.O_TRUNC|os.O_WRONLY, 0644) + if err != nil { + return fmt.Errorf("failed to open description file: %w", err) + } + + return writeDescription(fh, *desc) } diff --git a/internal/file/hasher.go b/internal/file/hasher.go index c9af0c0b69e..bf1b2b4f4db 100644 --- a/internal/file/hasher.go +++ b/internal/file/hasher.go @@ -8,6 +8,7 @@ import ( "io" "strings" + "github.com/OneOfOne/xxhash" "github.com/spf13/afero" ) @@ -18,6 +19,9 @@ func ValidateByHash(fs afero.Fs, path, hashStr string) (bool, string, error) { case strings.HasPrefix(hashStr, "sha256:"): hashFn = "sha256" hasher = sha256.New() + case strings.HasPrefix(hashStr, "xxh64:"): + hashFn = "xxh64" + hasher = xxhash.New64() default: return false, "", fmt.Errorf("hasher not supported or specified (given: %s)", hashStr) } @@ -39,8 +43,12 @@ func HashFile(fs afero.Fs, path string, hasher hash.Hash) (string, error) { } defer f.Close() - if _, err := io.Copy(hasher, f); err != nil { - return "", fmt.Errorf("failed to hash file '%s': %w", path, err) + return HashReader(f, hasher) +} + +func HashReader(reader io.Reader, hasher hash.Hash) (string, error) { + if _, err := io.Copy(hasher, reader); err != nil { + return "", fmt.Errorf("failed to hash reader: %w", err) } return hex.EncodeToString(hasher.Sum(nil)), nil