diff --git a/DEVELOPING.md b/DEVELOPING.md index 3c1993ecbb0..3adc899ef57 100644 --- a/DEVELOPING.md +++ b/DEVELOPING.md @@ -79,3 +79,101 @@ id record_source package_name namespace version_constraint vers ------------- ------------- ------------ ---------- ------------------ -------------- ----------------------------------------------------------- --------------------- CVE-2006-2450 libvncserver nvd = 0.7.1 unknown ["cpe:2.3:a:libvncserver:libvncserver:0.7.1:*:*:*:*:*:*:*"] [] ``` + +## Adding a Data Source + +These are the steps for adding a new data source to Grype. For example, +maybe we don't have vulnerabilities for your favorite Linux yet, or +maybe a language you work in hosts a vulnerability feed on their package +manager, and you would like to add it to Grype. Here is an outline of the +process. + +### Step 1: Ensure Syft can Find what you want to Match + +Grype uses [Syft](https://github.com/anchore/syft) to scan artifacts. + +Before Grype can tell you whether a package is vulnerable, Syft needs +to be able to correctly identify the package. + +If you're adding a new distro, you could run something like: + +``` sh +syft -o json my-favorite-distro:latest | jq .distro +``` + +and make sure you agree with what you see. Syft will automatically +try to parse distro information from `/etc/os-release`, so you probably +don't need to make a change here, but it's a good idea to check. + +Next, make sure syft can find packages you want: + +``` sh +syft my-favorite-distro:latest +``` + +and take a look at the resulting table. Are you seeing the OS packages you'd +expect to see? For example, here's `alpine:latest` as of this writing: + +``` sh +$ syft -o json alpine:latest | jq .distro +{ + "prettyName": "Alpine Linux v3.20", + "name": "Alpine Linux", + "id": "alpine", + "versionID": "3.20.0", + "homeURL": "https://alpinelinux.org/", + "bugReportURL": "https://gitlab.alpinelinux.org/alpine/aports/-/issues" +} +$ syft alpine:latest + ✔ Loaded image alpine:latest + ... snip ... +NAME VERSION TYPE +alpine-baselayout 3.6.5-r0 apk +alpine-baselayout-data 3.6.5-r0 apk +alpine-keys 2.4-r1 apk +... +``` + +Syft is identifying Alpine Linux correctly, and is finding `apk` packages (that +is, packages from Alpine's package manager), so we're good to go. + +If Syft does not identify your the new distro or the its package manager's +packages correctly, please [open an issue +there](https://github.com/anchore/syft/issues/new?assignees=&labels=enhancement&projects=&template=feature_request.md&title=) + + +### Step 2. Add a Vunnel Provider + +[Vunnel](https://github.com/anchore/vunnel) is a project that serves as an +adapter layer between vulnerability providers and Grype's code base. The main +coding work of adding a data source to Grype is to write a Vunnel provider +that takes the vulnerability data from its source and renders it in a format +that [Grype DB](https://github.com/anchore/grype-db) speaks, so that it can +be written into the database that grype downloads on each execution. + +Create a new directory in which to clone 3 repos: + +1. This repo, grype +2. [Vunnel](https://github.com/anchore/vunnel) +3. [Grype DB](https://github.com/anchore/grype-db) + +So that it looks like this: + +``` sh +. +├── grype +├── grype-db +└── vunnel +``` + +The majority of the work will be done within Vunnel. Vunnel +has a command `make dev` that has a few effects: + +1. It compiles `grype` and `grype-db` binaries from the source code in the + sibling directories +2. It writes config files for `grype` and `grype-db` so that they use the + development vunnel +3. Creates a `poetry shell` to put vunnel and its python dev tools on PATH + +For more details on actually building the vunnel provider, see the +[Vunnel development docs](https://github.com/anchore/vunnel/blob/main/DEVELOPING.md)