-
Notifications
You must be signed in to change notification settings - Fork 587
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add DB v6 schema #2128
Comments
hi @wagoodman ,
|
No, there is no functional change in the match results as currently planned out. There should be the same match results. This could change if we fix any matcher bugs while we're rewriting that portion of the
It will be more stateful than it is today. Most information will be in the
Since there would be new
grype is still in v0 so we're making breaking changes on minor releases still. However, v6 schema is a big step towards grype 1.0. We still need to determine if we want to make the DB schema part of the grype version contract (e.g. should we allow for breaking schema changes and not need to bump the major version of grype?) -- that still hasn't been decided. |
DB v6 is meant to cover several use cases (you can safely ignore this link). The high level goals are:
The high level design is as follows:
Here are a list of the “Handle” tables to search against:
These are related to two other auxiliary tables:
Here's how they AffectedPackageHandle table would relate to auxiliary tables:
And the rather simple Blobs table:
Here's how you might craft a search for an affected package for a specific OS:
At this point you can take these blob IDs and query the blob table for the JSON payload and deserialize. This has an advantage over the existing schemas: you can conditionally inflate DB objects based on what you need, not have to inflate entire records that you end up throwing away.
In v1-5 you'd need to craft the correct namespace, which was a bespoke string --this shifts this to relations per-record.
Eventually we’d like to add additional handle tables (out of scope for v6 though):
The proposed blobs are as follows:
Implied changes from this:
a. may have fields added to them over time, but not removed or modified (within the same schema version)
b. only one “version” of a blob may exist within a DB at a time
Specific changes (see prototype models for reference):
VulnerabilityHandle
gorm model Add v6 vulnerability & blob stores #2243OperatingSystem
gorm model Add AffectedPackage store #2245Package
gorm model Add AffectedPackage store #2245AffectedPackageHandle
gorm model Add AffectedPackage store #2245Provider
gorm model Add v6 provider store #2232DbMetadata
gorm model Add v6 DB metadata store #2146Blob
gorm model Add v6 vulnerability & blob stores #2243The text was updated successfully, but these errors were encountered: