Enhance v6 search command #2303

Draft: wants to merge 10 commits into base: main
@wagoodman wagoodman commented Dec 4, 2024

Plumbs up the search command for the v6 schema with the store + presenter logic. Functionally this adds the ability to refine affected package searches by various criteria, such as vuln published date, vuln modified date, provider, distro, etc. Note that any form of date searching will be partially functional until there is more data in the DB for search conditions to key off of; in the meantime any records without date information are included in the output.

Here an additional vulnerability command has been added:

$ grype db search vuln --help
Search for vulnerabilities within the DB (supports DB schema v6+ only)

Usage:
  grype db search vuln ID... [flags]

Aliases:
  vuln, vulnerability, vulnerabilities, vulns

Flags:
  -h, --help                     help for vuln
      --modified-after string    only show vulnerabilities originally published or modified since the given date (format: YYYY-MM-DD)
  -o, --output string            format to display results (available=[table, json]) (default "table")
      --provider stringArray     only show vulnerabilities from the given provider
      --published-after string   only show vulnerabilities originally published after the given date (format: YYYY-MM-DD)

...and the existing search for affected packages command has been enhanced:

$ grype db search --help

Search the DB for vulnerabilities or affected packages

Usage:
  grype db search [VULNID...] [flags]
  grype db search [command]

Available Commands:
  vuln        Search for vulnerabilities within the DB (supports DB schema v6+ only)

Flags:
      --distro stringArray       refine to results with the given operating system (format: 'name', 'name@version', '[email protected]', 'name@codename')
      --ecosystem string         ecosystem of the package to search within
  -h, --help                     help for search
      --modified-after string    only show vulnerabilities originally published or modified since the given date (format: YYYY-MM-DD)
  -o, --output string            format to display results (available=[table, json]) (default "table")
  -p, --package stringArray      package name/CPE/PURL to search for
      --provider stringArray     only show vulnerabilities from the given provider
      --published-after string   only show vulnerabilities originally published after the given date (format: YYYY-MM-DD)
      --vuln stringArray         only show results for the given vulnerability ID

Here's example output of searching by package:

$ grype db search --package log4j --distro [email protected]
VULNERABILITY   PACKAGE  ECOSYSTEM  NAMESPACE              VERSION CONSTRAINT        
CVE-2019-17571  log4j    rpm        sles:distro:sles:15.6  < 0:2.17.2-150200.4.27.45  
CVE-2020-9488   log4j    rpm        sles:distro:sles:15.6  < 0:2.17.2-150200.4.27.45  
CVE-2021-4104   log4j    rpm        sles:distro:sles:15.6  < 0:2.17.2-150200.4.27.45  
CVE-2021-42550  log4j    rpm        sles:distro:sles:15.6  < 0:2.17.2-150200.4.24.13  
CVE-2021-44228  log4j    rpm        sles:distro:sles:15.6  < 0:2.16.0-4.10.1          
CVE-2021-44832  log4j    rpm        sles:distro:sles:15.6  < 0:2.17.0-4.16.1          
CVE-2021-45046  log4j    rpm        sles:distro:sles:15.6  < 0:2.16.0-4.10.1          
CVE-2021-45105  log4j    rpm        sles:distro:sles:15.6  < 0:2.17.0-4.13.1

Note that the Namespace mimics the v5 namespace values, even though this is not present in the DB today (in a future PR this code will be moved).

And similarly, example output searching by vulnerability:

$ grype db search vuln CVE-2021-4104
ID             PROVIDER                                                                                 PUBLISHED   SEVERITY                                            REFERENCE                                                 
CVE-2021-4104  debian (10, 11, 12, 13, unstable)                                                                                                                        https://security-tracker.debian.org/tracker/CVE-2021-4104  
CVE-2021-4104  debian (9)                                                                                           high                                                https://security-tracker.debian.org/tracker/CVE-2021-4104  
CVE-2021-4104  nvd                                                                                      2021-12-14  CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H (7.5)  https://nvd.nist.gov/vuln/detail/CVE-2021-4104             
CVE-2021-4104  rhel (7, 8)                                                                                          medium                                              https://access.redhat.com/security/cve/CVE-2021-4104       
CVE-2021-4104  sles (11.1, 11.3, 11.4, 12.2, 12.3, 12.4, 12.5, 15, 15.1, 15.2, 15.3, 15.4, 15.5, 15.6)              medium                                              https://www.suse.com/security/cve/CVE-2021-4104            
CVE-2021-4104  ubuntu (16.04, 18.04, 20.04, 21.04, 21.10, 23.04, 23.10, 24.04, 24.10)                               medium                                              https://ubuntu.com/security/CVE-2021-4104

Each command has JSON output as well, for which the JSON schemas are automatically generated (and validated in CI on pull requests).

PR stack:

  1. Finalize label version and add release id to OS model #2349
  2. Allow v6 store to support multiple qualifiers #2338
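
The date-filter behaviour described in the PR text above (records without date information are still included in the output), sketched as an added example that is not code from this PR or from grype. The `Record` type, `FilterSince`, and the strict "after" comparison are assumptions made for illustration; undated records are returned separately so a triage pipeline can tell them apart from real matches.

```go
package main

import (
	"fmt"
	"time"
)

// Record is a hypothetical, simplified vulnerability row (not grype's v6 model).
type Record struct {
	ID        string
	Provider  string
	Published *time.Time // nil when the DB carries no date for the record
	Modified  *time.Time
}

// parseDay parses the YYYY-MM-DD format the date flags accept.
func parseDay(s string) (time.Time, error) { return time.Parse("2006-01-02", s) }

// FilterSince keeps records published or modified after the cutoff and also
// keeps records with no date information at all, as the PR text describes.
// The two groups are returned separately (an assumption of this example).
func FilterSince(recs []Record, cutoff string) (dated, undated []Record, err error) {
	t, err := parseDay(cutoff)
	if err != nil {
		return nil, nil, fmt.Errorf("invalid date %q (want YYYY-MM-DD): %w", cutoff, err)
	}
	for _, r := range recs {
		switch {
		case r.Published == nil && r.Modified == nil:
			undated = append(undated, r) // included, but not a real date match
		case r.Published != nil && r.Published.After(t),
			r.Modified != nil && r.Modified.After(t):
			dated = append(dated, r)
		}
	}
	return dated, undated, nil
}

// day is a test/sample helper; it ignores parse errors on constant input.
func day(s string) *time.Time { t, _ := parseDay(s); return &t }

func main() {
	recs := []Record{ // constructed sample data
		{ID: "CVE-2021-4104", Provider: "nvd", Published: day("2021-12-14")},
		{ID: "CVE-2021-4104", Provider: "debian"}, // no date in the DB
		{ID: "CVE-0000-0001", Provider: "nvd", Published: day("2019-12-20")},
	}
	dated, undated, _ := FilterSince(recs, "2021-01-01")
	fmt.Println(len(dated), "dated match,", len(undated), "undated included")
}
```
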

@wagoodman wagoodman force-pushed the v6-search branch 2 times, most recently from 38de0a5 to f2baf2b Compare December 17, 2024 14:12
@wagoodman wagoodman changed the base branch from main to v6-search-store-support December 17, 2024 16:01
@wagoodman wagoodman force-pushed the v6-search-store-support branch from 224be59 to c7f35a1 Compare December 18, 2024 15:54
@wagoodman wagoodman force-pushed the v6-search branch 2 times, most recently from e6fbc31 to d96ae23 Compare December 18, 2024 16:52
@wagoodman wagoodman force-pushed the v6-search-store-support branch from c7f35a1 to 01f1def Compare December 18, 2024 17:54
@wagoodman wagoodman force-pushed the v6-search branch 4 times, most recently from e5651dc to 19840d1 Compare December 18, 2024 19:23
Base automatically changed from v6-search-store-support to main December 18, 2024 19:43
@wagoodman wagoodman force-pushed the v6-search branch 4 times, most recently from 2ab51bd to c410aa6 Compare December 23, 2024 14:51
@wagoodman wagoodman changed the base branch from main to release-id December 23, 2024 14:51
Base automatically changed from release-id to main December 23, 2024 18:28
Signed-off-by: Alex Goodman <[email protected]>