DB v6 distribution approach #2125
Comments
Two of the open questions have been addressed and incorporated:
In one of the latest grype store PRs we've done just this. Now there is a
the providers information has been removed from the latest.json |
features around |
Currently mostly implemented in anchore/grype-db#446 but cannot continue until there is prototype matching implemented |
Today the grype DB is distributed via a hosted listing.json file with URLs to DBs, listing out historical entries to N many days. There are a few points here:

- grype db status doesn't always check the db's checksum and validity #1648
- grype db status reports "valid" when the DB is missing #2077

Based on these points here are the suggested changes:

- latest.json and history.json, split based on use case. This means that the most common use case (latest.json) is as small as possible, removing pressure from the CDN.
- db.Curator by use case: DB distribution vs access to an already installed DB.

latest.json file

This file would describe only a single DB. This also combines the metadata.json and provider-metadata.json concerns (so only metadata.json needs to be packaged into the tar).

There is a status field with possible values:

- active: the database is actively being maintained and distributed
- deprecated: the database is still being distributed but is approaching end of life. Upgrade grype to avoid future disruptions.
- inactive: the database is no longer being distributed. Users must build their own databases or upgrade grype.

history.json file (deferred)

How these distribution files relate to one another...
Another way to look at the contained information and how it is produced/consumed:
- metadata.json (output from grype-db build) is made up of a single “database description”... used to generate a latest.json later in the process
- latest.json (output from grype-db package) is made up of a single “archive description”, schema info, and the contained “database description”... used to populate/update history.json
- in the future: history.json is an array of “archive descriptions”, but otherwise is just like latest.json
Comments / open questions
(from earlier conversations with @anchore/tools about this topic)
- providers data entirely from the listing use case, so that end users must query the DB for this info?
- metadata.json and require clients to get this kind of information directly from the DB?

Prototype branch for reference: https://github.com/anchore/grype/tree/db-v6-blob-store
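How a client could act on the proposed latest.json status field and archive checksum, as an added example that is not grype's code and not part of this issue. The JSON field names and the "sha256:<hex>" checksum form are assumptions; only the three status values come from the proposal.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Latest is a hypothetical shape for latest.json; the field names are
// assumptions, only the three status values come from the proposal.
type Latest struct {
	Status   string `json:"status"`
	Checksum string `json:"checksum"` // assumed form: "sha256:<hex>"
}

// CheckLatest decides whether an archive may be installed. It returns a
// warning for a deprecated DB and an error when the DB must not be used.
func CheckLatest(doc, archive []byte) (warning string, err error) {
	var l Latest
	if e := json.Unmarshal(doc, &l); e != nil {
		return "", fmt.Errorf("parse latest.json: %w", e)
	}
	switch l.Status {
	case "active":
	case "deprecated":
		warning = "database is approaching end of life; upgrade grype"
	case "inactive":
		return "", errors.New("database is no longer distributed")
	default: // fail closed on a missing or unknown status
		return "", fmt.Errorf("unknown status %q", l.Status)
	}
	if len(archive) == 0 { // a missing DB is never reported as valid
		return warning, errors.New("archive is missing or empty")
	}
	sum := sha256.Sum256(archive)
	if got := "sha256:" + hex.EncodeToString(sum[:]); got != l.Checksum {
		return warning, fmt.Errorf("checksum mismatch: got %s", got)
	}
	return warning, nil
}

func main() {
	archive := []byte("constructed archive bytes") // constructed sample input
	sum := sha256.Sum256(archive)
	doc := fmt.Sprintf(`{"status":"deprecated","checksum":"sha256:%x"}`, sum)
	fmt.Println(CheckLatest([]byte(doc), archive))
}
```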