Fix: Fully validate vulnerability.db by hash #1976
Conversation
This enables the db curator to fully validate the db file by hash

Signed-off-by: Joshua Irmer <[email protected]>
It was intentional to only validate the DB on download and not on start (for performance reasons) since validating every time could lead to startup performance issues. That being said, I can also see the point where getting grype results with a known bad database is also not ideal, since we can no longer trust those results. I think ultimately it's the right call to turn on validation by default, however, I feel that it should coincide with attempting to improve performance. Right now we're working on grype DB v6, which is very different than DB v1-5. Part of this work may also switch the distributing sha256 digests to xxh64, which is much faster. One question I have: I have an anecdote from the past that startup was taking an extra second due to hashing the DB -- what extra time at startup are you seeing with this change @joshuai96 ?
In the setup I described in #1975 (comment) I've seen

You mean the startup before a scan runs, @wagoodman? I didn't notice any inconvenient increase in time, but I can run some tests to have some numbers backing that up. IMHO a second or two has no impact on a scan that usually takes a few seconds anyway, but I'm not as sensitive to time, as these scans run overnight in a CI/CD setup.
Hello @wagoodman, I've run some simple timing tests for both versions.

Setup:

Test:

Result: Looking at these numbers it may indicate that checking the database on startup decreased scanning time and made it more stable. But the sample size and increase are so small that this cannot be stated with confidence.
FWIW, enabling this option in the latest grype seems to increase the scan time of
@wagoodman any idea why I don't see a slowdown of scans?
I think we'll include this with the grype DB v6 work (as mentioned above) -- so we won't make this change in v5. Keep this PR open and we can rebase on that work and pull it in 👍
Fixes: #1975
Fixes: #1648

Setting ValidateByHashOnStart to true by default enables the database curator to execute ValidateByHash in validateIntegrity and report an invalid database. Scans with grype now give a better error too: