add v6 search command

Signed-off-by: Alex Goodman <[email protected]>
anchore · Dec 17, 2024 · 4c79df6 · 4c79df6
1 parent 224be59
commit 4c79df6
Show file tree

Hide file tree

Showing 16 changed files with 1,541 additions and 76 deletions.
diff --git a/cmd/grype/cli/commands/db_search.go b/cmd/grype/cli/commands/db_search.go
@@ -2,6 +2,7 @@ package commands
 
 import (
 	"encoding/json"
+	"errors"
 	"fmt"
 	"io"
 	"strings"
@@ -11,21 +12,18 @@ import (
 
 	"github.com/anchore/clio"
 	"github.com/anchore/grype/grype"
-	v6 "github.com/anchore/grype/grype/db/v6"
-	"github.com/anchore/grype/grype/db/v6/distribution"
-	"github.com/anchore/grype/grype/db/v6/installation"
 	"github.com/anchore/grype/grype/vulnerability"
 	"github.com/anchore/grype/internal/bus"
 	"github.com/anchore/grype/internal/log"
 )
 
+var _ clio.FlagAdder = (*dbQueryOptions)(nil)
+
 type dbQueryOptions struct {
 	Output    string `yaml:"output" json:"output" mapstructure:"output"`
 	DBOptions `yaml:",inline" mapstructure:",squash"`
 }
 
-var _ clio.FlagAdder = (*dbQueryOptions)(nil)
-
 func (c *dbQueryOptions) AddFlags(flags clio.FlagSet) {
 	flags.StringVarP(&c.Output, "output", "o", "format to display results (available=[table, json])")
 }
@@ -36,59 +34,41 @@ func DBSearch(app clio.Application) *cobra.Command {
 		DBOptions: *dbOptionsDefault(app.ID()),
 	}
 
-	return app.SetupCommand(&cobra.Command{
-		Use:   "search [vulnerability_id]",
-		Short: "get information on a vulnerability from the db",
-		Args:  cobra.ExactArgs(1),
-		RunE: func(_ *cobra.Command, args []string) (err error) {
-			id := args[0]
-			return runDBSearch(*opts, id)
+	cmd := &cobra.Command{
+		// this is here to support v5 functionality today but will be removed when v6 is the default DB version
+		Use:   "search ID...",
+		Short: "get information on vulnerabilities from the db",
+		//Use: "search",
+		//Short: "search the DB for vulnerabilities or affected packages",
+		PreRunE: disableUI(app),
+		RunE: func(cmd *cobra.Command, args []string) (err error) {
+			if opts.Experimental.DBv6 {
+				if len(args) > 0 {
+					// looks like the user attempted to use the search command as if it's v5 -- let them know about the new commands instead
+					return errors.New("this command is only supported for schema DB v5, please use `grype db search pkg` or `grype db search vuln` for schema DB v6+")
+				}
+				// running without args should only show help, not as a runtime error
+				return cmd.Usage()
+			}
+
+			// this is v5, do arg handling here. Why not do this earlier in the struct Args field? When v6 functionality is
+			// enabled we want this command to show usage and exit, so we need to do this check later in processing (here).
+			if err := cobra.MinimumNArgs(1)(cmd, args); err != nil {
+				return err
+			}
+			return legacyDBSearchPackages(*opts, args)
 		},
-	}, opts)
-}
-
-func runDBSearch(opts dbQueryOptions, vulnerabilityID string) error {
-	if opts.Experimental.DBv6 {
-		return newDBSearch(opts, vulnerabilityID)
-	}
-	return legacyDBSearch(opts, vulnerabilityID)
-}
-
-func newDBSearch(opts dbQueryOptions, vulnerabilityID string) error {
-	client, err := distribution.NewClient(opts.DB.ToClientConfig())
-	if err != nil {
-		return fmt.Errorf("unable to create distribution client: %w", err)
-	}
-
-	c, err := installation.NewCurator(opts.DB.ToCuratorConfig(), client)
-	if err != nil {
-		return fmt.Errorf("unable to create curator: %w", err)
-	}
-
-	reader, err := c.Reader()
-	if err != nil {
-		return fmt.Errorf("unable to get providers: %w", err)
-	}
-
-	vh, err := reader.GetVulnerabilities(&v6.VulnerabilitySpecifier{Name: vulnerabilityID}, &v6.GetVulnerabilityOptions{
-		Preload: true,
-	})
-	if err != nil {
-		return fmt.Errorf("unable to get vulnerability: %w", err)
 	}
 
-	if len(vh) == 0 {
-		return fmt.Errorf("vulnerability doesn't exist in the DB: %s", vulnerabilityID)
-	}
+	cmd.AddCommand(
+		DBSearchPackages(app),
+		DBSearchVulnerabilities(app),
+	)
 
-	// TODO: we need to implement the functions that inflate models to the grype vulnerability.Vulnerability struct
-	panic("not implemented")
+	return app.SetupCommand(cmd, opts)
 }
 
-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-// all legacy processing below ////////////////////////////////////////////////////////////////////////////////////////
-
-func legacyDBSearch(opts dbQueryOptions, vulnerabilityID string) error {
+func legacyDBSearchPackages(opts dbQueryOptions, vulnerabilityIDs []string) error {
 	log.Debug("loading DB")
 	str, status, err := grype.LoadVulnerabilityDB(opts.DB.ToLegacyCuratorConfig(), opts.DB.AutoUpdate)
 	err = validateDBLoad(err, status)
@@ -97,23 +77,27 @@ func legacyDBSearch(opts dbQueryOptions, vulnerabilityID string) error {
 	}
 	defer log.CloseAndLogError(str, status.Location)
 
-	vulnerabilities, err := str.Get(vulnerabilityID, "")
-	if err != nil {
-		return err
+	var vulnerabilities []vulnerability.Vulnerability
+	for _, vulnerabilityID := range vulnerabilityIDs {
+		vulns, err := str.Get(vulnerabilityID, "")
+		if err != nil {
+			return fmt.Errorf("unable to get vulnerability %q: %w", vulnerabilityID, err)
+		}
+		vulnerabilities = append(vulnerabilities, vulns...)
 	}
 
 	if len(vulnerabilities) == 0 {
-		return fmt.Errorf("vulnerability doesn't exist in the DB: %s", vulnerabilityID)
+		return errors.New("no affected packages found")
 	}
 
 	sb := &strings.Builder{}
-	err = presentLegacy(opts.Output, vulnerabilities, sb)
+	err = presentLegacyDBSearchPackages(opts.Output, vulnerabilities, sb)
 	bus.Report(sb.String())
 
 	return err
 }
 
-func presentLegacy(outputFormat string, vulnerabilities []vulnerability.Vulnerability, output io.Writer) error {
+func presentLegacyDBSearchPackages(outputFormat string, vulnerabilities []vulnerability.Vulnerability, output io.Writer) error {
 	if vulnerabilities == nil {
 		return nil
 	}
@@ -126,22 +110,9 @@ func presentLegacy(outputFormat string, vulnerabilities []vulnerability.Vulnerab
 		}
 
 		table := tablewriter.NewWriter(output)
-		columns := []string{"ID", "Package Name", "Namespace", "Version Constraint"}
-
-		table.SetHeader(columns)
-		table.SetAutoWrapText(false)
-		table.SetHeaderAlignment(tablewriter.ALIGN_LEFT)
-		table.SetAlignment(tablewriter.ALIGN_LEFT)
-
-		table.SetHeaderLine(false)
-		table.SetBorder(false)
-		table.SetAutoFormatHeaders(true)
-		table.SetCenterSeparator("")
-		table.SetColumnSeparator("")
-		table.SetRowSeparator("")
-		table.SetTablePadding("  ")
-		table.SetNoWhiteSpace(true)
+		commonTableWriterOptions(table)
 
+		table.SetHeader([]string{"ID", "Package Name", "Namespace", "Version Constraint"})
 		table.AppendBulk(rows)
 		table.Render()
 	case jsonOutputFormat:

diff --git a/cmd/grype/cli/commands/db_search_pkg.go b/cmd/grype/cli/commands/db_search_pkg.go
@@ -0,0 +1,156 @@
+package commands
+
+import (
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io"
+	"strings"
+
+	"github.com/olekukonko/tablewriter"
+	"github.com/spf13/cobra"
+
+	"github.com/anchore/clio"
+	"github.com/anchore/grype/cmd/grype/cli/commands/internal/dbsearch"
+	"github.com/anchore/grype/cmd/grype/cli/options"
+	"github.com/anchore/grype/grype/db/v6/distribution"
+	"github.com/anchore/grype/grype/db/v6/installation"
+	"github.com/anchore/grype/internal/bus"
+)
+
+type dbSearchPackageOptions struct {
+	Format        options.DBSearchFormat          `yaml:",inline" mapstructure:",squash"`
+	Vulnerability options.DBSearchVulnerabilities `yaml:",inline" mapstructure:",squash"`
+	Package       options.DBSearchPackages        `yaml:",inline" mapstructure:",squash"`
+	OS            options.DBSearchOSs             `yaml:",inline" mapstructure:",squash"`
+
+	DBOptions `yaml:",inline" mapstructure:",squash"`
+}
+
+func DBSearchPackages(app clio.Application) *cobra.Command {
+	opts := &dbSearchPackageOptions{
+		Format: options.DBSearchFormat{
+			Output: tableOutputFormat,
+			Allowable: []string{
+				tableOutputFormat,
+				jsonOutputFormat,
+			},
+		},
+		Vulnerability: options.DBSearchVulnerabilities{
+			UseVulnIDFlag: true,
+		},
+		DBOptions: *dbOptionsDefault(app.ID()),
+	}
+
+	return app.SetupCommand(&cobra.Command{
+		Use:     "pkg PURL|CPE|NAME...",
+		Aliases: []string{"package", "packages", "pkgs"},
+		Short:   "Search for packages affected by vulnerabilities within the db (supports DB schema v6+ only)",
+		Args: func(_ *cobra.Command, args []string) error {
+			opts.Package.Names = args
+			return nil
+		},
+		RunE: func(_ *cobra.Command, _ []string) (err error) {
+			if !opts.Experimental.DBv6 {
+				return errors.New("this command only supports the v6+ database schemas")
+			}
+			return runDBSearchPackages(*opts)
+		},
+	}, opts)
+}
+
+func runDBSearchPackages(opts dbSearchPackageOptions) error {
+	client, err := distribution.NewClient(opts.DB.ToClientConfig())
+	if err != nil {
+		return fmt.Errorf("unable to create distribution client: %w", err)
+	}
+
+	curator, err := installation.NewCurator(opts.DB.ToCuratorConfig(), client)
+	if err != nil {
+		return fmt.Errorf("unable to create curator: %w", err)
+	}
+
+	reader, err := curator.Reader()
+	if err != nil {
+		return fmt.Errorf("unable to get providers: %w", err)
+	}
+
+	if err := validateProvidersFilter(reader, opts.Vulnerability.Providers); err != nil {
+		return err
+	}
+
+	rows, err := dbsearch.AffectedPackages(reader, dbsearch.AffectedPackagesOptions{
+		Vulnerability: opts.Vulnerability.Specs,
+		Package:       opts.Package.PkgSpecs,
+		CPE:           opts.Package.CPESpecs,
+		OS:            opts.OS.Specs,
+	})
+	if err != nil {
+		return err
+	}
+
+	if len(rows) == 0 {
+		return errors.New("no affected packages found")
+	}
+
+	sb := &strings.Builder{}
+	err = presentDBSearchPackages(opts.Format.Output, rows, sb)
+	bus.Report(sb.String())
+	return err
+}
+
+func presentDBSearchPackages(outputFormat string, structuredRows []dbsearch.AffectedPackageTableRow, output io.Writer) error {
+	if len(structuredRows) == 0 {
+		// TODO: show a message that no results were found?
+		return nil
+	}
+
+	switch outputFormat {
+	case tableOutputFormat:
+		rows := renderDBSearchPackagesTableRows(structuredRows)
+
+		table := tablewriter.NewWriter(output)
+		commonTableWriterOptions(table)
+
+		table.SetHeader([]string{"ID", "Package", "Ecosystem", "Namespace", "Version Constraint"})
+		table.AppendBulk(rows)
+		table.Render()
+	case jsonOutputFormat:
+		enc := json.NewEncoder(output)
+		enc.SetEscapeHTML(false)
+		enc.SetIndent("", " ")
+		if err := enc.Encode(structuredRows); err != nil {
+			return fmt.Errorf("failed to encode diff information: %+v", err)
+		}
+	default:
+		return fmt.Errorf("unsupported output format: %s", outputFormat)
+	}
+	return nil
+}
+
+func renderDBSearchPackagesTableRows(structuredRows []dbsearch.AffectedPackageTableRow) [][]string {
+	var rows [][]string
+	for _, rr := range structuredRows {
+		var pkgOrCPE, ecosystem string
+		if rr.Package != nil {
+			pkgOrCPE = rr.Package.Name
+			ecosystem = rr.Package.Ecosystem
+		} else if rr.CPE != nil {
+			pkgOrCPE = rr.CPE.String()
+			ecosystem = rr.CPE.TargetSoftware
+		}
+
+		namespace := rr.Vulnerability.Provider
+		if rr.OS != nil {
+			namespace = fmt.Sprintf("%s:%s", rr.OS.Family, rr.OS.Version)
+		}
+
+		var ranges []string
+		for _, ra := range rr.Detail.Ranges {
+			ranges = append(ranges, ra.Version.Constraint)
+		}
+		rangeStr := strings.Join(ranges, " || ")
+		rows = append(rows, []string{rr.Vulnerability.ID, pkgOrCPE, ecosystem, namespace, rangeStr})
+	}
+	return rows
+}