
Enhance v6 search command #2303

Open: wants to merge 12 commits into base: main

Conversation

wagoodman (Contributor) commented Dec 4, 2024

Plumbs up the search command for the v6 schema with the store + presenter logic. Functionally this adds the ability to refine affected package searches by various criteria, such as vuln published date, vuln modified date, provider, distro, etc. Note that any form of date searching will be partially functional until there is more data in the DB for search conditions to key off of; in the meantime any records without date information are included in the output.

Here an additional vulnerability command has been added:

$ grype db search vuln --help

Search for vulnerabilities within the DB (supports DB schema v6+ only)

Usage:
  grype db search vuln ID... [flags]

Aliases:
  vuln, vulnerability, vulnerabilities, vulns

Flags:
  -h, --help                     help for vuln
      --limit int                limit the number of results returned (supports DB schema v6+ only) (default 5000)
      --modified-after string    only show vulnerabilities originally published or modified since the given date (format: YYYY-MM-DD) (supports DB schema v6+ only)
  -o, --output string            format to display results (available=[table, json]) (default "table")
      --provider stringArray     only show vulnerabilities from the given provider (supports DB schema v6+ only)
      --published-after string   only show vulnerabilities originally published after the given date (format: YYYY-MM-DD) (supports DB schema v6+ only)


...and the existing search for affected packages command has been enhanced:

$ grype db search --help

Search the DB for vulnerabilities or affected packages

Usage:
  grype db search VULN|PKG... [flags]

Flags:
      --distro stringArray       refine to results with the given operating system (format: 'name', 'name@version', '[email protected]', 'name@codename') (supports DB schema v6+ only)
      --ecosystem string         ecosystem of the package to search within (supports DB schema v6+ only)
  -h, --help                     help for search
      --limit int                limit the number of results returned (supports DB schema v6+ only) (default 5000)
      --modified-after string    only show vulnerabilities originally published or modified since the given date (format: YYYY-MM-DD) (supports DB schema v6+ only)
  -o, --output string            format to display results (available=[table, json]) (default "table")
      --pkg stringArray          package name/CPE/PURL to search for (supports DB schema v6+ only)
      --provider stringArray     only show vulnerabilities from the given provider (supports DB schema v6+ only)
      --published-after string   only show vulnerabilities originally published after the given date (format: YYYY-MM-DD) (supports DB schema v6+ only)
      --vuln stringArray         only show results for the given vulnerability ID (supports DB schema v6+ only)

Here's example output of searching by package:

$ grype db search --pkg log4j --distro sles@15.6
VULNERABILITY   PACKAGE  ECOSYSTEM  NAMESPACE              VERSION CONSTRAINT        
CVE-2019-17571  log4j    rpm        sles:distro:sles:15.6  < 0:2.17.2-150200.4.27.45  
CVE-2020-9488   log4j    rpm        sles:distro:sles:15.6  < 0:2.17.2-150200.4.27.45  
CVE-2021-4104   log4j    rpm        sles:distro:sles:15.6  < 0:2.17.2-150200.4.27.45  
CVE-2021-42550  log4j    rpm        sles:distro:sles:15.6  < 0:2.17.2-150200.4.24.13  
CVE-2021-44228  log4j    rpm        sles:distro:sles:15.6  < 0:2.16.0-4.10.1          
CVE-2021-44832  log4j    rpm        sles:distro:sles:15.6  < 0:2.17.0-4.16.1          
CVE-2021-45046  log4j    rpm        sles:distro:sles:15.6  < 0:2.16.0-4.10.1          
CVE-2021-45105  log4j    rpm        sles:distro:sles:15.6  < 0:2.17.0-4.13.1

It also allows for fuzzier argument input:

$ grype db search ELSA-2023-12205            # same as '--vuln ELSA-2023-12205'
$ grype db search log4j                      # same as '--pkg log4j'
$ grype db search log4j CVE-2021-44228       # same as '--pkg log4j --vuln CVE-2021-44228'
$ grype db search 'pkg:rpm/redhat/openssl'   # same as '--ecosystem rpm --pkg openssl'
$ grype db search 'cpe:2.3:a:jetty:jetty_http_server:*:*:*:*:*:*'
$ grype db search 'cpe:/a:jetty:jetty_http_server'

Notice that we can specify a PURL, CPE, package name, or vulnerability ID -- the search command will attempt to parse each value and adjust the search criteria accordingly. If there is ever any ambiguity or opposition to using arbitrary args, there are still the equivalent flags for each (--pkg and --vuln).

Note that the Namespace mimics the v5 namespace values, even though this is not present in the DB today (in a future PR this code will be moved).

And similarly, example output searching by vulnerability:

$ grype db search vuln CVE-2021-4104
ID             PROVIDER                                                                                 PUBLISHED   SEVERITY                                            REFERENCE                                                 
CVE-2021-4104  debian (10, 11, 12, 13, unstable)                                                                                                                        https://security-tracker.debian.org/tracker/CVE-2021-4104  
CVE-2021-4104  debian (9)                                                                                           high                                                https://security-tracker.debian.org/tracker/CVE-2021-4104  
CVE-2021-4104  nvd                                                                                      2021-12-14  CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H (7.5)  https://nvd.nist.gov/vuln/detail/CVE-2021-4104             
CVE-2021-4104  rhel (7, 8)                                                                                          medium                                              https://access.redhat.com/security/cve/CVE-2021-4104       
CVE-2021-4104  sles (11.1, 11.3, 11.4, 12.2, 12.3, 12.4, 12.5, 15, 15.1, 15.2, 15.3, 15.4, 15.5, 15.6)              medium                                              https://www.suse.com/security/cve/CVE-2021-4104            
CVE-2021-4104  ubuntu (16.04, 18.04, 20.04, 21.04, 21.10, 23.04, 23.10, 24.04, 24.10)                               medium                                              https://ubuntu.com/security/CVE-2021-4104

Each command has JSON output as well, for which the JSON schemas are automatically generated (and validated in CI on pull requests).

PR stack:

  1. Rename OperatingSystemAliases #2352
  2. Finalize label version and add release id to OS model #2349
  3. Allow v6 store to support multiple qualifiers #2338
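The two behaviours the description above explains, classifying loose positional arguments into package/vulnerability criteria and including undated records when a date filter is applied, as an added example in Go. This is not code from the grype project: the `Criteria` and `Record` types, the `ParseSearchArgs`, `parsePURL` and `FilterByDates` functions, the vulnerability-ID pattern (which only knows the CVE and ELSA forms shown on the page plus GHSA), the minimal PURL parsing, and the fallback from a missing modified date to the published date are all assumptions made for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
	"time"
)

// Criteria is a constructed stand-in for the criteria behind the
// --pkg / --vuln / --ecosystem flags described in the PR text.
type Criteria struct {
	Packages  []string // package names and CPE strings (--pkg accepts both)
	Vulns     []string // vulnerability IDs (--vuln)
	Ecosystem string   // derived from a PURL type (--ecosystem)
}

// Assumed ID schemes: only CVE and ELSA (shown on the page) plus GHSA; a real
// implementation would cover the other providers' advisory formats.
var vulnIDPattern = regexp.MustCompile(`(?i)^(CVE-\d{4}-\d{4,}|ELSA-\d{4}-\d+|GHSA-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{4})$`)

// parsePURL extracts the type (ecosystem) and name from a package URL such as
// pkg:rpm/redhat/openssl@1.1.1?arch=x86_64; version, qualifiers and subpath are
// dropped because the search keys only on ecosystem and name (minimal parser,
// not the packageurl library).
func parsePURL(s string) (ecosystem, name string, err error) {
	rest := strings.TrimPrefix(s, "pkg:")
	for _, sep := range []string{"@", "?", "#"} {
		if i := strings.Index(rest, sep); i >= 0 {
			rest = rest[:i]
		}
	}
	parts := strings.Split(strings.Trim(rest, "/"), "/")
	if len(parts) < 2 || parts[0] == "" || parts[len(parts)-1] == "" {
		return "", "", fmt.Errorf("malformed purl %q", s)
	}
	return parts[0], parts[len(parts)-1], nil
}

// ParseSearchArgs classifies each positional argument as a PURL, CPE,
// vulnerability ID or plain package name, so that
// `search log4j CVE-2021-44228` means `--pkg log4j --vuln CVE-2021-44228`.
func ParseSearchArgs(args []string) (Criteria, error) {
	var c Criteria
	for _, a := range args {
		a = strings.TrimSpace(a)
		switch {
		case a == "":
			continue
		case strings.HasPrefix(a, "pkg:"):
			eco, name, err := parsePURL(a)
			if err != nil {
				return Criteria{}, err
			}
			// two PURLs naming different ecosystems cannot form one search
			if c.Ecosystem != "" && c.Ecosystem != eco {
				return Criteria{}, fmt.Errorf("conflicting ecosystems %q and %q", c.Ecosystem, eco)
			}
			c.Ecosystem = eco
			c.Packages = append(c.Packages, name)
		case strings.HasPrefix(a, "cpe:2.3:") || strings.HasPrefix(a, "cpe:/"):
			c.Packages = append(c.Packages, a) // CPE 2.3 and 2.2 forms pass through as-is
		case vulnIDPattern.MatchString(a):
			c.Vulns = append(c.Vulns, a)
		default:
			c.Packages = append(c.Packages, a)
		}
	}
	return c, nil
}

// Record is a constructed stand-in for one vulnerability row; nil dates model
// providers that supplied no published/modified information.
type Record struct {
	ID        string
	Published *time.Time
	Modified  *time.Time
}

// ParseDate parses the YYYY-MM-DD form used by --published-after / --modified-after.
func ParseDate(s string) (time.Time, error) {
	return time.Parse("2006-01-02", s)
}

// FilterByDates applies the two date flags. Per the PR note, a record lacking
// date information is kept; it is dropped only when it has a date and that date
// is before the cutoff. For --modified-after the modified date is used, falling
// back to the published date when modified is absent (assumed semantics).
func FilterByDates(records []Record, publishedAfter, modifiedAfter *time.Time) []Record {
	var out []Record
	for _, r := range records {
		if publishedAfter != nil && r.Published != nil && r.Published.Before(*publishedAfter) {
			continue
		}
		if modifiedAfter != nil {
			latest := r.Modified
			if latest == nil {
				latest = r.Published
			}
			if latest != nil && latest.Before(*modifiedAfter) {
				continue
			}
		}
		out = append(out, r)
	}
	return out
}

func main() {
	c, err := ParseSearchArgs([]string{"log4j", "CVE-2021-44228", "pkg:rpm/redhat/openssl", "cpe:/a:jetty:jetty_http_server"})
	if err != nil {
		panic(err)
	}
	fmt.Printf("packages=%v vulns=%v ecosystem=%q\n", c.Packages, c.Vulns, c.Ecosystem)
	pub, _ := ParseDate("2021-12-14")
	cutoff, _ := ParseDate("2021-01-01")
	rows := []Record{{ID: "nvd row", Published: &pub}, {ID: "undated row"}} // constructed sample rows
	fmt.Println(len(FilterByDates(rows, &cutoff, nil)), "records kept")
}
```

The conflicting-ecosystem error is the edge case worth keeping: silently letting the last PURL win would make `search pkg:rpm/... pkg:npm/...` return results for a query the user did not ask for. The undated-record rule is deliberately permissive so that a date filter never hides a match merely because a provider omitted dates, which matches the description's note that date searching is only partially functional until the DB carries more date data.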

wagoodman force-pushed the v6-search branch 2 times, most recently from 38de0a5 to f2baf2b (December 17, 2024 14:12)
wagoodman changed the base branch from main to v6-search-store-support (December 17, 2024 16:01)
wagoodman force-pushed the v6-search-store-support branch from 224be59 to c7f35a1 (December 18, 2024 15:54)
wagoodman force-pushed the v6-search branch 2 times, most recently from e6fbc31 to d96ae23 (December 18, 2024 16:52)
wagoodman force-pushed the v6-search-store-support branch from c7f35a1 to 01f1def (December 18, 2024 17:54)
wagoodman force-pushed the v6-search branch 4 times, most recently from e5651dc to 19840d1 (December 18, 2024 19:23)
Base automatically changed from v6-search-store-support to main (December 18, 2024 19:43)
wagoodman force-pushed the v6-search branch 4 times, most recently from 2ab51bd to c410aa6 (December 23, 2024 14:51)
wagoodman changed the base branch from main to release-id (December 23, 2024 14:51)
Base automatically changed from release-id to main (December 23, 2024 18:28)
wagoodman force-pushed the v6-search branch 3 times, most recently from b68f60f to 0802095 (December 23, 2024 18:53)
Signed-off-by: Alex Goodman <[email protected]>
wagoodman self-assigned this Jan 8, 2025
wagoodman added the changelog-ignore label (Don't include this issue in the release changelog) Jan 8, 2025
wagoodman marked this pull request as ready for review January 8, 2025 21:33

Labels: changelog-ignore (Don't include this issue in the release changelog)

Successfully merging this pull request may close these issues: Stabilize DB search output