Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

add createdAt or updatedAt for vulnerabilities scheme #1498

Open
Tracked by #108
tomerse-sg opened this issue Sep 18, 2023 · 9 comments
Open
Tracked by #108

add createdAt or updatedAt for vulnerabilities scheme #1498

tomerse-sg opened this issue Sep 18, 2023 · 9 comments
Assignees
Labels
Milestone

Comments

@tomerse-sg
Copy link

What would you like to be added:
vulnerabilities from NVD and GHSA contains sometimes modification and creation time.
is it possible to add it into the scheme of grype?

Why is this needed:
full information on CVEs \ GHSA\s
Additional context:

@willmurphyscode
Copy link
Contributor

Thanks for the suggestion @tomerse-sg! I've added this to the "schema version 6 wish list" over at anchore/grype-db#108. Bumping the schema of the database grype uses is a bit of a heavy lift right now, but we're looking at ways to make it easier, and discussing what should be included in the next version (hence the "version 6 wish list").

I've you like to be part of the discussion, feel free to join the community meeting at https://github.com/anchore/grype/#join-our-community-meetings, or ping us on Slack (I think you're already in the slack).

@tomerse-sg
Copy link
Author

hi, from your experience, what is the approximate estimation time for the schema version 6 wish list?

@willmurphyscode
Copy link
Contributor

Hi @tomerse-sg,

Sorry, but we don't have a time estimate right now for the v6 schema wish list, or even know exactly what the final implementation will look like. If you're interested in working with us on it, please let us know!

@tomersein
Copy link
Contributor

it can be useful. make the DB stateful. will it be added to the v6 db plan? @willmurphyscode

@willmurphyscode
Copy link
Contributor

@tomerse-sg yes, this will be in grype db schema v6 for providers that we can easily get the data from.

@wagoodman wagoodman moved this from Ready to In Progress in OSS Nov 14, 2024
@wagoodman wagoodman self-assigned this Nov 14, 2024
@wagoodman wagoodman added this to the DB v6 milestone Nov 14, 2024
@wagoodman
Copy link
Contributor

For NVD and GHSA this will be in the DB v6 work, which is in progress now. I expect PRs that implement this to land soon, but we won't switch to using the v6 schema for probably another 2 months (+/- a margin).

@tomersein
Copy link
Contributor

great news! @wagoodman
however, this schema will make the DB to be "half stated", meaning some of the vulnerabilities will have updated timestamp field, and the other will not have.
moreover, since there are plans to remove grype db diff, I wonder if any other solution will be provided to monitor modified vulnerabilities in the DB? @wagoodman (since other sources like ubuntu, debian, rpm, etc. doesn't report on modifications).

@wagoodman
Copy link
Contributor

wagoodman commented Nov 14, 2024

We'll be plumbing through the upstream data sources that do support these fields (this work will be tracked here #2259 anchore/vunnel#742 ) which will be closely related to #2129. If we cannot reliably plumb date information then we will need to refigure a plan for DB diff.

@tomersein
Copy link
Contributor

great! @wagoodman
please consider not to deprecate the grype db diff (I saw it was moved to 'legacy' folder) before we have a state for vulnerabilities :)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
Status: In Progress
Development

No branches or pull requests

4 participants