I am working on adding an OpenVEX feed from Chainguard to help filter out false positive vulnerability results in Chainguard Libraries. So far, I have PRs adding OpenVEX parsing to vunnel and storing the results as data.Entry's in grype-db. The next step, as discussed with @wagoodman via email, appears to be updating MatchPackageByEcosystemPackageName to return this information in the match.IgnoreFilter. Looking at my database, I can see the information being stored across blobs, affected_package_handles, packages, and vulnerability_handles. However, when I run grype on a directory with just a Python virtualenv with urllib3 installed, I don't see the entry from the VEX feed. I set GRYPE_DB_CACHE_DIR to point to the directory containing my locally compiled grype-db. What am I missing?
Even after changing the query to just:
vulns, err := provider.FindVulnerabilities(
    search.ByEcosystem(p.Language, p.Type),
    search.ByPackageName("urllib3"),
)
I don't see anything corresponding to the VEX feed. Is there some other query I need to do?
I don’t have a ton of context on what you’re doing, but the way to get a locally built database to be used by grype is to run grype db import /path/to/vulnerability.db. You can use GRYPE_DB_CACHE_DIR to point to a directory where you want it stored and to avoid overriding the normal grype db stored in the user’s cache directory. (The import step rebuilds some indexes and things, so it’s how you should manually pull in a database even if it’s already close to where it goes.)
If you’re working in a Vunnel development shell (you ran make dev provider=wolfi or similar in the Vunnel directory), then the make target make update-db will re-run the configured vunnel providers, rebuild the grype database, and have the locally built grype import the new database.
It appears for some reason it only would ever refer to ~/.cache/grype/vulnerability.db, so I had to copy my local database there and set GRYPE_DB_VALIDATE_BY_HASH_ON_START="false" so it would use the database.