Build grype as a dll

I’m trying to build and run grype as a DLL (to try and reduce memory);
however, I can’t find a public function of grype to which we can give a string path to a .tar file and get the vulnerability results.

Can you think of any idea for how I can accomplish it?

thanks!

Hi @TimBrown1611, you can see what Grype itself is doing here:

There are a number of concerns that come together to turn a string that represents a path to a tarball into a list of vulnerabilities. You can see basically that grype is:

  1. Passing the input to Syft to ask what’s in the package
  2. Checking for updates to the Grype database and downloading them if necessary
  3. Matching packages from the SBOM to vulnerabilities from the database
  4. Figuring out what output format is requested and serializing the output

There’s not a single function that is exported that does exactly all of that in that way, and I don’t think it would help you if there was; it would probably have very similar performance characteristics to just running Grype.

I think the first way to reduce Grype’s memory footprint is to run it on an SBOM, not a tarball. Something like:

syft -o json=sbom.json packages.tar
grype sbom:sbom.json

This way, you end up having the memory needed to index the file system only in the Syft process, and the memory needed to match the packages and the vulnerabilities up only in the Grype process.
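The two-stage pipeline from the reply above, as an added example script rather than anything from the original thread or from the Grype/Syft projects. It assumes `syft` and `grype` are on PATH, uses only the `syft -o json=FILE` and `grype sbom:FILE -o json` invocations shown in the reply, and adds the checks a practitioner would want: a non-empty SBOM before Grype is run, and a peak-RSS measurement of each process (assuming GNU time at `/usr/bin/time`, which is my assumption, not something the reply states) so the memory split can be measured instead of assumed. The function and file names (`generate_sbom`, `scan_sbom`, `peak_rss_kb`, `sbom.json`, `vulns.json`) are mine.

```shell
#!/usr/bin/env bash
# Two-stage scan (added example, not code from the original post or project):
# Syft indexes the tarball into an SBOM, Grype matches the SBOM, and each
# process only pays for its own stage. Assumes syft and grype are on PATH;
# the peak-RSS measurement assumes GNU time at /usr/bin/time (assumption).
set -u

# Fail early with a clear message if a required tool is missing.
require_tool() {
  command -v "$1" >/dev/null 2>&1 || { echo "missing tool: $1" >&2; return 1; }
}

# Stage 1: Syft reads the tarball and writes the SBOM. This is the stage that
# holds the indexed filesystem in memory, so it runs in its own process.
generate_sbom() {
  local tarball=$1 sbom=$2
  [ -f "$tarball" ] || { echo "no such tarball: $tarball" >&2; return 1; }
  require_tool syft || return 1
  syft -o "json=$sbom" "$tarball" >/dev/null || return 1
  # A zero-byte SBOM would make grype report "no packages" instead of failing loudly.
  [ -s "$sbom" ] || { echo "syft wrote an empty SBOM: $sbom" >&2; return 1; }
}

# Stage 2: Grype matches packages from the SBOM against its database; it never
# opens the tarball, so it only needs memory for the database and the matching.
scan_sbom() {
  local sbom=$1 report=$2
  [ -s "$sbom" ] || { echo "no such SBOM: $sbom" >&2; return 1; }
  require_tool grype || return 1
  grype "sbom:$sbom" -o json > "$report"
}

# Peak resident set size (KiB) of a command, from GNU time's %M format.
# Returns 1 with no output when GNU time is not installed (e.g. BSD/macOS time).
peak_rss_kb() {
  /usr/bin/time --version >/dev/null 2>&1 || return 1
  local stats
  stats=$(mktemp) || return 1
  /usr/bin/time -f '%M' -o "$stats" "$@" >/dev/null 2>&1 || { rm -f "$stats"; return 1; }
  tail -n1 "$stats"   # last line holds %M even if time also wrote an exit-status warning
  rm -f "$stats"
}

# Run the one-shot scan and the split pipeline on the same tarball and print
# the peak RSS of each process, so the memory split is measured, not assumed.
compare_memory() {
  local tarball=$1 sbom=$2
  echo "grype on tarball: $(peak_rss_kb grype "$tarball" -o json) KiB"
  echo "syft -> sbom:     $(peak_rss_kb syft -o "json=$sbom" "$tarball") KiB"
  echo "grype on sbom:    $(peak_rss_kb grype "sbom:$sbom" -o json) KiB"
}

main() {
  local tarball=$1 sbom=${2:-sbom.json} report=${3:-vulns.json}
  require_tool syft && require_tool grype || return 1
  generate_sbom "$tarball" "$sbom" || return 1
  scan_sbom "$sbom" "$report" || return 1
  echo "report written to $report"
  if /usr/bin/time --version >/dev/null 2>&1; then
    compare_memory "$tarball" "$sbom"
  fi
}

# Only run when given a tarball, e.g.:  ./scan.sh packages.tar [sbom.json] [vulns.json]
if [ "$#" -ge 1 ]; then
  main "$@"
fi
```

Note that each `grype` invocation in `compare_memory` still performs its own database update check, so the measured RSS includes that; the point of the comparison is that the filesystem index never appears in the second `grype` run at all.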