Database vulnerability throttling

In the last few days, our pipelines have been timing out everywhere during the grype scan. The cause is that when grype is downloading the database, the first 125MB go fast, but when the database is larger than that, the download speed is throttled to a ridiculous speed, taking like an hour or more to complete.
This can be reproduced with just curl, so it is not grype-specific, but the host where the database is:

curl -LO https://toolbox-data.anchore.io/grype/databases/vulnerability-db_v5_2024-08-13T01:31:28Z_1723556154.tar.gz

It is not always the case; that same download worked fine the next day.

This is the first time we have encountered this. Not sure if it is a new Anchore policy or if we have reached some new limit.

Is this an existing or new limit documented somewhere? Grype states in the documentation that we shouldn’t be managing our own database but perhaps that’s the recommended thing to do if it is used more often?

Any clarification on this topic would be helpful. Thank you.

Hi @carlosrodfern

Thanks for letting us know, and sorry you’re getting issues with the database download.

There is indeed an open issue on this topic: "Grype scan command appears to hang when downloading db or listing file" (Issue #1731, anchore/grype on GitHub).


Hi @carlosrodfern - this slowdown appears to be behavior of the CDN. It is not an intentional limit created by the Grype team. We are actively researching how to improve CDN performance.

Thanks for the detailed information that the first 125 MB are faster - that helps our investigation.


Thanks for the quick reply. Yes, the first 125MB going fast was pretty consistent. Then, it throttles to KB speed. When it happens again, I’ll try to confirm this behavior, and get more details :+1:


For those affected by this issue, the team made some changes to the way the grype vulnerability database is served late last night (UK time). So runs should now no longer exhibit the same network stalling.

Please do report if you see any further issues.

Hi – as noted, we made a change to the database hosting on Friday. For more information, see: Grype Vulnerability Hosting Update
