Hi all,
On Friday, we fixed an issue causing slow downloads of the Grype vulnerability database. Grype’s default behavior will pick up the fix; there’s no need to change Grype’s configuration or update Grype.
In recent months some of our users have reported intermittent, but ongoing, issues retrieving the Grype vulnerability database. On Friday, we had a spike in traffic that allowed us to reproduce this and implement a change to the primary database hosting, which should have fixed the issues without any changes required for Grype users.
Unfortunately, the issue has recently become more widespread. Until recently, this was hard for the team to reproduce, which made it frustratingly difficult to debug and resolve. The issues can be summarized as:
- Inability to download the database (anchore/grype issue #1731: "Grype scan command appears to hang when downloading db or listing file")
- Unreliable database download speed (anchore/grype issue #1939: "grype db is not being downloaded")
Part of the solution involved changing the primary database hosting to utilize what we believe is a more appropriate delivery solution; the main change you might notice is that databases are hosted on grype.anchore.io/databases instead of toolbox-data.anchore.io/grype/databases. The metadata files grype consumes are still on toolbox-data.anchore.io, while the vulnerability database is hosted on the new host grype.anchore.io. So, currently access to both hosts is required by Grype. If your organization has strict firewall rules, we recommend allowing access to the anchore.io domain from hosts running Anchore OSS tools.
We endeavored to keep the change as minimal for users as possible. However, this change means some users may need to adjust firewall rules to access the new host.
Our monitoring indicates that all traffic has switched over relatively seamlessly, and end users should not need to take any action at this time. We will continue monitoring this and shortly provide a more in-depth look at what we’ve changed.