Support for PostgreSQL or MariaDB as a backend for the Grype database

Hello,

First of all, thank you for the work you are doing around open-source tools for vulnerability and SBOM management.

The Grype database you use is very powerful, but its usage is currently limited to a SQLite database. Do you think it would be possible for the database to be inserted into, or even directly created in, a database such as PostgreSQL or MariaDB?

This would be really interesting to simplify interactions with the database in certain contexts.

What do you think?

As far as I know that is not currently possible, since Grype directly uses SQLite in some places. However, Grype uses GORM with queries that are fairly standard, so most of the database interaction should work with other databases.

I’m curious what difficulty you have with SQLite? If it’s just a matter of querying, you could probably import the whole thing into another RDBMS.

Importing the whole thing is a possibility, but probably not as clean as a direct import into the database with direct updates. The difficulty is that I would like to create direct relationships between elements in my database and elements in the Grype database, and having two SQLite databases, or one SQLite and another type, doesn’t seem like the best idea for maintainability.

Sorry I don’t have any ideal solutions for what you’re trying to do. One of the distinct problems is that every Grype db has different IDs for what would otherwise be identical rows. It’s possible you could use foreign data wrappers, but because the row IDs change between builds, this would not help a lot. I think your best bet might be to come up with some sort of ETL procedure that gives you the data you’re most interested in.
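The ETL approach suggested above, as an added example that is not part of this thread and not Grype's own code: rows are extracted from a SQLite file and loaded into a target table keyed on a hash of the columns that identify a record logically, so the key stays the same across database builds even though the SQLite row id does not. The `vulnerability` table layout, the column names, the `vuln_record` target table and the sample CVE rows are all assumptions made for illustration; the real Grype schema should be checked and the column list adjusted before using this against an actual Grype db. SQLite is used as the target here so the script runs offline; the same table and upsert work in PostgreSQL with only dialect changes.

```python
# Added ETL example: re-key Grype-like vulnerability rows on a content-derived
# key so records can be joined across database builds whose row IDs differ.
# The source table layout below is an ASSUMPTION for illustration, not the
# real Grype schema; adapt the column list to the schema of the db you have.
import hashlib
import sqlite3

# Columns that identify a record logically (assumed; adjust to the real schema).
NATURAL_KEY_COLUMNS = ("id", "namespace", "package_name", "version_constraint")


def stable_key(record: dict) -> str:
    """Derive a deterministic key from the natural-key columns, not the row pk."""
    parts = [str(record[c]) for c in NATURAL_KEY_COLUMNS]
    # Length-prefix each part so ("ab", "c") and ("a", "bc") cannot collide.
    material = "".join(f"{len(p)}:{p}|" for p in parts)
    return hashlib.sha256(material.encode("utf-8")).hexdigest()


def build_source_db(rows):
    """Create an in-memory SQLite db shaped like a simplified, assumed Grype db.
    `rows` is a list of (pk, id, namespace, package_name, version_constraint)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE vulnerability ("
        "pk INTEGER PRIMARY KEY, id TEXT, namespace TEXT, "
        "package_name TEXT, version_constraint TEXT)"
    )
    conn.executemany("INSERT INTO vulnerability VALUES (?,?,?,?,?)", rows)
    conn.commit()
    return conn


def build_target_db():
    """Target table keyed on the stable key. A PostgreSQL table would be the
    same apart from dialect; TEXT PRIMARY KEY and ON CONFLICT both exist there."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE vuln_record ("
        "stable_key TEXT PRIMARY KEY, vuln_id TEXT, namespace TEXT, "
        "package_name TEXT, version_constraint TEXT, source_pk INTEGER)"
    )
    conn.commit()
    return conn


def extract(src) -> list:
    """Pull the natural-key columns plus the build-specific row pk."""
    src.row_factory = sqlite3.Row
    cols = ", ".join(("pk",) + NATURAL_KEY_COLUMNS)
    return [dict(r) for r in src.execute(f"SELECT {cols} FROM vulnerability")]


def load(dst, records) -> int:
    """Upsert by stable key: re-running on a newer build updates rows in place
    instead of duplicating them, even though source_pk has changed."""
    params = [
        (stable_key(r), r["id"], r["namespace"], r["package_name"],
         r["version_constraint"], r["pk"])
        for r in records
    ]
    dst.executemany(
        "INSERT INTO vuln_record VALUES (?,?,?,?,?,?) "
        "ON CONFLICT(stable_key) DO UPDATE SET source_pk = excluded.source_pk",
        params,
    )
    dst.commit()
    return dst.execute("SELECT COUNT(*) FROM vuln_record").fetchone()[0]


def etl(src, dst) -> int:
    """Run extract + load and return the number of rows now in the target."""
    return load(dst, extract(src))


# Constructed sample data (not real Grype content): the same two logical
# records, but build B assigned the row pks in a different order, which is
# the "IDs differ between builds" problem described in the thread.
BUILD_A = [
    (1, "CVE-2021-0001", "nvd:cpe", "libfoo", "< 1.2.3"),
    (2, "CVE-2021-0002", "debian:distro:debian:11", "bar", "< 0.9"),
]
BUILD_B = [
    (1, "CVE-2021-0002", "debian:distro:debian:11", "bar", "< 0.9"),
    (2, "CVE-2021-0001", "nvd:cpe", "libfoo", "< 1.2.3"),
]


def key_by_cve(rows) -> dict:
    """Map vuln id -> (pk, stable_key) for one build, to show pk drift."""
    return {r["id"]: (r["pk"], stable_key(r))
            for r in extract(build_source_db(rows))}


if __name__ == "__main__":
    a, b = key_by_cve(BUILD_A), key_by_cve(BUILD_B)
    for cve in a:
        print(cve, "pk:", a[cve][0], "->", b[cve][0],
              "stable key unchanged:", a[cve][1] == b[cve][1])
    target = build_target_db()
    etl(build_source_db(BUILD_A), target)
    print("rows after loading build B:", etl(build_source_db(BUILD_B), target))
```

Your own tables can then reference `vuln_record.stable_key` as a foreign key, and a refresh from a new Grype db build is a re-run of `etl()` rather than a re-mapping of changed row ids. If the real schema carries a natural key of its own (for example the vulnerability id together with its namespace), prefer that over a hash; the hash is only a way to get a fixed-width key from several columns.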