
Read Connection Timeout - Downloading Grype DB #306

Open
saisatishkarra opened this issue Apr 23, 2024 · 3 comments

Comments

saisatishkarra commented Apr 23, 2024

Issue

Recently in our CI, we have been experiencing grype db tcp read timeouts while downloading the db as part of using the action. This is leading to delayed and failed CVE scanning / additional time for the build pipelines to complete.

[Screenshot: CI log, 2024-04-23 2:07:58 PM]

Version

Grype version: v0.74.4
Action Version: anchore/scan-action@v3.6.4

Observation

  • This seems to be intermittent but more frequent lately (~2 weeks) and doesn't seem to be specific to the above versions.

Expectation

  1. What is the default behavior when GRYPE_DB_AUTO_UPDATE: false is set? Does the action fail or run on first and subsequent invocations assuming no other DB is imported manually? (Eg: When invoked multiple times within the same pipeline job?) - Testing it, it seems it did fail (refer to the screenshots in the comment below)
  2. Can the action be enhanced to always check DB status and only download latest DB even for a specific case where GRYPE_DB_AUTO_UPDATE: false && DB_STATUS=invalid for first invocation of action within a single job?
  3. Are there any other recommendations to avoid the timeout issue / delayed scanning time? (Eg: How to increase / override the db.update-download-timeout parameter in config across multiple repos using a shared workflow of this action?)
saisatishkarra (Author) commented:

[Screenshots: 2024-04-23 4:30:05 PM and 2024-04-23 4:30:38 PM]

kzantow (Contributor) commented Apr 23, 2024

I think you're confusing two options, @saisatishkarra. The scan-action does download a grype database each time it's run. It has GRYPE_CHECK_FOR_APP_UPDATE set to false, so it doesn't check to see if there is a new version of Grype itself.

We have had some reports of the database (and listing file) downloads being flaky over the past few weeks. These are hosted on CDN, outside of our control for the most part. We have been able to sporadically reproduce problems and have provided as much information as we can to the CDN provider, but haven't been able to identify what the issue is nor have we been able to get any resolution.

saisatishkarra (Author) commented Apr 24, 2024

My concern is mostly around the flaky CDN downloads for the DB update every time the scan-action is run. Is there a public CDN metrics status page for the grype db downloads to monitor / subscribe?

I am also interested in how to maintain the db in an offline environment and specify it as an input for the action to import it without having to pull from the online network for every run? Any pointers to use and scale this offline approach across multiple repository pipelines are appreciated.
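Two of the questions in this thread (overriding db.update-download-timeout from a shared workflow, and avoiding a network fetch of the DB on every run) can be handled in one reusable workflow. The following is an added example, not code from anchore/scan-action or grype: it assumes grype's config-to-environment mapping (GRYPE_ prefix, dots and hyphens become underscores, so db.update-download-timeout becomes GRYPE_DB_UPDATE_DOWNLOAD_TIMEOUT), assumes the scan-action passes job-level GRYPE_* variables through to the grype binary it runs (the thread's own use of GRYPE_DB_AUTO_UPDATE relies on the same), and uses a hypothetical cache-key label `grype-db-v5`. The workflow file path and the calling `uses:` reference are placeholders you would choose for your organisation.

```yaml
# Reusable workflow, e.g. .github/workflows/grype-scan.yml in a shared repo,
# called from other repos with:
#   uses: <org>/<shared-repo>/.github/workflows/grype-scan.yml@main
# Added example; env-var names are assumed from grype's config-to-env mapping.
name: grype-scan (shared)

on:
  workflow_call:
    inputs:
      image:
        required: true
        type: string

env:
  # Keep the DB inside the workspace so actions/cache can persist it.
  GRYPE_DB_CACHE_DIR: ${{ github.workspace }}/.grype-db
  # Config key db.update-download-timeout; raised for the flaky-CDN case.
  GRYPE_DB_UPDATE_DOWNLOAD_TIMEOUT: 300s

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - id: date
        run: echo "today=$(date -u +%F)" >> "$GITHUB_OUTPUT"

      - id: db-cache
        uses: actions/cache@v4
        with:
          path: ${{ env.GRYPE_DB_CACHE_DIR }}
          # Exact hit once per day; restore-keys falls back to an older DB,
          # which the refresh step below then brings up to date.
          key: grype-db-v5-${{ steps.date.outputs.today }}
          restore-keys: grype-db-v5-

      - name: Install grype (only when the DB must be refreshed)
        if: steps.db-cache.outputs.cache-hit != 'true'
        run: |
          curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh \
            | sh -s -- -b /usr/local/bin v0.74.4

      - name: Refresh DB once per day, with retries
        if: steps.db-cache.outputs.cache-hit != 'true'
        run: |
          for attempt in 1 2 3; do
            grype db update && break
            echo "db update attempt $attempt failed; retrying" >&2
            sleep $((attempt * 15))
          done
          # Fails the job if no valid DB ended up in GRYPE_DB_CACHE_DIR.
          grype db status

      - name: Scan
        uses: anchore/scan-action@v3.6.4
        env:
          # The scan itself never fetches the DB: the steps above guarantee
          # a valid DB is already present for this job.
          GRYPE_DB_AUTO_UPDATE: "false"
        with:
          image: ${{ inputs.image }}
          fail-build: true
          severity-cutoff: high
```

The design keeps the download on one job step per day per cache scope rather than on every scan, which both cuts CDN exposure and makes a timeout visible as a distinct step failure with its own retry log. If a fully air-gapped pipeline is required, the refresh step can be replaced by `grype db import <archive>` against a DB archive published to internal artifact storage; the cache and the `GRYPE_DB_AUTO_UPDATE: "false"` scan step stay the same.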
