
fix empty cve results due to grype db cache staleness #13544

Merged: 1 commit merged into master from fix/stale-grype-db-cache, Aug 22, 2024

Conversation

saisatishkarra (Contributor)

Summary

This should fix the issue where the scan job doesn't report any vulnerabilities due to caching issues with the grype db, which result in staleness.

[Screenshot: 2024-08-21 11:54:53 PM]

Checklist

  • The Pull Request has tests
  • A changelog file has been created under changelog/unreleased/kong or skip-changelog label added on PR if changelog is unnecessary. README.md
  • There is a user-facing docs PR against https://github.com/Kong/docs.konghq.com - PUT DOCS PR HERE

Issue reference

Fix #[issue number]

@github-actions github-actions bot added the chore Not part of the core functionality of kong, but still needed label Aug 22, 2024
saisatishkarra (Contributor, Author) commented Aug 22, 2024

@windmgc / @curiositycasualty / @Water-Melon / @AndyZhang0707

GitHub doesn't provide a way to save / overwrite the same cache key. Hence these unique short-term cache keys are used for this approach. Refer to Kong/public-shared-actions#147 for the errors encountered when trying to update the same cache key while multiple workflows / jobs are accessing it.

This approach generates the grype db cache (~150 MB) using cache_grype_<github.run_id>-<github.run_attempt>, which can result in a lot of short-term unique caches and quickly hit the cache limit of 10 GB. GitHub, however, rotates unused caches after 7 days. If the GH cache is being exhausted, consider using a GH extension to delete the cache on PR close.
[Screenshot: 2024-08-22 2:16:20 AM]

LMK if this works / can be tuned here.

As an alternative, I can add an input parameter to skip caching the grype db completely and rely on making network calls to the external CDN. Grype updated their CDN as per this post, and the shared action can be updated to skip caching when explicitly set for GW, to rely entirely on Grype's new CDN.

FYI: @pankajmouriyakong / @amankong
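
The caching scheme described in the comment above, written out as a standalone GitHub Actions job. This is an added illustration, not the PR's own diff (which is not shown on this page) and not Kong's shared action. It assumes actions/cache@v4, that grype is already installed on the runner, the GRYPE_DB_CACHE_DIR / GRYPE_DB_AUTO_UPDATE / GRYPE_DB_VALIDATE_AGE / GRYPE_DB_MAX_ALLOWED_BUILT_AGE environment variables that mirror grype's db.* config keys, that grype's JSON output carries the DB build date under .descriptor.db.built, and a placeholder image name. The security-relevant point is the last two steps: a stale DB fails loudly instead of producing an empty, green scan.

```yaml
name: container-scan

on: [pull_request]

jobs:
  grype:
    runs-on: ubuntu-latest
    env:
      # Pin the DB directory so the cache step and grype agree on the path.
      GRYPE_DB_CACHE_DIR: ${{ github.workspace }}/.grype-db
      # We update explicitly below; disable the implicit update so behaviour is deterministic.
      GRYPE_DB_AUTO_UPDATE: "false"
      # Assumed grype age gate: refuse to scan with a DB older than 48h
      # (mirrors db.validate-age / db.max-allowed-built-age).
      GRYPE_DB_VALIDATE_AGE: "true"
      GRYPE_DB_MAX_ALLOWED_BUILT_AGE: "48h"
      # Placeholder image; replace with the artifact under test.
      IMAGE: ghcr.io/example/app:${{ github.sha }}
    steps:
      - uses: actions/checkout@v4

      - name: Restore grype DB (unique key per run, prefix fallback)
        uses: actions/cache@v4
        with:
          path: ${{ env.GRYPE_DB_CACHE_DIR }}
          # An existing cache key is immutable, so every run/attempt writes its
          # own entry. restore-keys lets a fresh run seed from the most recently
          # created cache_grype_* entry instead of downloading from scratch.
          key: cache_grype_${{ github.run_id }}-${{ github.run_attempt }}
          restore-keys: |
            cache_grype_

      - name: Refresh the DB and refuse a stale or broken one
        run: |
          set -euo pipefail
          # Cheap no-op when the restored DB already matches the latest listing;
          # otherwise this is what actually repairs a stale cache.
          grype db update
          # Exits non-zero if the DB on disk is unusable (assumed behaviour).
          grype db status

      - name: Scan image
        run: |
          set -euo pipefail
          grype "${IMAGE}" -o json > grype.json
          built=$(jq -r '.descriptor.db.built' grype.json)
          matches=$(jq '.matches | length' grype.json)
          echo "db built: ${built}; matches: ${matches}"
          # Zero findings on a normal base image is more often a broken DB than
          # a clean image: surface it rather than let the job pass silently.
          if [ "${matches}" -eq 0 ]; then
            echo "::warning::grype reported 0 matches; verify DB build date ${built}"
          fi
```

Because each run writes a new cache_grype_* entry of roughly 150 MB, this scheme trades cache-storage growth for correctness; the 10 GB repository limit and the 7-day eviction of unused entries mentioned above bound that growth, and the age gate means an evicted or stale entry costs a re-download, never a false-negative scan.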

@windmgc windmgc merged commit dfc6029 into master Aug 22, 2024
22 checks passed
@windmgc windmgc deleted the fix/stale-grype-db-cache branch August 22, 2024 08:09
@AndyZhang0707 AndyZhang0707 added this to the 3.8.0 milestone Aug 22, 2024
github-actions bot pushed a commit that referenced this pull request Aug 22, 2024
@team-gateway-bot (Collaborator)

Successfully created backport PR for release/3.8.x:

windmgc pushed a commit that referenced this pull request Aug 23, 2024
@kikito kikito added the cherry-pick kong-ee schedule this PR for cherry-picking to kong/kong-ee label Nov 4, 2024
@team-gateway-bot (Collaborator)

Cherry-pick failed for master, because it was unable to cherry-pick the commit(s).

Please cherry-pick the changes locally.

git remote add upstream https://github.com/kong/kong-ee
git fetch upstream master
git worktree add -d .worktree/cherry-pick-13544-to-master-to-upstream upstream/master
cd .worktree/cherry-pick-13544-to-master-to-upstream
git checkout -b cherry-pick-13544-to-master-to-upstream
ancref=$(git merge-base 61e82aaaf10a1bf7a221811953c53d1530e3d1a3 42548e0fa65a2c8af8a00775fc091ef42c539c8c)
git cherry-pick -x $ancref..42548e0fa65a2c8af8a00775fc091ef42c539c8c

@team-gateway-bot (Collaborator)

Backport failed for release/3.8.x, because it was unable to cherry-pick the commit(s).

Please cherry-pick the changes locally and resolve any conflicts.

git fetch origin release/3.8.x
git worktree add -d .worktree/backport-13544-to-release/3.8.x origin/release/3.8.x
cd .worktree/backport-13544-to-release/3.8.x
git switch --create backport-13544-to-release/3.8.x
git cherry-pick -x dfc6029b2adabae38fbad57cbd8eb1a4f065bd3e

@github-actions github-actions bot added incomplete-cherry-pick A cherry-pick was incomplete and needs manual intervention incomplete-backport labels Nov 4, 2024
@kikito kikito removed incomplete-backport incomplete-cherry-pick A cherry-pick was incomplete and needs manual intervention labels Nov 5, 2024
Labels
backport release/3.8.x cherry-pick kong-ee schedule this PR for cherry-picking to kong/kong-ee chore Not part of the core functionality of kong, but still needed size/XS skip-changelog
6 participants