feat: enable v6 database

README.md

@@ -212,11 +212,17 @@ grype --add-cpes-if-none --distro alpine:3.10 sbom:some-alpine-3.10.spdx.json
 
 ### Supported versions
 
-Any version of Grype before v0.51.0 (Oct 2022) is not supported. Unsupported releases will not receive any software updates or
+Software updates are always applied to the latest version of Grype; fixes are not backported to any previous versions of Grype.
+
+In terms of database updates, any version of Grype before v0.51.0 (Oct 2022, before schema v5) will not receive 
 vulnerability database updates. You can still build vulnerability databases for unsupported Grype releases by using previous
 releases of [vunnel](https://github.com/anchore/vunnel) to gather the upstream data and [grype-db](https://github.com/anchore/grype-db)
 to build databases for unsupported schemas.
 
+Only the latest database schema is considered to be supported. When a new database schema is introduced then the one it replaces is
+marked as deprecated. Deprecated schemas will continue to receive updates for at least one year after they are marked
+as deprecated at which point they will no longer be supported.
+
 ### Working with attestations
 Grype supports scanning SBOMs as input via stdin. Users can use [cosign](https://github.com/sigstore/cosign) to verify attestations
 with an SBOM as its content to scan an image for vulnerabilities:
@@ -515,32 +521,33 @@ By default, Grype automatically manages this database for you. Grype checks for
 
 Grype's vulnerability database is a SQLite file, named `vulnerability.db`. Updates to the database are atomic: the entire database is replaced and then treated as "readonly" by Grype.
 
-Grype's first step in a database update is discovering databases that are available for retrieval. Grype does this by requesting a "listing file" from a public endpoint:
+Grype's first step in a database update is discovering databases that are available for retrieval. Grype does this by requesting a "latest database file" from a public endpoint:
 
-`https://toolbox-data.anchore.io/grype/databases/listing.json`
+https://grype.anchore.io/databases/v6/latest.json
 
-The listing file contains entries for every database that's available for download.
+The latest database file contains an entry for the most recent database available for download.
 
-Here's an example of an entry in the listing file:
+Here's an example of an entry in the latest database file:
 
 ```json
 {
-  "built": "2021-10-21T08:13:41Z",
-  "version": 3,
-  "url": "https://toolbox-data.anchore.io/grype/databases/vulnerability-db_v3_2021-10-21T08:13:41Z.tar.gz",
-  "checksum": "sha256:8c99fb4e516f10b304f026267c2a73a474e2df878a59bf688cfb0f094bfe7a91"
+  "status": "active",
+  "schemaVersion": "6.0.0",
+  "built": "2025-02-11T04:06:41Z",
+  "path": "vulnerability-db_v6.0.0_2025-02-11T01:30:51Z_1739246801.tar.zst",
+  "checksum": "sha256:79bfa04265c5a32d21773ad0da1bda13c31e932fa1e1422db635c8d714038868"
 }
 ```
 
-With this information, Grype can select the correct database (the most recently built database with the current schema version), download the database, and verify the database's integrity using the listed `checksum` value.
+With this information, Grype can find the most recently built database with the current schema version, download the database, and verify the database's integrity using the `checksum` value.
 
 ### Managing Grype's database
 
 > **Note:** During normal usage, _there is no need for users to manage Grype's database!_ Grype manages its database behind the scenes. However, for users that need more control, Grype provides options to manage the database more explicitly.
 
 #### Local database cache directory
 
-By default, the database is cached on the local filesystem in the directory `$XDG_CACHE_HOME/grype/db/<SCHEMA-VERSION>/`. For example, on macOS, the database would be stored in `~/Library/Caches/grype/db/3/`. (For more information on XDG paths, refer to the [XDG Base Directory Specification](https://specifications.freedesktop.org/basedir-spec/basedir-spec-latest.html).)
+By default, the database is cached on the local filesystem in the directory `$XDG_CACHE_HOME/grype/db/<SCHEMA-VERSION>/`. For example, on macOS, the database would be stored in `~/Library/Caches/grype/db/6/`. (For more information on XDG paths, refer to the [XDG Base Directory Specification](https://specifications.freedesktop.org/basedir-spec/basedir-spec-latest.html).)
 
 You can set the cache directory path using the environment variable `GRYPE_DB_CACHE_DIR`. If setting that variable alone does not work, then the `TMPDIR` environment variable might also need to be set.
 
@@ -550,11 +557,13 @@ Grype needs up-to-date vulnerability information to provide accurate matches. By
 
 #### Offline and air-gapped environments
 
-By default, Grype checks for a new database on every run, by making a network call over the Internet. You can tell Grype not to perform this check by setting the environment variable `GRYPE_DB_AUTO_UPDATE` to `false`.
+By default, Grype checks for a new database on every run, by making a network request over the internet.
+You can tell Grype not to perform this check by setting the environment variable `GRYPE_DB_AUTO_UPDATE` to `false`.
 
-As long as you place Grype's `vulnerability.db` and `metadata.json` files in the cache directory for the expected schema version, Grype has no need to access the network. Additionally, you can get a listing of the database archives available for download from the `grype db list` command in an online environment, download the database archive, transfer it to your offline environment, and use `grype db import <db-archive-path>` to use the given database in an offline capacity.
+As long as you place Grype's `vulnerability.db` and `import.json` files in the cache directory for the expected schema version, Grype has no need to access the network.
+Additionally, you can get a reference to the latest database archive for download from the `grype db list` command in an online environment, download the database archive, transfer it to your offline environment, and use `grype db import <db-archive-path>` to use the given database in an offline capacity.
 
-If you would like to distribute your own Grype databases internally without needing to use `db import` manually you can leverage Grype's DB update mechanism. To do this you can craft your own `listing.json` file similar to the one found publically (see `grype db list -o raw` for an example of our public `listing.json` file) and change the download URL to point to an internal endpoint (e.g. a private S3 bucket, an internal file server, etc). Any internal installation of Grype can receive database updates automatically by configuring the `db.update-url` (same as the `GRYPE_DB_UPDATE_URL` environment variable) to point to the hosted `listing.json` file you've crafted.
+If you would like to distribute your own Grype databases internally without needing to use `db import` manually you can leverage Grype's DB update mechanism. To do this you can craft your own `latest.json` file similar to the public "latest database file" and change the download URL to point to an internal endpoint (e.g. a private S3 bucket, an internal file server, etc.). Any internal installation of Grype can receive database updates automatically by configuring the `db.update-url` (same as the `GRYPE_DB_UPDATE_URL` environment variable) to point to the hosted `latest.json` file you've crafted.
 
 #### CLI commands for database management
 
@@ -566,7 +575,7 @@ Grype provides database-specific CLI commands for users that want to control the
 
 `grype db update` — ensure the latest database has been downloaded to the cache directory (Grype performs this operation at the beginning of every scan by default)
 
-`grype db list` — download the listing file configured at `db.update-url` and show databases that are available for download
+`grype db list` — download the latest database file configured at `db.update-url` and show the database available for download
 
 `grype db import` — provide grype with a database archive to explicitly use (useful for offline DB updates)
 
@@ -758,7 +767,7 @@ db:
 
   # URL of the vulnerability database
   # same as GRYPE_DB_UPDATE_URL env var
-  update-url: "https://toolbox-data.anchore.io/grype/databases/listing.json"
+  update-url: "https://grype.anchore.io/databases"
 
   # it ensures db build is no older than the max-allowed-built-age
   # set to false to disable check

Taskfile.yaml

@@ -105,7 +105,7 @@ tasks:
   update-quality-gate-db:
     desc: Update pinned version of quality gate database
     cmds:
-      - cmd: "go run cmd/grype/main.go db list -o json | jq -r .[0].url > test/quality/test-db-url"
+      - cmd: "go run cmd/grype/main.go db list -o json | jq -r '.[0].path' > test/quality/test-db"
         silent: true
 
   list-tools:

cmd/grype/cli/cli.go

@@ -10,7 +10,7 @@ import (
 	"github.com/anchore/grype/cmd/grype/cli/commands"
 	grypeHandler "github.com/anchore/grype/cmd/grype/cli/ui"
 	"github.com/anchore/grype/cmd/grype/internal/ui"
-	"github.com/anchore/grype/grype/db"
+	v6 "github.com/anchore/grype/grype/db/v6"
 	"github.com/anchore/grype/internal/bus"
 	"github.com/anchore/grype/internal/log"
 	"github.com/anchore/grype/internal/redact"
@@ -106,5 +106,5 @@ func syftVersion() (string, any) {
 }
 
 func dbVersion() (string, any) {
-	return "Supported DB Schema", db.SchemaVersion
+	return "Supported DB Schema", v6.ModelVersion
 }

cmd/grype/cli/commands/db.go

@@ -21,7 +21,6 @@ func DB(app clio.Application) *cobra.Command {
 	db.AddCommand(
 		DBCheck(app),
 		DBDelete(app),
-		DBDiff(app),
 		DBImport(app),
 		DBList(app),
 		DBStatus(app),

cmd/grype/cli/commands/db_check.go

@@ -10,7 +10,6 @@ import (
 
 	"github.com/anchore/clio"
 	"github.com/anchore/grype/cmd/grype/cli/options"
-	legacyDistribution "github.com/anchore/grype/grype/db/v5/distribution"
 	db "github.com/anchore/grype/grype/db/v6"
 	"github.com/anchore/grype/grype/db/v6/distribution"
 	"github.com/anchore/grype/internal/log"
@@ -61,13 +60,6 @@ func DBCheck(app clio.Application) *cobra.Command {
 }
 
 func runDBCheck(opts dbCheckOptions) error {
-	if opts.DatabaseCommand.Experimental.DBv6 {
-		return newDBCheck(opts)
-	}
-	return legacyDBCheck(opts)
-}
-
-func newDBCheck(opts dbCheckOptions) error {
 	client, err := distribution.NewClient(opts.ToClientConfig())
 	if err != nil {
 		return fmt.Errorf("unable to create distribution client: %w", err)
@@ -138,61 +130,3 @@ func presentNewDBCheck(format string, writer io.Writer, updateAvailable bool, cu
 	}
 	return nil
 }
-
-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-// all legacy processing below ////////////////////////////////////////////////////////////////////////////////////////
-
-type legacyDBCheckJSON struct {
-	CurrentDB       *legacyDistribution.Metadata     `json:"currentDB"`
-	CandidateDB     *legacyDistribution.ListingEntry `json:"candidateDB"`
-	UpdateAvailable bool                             `json:"updateAvailable"`
-}
-
-func legacyDBCheck(opts dbCheckOptions) error {
-	dbCurator, err := legacyDistribution.NewCurator(opts.ToLegacyCuratorConfig())
-	if err != nil {
-		return err
-	}
-
-	updateAvailable, currentDBMetadata, updateDBEntry, err := dbCurator.IsUpdateAvailable()
-	if err != nil {
-		return fmt.Errorf("unable to check for vulnerability database update: %+v", err)
-	}
-
-	switch opts.Output {
-	case textOutputFormat:
-		if currentDBMetadata != nil {
-			fmt.Printf("Current DB version %d was built on %s\n", currentDBMetadata.Version, currentDBMetadata.Built.String())
-		}
-
-		if !updateAvailable {
-			fmt.Println("No update available")
-			return nil
-		}
-
-		fmt.Printf("Updated DB version %d was built on %s\n", updateDBEntry.Version, updateDBEntry.Built.String())
-		fmt.Printf("Updated DB URL: %s\n", updateDBEntry.URL.String())
-		fmt.Println("You can run 'grype db update' to update to the latest db")
-	case jsonOutputFormat:
-		data := legacyDBCheckJSON{
-			CurrentDB:       currentDBMetadata,
-			CandidateDB:     updateDBEntry,
-			UpdateAvailable: updateAvailable,
-		}
-
-		enc := json.NewEncoder(os.Stdout)
-		enc.SetEscapeHTML(false)
-		enc.SetIndent("", " ")
-		if err := enc.Encode(&data); err != nil {
-			return fmt.Errorf("failed to db listing information: %+v", err)
-		}
-	default:
-		return fmt.Errorf("unsupported output format: %s", opts.Output)
-	}
-
-	if updateAvailable {
-		os.Exit(exitCodeOnDBUpgradeAvailable) //nolint:gocritic
-	}
-
-	return nil
-}

cmd/grype/cli/commands/db_delete.go

@@ -7,7 +7,6 @@ import (
 
 	"github.com/anchore/clio"
 	"github.com/anchore/grype/cmd/grype/cli/options"
-	legacyDistribution "github.com/anchore/grype/grype/db/v5/distribution"
 	"github.com/anchore/grype/grype/db/v6/distribution"
 	"github.com/anchore/grype/grype/db/v6/installation"
 )
@@ -34,13 +33,6 @@ func DBDelete(app clio.Application) *cobra.Command {
 }
 
 func runDBDelete(opts options.DatabaseCommand) error {
-	if opts.Experimental.DBv6 {
-		return newDBDelete(opts)
-	}
-	return legacyDBDelete(opts)
-}
-
-func newDBDelete(opts options.DatabaseCommand) error {
 	client, err := distribution.NewClient(opts.ToClientConfig())
 	if err != nil {
 		return fmt.Errorf("unable to create distribution client: %w", err)
@@ -56,15 +48,3 @@ func newDBDelete(opts options.DatabaseCommand) error {
 
 	return stderrPrintLnf("Vulnerability database deleted")
 }
-
-func legacyDBDelete(opts options.DatabaseCommand) error {
-	dbCurator, err := legacyDistribution.NewCurator(opts.ToLegacyCuratorConfig())
-	if err != nil {
-		return err
-	}
-	if err := dbCurator.Delete(); err != nil {
-		return fmt.Errorf("unable to delete vulnerability database: %+v", err)
-	}
-
-	return stderrPrintLnf("Vulnerability database deleted")
-}