Labels: enhancement (New feature or request), good-first-issue (Good for newcomers)
Description
What happened: While running CI tests, got problems when the database check ran:
go run ../../main.go ubuntu:latest -vv -o cyclonedx > bom.xml
[0000] DEBUG Application config:
configpath: ""
presenteropt: 3
output: cyclonedx
scopeopt: Squashed
scope: Squashed
quiet: false
log:
  structured: false
  levelopt: debug
  level: ""
  filelocation: ""
clioptions:
  configpath: ""
  verbosity: 2
db:
  dir: /home/runner/.cache/grype/db
  updateurl: https://toolbox-data.anchore.io/grype/databases/listing.json
  autoupdate: true
  validatebyhashonstart: false
dev:
  profilecpu: false
checkforappupdate: true
failon: ""
failonseverity: null
[0000] DEBUG No new grype update available
[0000] DEBUG gathering packages
[0000] DEBUG image: source=DockerDaemon location=ubuntu:latest from-lib=stereoscope
[0000] DEBUG loading DB
[0000] DEBUG checking for available database updates
[0000] DEBUG pulling docker image="ubuntu:latest" from-lib=stereoscope
[0000] DEBUG using docker config="/home/runner/.docker/config.json" from-lib=stereoscope
[0000] DEBUG using docker credentials for "index.docker.io" from-lib=stereoscope
[0000] INFO unable to check for vulnerability database update
[0000] DEBUG check for vulnerability update failed: no db candidates with correct version available (maybe there is an application update available?)
[0000] ERROR failed to load vulnerability db: vulnerability database is corrupt (run db update to correct): database metadata not found: /home/runner/.cache/grype/db
exit status 1
What you expected to happen:
It seems that the error involves several different problems, not sure which one is to blame for the underlying issue. This is a list of things (depending on what the problem is) I would expect:
- If grype is "unable to check for vulnerability database update" then this must be an error, not an INFO level entry.
- If the update fails, this should also be an ERROR level message, not DEBUG.
- If there are "no db candidates with correct version available" I would expect information as to what is "the correct version"
- I would prefer removing open questions that a user (myself) can't answer: "maybe there is an application update available?" doesn't help me understand what is going on. What does "application update" mean in this case? Actionable messages or clarifying notifications would be better
- It doesn't seem like the database is corrupt because the error message is "metadata not found". Which one is it? Is it metadata not found or database corrupt?
How to reproduce it (as minimally and precisely as possible):
Re-running the GitHub action for the unit tests resolved this, can't really see how to reproduce it.
Anything else we need to know?:
This was hit while trying to get a GitHub workflow running for the v2-schema branch that is bumping the new schema version (2).
Environment:
- Output of grype version:
- OS (e.g: cat /etc/os-release or similar):
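An added example, not part of the original report and not grype's own code: one way to keep the two failures in the log above distinct, so that "no candidate" names the schema version required and a missing metadata file is never reported as corruption, with both printed at ERROR. The sentinel errors, function names, listing shape and the `metadata.json` file name are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"sort"
)

// Hypothetical sentinel errors (not grype's real types): one per distinct failure.
var (
	ErrNoCandidate     = errors.New("no database candidate for this schema version")
	ErrMetadataMissing = errors.New("database metadata not found")
)

// pickCandidate returns the download URL for the schema version this binary
// supports. listing maps schema version to URL (constructed shape).
func pickCandidate(listing map[int]string, want int) (string, error) {
	if url, ok := listing[want]; ok {
		return url, nil
	}
	have := make([]int, 0, len(listing))
	for v := range listing {
		have = append(have, v)
	}
	sort.Ints(have)
	return "", fmt.Errorf("%w: need schema v%d, listing offers %v", ErrNoCandidate, want, have)
}

// checkLocal reports a missing metadata file as "missing", never as "corrupt".
// The file name metadata.json is an assumption for this example.
func checkLocal(dir string) error {
	if _, err := os.Stat(filepath.Join(dir, "metadata.json")); errors.Is(err, os.ErrNotExist) {
		return fmt.Errorf("%w in %s", ErrMetadataMissing, dir)
	} else if err != nil {
		return err
	}
	return nil
}

func main() {
	// Constructed listing that only offers schema v1 while the binary needs v2.
	_, err := pickCandidate(map[int]string{1: "https://example.invalid/v1.tar.gz"}, 2)
	fmt.Println("ERROR", err)
	fmt.Println("ERROR", checkLocal(filepath.Join(os.TempDir(), "no-such-db-dir")))
}
```

Callers can branch with `errors.Is` to decide whether to suggest upgrading the application or running a database update.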