Merge pull request #1677 from hectorj2f/change_max_allowed_build_age

scan: make max db allowed build age configurable

Author: rawlingsj

docs/cmd/wolfictl_scan.md

@@ -94,18 +94,19 @@ wolfictl scan package1 package2 --remote
 ### Options
 
 ```
-  -a, --advisories-repo-dir string   directory containing the advisories repository
-  -f, --advisory-filter string       exclude vulnerability matches that are referenced from the specified set of advisories (resolved|all|concluded)
-      --build-log                    treat input as a package build log file (or a directory that contains a packages.log file)
-  -D, --disable-sbom-cache           don't use the SBOM cache
-      --distro string                distro to use during vulnerability matching (default "wolfi")
-  -h, --help                         help for scan
-      --local-file-grype-db string   import a local grype db file
-  -o, --output string                output format (outline|json), defaults to outline
-  -r, --remote                       treat input(s) as the name(s) of package(s) in the Wolfi package repository to download and scan the latest versions of
-      --require-zero                 exit 1 if any vulnerabilities are found
-  -s, --sbom                         treat input(s) as SBOM(s) of APK(s) instead of as actual APK(s)
-      --use-cpes                     turn on all CPE matching in Grype
+  -a, --advisories-repo-dir string       directory containing the advisories repository
+  -f, --advisory-filter string           exclude vulnerability matches that are referenced from the specified set of advisories (resolved|all|concluded)
+      --build-log                        treat input as a package build log file (or a directory that contains a packages.log file)
+  -D, --disable-sbom-cache               don't use the SBOM cache
+      --distro string                    distro to use during vulnerability matching (default "wolfi")
+  -h, --help                             help for scan
+      --local-file-grype-db string       import a local grype db file
+      --max-allowed-built-age duration   Max allowed age for vulnerability database, age being the time since it was built. Default max age is 120h (or five days) (default 120h0m0s)
+  -o, --output string                    output format (outline|json), defaults to outline
+  -r, --remote                           treat input(s) as the name(s) of package(s) in the Wolfi package repository to download and scan the latest versions of
+      --require-zero                     exit 1 if any vulnerabilities are found
+  -s, --sbom                             treat input(s) as SBOM(s) of APK(s) instead of as actual APK(s)
+      --use-cpes                         turn on all CPE matching in Grype
 ```
 
 ### Options inherited from parent commands

docs/man/man1/wolfictl-scan.1

@@ -134,6 +134,10 @@ found and the \-\-require\-zero flag is specified.
 \fB\-\-local\-file\-grype\-db\fP=""
     import a local grype db file
 
+.PP
+\fB\-\-max\-allowed\-built\-age\fP=120h0m0s
+    Max allowed age for vulnerability database, age being the time since it was built. Default max age is 120h (or five days)
+
 .PP
 \fB\-o\fP, \fB\-\-output\fP=""
     output format (outline|json), defaults to outline

go.mod

@@ -68,6 +68,7 @@ require (
 require (
 	github.com/anchore/go-logger v0.0.0-20250318195838-07ae343dd722
 	github.com/chainguard-dev/advisory-schema v0.37.12
+	github.com/hako/durafmt v0.0.0-20210608085754-5c1018a4e16b
 	github.com/spf13/afero v1.14.0
 )
 
@@ -206,7 +207,6 @@ require (
 	github.com/grpc-ecosystem/go-grpc-middleware v1.4.0 // indirect
 	github.com/grpc-ecosystem/go-grpc-prometheus v1.2.1-0.20210315223345-82c243799c99 // indirect
 	github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.3 // indirect
-	github.com/hako/durafmt v0.0.0-20210608085754-5c1018a4e16b // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
 	github.com/hashicorp/go-getter v1.7.8 // indirect

pkg/cli/scan.go

@@ -14,6 +14,7 @@ import (
 	"sort"
 	"strings"
 	"sync"
+	"time"
 
 	"chainguard.dev/apko/pkg/apk/apk"
 	"chainguard.dev/apko/pkg/apk/auth"
@@ -235,6 +236,9 @@ func scanEverything(ctx context.Context, p *scanParams, inputs []string, advGett
 	opts := scan.DefaultOptions
 	opts.UseCPEs = p.useCPEMatching
 	opts.PathOfDatabaseArchiveToImport = p.localDBFilePath
+	if p.dbMaxAllowedBuildAge > 0 {
+		opts.MaxAllowedBuildAge = p.dbMaxAllowedBuildAge
+	}
 
 	// Immediately start a goroutine, so we can initialize the vulnerability database.
 	// Once that's finished, we will start to pull sboms off of done as they become ready.
@@ -338,6 +342,7 @@ type scanParams struct {
 	disableSBOMCache     bool
 	remoteScanning       bool
 	useCPEMatching       bool
+	dbMaxAllowedBuildAge time.Duration
 }
 
 func (p *scanParams) addFlagsTo(cmd *cobra.Command) {
@@ -352,6 +357,7 @@ func (p *scanParams) addFlagsTo(cmd *cobra.Command) {
 	cmd.Flags().BoolVarP(&p.disableSBOMCache, "disable-sbom-cache", "D", false, "don't use the SBOM cache")
 	cmd.Flags().BoolVarP(&p.remoteScanning, "remote", "r", false, "treat input(s) as the name(s) of package(s) in the Wolfi package repository to download and scan the latest versions of")
 	cmd.Flags().BoolVar(&p.useCPEMatching, "use-cpes", false, "turn on all CPE matching in Grype")
+	cmd.Flags().DurationVar(&p.dbMaxAllowedBuildAge, "max-allowed-built-age", 120*time.Hour, "Max allowed age for vulnerability database, age being the time since it was built. Default max age is 120h (or five days)")
 }
 
 func (p *scanParams) resolveInputsToScan(ctx context.Context, args []string) (inputs []string, cleanup func() error, err error) {

pkg/scan/apk.go

@@ -37,13 +37,16 @@ import (
 	sbomSyft "github.com/anchore/syft/syft/sbom"
 	"github.com/chainguard-dev/clog"
 	"github.com/charmbracelet/log"
+	"github.com/hako/durafmt"
 	"github.com/spf13/afero"
 	anchorelogger "github.com/wolfi-dev/wolfictl/pkg/anchorelog"
 	"github.com/wolfi-dev/wolfictl/pkg/sbom"
 )
 
 const (
 	mavenSearchBaseURL = "https://search.maven.org/solrsearch/select"
+
+	maxRecommendedBuildAge = 48 * time.Hour
 )
 
 var DefaultGrypeDBDir = path.Join(xdg.CacheHome, "wolfictl", "grype", "db")
@@ -166,14 +169,23 @@ type Options struct {
 	// except for testing purposes.
 	DisableDatabaseAgeValidation bool
 
+	// MaxAllowedBuildAge defines the maximum allowed age for the vulnerability database.
+	// If the database is older than this duration, it will be considered invalid unless
+	// DisableDatabaseAgeValidation is set to true. If not specified, the default value
+	// of 48 hours will be used.
+	MaxAllowedBuildAge time.Duration
+
 	// DisableSBOMCache controls whether the scanner will cache SBOMs generated from
 	// APKs. If true, the scanner will not cache SBOMs or use existing cached SBOMs.
 	DisableSBOMCache bool
 }
 
 // DefaultOptions is the recommended default configuration for a new Scanner.
 // These options are suitable for most use scanning cases.
-var DefaultOptions = Options{}
+var DefaultOptions = Options{
+	// TODO(hectorj2f): This is a temporary change to 120h, ideally we recommend to set that maximum built age to 48h.
+	MaxAllowedBuildAge: 120 * time.Hour,
+}
 
 // NewScanner initializes the grype DB for reuse across multiple scans.
 func NewScanner(opts Options) (*Scanner, error) {
@@ -182,11 +194,16 @@ func NewScanner(opts Options) (*Scanner, error) {
 		dbDestDir = DefaultGrypeDBDir
 	}
 
+	maxAllowedBuildAge := opts.MaxAllowedBuildAge
+	if maxAllowedBuildAge == 0 {
+		maxAllowedBuildAge = 120 * time.Hour
+	}
+
 	installCfg := installation.Config{
 		DBRootDir:               dbDestDir,
 		ValidateChecksum:        true,
 		ValidateAge:             !opts.DisableDatabaseAgeValidation,
-		MaxAllowedBuiltAge:      48 * time.Hour,
+		MaxAllowedBuiltAge:      maxAllowedBuildAge,
 		UpdateCheckMaxFrequency: 1 * time.Hour,
 	}
 
@@ -230,6 +247,14 @@ func NewScanner(opts Options) (*Scanner, error) {
 		return nil, fmt.Errorf("failed to load vulnerability database: %w", err)
 	}
 
+	// built time is defined in UTC,
+	// we should compare it against UTC
+	now := time.Now().UTC()
+	age := now.Sub(dbStatus.Built)
+	if age > maxRecommendedBuildAge {
+		fmt.Fprintf(os.Stdout, "WARNING: the vulnerability database was built %s ago (max allowed age is %s but the recommended value is %s)\n", durafmt.ParseShort(age), durafmt.ParseShort(maxAllowedBuildAge), durafmt.ParseShort(maxRecommendedBuildAge))
+	}
+
 	if checksum == "" {
 		metadata, err := v6.ReadImportMetadata(afero.NewOsFs(), filepath.Dir(dbStatus.Path))
 		if err != nil {