Grype can't update DB in docker volume (regression) #2517


Open
Bergstein opened this issue Mar 8, 2025 · 4 comments
Labels
bug Something isn't working good-first-issue Good for newcomers

Comments

@Bergstein

What happened:
grype db update doesn't work if the database is in a volume.
[0011] ERROR unable to update vulnerability database: unable to activate new vulnerability database: rename /tmp/grype-db-download2458041976 /tmp/grype/6: invalid cross-device link

What you expected to happen:
0.87.0 - works
0.88.0 - fails
0.89.0 - fails

How to reproduce it (as minimally and precisely as possible):
docker run --rm -it -e GRYPE_DB_CACHE_DIR=/tmp/grype --volume cache-grype:/tmp/grype anchore/grype:v0.87.0 db update - OK

docker run --rm -it -e GRYPE_DB_CACHE_DIR=/tmp/grype --volume cache-grype:/tmp/grype anchore/grype:v0.88.0 db update - NOT OK

docker run --rm -it -e GRYPE_DB_CACHE_DIR=/tmp/grype --volume cache-grype:/tmp/grype anchore/grype:v0.89.0 db update - NOT OK

docker run --rm -it anchore/grype:v0.89.0 db update - OK
docker run --rm -it anchore/grype:v0.88.0 db update - OK
docker run --rm -it anchore/grype:v0.87.0 db update - OK

Environment:

  • Image from dockerhub (and self-built too):
  • Ubuntu
@Bergstein Bergstein added the bug Something isn't working label Mar 8, 2025
@popey
Contributor

popey commented Mar 9, 2025

Thanks for the issue report @Bergstein

Confirmed here:

 docker run --rm -it -e GRYPE_DB_CACHE_DIR=/tmp/grype --volume cache-grype:/tmp/grype anchore/grype:v0.89.0 -vvv db update
[0000]  INFO grype version: 0.89.0
[0000] DEBUG config:
  log:
      quiet: false
      level: trace
      file: ""
  dev:
      profile: none
  db:
      cache-dir: /tmp/grype
      update-url: https://grype.anchore.io/databases
      ca-cert: ""
      auto-update: true
      validate-by-hash-on-start: true
      validate-age: true
      max-allowed-built-age: 120h0m0s
      require-update-check: true
      update-available-timeout: 30s
      update-download-timeout: 5m0s
      max-update-check-frequency: 2h0m0s
  exp: {}
  dev:
      db:
          debug: false
[0000] DEBUG checking for available database updates
[0000] DEBUG cannot find existing metadata, using update...
[0000] DEBUG database update available: DB(version=v6.0.2 built=2025-03-08T04:06:26Z)
[0000]  INFO downloading new vulnerability DB
[0012] DEBUG using writable DB statements path=/tmp/grype-db-download1167578756/vulnerability.db
[0012] DEBUG applying DB migrations path=/tmp/grype-db-download1167578756/vulnerability.db
[0019] TRACE captured DB digest digest=xxh64:97c65c2bbfbe66f6
[0019] DEBUG moved database directory to activate error=rename /tmp/grype-db-download1167578756 /tmp/grype/6: invalid cross-device link from=/tmp/grype-db-download1167578756 to=/tmp/grype/6
[0019] TRACE worker stopped component=eventloop
[0019] TRACE signal exit component=eventloop
[0019] ERROR unable to update vulnerability database: unable to activate new vulnerability database: rename /tmp/grype-db-download1167578756 /tmp/grype/6: invalid cross-device link

@kzantow
Contributor

kzantow commented Mar 9, 2025

It sounds like we should create the temp download directory in the GRYPE_DB_CACHE_DIR, although a quick scan through the code makes me think that was already the intention here. It looks like we should just not be using the filepath.Dir on this. This seems like a simple fix -- PRs are always welcome, if someone is able to get to this before I do!

@kzantow kzantow moved this to Ready in OSS Mar 9, 2025
@kzantow kzantow added the good-first-issue Good for newcomers label Mar 9, 2025
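The staging change kzantow describes, as an added Go example that is not Grype's own code: the download directory is created inside the cache directory (the path GRYPE_DB_CACHE_DIR points at) rather than under os.TempDir(), so the activating os.Rename never crosses a mount boundary. "invalid cross-device link" is how Linux renders EXDEV, so the example also shows how to detect that errno and fall back to a copy. The names stageDir, activate, copyTree and copyFile, and the placeholder vulnerability.db contents, are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"io/fs"
	"os"
	"path/filepath"
	"syscall"
)

// stageDir creates the download/staging directory inside cacheDir (the
// directory GRYPE_DB_CACHE_DIR would point at) instead of under os.TempDir().
// Staging dir and the final "6" dir then share one filesystem, so the
// activating os.Rename cannot fail with EXDEV, and a missing or read-only
// /tmp inside the container no longer matters either.
func stageDir(cacheDir string) (string, error) {
	if err := os.MkdirAll(cacheDir, 0o755); err != nil {
		return "", err
	}
	return os.MkdirTemp(cacheDir, "grype-db-download")
}

// activate swaps the staged directory into place with an atomic rename.
// If rename still fails with EXDEV (staging dir and destination on different
// mounts, e.g. container overlayfs vs. a Docker volume), it falls back to a
// recursive copy and removes the staging dir afterwards. The bool reports
// whether the non-atomic fallback was used.
func activate(staged, final string) (bool, error) {
	if err := os.RemoveAll(final); err != nil {
		return false, err
	}
	err := os.Rename(staged, final)
	if err == nil {
		return false, nil
	}
	// os.Rename returns *os.LinkError, which unwraps to the errno.
	if !errors.Is(err, syscall.EXDEV) {
		return false, err
	}
	if err := copyTree(staged, final); err != nil {
		return true, err
	}
	return true, os.RemoveAll(staged)
}

// copyTree recursively copies src to dst, preserving the directory layout.
func copyTree(src, dst string) error {
	return filepath.WalkDir(src, func(p string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		rel, err := filepath.Rel(src, p)
		if err != nil {
			return err
		}
		target := filepath.Join(dst, rel)
		if d.IsDir() {
			return os.MkdirAll(target, 0o755)
		}
		return copyFile(p, target)
	})
}

// copyFile copies one regular file, creating or truncating dst.
func copyFile(src, dst string) error {
	in, err := os.Open(src)
	if err != nil {
		return err
	}
	defer in.Close()
	out, err := os.OpenFile(dst, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0o644)
	if err != nil {
		return err
	}
	if _, err := io.Copy(out, in); err != nil {
		out.Close()
		return err
	}
	return out.Close()
}

func main() {
	cacheDir, err := os.MkdirTemp("", "grype-cache") // stands in for the mounted volume
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(cacheDir)
	staged, err := stageDir(cacheDir)
	if err != nil {
		panic(err)
	}
	// constructed placeholder for the downloaded vulnerability.db
	if err := os.WriteFile(filepath.Join(staged, "vulnerability.db"), []byte("sample"), 0o644); err != nil {
		panic(err)
	}
	fallback, err := activate(staged, filepath.Join(cacheDir, "6"))
	if err != nil {
		panic(err)
	}
	fmt.Println("activated", filepath.Join(cacheDir, "6"), "copy fallback used:", fallback)
}
```

The copy fallback exists only so a cross-device layout degrades gracefully; it is not atomic, so a concurrent scanner could observe a half-written database directory while it runs. Staging under the cache directory, as the comment above suggests, is the real fix, and it has the side benefit that a partially downloaded directory left behind by a failed run lands in the volume where the next update can remove it.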
@Maarc

Maarc commented Mar 14, 2025

Hi there,

I ran into the same issue as I tried to update Grype to its latest version.

In case anyone is interested, here is how I got it running again. I stopped using the "GRYPE_DB_CACHE_DIR" folder and used this trick:

docker run --name Grype anchore/grype:v0.89.1 db update
docker cp Grype:/.cache/grype/db/6 /MY_LOCAL_GRYPE_DB_CACHE_DIR/
docker rm Grype

@mirekphd

I confirm the regression. It appeared in a well-tested script scanning all latestml/ and previously mirekphd/ containers (including separate scans on their base images) for roughly 3 years now. In it the anchore/grype:latest container is run under a non-root user, but root requirement is unlikely to be the reason, as the database write error (if it is indeed the reason) occurs in the /tmp dir (writable by anybody):

17:47:59  [0000]  INFO grype version: 0.89.1
17:47:59  [0000]  INFO downloading new vulnerability DB
17:47:59  [0000]  WARN error updating db error=unable to update vulnerability database: unable to create db client temp dir: mkdir /tmp/grype-db-download1144497972: permission denied 
[..]
17:47:59  [0129] ERROR failed to load vulnerability db: database does not exist
17:47:59  
17:47:59  Value returned by the Grype script: 1
17:47:59  Command exited with non-zero status 1 

I also confirm that reverting to anchore/grype:v0.87.0 is the simplest effective workaround (but not a long-term solution - Grype would become a vulnerable Achilles' heel in such a setup:).

MatMoore added a commit to MatMoore/manage-breast-screening-django-spike that referenced this issue Mar 31, 2025
This is the newest version of Grype that doesn't have this bug:
anchore/grype#2517
Projects
Status: Ready
Development

No branches or pull requests

5 participants