
feat: package db diff for v6 #3277

Open

kzantow wants to merge 2 commits into anchore:main from kzantow-anchore:feat/db-diff-v6

Conversation


@kzantow kzantow commented Mar 11, 2026

This PR adds a db diff command that implements package-based diffing between two Grype v6 databases.

The grype db diff <db1> <db2> command in this PR operates by comparing two grype databases from the perspective of "what changes have affected matching of specific packages" -- in other words: any data change that will result in a vulnerability being returned differently for a specific package should be returned as either an addition, modification, or removal. For example: if a vulnerability is added, it would be expected to show up in the added section, whereas if a vulnerability has had the version constraints modified, it would be considered modified, and similarly if a vulnerability for a specific package in a specific ecosystem / provider has been removed, it would show up in the removed section.

The output is currently defined in the db-diff schema, for example:

```json
{
  "schema": "anchore.io/schema/grype/db-diff/json/0.5.0/results",
  "databases": {
    "before": {
      "buildTimestamp": "2026-02-07T06:24:08Z",
      "modelVersion": "v6.1.4",
      "revision": 1,
      "checksum": "xxh64:a2fac5f546c7b9b7"
    },
    "after": {
      "buildTimestamp": "2026-02-09T06:37:39Z",
      "modelVersion": "v6.1.4",
      "revision": 1,
      "checksum": "xxh64:3ea413099fbdbe37"
    }
  },
  "packages": [
    {
      "ecosystem": "apk",
      "name": "cloudflared-fips",
      "vulnerabilities": {
        "added": [
          {
            "provider": "chainguard",
            "id": "CVE-2025-58063"
          }
        ]
      }
    },
    {
      "ecosystem": "apk",
      "name": "glibc-2.41",
      "vulnerabilities": {
        "modified": [
          {
            "provider": "secureos",
            "id": "CVE-2025-5702"
          },
...
```

In order to get reasonable performance, a series of temp tables and views are created in the "old" database. These can be written to the database directly using the environment variable GRYPE_DEV_DB_DEBUG=true for further investigation about the results.
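To make the added / modified / removed semantics described above concrete, here is an added example that is not code from this PR or from grype: it applies the same per-package classification to two small in-memory data sets and produces the `packages` shape of the db-diff output. The `Record` type, its field names, the sample version constraints and the `deb` entries are assumptions constructed for this example; grype's actual v6 schema differs, and the PR does this work with temp tables and views in SQLite rather than in memory. The example also handles one edge case a diff like this has to get right: a vulnerability that applies to several version ranges of the same package must count as modified when any range changes, but not when the same ranges are merely stored in a different order.

```go
package main

import (
	"sort"
	"strings"
)

// Record is a simplified stand-in for one "vulnerability affects package" row
// of a Grype v6 database; the field names are assumptions for this example.
type Record struct {
	Ecosystem, Package, Provider, ID string
	Constraint                       string // version range the vulnerability applies to
}

// VulnRef, VulnChanges and PackageDiff mirror the "packages" entries of the
// db-diff output shown in the PR description.
type VulnRef struct {
	Provider string `json:"provider"`
	ID       string `json:"id"`
}
type VulnChanges struct {
	Added    []VulnRef `json:"added,omitempty"`
	Modified []VulnRef `json:"modified,omitempty"`
	Removed  []VulnRef `json:"removed,omitempty"`
}
type PackageDiff struct {
	Ecosystem       string      `json:"ecosystem"`
	Name            string      `json:"name"`
	Vulnerabilities VulnChanges `json:"vulnerabilities"`
}

type pkgKey struct{ Ecosystem, Name string }
type recKey struct{ pkgKey; VulnRef }

// fingerprint collapses all rows for one (package, provider, id) into one
// comparable string: changing any version constraint counts as a modification,
// merely reordering the same constraints does not.
func fingerprint(records []Record) map[recKey]string {
	ranges := map[recKey][]string{}
	for _, r := range records {
		k := recKey{pkgKey{r.Ecosystem, r.Package}, VulnRef{r.Provider, r.ID}}
		ranges[k] = append(ranges[k], r.Constraint)
	}
	out := make(map[recKey]string, len(ranges))
	for k, cs := range ranges {
		sort.Strings(cs)
		out[k] = strings.Join(cs, "|")
	}
	return out
}

// Diff reports, per package, which vulnerabilities would match differently
// between the before and after data sets; unchanged packages get no entry.
func Diff(before, after []Record) []PackageDiff {
	old, cur := fingerprint(before), fingerprint(after)
	byPkg := map[pkgKey]*PackageDiff{}
	changes := func(k recKey) *VulnChanges { // lazily creates the package entry
		if byPkg[k.pkgKey] == nil {
			byPkg[k.pkgKey] = &PackageDiff{Ecosystem: k.Ecosystem, Name: k.Name}
		}
		return &byPkg[k.pkgKey].Vulnerabilities
	}
	for k, fp := range cur {
		if oldFP, existed := old[k]; !existed {
			c := changes(k)
			c.Added = append(c.Added, k.VulnRef)
		} else if oldFP != fp {
			c := changes(k)
			c.Modified = append(c.Modified, k.VulnRef)
		}
	}
	for k := range old {
		if _, still := cur[k]; !still {
			c := changes(k)
			c.Removed = append(c.Removed, k.VulnRef)
		}
	}
	// Map iteration order is random; sort so the report is deterministic.
	out := make([]PackageDiff, 0, len(byPkg))
	for _, d := range byPkg {
		for _, s := range [][]VulnRef{d.Vulnerabilities.Added, d.Vulnerabilities.Modified, d.Vulnerabilities.Removed} {
			sort.Slice(s, func(i, j int) bool { return s[i].Provider+"/"+s[i].ID < s[j].Provider+"/"+s[j].ID })
		}
		out = append(out, *d)
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Ecosystem+"/"+out[i].Name < out[j].Ecosystem+"/"+out[j].Name })
	return out
}

// Constructed sample data: the apk package names and CVE ids come from the PR
// description; the constraints and the deb entries are invented for this example.
var SampleBefore = []Record{
	{"apk", "glibc-2.41", "secureos", "CVE-2025-5702", "< 2.41-r1"},
	{"deb", "example-pkg", "example-provider", "CVE-0000-0001", "< 1.0"},
	{"deb", "unchanged-pkg", "example-provider", "CVE-0000-0002", "< 1.0"},
	{"deb", "unchanged-pkg", "example-provider", "CVE-0000-0002", ">= 2.0, < 2.1"},
}
var SampleAfter = []Record{
	{"apk", "cloudflared-fips", "chainguard", "CVE-2025-58063", "< 2025.8.1-r0"},
	{"apk", "glibc-2.41", "secureos", "CVE-2025-5702", "< 2.41-r2"}, // constraint changed
	{"deb", "unchanged-pkg", "example-provider", "CVE-0000-0002", ">= 2.0, < 2.1"},
	{"deb", "unchanged-pkg", "example-provider", "CVE-0000-0002", "< 1.0"},
}
```

`Diff(SampleBefore, SampleAfter)` yields three entries: `cloudflared-fips` with CVE-2025-58063 added, `glibc-2.41` with CVE-2025-5702 modified, and `example-pkg` with CVE-0000-0001 removed; `unchanged-pkg` is absent because its two constraints are identical in both sets and only reordered. Encoding the result with `encoding/json` produces the `packages` array in the shape shown above. The design choice worth noting is that the unit of comparison is the (package, provider, id) triple, not the vulnerability id alone: the same CVE reported by two providers for the same package is two independent rows, which is what the "ecosystem / provider" wording in the description implies.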

kzantow added 2 commits March 11, 2026 10:01
Signed-off-by: Keith Zantow <kzantow@gmail.com>
Signed-off-by: Keith Zantow <kzantow@gmail.com>