Customize your scan vulnerability database
Veracode downloads the Grype vulnerability database the first time the veracode scan command is run. Grype publishes a new database build daily; Veracode reuses the downloaded copy for subsequent scans until a newer build is available, then downloads it and replaces the older copy on the local system.
You can also host the database at a location of your choice and have the scan fetch it from there. If you do, keeping that copy current is your responsibility: a scan can only report vulnerabilities that are in the database it loads, so a stale or incomplete mirror silently produces incomplete results.
To host the Grype database yourself, follow these steps:
- Update Veracode CLI to version 2.41.0 or later.
- Download the latest.json file from https://grype.anchore.io/databases/v6/latest.json. Note that latest.json is a small listing file, not the database itself: it records the current build and names the archive file that holds the vulnerability data. Host that archive next to latest.json so the CLI can fetch both from the same location.
- Host the database on a port. For example, to serve the directory containing latest.json on port 8000 using Python, run:
  python3 -m http.server 8000
  Once hosted, latest.json is reachable from that port. For example, if you hosted the database on port 8000, you can access it at http://localhost:8000/latest.json. Any other HTTP server that serves the files works equally well.
- Set the environment variable VULNERABILITY_DB_ENDPOINT to the location of the hosted latest.json. For example, if you hosted the database on port 8000 on your local system, run:
  export VULNERABILITY_DB_ENDPOINT=http://localhost:8000/latest.json
- Run a container scan in debug mode and check that the output shows your endpoint. In this example, where the database is hosted on port 8000 on your local system, the output should include a log line such as:
  DBG grype db listing url url=http://localhost:8000
  The host and port in this line must match the value you set in VULNERABILITY_DB_ENDPOINT. If they show a different host, the variable is not visible to the process that runs the scan.
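The steps above leave two things to the reader: the archive that latest.json points at must be mirrored too, and the mirror must be kept fresh. The following POSIX shell script, added here as an example and not Veracode's or Grype's own tooling, mirrors the listing plus its archive, verifies the archive against the checksum recorded in the listing, and flags a mirror whose build date is older than a cutoff. It assumes the latest.json layout used by Grype v6 listings (top-level "built", "path" and "checksum" string fields, "path" relative to latest.json, checksum written as "sha256:<hex>"); confirm those field names against the file you download before relying on it.

```shell
#!/bin/sh
# Added example, not Veracode's or Grype's own code. Mirrors the Grype v6
# listing and the archive it references, verifies the archive, and detects
# a stale mirror. Assumed latest.json layout (verify against a real file):
#   "built": UTC timestamp, "path": archive name relative to latest.json,
#   "checksum": "sha256:<hex>".

UPSTREAM="https://grype.anchore.io/databases/v6"
MIRROR_DIR="${MIRROR_DIR:-./grype-db-mirror}"

# Pull one top-level string field out of a small JSON object. Sufficient
# for latest.json; this is not a general JSON parser.
json_field() {
    sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# Archive URL = base URL of the listing + the "path" field (a relative name).
archive_url() {
    printf '%s/%s\n' "${1%/}" "$(json_field "$2" path)"
}

# sha256 of a file, using whichever tool the host provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Succeeds only if the archive's sha256 equals the listing's "checksum".
# A mirror that serves an archive the listing does not describe is either
# broken or tampered with; either way the scan must not trust it.
verify_archive() {
    expected="$(json_field "$1" checksum)"
    expected="${expected#sha256:}"
    actual="$(sha256_of "$2")"
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Succeeds if the listing's build date (YYYY-MM-DD) is before the cutoff
# date. ISO dates sort correctly as strings, so no date arithmetic is needed.
listing_older_than() {
    built="$(json_field "$1" built | cut -c1-10)"
    [ -n "$built" ] && expr "$built" \< "$2" >/dev/null
}

# Fetch latest.json and the archive it names into MIRROR_DIR, then verify.
# Schedule this daily (cron, CI job) to match Grype's own publishing cadence.
mirror_db() {
    mkdir -p "$MIRROR_DIR"
    curl -fsSL "$UPSTREAM/latest.json" -o "$MIRROR_DIR/latest.json" || return 1
    name="$(json_field "$MIRROR_DIR/latest.json" path)"
    [ -n "$name" ] || return 1
    curl -fsSL "$(archive_url "$UPSTREAM" "$MIRROR_DIR/latest.json")" \
        -o "$MIRROR_DIR/$name" || return 1
    verify_archive "$MIRROR_DIR/latest.json" "$MIRROR_DIR/$name"
}

# Live usage, matching the steps on this page:
#   mirror_db && (cd "$MIRROR_DIR" && python3 -m http.server 8000) &
#   export VULNERABILITY_DB_ENDPOINT=http://localhost:8000/latest.json
#   listing_older_than "$MIRROR_DIR/latest.json" "$(date -u -d '7 days ago' +%F)" \
#       && echo "mirror is stale; rerun mirror_db"
```

The staleness check is deliberately separate from mirroring so it can run as a health check in the scan job itself: if the mirror job has been failing quietly, the scan should refuse to proceed on an old database rather than report a clean image. The checksum comparison relies on the checksum inside latest.json, so it only guards against a corrupted or mismatched archive; protecting latest.json itself in transit is a job for TLS on the mirror, which plain http://localhost does not provide once the mirror is shared across a network.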