From b202e3969f2ba89259ecc7a56626257c5cfaf590 Mon Sep 17 00:00:00 2001
From: RJ Sampson
Date: Thu, 13 Mar 2025 23:02:59 -0600
Subject: [PATCH] feat(scan/apk): Respect GRYPE_DB_MAX_ALLOWED_BUILT_AGE

There was about a one hour window of time where I couldn't scan Hadoop or gRPC while working through vulnerabilities without possibly building the database locally (because it hadn't been updated yet) so I took a quick look at how we handle this in wolfictl and found it deviates from the behavior in grype Similar to grype, respect GRYPE_DB_MAX_ALLOWED_BUILT_AGE so that users can set this to whatever their preferred duration is. Default to 24 hours

Signed-off-by: RJ Sampson
---
 pkg/scan/apk.go | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/pkg/scan/apk.go b/pkg/scan/apk.go
index b23a92e79..80641cea5 100644
--- a/pkg/scan/apk.go
+++ b/pkg/scan/apk.go
@@ -139,11 +139,23 @@ func NewScanner(opts Options) (*Scanner, error) {
 dbDestDir = DefaultGrypeDBDir
 }
 
+ // Default to 24 hours if GRYPE_DB_MAX_ALLOWED_BUILT_AGE is unset
+ maxAllowedBuiltAge := 24 * time.Hour
+
+ grypeMaxAllowedBuiltAge := os.Getenv("GRYPE_DB_MAX_ALLOWED_BUILT_AGE")
+ if grypeMaxAllowedBuiltAge != "" {
+ parseMaxAllowedBuiltAge, err := time.ParseDuration(grypeMaxAllowedBuiltAge)
+ if err != nil {
+ return nil, fmt.Errorf("could not parse GRYPE_DB_MAX_ALLOWED_BUILT_AGE: %w", err)
+ }
+ maxAllowedBuiltAge = parseMaxAllowedBuiltAge
+ }
+
 installCfg := installation.Config{
 DBRootDir: dbDestDir,
 ValidateChecksum: true,
 ValidateAge: !opts.DisableDatabaseAgeValidation,
- MaxAllowedBuiltAge: 24 * time.Hour,
+ MaxAllowedBuiltAge: maxAllowedBuiltAge,
 UpdateCheckMaxFrequency: 1 * time.Hour,
 }
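Review bot: The value parsed from GRYPE_DB_MAX_ALLOWED_BUILT_AGE is assigned to `maxAllowedBuiltAge` without a range check, and `time.ParseDuration` accepts zero and negative durations such as `-1h`. How `installation.Config` treats a non-positive `MaxAllowedBuiltAge` is not visible here, so I would reject it right after the parse: `if parseMaxAllowedBuiltAge <= 0 { return nil, fmt.Errorf("GRYPE_DB_MAX_ALLOWED_BUILT_AGE must be a positive duration, got %q", grypeMaxAllowedBuiltAge) }`. A large value inherited from the environment (for example in CI) also quietly lets scans run against an old vulnerability database, so it would help to log the effective limit whenever it differs from the 24-hour default. NewScanner starts and ends outside this hunk.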