feat(scan/apk): Respect GRYPE_DB_MAX_ALLOWED_BUILT_AGE

There was about a one hour window of time where I couldn't scan Hadoop
or gRPC while working through vulnerabilities without possibly building
the database locally (because it hadn't been updated yet) so I took a
quick look at how we handle this in wolfictl and found it deviates from
the behavior in grype

Similar to grype, respect GRYPE_DB_MAX_ALLOWED_BUILT_AGE so that users
can set this to whatever their preferred duration is. Default to 24
hours

Signed-off-by: RJ Sampson <[email protected]>

Author: EyeCantCU

pkg/scan/apk.go

@@ -139,11 +139,23 @@ func NewScanner(opts Options) (*Scanner, error) {
 		dbDestDir = DefaultGrypeDBDir
 	}
 
+	// Default to 24 hours if GRYPE_DB_MAX_ALLOWED_BUILT_AGE is unset
+	maxAllowedBuiltAge := 24 * time.Hour
+
+	grypeMaxAllowedBuiltAge := os.Getenv("GRYPE_DB_MAX_ALLOWED_BUILT_AGE")
+	if grypeMaxAllowedBuiltAge != "" {
+		parseMaxAllowedBuiltAge, err := time.ParseDuration(grypeMaxAllowedBuiltAge)
+		if err != nil {
+			return nil, fmt.Errorf("could not parse GRYPE_DB_MAX_ALLOWED_BUILT_AGE: %w", err)
+		}
+		maxAllowedBuiltAge = parseMaxAllowedBuiltAge
+	}
+
 	installCfg := installation.Config{
 		DBRootDir:               dbDestDir,
 		ValidateChecksum:        true,
 		ValidateAge:             !opts.DisableDatabaseAgeValidation,
-		MaxAllowedBuiltAge:      24 * time.Hour,
+		MaxAllowedBuiltAge:      maxAllowedBuiltAge,
 		UpdateCheckMaxFrequency: 1 * time.Hour,
 	}