Adding support for container-first distro: 0-deb

Hi Anchore team,

We at KoalaLab (https://www.koalalab.com) have built a container-first distro: 0-deb. The idea is to package upstream sources as per Debian standards, but with minimalism and containers in mind. We use this distro to create container images with precise SBOM control for our users.

Our users are now requesting integration with various scanners, and we have already tested grype’s integration with our security advisory in our development environment by making the required changes to vunnel, grype and grype-db.

However, there are a few things that aren’t super clear to us. Does anchore/grype rely on data from our security advisory to report a new vulnerability in our container images/packages? E.g. a new vulnerability, say CVE-2025-19876, is found in busybox 1.37.0, and the latest version of the busybox package in 0-deb is 1:1.37.0-6koala1. Will grype start reporting this vulnerability in our packages as soon as the NVD data is ingested into grype’s DB, or will it only report this CVE in the 0-deb package once we publish this data in our security advisory?

Right now, in our development environment, we are observing that unless it is part of our security advisory, grype isn’t mapping the package to the corresponding NVD CVEs.


Hi @abhishek! Today we have a few different matchers, as it sounds like you are aware, and each one is responsible for handling one or more package types. The result of this is that, for example, all deb-type packages are handled by the Debian matcher, which looks only for OS vulnerabilities and does not fall back to NVD. This is definitely a problem, and we plan on changing this as we move to a stable Grype 1.0 API, but today that’s how it works.

One thing we could probably do in the shorter term is just update the debian matcher to intelligently perform an NVD search in some scenarios as appropriate.
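To make the routing behaviour described in this answer concrete, here is a small added model (not Grype's own code, and not from the 0-deb project) that routes a package to a matcher by package type, applies a dpkg-style version comparison against a constructed distro advisory, and shows why a CVE present only in NVD is not reported for a deb package. The advisory and NVD records, the second CVE id and the `5koala1` revision are constructed for the example; the version comparison is a simplified subset of the dpkg algorithm.

```python
# Toy model of matcher routing: deb packages go to a distro matcher that
# consults only advisory data for that distro and never falls back to NVD.
import re
from dataclasses import dataclass

@dataclass
class Package:
    name: str
    version: str
    type: str    # e.g. "deb"
    distro: str  # e.g. "0-deb"

def split_version(v):
    """Split a dpkg-style version into (epoch, upstream, revision)."""
    epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
    upstream, _, revision = rest.rpartition("-")
    if not upstream:                      # no revision part present
        upstream, revision = revision, ""
    return int(epoch), upstream, revision

def _cmp_frag(a, b):
    """Compare digit runs numerically and non-digit runs lexically (simplified dpkg)."""
    ta, tb = re.findall(r"\d+|\D+", a), re.findall(r"\d+|\D+", b)
    for x, y in zip(ta, tb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return (int(x) > int(y)) - (int(x) < int(y))
        elif x != y:
            return (x > y) - (x < y)
    return (len(ta) > len(tb)) - (len(ta) < len(tb))

def dpkg_cmp(a, b):
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    return (ea > eb) - (ea < eb) or _cmp_frag(ua, ub) or _cmp_frag(ra, rb)

# Constructed records. CVE-2025-19876 is the hypothetical id from the question;
# CVE-EXAMPLE-0002 is a placeholder that exists only in the NVD record.
ADVISORY = {("0-deb", "busybox"): [("CVE-2025-19876", "1:1.37.0-6koala1")]}
NVD = {"busybox": [("CVE-2025-19876", "1.37.0"), ("CVE-EXAMPLE-0002", "1.37.0")]}

def debian_matcher(pkg):
    """Distro matcher: report advisory CVEs whose fixed version is newer than pkg."""
    return [cve for cve, fixed in ADVISORY.get((pkg.distro, pkg.name), [])
            if dpkg_cmp(pkg.version, fixed) < 0]

def stock_matcher(pkg):
    """Fallback for types without a dedicated matcher: NVD lookup by upstream version."""
    upstream = split_version(pkg.version)[1]
    return [cve for cve, affected in NVD.get(pkg.name, []) if affected == upstream]

MATCHERS = {"deb": debian_matcher}

def find_vulnerabilities(pkg):
    return sorted(set(MATCHERS.get(pkg.type, stock_matcher)(pkg)))
```

Running `find_vulnerabilities` on a `deb` busybox at `1:1.37.0-5koala1` yields only the advisory CVE, while the same upstream version routed through the stock matcher also surfaces the NVD-only entry.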

Hi @kzantow, thanks for your response. This is really helpful and explains the current scenario. We weren’t able to pinpoint the issue on the matcher and were trying to figure out where we were going wrong. We will watch out for the Grype 1.0 release.

Meanwhile, I will finish the 0-deb integration into Grype and raise PRs.