Anchore Open Source Weekly Report - Week 10, 2025

Anchore Open Source Weekly Report

This report covers the community activity in Anchore Open Source Projects from March 2, 2025 to March 8, 2025.

Executive Summary

The Anchore Open Source community had a productive week, closing 12 issues and merging 23 pull requests, with significant contributions from both community members and staff. Community engagement was strong with 5 community-originated PRs merged and 11 issues resolved, including enhancements to GraalVM Native Image support and improved vulnerability remediation guidance. The staff team delivered several important improvements to Grype’s database functionality and fixed critical bugs in Syft’s package detection.

Weekly Metrics

Metric                  Community   Staff   Total
Issues Closed                  11       1      12
Pull Requests Merged            5      18      23
Bug Fixes                       5       3       8
Enhancements                    7       3      10
Documentation Updates           1       0       1
Other                           3      13      16

Key Achievements

1. GraalVM Native Image Support Enhancement

PR #3647 from community contributor Joel Rudsberg added support for extracting symbols from the .dynsym (dynamic symbol) section of GraalVM Native Image binaries. Newer Oracle GraalVM Native Image builds expose the embedded-SBOM symbols there, so Syft can now recover the SBOM from those binaries instead of failing to analyze them. This broadens coverage of Java applications built with this increasingly popular technology.

2. Vulnerability Fix Version Suggestion Improvement

PR #2271 from community contributor @tomersein added functionality to highlight the most appropriate fixed version when a vulnerability lists several fixes. This makes Grype's output more actionable by naming one recommended upgrade per vulnerability rather than a bare list of fixed versions. It is especially valuable for JVM vulnerabilities, where a single advisory typically carries one fix per maintained release line (for example 8, 11, 17 and 21) and only the fix on the installed release line is the realistic upgrade path.
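To make the selection rule concrete, here is an added example (not Grype's code, and not the logic of PR #2271) of how a scanner can pick one fix to recommend from a list of fixed versions: prefer the lowest fix newer than the installed version on the same major.minor line, then on the same major line, then the lowest newer fix overall. The dotted-numeric version type and the JVM-style fix list are assumptions made for this example; real JVM, distro and semver strings need a proper comparator.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Version is a minimal dotted numeric version such as 11.0.21 (example type;
// real version formats need a proper comparator).
type Version []int

// ParseVersion turns "v11.0.21" or "11.0.21" into Version{11, 0, 21}.
func ParseVersion(s string) (Version, error) {
	parts := strings.Split(strings.TrimPrefix(s, "v"), ".")
	v := make(Version, 0, len(parts))
	for _, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return nil, fmt.Errorf("bad version %q: %w", s, err)
		}
		v = append(v, n)
	}
	return v, nil
}

// at returns component i, treating missing trailing components as zero.
func (v Version) at(i int) int {
	if i < len(v) {
		return v[i]
	}
	return 0
}

// Compare returns -1, 0 or 1; because of at(), 11.0 == 11.0.0.
func (v Version) Compare(o Version) int {
	for i := 0; i < len(v) || i < len(o); i++ {
		switch a, b := v.at(i), o.at(i); {
		case a < b:
			return -1
		case a > b:
			return 1
		}
	}
	return 0
}

// sameLine reports whether the first depth components of a and b agree:
// depth 2 is the same major.minor line, depth 1 the same major line,
// depth 0 matches everything.
func sameLine(a, b Version, depth int) bool {
	for i := 0; i < depth; i++ {
		if a.at(i) != b.at(i) {
			return false
		}
	}
	return true
}

// SuggestFix chooses the fixed version to recommend for an installed version.
// Among fixes strictly newer than what is installed, the lowest one on the
// same major.minor line wins; failing that, the lowest on the same major
// line; failing that, the lowest newer fix overall. The bool is false when
// no listed fix is newer than the installed version (nothing to recommend).
func SuggestFix(installed string, fixes []string) (string, bool, error) {
	cur, err := ParseVersion(installed)
	if err != nil {
		return "", false, err
	}
	type cand struct {
		raw string
		v   Version
	}
	var newer []cand
	for _, f := range fixes {
		v, err := ParseVersion(f)
		if err != nil {
			return "", false, err
		}
		if v.Compare(cur) > 0 {
			newer = append(newer, cand{raw: f, v: v})
		}
	}
	if len(newer) == 0 {
		return "", false, nil
	}
	sort.Slice(newer, func(i, j int) bool { return newer[i].v.Compare(newer[j].v) < 0 })
	// Widen the notion of "release line" one step at a time. Depth 0 always
	// matches, so the loop returns before falling through.
	for depth := 2; depth >= 0; depth-- {
		for _, c := range newer {
			if sameLine(c.v, cur, depth) {
				return c.raw, true, nil
			}
		}
	}
	return "", false, nil
}

func main() {
	// Constructed fix list shaped like a JVM advisory with one fix per
	// maintained release line; not real advisory data.
	fixes := []string{"21.0.1", "8.0.392", "17.0.9", "11.0.21"}
	for _, inst := range []string{"11.0.20", "17.0.8", "11.0.21", "22.0.0"} {
		fix, ok, err := SuggestFix(inst, fixes)
		fmt.Printf("installed %-8s -> suggested %q (found=%v, err=%v)\n", inst, fix, ok, err)
	}
}
```

Note the two edge cases the rule has to handle: an installed version already at or past its line's fix (11.0.21 here), where the only honest suggestion is a jump to the next line, and an installed version newer than every listed fix (22.0.0), where the right output is "no fix to recommend" rather than the highest fix in the list.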

3. Grype Database Improvement

PR #2508 added support for reading vulnerability database listings from the local filesystem, giving Grype a way to work in air-gapped environments and with custom database sources. This addresses a long-standing user request (#2507) to run Grype offline against locally managed vulnerability databases.

4. Fluent Bit Binary Detection Enhancement

PR #3701 fixed the regular expression used to detect Fluent Bit binaries so that it also matches the version strings of development and release-candidate builds, which the previous pattern did not. This addresses a long-standing community request (#3133) to identify all variants of Fluent Bit, so those builds no longer go missing from the SBOM.
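The failure mode behind this kind of fix is worth seeing on input. The following is an added example, not Syft's classifier or the pattern changed in PR #3701: a narrow version regex beside a widened one, run over constructed banner strings. The suffix alternatives (dev, rc, beta) and the sample strings are assumptions for this example, not taken from real Fluent Bit builds.

```go
package main

import (
	"fmt"
	"regexp"
)

// Constructed version banners of the kind found in a binary's string table.
// Made up for this example; not taken from real Fluent Bit builds.
var samples = []string{
	"Fluent Bit v3.2.0",
	"Fluent Bit v3.2.1-dev",
	"Fluent Bit v4.0.0-rc1",
	"Fluent Bit v3.2",
}

// narrow accepts only X.Y.Z. For "v3.2.1-dev" it still matches and captures
// "3.2.1": the pre-release suffix is silently dropped and the dev build is
// reported as if it were the 3.2.1 release, which is the worse failure
// because vulnerability matching then runs against the wrong version.
var narrow = regexp.MustCompile(`Fluent Bit v(\d+\.\d+\.\d+)`)

// widened makes the patch component optional and carries an optional
// pre-release suffix into the capture group, so "3.2.1-dev" and "3.2.1"
// come out as different versions. The suffix list is an assumption for
// this example, not the project's pattern.
var widened = regexp.MustCompile(`Fluent Bit v(\d+\.\d+(?:\.\d+)?(?:-(?:dev|rc\d+|beta\d*))?)`)

// ExtractVersion returns the captured version from s, or "" when the
// pattern does not match at all.
func ExtractVersion(re *regexp.Regexp, s string) string {
	m := re.FindStringSubmatch(s)
	if m == nil {
		return ""
	}
	return m[1]
}

func main() {
	for _, s := range samples {
		fmt.Printf("%-24s narrow=%-10q widened=%q\n", s,
			ExtractVersion(narrow, s), ExtractVersion(widened, s))
	}
}
```

When reviewing a detection regex, check both kinds of miss: inputs that do not match at all (missing packages) and inputs that match a prefix and report a truncated version (wrong packages); the second is harder to notice because the SBOM still looks complete.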

5. Fix for JavaScript Package Processing Issue

PR #3700 resolved an issue in the JavaScript package cataloger where processing multiple package.json files could enter an infinite loop, observed as runaway memory consumption when scanning Singularity images. The fix removes the loop condition, so a scan of such an image now terminates instead of exhausting memory.

Community Contributions

The Anchore team continues to collaborate effectively with community contributors:

  • GraalVM Native Image support enhancement by Joel Rudsberg enables scanning of Oracle GraalVM Native Images with embedded SBOMs
  • Suggested version fix implementation by @tomersein improves vulnerability remediation guidance
  • URI validation fixes by Stef Graces ensure proper handling of download locations in SPDX documents
  • Documentation improvements to Grype DB by Patrick Smyth enhance the user experience

Looking Forward

The team is making significant progress on the Grype v6 database schema, which will provide improved vulnerability matching capabilities and performance. The KEV and EPSS integration (#2481) will improve vulnerability prioritization by exposing, alongside each match, whether the CVE is in CISA's Known Exploited Vulnerabilities catalog and its Exploit Prediction Scoring System (EPSS) probability, so that teams can rank findings by evidence of exploitation rather than by severity score alone.


Note: This report is based on issues and pull requests closed during March 2-8, 2025. Additional work is ongoing in open issues and pull requests not covered in this report.

Want to get involved? Visit anchore.com/opensource to learn how you can contribute to Anchore’s open source projects!