Anchore Open Source Weekly Report
This report covers the community activity in Anchore Open Source Projects from March 9, 2025 to March 15, 2025.
Executive Summary
The Anchore Open Source team had a productive week closing 27 issues and pull requests, with significant improvements to Grype’s database functionality, including support for specifying distributions without version information and improved data source metadata. Community engagement was strong with 14 community-originated issues and PRs closed, notably the long-awaited Bitnami OSV schema support which enhances vulnerability detection capabilities across the ecosystem.
Weekly Metrics
Metric | Community | Staff | Total |
---|---|---|---|
Issues Closed | 8 | 1 | 9 |
Pull Requests Merged | 6 | 12 | 18 |
Bug Fixes | 8 | 3 | 11 |
Enhancements | 1 | 3 | 4 |
Documentation Updates | 0 | 0 | 0 |
Other | 5 | 7 | 12 |
Key Achievements
1. Bitnami Vulnerability Provider Integration
After over a year of collaboration, PR #512 from Juan Ariza Toledano adds Bitnami as a new provider to Anchore’s vulnerability database. This significant contribution enables Grype to detect vulnerabilities specific to Bitnami packages, expanding coverage and improving security scanning capabilities for users of Bitnami container images.
2. Grype Database Improvements
Several significant enhancements were made to Grype’s database functionality:
- PR #2516 added support for specifying distributions without versions, improving vulnerability matching capabilities
- PR #2523 improved vulnerability metadata by populating the DataSource field with reference URLs, enhancing traceability
3. Fix for Singularity Image Scanning Issue
PR #379 addressed a critical issue with Singularity image scanning by updating to the latest sylabs squashfs library (v1.0.5). This fix resolves memory issues and improves reliability when scanning Singularity container images.
4. Dart SDK Package Version Detection
A long-standing issue (#3158) regarding incorrect version detection for Dart SDK dependencies was resolved in PR #3572. This fix enables Syft to correctly identify and report versions for Flutter and other Dart SDK packages, improving SBOM accuracy for Dart/Flutter applications.
5. Performance Improvements
Multiple PRs focused on performance enhancements:
- PR #3730 refined the `containsPath` function to reduce memory allocation in Syft
- PR #382 improved glob search performance, enhancing scanning speed
Community Contributions
The Anchore team continues to collaborate with community contributors on several important initiatives:
- Juan Ariza Toledano and the Bitnami team completed support for OSV schema, enabling vulnerability detection for Bitnami packages
- Sven Gregori fixed Dart SDK package version detection, improving SBOM accuracy for Flutter applications
- Yoav Alon contributed performance improvements to reduce memory usage in Syft
- Dan Luhring fixed Java vulnerability detection to properly handle Maven search errors
Looking Forward
The team is focusing on expanding vulnerability detection coverage, improving performance, and enhancing the accuracy of package detection. The successful integration of the Bitnami provider represents significant progress in broadening vulnerability detection capabilities.
Note: This report is based on issues and pull requests closed during March 9-15, 2025. Additional work is ongoing in open issues and pull requests not covered in this report.
Want to get involved? Visit anchore.com/opensource to learn how you can contribute to Anchore’s open source projects!