Anchore Open Source Weekly Report - Week 12, 2025

Anchore Open Source Weekly Report

This report covers the community activity in Anchore Open Source Projects from March 16, 2025 to March 21, 2025.

Executive Summary

The Anchore Open Source team had a productive week closing 23 issues and pull requests, with significant database improvements in Grype, including support for importing from URLs and matching distros without version specification.

Community engagement remained strong with 8 community-originated issues and PRs closed, notably progress on the Bitnami OSV schema support which will enhance vulnerability detection capabilities.

Weekly Metrics

Metric                 Community  Staff  Total
Issues Closed                  6      2      8
Pull Requests Merged           2     13     15
Bug Fixes                      5      5     10
Enhancements                   3      7     10
Documentation Updates          0      0      0
Other                          0      3      3

Key Achievements

1. Debian Archive Cataloger Added to Syft

PR #3704 adds a Debian archive (.deb) file cataloger to Syft, addressing a long-standing feature request (#3315). This enhancement allows users to directly analyze .deb files similarly to how RPM files were already supported, expanding Syft’s package analysis capabilities.

2. Grype Database Improvements

Several significant improvements were made to Grype’s database functionality:

  • PR #2534 added support for specifying distributions without versions, improving vulnerability matching capabilities
  • PR #2532 implemented the ability to import databases directly from URLs, addressing community request #2134
  • PR #2529 enhanced DB metadata regarding data provenance

3. Progress on Bitnami Vulnerability Provider

Significant progress was made on the Bitnami OSV schema support (PR #217), with active collaboration between the Anchore team and Bitnami contributors. This implementation will allow Grype to detect vulnerabilities in Bitnami packages, expanding coverage and improving security scanning capabilities.

4. Fix for Singularity Image Scanning Issue

Issue #3651 regarding runaway memory use when scanning Singularity images was resolved. The fix addressed an infinite loop in the JavaScript package.json parser when processing Singularity files, which was caused by an upstream bug in the squashfs library.

5. Dependency Management Improvements

Multiple PRs across the Anchore ecosystem (#3748, #2550, #391, #105) removed mitchellh dependencies, streamlining the codebase and updating dependency management.

Community Contributions

The Anchore team continues to collaborate with community contributors on several important initiatives:

  • Bitnami team members (Juan Ariza Toledano and team) made significant progress on OSV schema support for vulnerability detection
  • Matt Moore contributed a PR to set GGCR user agent in Stereoscope, improving container registry interactions
  • Ryan Hopkins’ GitLab cataloger PR received guidance from the Anchore team for implementation

Looking Forward

The team is focusing on improving database version support, expanding cataloger capabilities, and enhancing vulnerability detection across different package types. The collaboration with Bitnami is progressing well and will bring improved vulnerability detection for Bitnami packages in the near future.
Note: This report is based on issues and pull requests closed during March 14-21, 2025. Additional work is ongoing in open issues and pull requests not covered in this report.

Want to get involved? Visit anchore.com/opensource to learn how you can contribute to Anchore’s open source projects!