Anchore Open Source Weekly Report
This report covers the community activity in Anchore Open Source Projects from March 23, 2025 to March 29, 2025.
Executive Summary
The Anchore Open Source team had a productive week, resolving a total of 25 issues and pull requests across various projects. Significant improvements were made to .NET ecosystem support in Syft with the merging of the deps.json and PE binary catalogers, which addresses long-standing package identification issues. Community engagement continued to be strong with multiple community members contributing to discussions around .NET package identification and helping to test parallelized file hashing improvements.
Weekly Metrics
Metric | Community | Staff | Total |
---|---|---|---|
Issues Closed | 7 | 4 | 11 |
Pull Requests Merged | 1 | 13 | 14 |
Bug Fixes | 6 | 5 | 11 |
Enhancements | 1 | 9 | 10 |
Documentation Updates | 0 | 0 | 0 |
Other | 1 | 3 | 4 |
Key Achievements
1. Merged .NET deps.json and PE Binary Catalogers
PR #3563 merges the .NET deps.json and PE binary catalogers, addressing a long-standing need to improve package identification in the .NET ecosystem. This enhancement ensures that deps.json information is prioritized over binary information, reducing duplicate package entries and improving accuracy. The PR also introduces new configuration options to control how deps.json packages are included based on associated DLLs, enabling more accurate vulnerability scanning of .NET applications.
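To make the "control how deps.json packages are included based on associated DLLs" point concrete, here is an added configuration example; it is not taken from the PR or from Anchore's documentation. The option names under `dotnet:` reflect my understanding of the Syft cataloger configuration after this merge and are an assumption, as are the semantics in the comments: confirm them against the output of `syft config`, which prints the full configuration with its defaults, before relying on them.

```yaml
# Added example .syft.yaml (not part of the report or the project).
# Every key under dotnet below is an assumed name; verify with `syft config`.
dotnet:
  # Assumed: only keep a deps.json package when at least one DLL it
  # references actually exists in the scanned image or directory.
  dep-packages-must-have-dll: false
  # Assumed: only keep a deps.json package when the PE binary cataloger
  # found a DLL claiming that package name and version; this is the
  # setting that suppresses declared-but-never-shipped packages.
  dep-packages-must-claim-dll: true
  # Assumed: if a dependency's DLL is present, treat the packages that
  # depend on it as present too, so parent entries are not dropped.
  propagate-dll-claims-to-parents: true
  # Assumed: single-file publishes bundle DLLs where the PE cataloger
  # cannot see them; relax the DLL requirement so the SBOM is not emptied.
  relax-dll-claims-when-bundling-detected: true
```

The trade-off to keep in mind when tuning these: requiring DLL evidence removes packages that deps.json declares but the deployed application never ships (fewer false-positive vulnerability matches in Grype), while relaxing it keeps packages whose DLLs are invisible to the binary cataloger (fewer missed matches). Check the SBOM diff before and after a change on a representative image rather than assuming one direction is always safer.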
2. Better .NET Runtime Package Representation
PRs #3768 and #3764 improve how .NET runtime packages are represented and enhance CPE generation for .NET packages. These changes address several community-reported issues (#3282, #2347) regarding incorrect package identification and version information in .NET applications, particularly for runtime components.
3. Database Improvements for Grype
Several PRs (#547, #546, #544) enhanced Grype’s database functionality, including improved CPE part handling and NVD node configuration parsing. PR #2556 also improved detection of Alpine:edge and Debian:sid distributions using a data-driven approach, enhancing vulnerability matching accuracy.
4. Vunnel Enhancements for RHEL Provider
PRs #804 and #802 added functionality to skip downloads in the RHEL vulnerability provider, which can significantly improve performance when only metadata updates are needed. This enhancement offers more flexibility in how vulnerability data is processed and updated.
5. Community Collaboration on .NET Ecosystem Issues
Several community-reported issues regarding .NET package identification (#3707, #3282, #2697, #2347) were addressed through the cataloger merger and related improvements. Community members provided valuable insights into PE file analysis and .NET package structure, contributing to a better understanding of the complex .NET ecosystem and leading to more accurate SBOM generation.
Community Contributions
The Anchore team continues to collaborate with community contributors on several important initiatives:
- Community members provided detailed feedback on .NET package identification issues, sharing important insights about PE file analysis and package versioning
- Community testing confirmed significant performance improvements from PR #3636, which implements parallel file hashing
- Community-reported issues with dotnet-deps-cataloger handling of ASP.NET 6.0 were addressed through the cataloger merger
Note: This report is based on issues and pull requests closed during March 23-29, 2025. Additional work is ongoing in open issues and pull requests not covered in this report.
Want to get involved? Visit anchore.com/opensource to learn how you can contribute to Anchore’s open source projects!