Anchore Open Source Weekly Report - Week 14, 2025

This report covers the community activity in Anchore Open Source Projects from March 31, 2025 to April 4, 2025.

Executive Summary

The Anchore Open Source team had a productive week, closing 17 issues and pull requests across its projects. A key focus was Python package license detection in Syft, which was expanded to identify unclaimed license files (license files present in a package but not referenced in its metadata). Community engagement remained strong, with 6 community-originated issues and PRs addressed, including significant progress on a new exit code for Grype’s --fail-on functionality.

Weekly Metrics

Metric                  Community  Staff  Total
Issues Closed                   4      1      5
Pull Requests Merged            2     10     12
Bug Fixes                       2      3      5
Enhancements                    4      7     11
Documentation Updates           0      0      0
Other                           0      1      1

Key Achievements

1. Enhanced Python License Detection in Syft

PR #3779 expanded Syft’s Python license scanning to cover unclaimed license files. This addresses a long-standing community issue (#2624): license files shipped inside a Python package but not referenced by its package metadata were not being detected. With this change, Syft detects and classifies such license files even when the metadata does not point to them, improving SBOM accuracy for Python projects.

2. Improved Fail-On Error Handling in Grype

Community contributor Alexandre Barone made significant progress with PR #2575, which gives Grype a distinct exit code (2) for --fail-on errors. A scan that fails because findings meet the --fail-on severity threshold can now be told apart from a scan that fails for other reasons, which makes it easier to integrate Grype into CI/CD pipelines with more nuanced error handling. This work builds on foundational changes to the Clio library’s error handling (PR #110).

3. GitHub Actions Integration in Vunnel

PR #807 added support for the GitHub Actions ecosystem within the GitHub provider. This enhancement allows for better integration with GitHub Actions workflows and improves vulnerability detection for GitHub Action-specific components, expanding Anchore’s coverage across development toolchains.

4. R Language Cataloging Enhancements

PR #3774 added directory tag support to the R cataloger in Syft. This improvement enhances Syft’s ability to accurately identify and catalog R language packages, addressing edge cases and improving SBOM completeness for R-based projects.

5. Grype Database Improvements

Several enhancements to Grype’s database functionality were implemented, including PR #552, which added an option to always publish databases under their schema directory, and PR #553, which added support for CVSS v4 vectors, improving vulnerability scoring accuracy.

Note: This report is based on issues and pull requests closed during March 31-April 4, 2025. Additional work is ongoing in open issues and pull requests not covered in this report.

Want to get involved? Visit anchore.com/opensource to learn how you can contribute to Anchore’s open source projects!