Anchore Open Source Weekly Report
This report covers the community activity in Anchore Open Source Projects from April 9, 2025 to April 11, 2025.
Executive Summary
The Anchore Open Source team had a productive week closing 23 issues and pull requests, with significant database improvements in Grype, including support for matching distributions without versions and importing databases directly from URLs. Community engagement remained strong with 8 community-originated issues and PRs closed, notably progress on the SARIF format support which enhances vulnerability reporting in CI/CD pipelines.
Weekly Metrics
| Metric | Community | Staff | Total |
|---|---|---|---|
| Issues Closed | 6 | 2 | 8 |
| Pull Requests Merged | 2 | 13 | 15 |
| Bug Fixes | 5 | 5 | 10 |
| Enhancements | 3 | 7 | 10 |
| Documentation Updates | 0 | 0 | 0 |
| Other | 0 | 3 | 3 |
Key Achievements
1. SARIF Result Level Support
PR #2571 from community contributor Borja Domínguez adds the SARIF result level field to Grype’s output. This enhancement improves compliance with the SARIF specification, making it easier to integrate Grype’s results with other tools that consume SARIF format. The implementation maps Grype’s severity levels (Unknown, Negligible, Low, Medium, High, Critical) to appropriate SARIF levels (note, warning, error), providing better classification of vulnerabilities in CI/CD pipelines.
2. Grype Database Improvements
Several significant improvements were made to Grype’s database functionality:
- PR #2591 added support for specifying distributions without versions, improving vulnerability matching capabilities
- PR #2590 implemented recovery from panics within matchers, increasing resilience
- PR #2589 fixed the severity field in the `db search vuln` command
3. Fixed Daily Database Update Issue
Issue #2593 regarding a missing Grype DB update was promptly identified and resolved. Community member Philip Roche reported that the daily vulnerability database update was missing, and the team quickly investigated and fixed the issue with PR #556, ensuring timely vulnerability data updates.
4. Resolved False Positives and Negatives
Multiple long-standing false positive and false negative issues were resolved, improving scanning accuracy:
- Issue #1693 regarding System.Data.SqlClient vulnerability detection was fixed
- Issue #1559 addressing CVE-2023-4863 detection in Ubuntu images was resolved
- Issue #1543 related to false positives in Guava package was fixed
- Issue #1405 concerning false positives for the Ruby gem webrick was addressed
5. Consistency Improvement for File Operations
Community contributor Joe Ton submitted PR #2579 to replace `os.ReadDir` with `afero.ReadDir` for consistency across the codebase. This improvement aims to standardize the file system operations used throughout the Anchore ecosystem, with the contributor offering to extend this change to other repositories where needed.
Note: This report is based on issues and pull requests closed during April 9-11, 2025. Additional work is ongoing in open issues and pull requests not covered in this report.
Want to get involved? Visit anchore.com/opensource to learn how you can contribute to Anchore’s open source projects!