Anchore Open Source Weekly Report
This report covers the community activity in Anchore Open Source Projects from April 21, 2025 to April 25, 2025.
Executive Summary
This week saw substantial contributions to the Anchore ecosystem with 18 issues and pull requests resolved across various projects. The team delivered significant enhancements to Syft’s .NET cataloging capabilities, including improved detection of JavaScript assets in .NET projects and better handling of dependencies. Notable community contributions came from VictorHuu, who fixed several regex patterns, and adammcclenaghan, who implemented performance improvements. A new Grype release (v0.91.2) was also shipped to address critical vulnerability detection issues.
Weekly Metrics
| Metric | Community | Staff | Total |
|---|---|---|---|
| Issues Closed | 7 | 1 | 8 |
| Pull Requests Merged | 8 | 2 | 10 |
| Bug Fixes | 9 | 2 | 11 |
| Enhancements | 5 | 1 | 6 |
| Documentation Updates | 0 | 1 | 1 |
| Other | 1 | 0 | 1 |
Key Achievements
1. Enhanced .NET Cataloging Capabilities in Syft
Multiple PRs (#3821, #3822, #3825) improved .NET package detection, with significant enhancements for handling dependencies from deps.json files. PR #3825 particularly added support for detecting JavaScript assets in .NET projects using libman, expanding Syft’s ecosystem coverage. These improvements ensure more accurate identification of dependencies in complex .NET applications.
2. Critical Bug Fix for Grype Vulnerability Detection
PR #2610 addressed a significant issue where Grype stopped reporting certain vulnerabilities after v0.87.0. This fix, which uses package language to search when type is unknown, was shipped in the v0.91.2 release. The community actively helped test and validate this fix, which restores Grype’s ability to detect important vulnerabilities like those in Newtonsoft.Json and Npgsql packages.
3. Added Support for Chrome Binary Detection
After nearly 8 months of work, PR #3136 from community contributor lem-onade was merged, adding support for Chrome binary detection in Syft. This enhancement addresses a long-standing community request (#3174) and allows Syft to identify Chrome binaries installed by various means, including through Puppeteer, improving SBOM completeness for web-related projects.
4. Performance Improvements for SBOM Generation
Community contributor adammcclenaghan delivered several performance-focused improvements, including PR #3795 which adds support for skipping archive extraction with file sources, and PR #3796 which improves performance by allowing optional skipping of license scanning. These enhancements significantly reduce processing time for large scans where full license information isn’t required.
5. Improved File Matching and Pattern Recognition
Community contributor VictorHuu provided several fixes (#3820, #3817, #3757) to enhance file matching and regex pattern detection. These fixes improve Syft’s ability to detect various software versions, including golang tip images and fluent-bit, by making the file resolver support prefix matching of files and adjusting regex detection patterns.
Note: This report is based on issues and pull requests closed during April 21-25, 2025. Additional work is ongoing in open issues and pull requests not covered in this report.
Want to get involved? Visit anchore.com/opensource to learn how you can contribute to Anchore’s open source projects!