Anchore Open Source Weekly Report
This report covers the community activity in Anchore Open Source Projects from April 29, 2025 to May 2, 2025.
Executive Summary
This week, the Anchore community tackled 15 issues and PRs, with notable improvements to license handling in Syft and Golang package namespace handling in Grype. Community contributors drove significant changes with enhancements such as improved detection of Erlang binaries in Alpine Linux and correct resolution of ancestral symlinks. The team also fixed a critical bug affecting Package URL (PURL) handling for Golang packages, ensuring proper vulnerability detection.
Weekly Metrics
| Metric | Community | Staff | Total |
|---|---|---|---|
| Issues Closed | 7 | 1 | 8 |
| Pull Requests Merged | 5 | 2 | 7 |
| Bug Fixes | 6 | 1 | 7 |
| Enhancements | 3 | 1 | 4 |
| Documentation Updates | 0 | 0 | 0 |
| Other | 3 | 1 | 4 |
Key Achievements
1. Full License String Preservation in SPDX Output (Syft)
PR #3844 addressed a community-requested feature to preserve full license strings in SPDX output rather than using hash-based identifiers. Previously, license strings exceeding 64 characters were converted to the LicenseRef-<hash> format, making it difficult for users to recover the original license information. This enhancement, which stems from community issue #3780, improves license transparency and makes license data more usable for downstream consumers.
2. Improved Golang Package Namespace Handling in Grype
PR #2586 from community contributor @goatwu1993, with additional work from staff, fixed a critical issue with Package URL (PURL) decoding for Golang packages. Previously, Grype was incorrectly extracting package names without their namespace, resulting in failed vulnerability detection for packages like k8s.io/ingress-nginx. The fix ensures that both namespace and name are properly used for Golang packages, significantly improving vulnerability detection capabilities for the Go ecosystem.
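To show why dropping the namespace breaks matching, here is an added example (not Grype's own decoder or data model): a small decoder for pkg:golang Package URLs that keeps namespace and name separately, plus a constructed advisory table keyed on the full module path. The function names, the lookup table and its advisory identifier are assumptions made for illustration; only the PURL layout and the k8s.io/ingress-nginx module path come from the report.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// GoPackage is the identity needed to match a Go module against an advisory:
// the full module path (namespace + name), not the final path segment alone.
type GoPackage struct {
	Namespace string // e.g. "k8s.io" or "github.com/anchore"; empty for stdlib
	Name      string // e.g. "ingress-nginx"
	Version   string // e.g. "v1.9.0"
}

// ModulePath joins namespace and name back into the Go module path.
func (p GoPackage) ModulePath() string {
	if p.Namespace == "" {
		return p.Name
	}
	return p.Namespace + "/" + p.Name
}

// ParseGoPURL decodes a pkg:golang Package URL (hypothetical helper, not Grype code).
// Layout: pkg:golang/<namespace segments...>/<name>@<version>?<qualifiers>#<subpath>
func ParseGoPURL(purl string) (GoPackage, error) {
	if !strings.HasPrefix(purl, "pkg:") {
		return GoPackage{}, errors.New("not a package URL")
	}
	rest := strings.TrimPrefix(purl, "pkg:")
	// Subpath and qualifiers play no part in identity here; strip them first.
	if i := strings.Index(rest, "#"); i >= 0 {
		rest = rest[:i]
	}
	if i := strings.Index(rest, "?"); i >= 0 {
		rest = rest[:i]
	}
	version := ""
	if i := strings.LastIndex(rest, "@"); i >= 0 {
		version = rest[i+1:]
		rest = rest[:i]
	}
	parts := strings.Split(strings.Trim(rest, "/"), "/")
	if parts[0] != "golang" {
		return GoPackage{}, fmt.Errorf("unsupported PURL type %q", parts[0])
	}
	// Each path segment is percent-encoded independently in a PURL.
	segs := make([]string, 0, len(parts)-1)
	for _, s := range parts[1:] {
		if s == "" {
			continue
		}
		d, err := url.PathUnescape(s)
		if err != nil {
			return GoPackage{}, err
		}
		segs = append(segs, d)
	}
	if len(segs) == 0 {
		return GoPackage{}, errors.New("golang PURL has no name")
	}
	v, err := url.PathUnescape(version)
	if err != nil {
		return GoPackage{}, err
	}
	return GoPackage{
		Namespace: strings.Join(segs[:len(segs)-1], "/"), // everything before the last segment
		Name:      segs[len(segs)-1],
		Version:   v,
	}, nil
}

// advisories is a constructed lookup table keyed on the full module path
// (sample data for this example, not a real advisory feed).
var advisories = map[string]string{
	"k8s.io/ingress-nginx": "EXAMPLE-ADVISORY-0001 (constructed)",
}

// LookupByModulePath is the corrected behaviour: key on namespace + name.
func LookupByModulePath(p GoPackage) (string, bool) {
	id, ok := advisories[p.ModulePath()]
	return id, ok
}

// LookupByNameOnly reproduces the failure mode: the namespace is dropped,
// so "ingress-nginx" never matches the "k8s.io/ingress-nginx" key.
func LookupByNameOnly(p GoPackage) (string, bool) {
	id, ok := advisories[p.Name]
	return id, ok
}

func main() {
	p, err := ParseGoPURL("pkg:golang/k8s.io/ingress-nginx@v1.9.0")
	if err != nil {
		panic(err)
	}
	_, nameOnly := LookupByNameOnly(p)
	_, full := LookupByModulePath(p)
	fmt.Printf("%s@%s name-only match=%v full-path match=%v\n", p.ModulePath(), p.Version, nameOnly, full)
}
```

Multi-segment namespaces such as github.com/anchore decode the same way, because every segment before the last is folded into Namespace; percent-encoded versions (for example `%2B` for `+`) are unescaped so that they compare equal to the form an advisory would carry.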
3. Enhanced Path Handling for Symlinks in Syft
Community contributor @VictorHuu provided PR #3783 to fix ancestral symlink resolution in Syft. This addresses issue #3614 where the directory indexer would fail when encountering symlinks within the path during scanning. The implementation correctly handles ancestor path relationships, allowing Syft to properly catalog content in directories accessed via symlinks, improving scan reliability in complex file systems.
4. Support for PHP PEAR Packages in Syft
After a year-long development cycle, PR #2775 from community contributor @LaurentGoderre was merged, adding support for PHP PEAR packages in Syft. This enhancement expands Syft’s ecosystem coverage to include this important PHP package manager, enabling more comprehensive software bill of materials (SBOM) generation for PHP projects.
5. Erlang Binary Detection Improvements in Alpine Linux
PR #3839 from community contributor @avodotiiets enhanced Syft’s ability to detect Erlang binaries in Alpine Linux environments. This fix improves package identification accuracy for Erlang/OTP applications in Alpine-based containers, addressing an edge case in package detection.
Note: This report is based on issues and pull requests closed during April 29 to May 2, 2025. Additional work is ongoing in open issues and pull requests not covered in this report.
Want to get involved? Visit anchore.com/opensource to learn how you can contribute to Anchore’s open source projects!