Anchore Open Source Weekly Report - Week 19, 2025

Anchore Open Source Weekly Report

This report covers the community activity in Anchore Open Source Projects from May 5, 2025 to May 9, 2025.

Executive Summary

This week marks significant progress across Anchore’s open source projects, with 21 issues and pull requests closed. The Anchore team resolved a longstanding race condition in Syft’s generic cataloger, fixed duplicate package entries for .NET applications, and removed several false positives in Grype. Community engagement remained strong, with key contributions including an upgrade of Syft’s base Docker image, improved error propagation in the file source provider, and continued work on the “deep-squashed” scanning scope, which improves layer attribution in container analysis.

Weekly Metrics

Metric                  Community   Staff   Total
Issues Closed                   7       5      12
Pull Requests Merged            5       4       9
Bug Fixes                       5       5      10
Enhancements                    6       3       9
Documentation Updates           0       0       0
Other                           1       1       2

Key Achievements

1. Fixed Race Condition in Syft’s Generic Cataloger

PR #3875 resolved a critical race condition in Syft’s generic cataloger that was causing segmentation faults during parallel operations. This issue, reported in #3872, was identified using Go’s race detector and addressed by properly coordinating access to shared error information. The fix enhances Syft’s stability during high concurrency operations, preventing crashes when scanning large files.

2. Improved .NET Package Consistency in Syft

PR #3869 addressed a critical issue where Syft would sometimes create duplicate packages when scanning .NET applications. The fix ensures consistent package identification by merging multiple targets for the same .NET package, improving SBOM accuracy and eliminating variations between consecutive scans of the same image. Community testing confirmed the fix eliminates non-deterministic SBOM generation that previously occurred with .NET applications.

3. Base Docker Image Upgrade Contribution

Community contributor bgoareguer submitted PR #3862, which upgraded Syft’s base Docker image to gcr.io/distroless/static-debian12. This enhancement improves security posture and performance for users running Syft in containerized environments, particularly in CI/CD pipelines. The change addresses the feature request in issue #3840.

4. Deep-Squashed Layer Analysis Contribution Merged

After months of community collaboration, PR #3138 from contributor tomersein was merged, introducing a powerful new “deep-squashed” scope option. This feature allows users to track exactly which layer a package was first added to in a container image while still focusing only on packages visible in the final layer. The enhancement helps users better understand their container lineage and more effectively troubleshoot vulnerabilities by identifying the exact build stage where vulnerable packages were introduced.
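The practical use of deep-squashed output is answering "which build step introduced this package?". The script below is an added example written for this report, not code from Syft or from the PR: it reads a Syft JSON document and groups packages by the index of the layer they were first found in. It assumes the JSON shape Syft uses for image sources (source.metadata.layers[].digest in build order, base layer first, and artifacts[].locations[].layerID), and it assumes that under the deep-squashed scope the layerID on a location is the layer that first added the package, so the earliest index wins when a package has several locations. The SBOM embedded in the script is constructed for illustration; the invocation implied by the feature description would be something like `syft <image> --scope deep-squashed -o json`, with the exact spelling of the scope value taken from the PR.

```python
import json
from collections import defaultdict

# Constructed sample (not real Syft output): a few packages in the shape of
# Syft's JSON format for an image source. Assumed fields are
# source.metadata.layers[].digest (build order, base first) and
# artifacts[].locations[].layerID; digests and package data are invented.
SAMPLE_SBOM = json.dumps({
    "source": {
        "type": "image",
        "metadata": {
            "userInput": "example.invalid/app:1.0",
            "layers": [
                {"mediaType": "application/vnd.oci.image.layer.v1.tar", "digest": "sha256:base0", "size": 1},
                {"mediaType": "application/vnd.oci.image.layer.v1.tar", "digest": "sha256:apt1", "size": 1},
                {"mediaType": "application/vnd.oci.image.layer.v1.tar", "digest": "sha256:app2", "size": 1},
            ],
        },
    },
    "artifacts": [
        {"name": "libc6", "version": "2.36-9", "type": "deb",
         "locations": [{"path": "/var/lib/dpkg/status", "layerID": "sha256:base0"}]},
        {"name": "curl", "version": "7.88.1-10", "type": "deb",
         "locations": [{"path": "/var/lib/dpkg/status", "layerID": "sha256:apt1"}]},
        # A package whose metadata file was rewritten in a later layer: the
        # earliest layer is the one that introduced it, so that is what we keep.
        {"name": "libssl3", "version": "3.0.11-1", "type": "deb",
         "locations": [{"path": "/var/lib/dpkg/status", "layerID": "sha256:app2"},
                       {"path": "/var/lib/dpkg/status", "layerID": "sha256:apt1"}]},
        {"name": "requests", "version": "2.31.0", "type": "python",
         "locations": [{"path": "/app/site-packages/requests-2.31.0.dist-info/METADATA",
                        "layerID": "sha256:app2"}]},
        # A location without a layerID (as for a directory scan) cannot be attributed.
        {"name": "stray", "version": "0.0.1", "type": "python",
         "locations": [{"path": "/tmp/x/METADATA"}]},
    ],
})


def layer_order(sbom: dict) -> dict:
    """Map each layer digest to its index in build order (0 = base layer)."""
    layers = sbom.get("source", {}).get("metadata", {}).get("layers", [])
    return {layer["digest"]: i for i, layer in enumerate(layers)}


def first_layer(artifact: dict, order: dict):
    """Index of the earliest layer any location of this package was found in, or None."""
    indexes = [order[loc["layerID"]] for loc in artifact.get("locations", [])
               if loc.get("layerID") in order]
    return min(indexes) if indexes else None


def packages_by_layer(sbom_text: str) -> dict:
    """Group 'name@version' strings by the index of the layer that introduced them."""
    sbom = json.loads(sbom_text)
    order = layer_order(sbom)
    grouped = defaultdict(list)
    for artifact in sbom.get("artifacts", []):
        idx = first_layer(artifact, order)
        if idx is None:
            continue  # not an image source, or a location with no layer attribution
        grouped[idx].append(f"{artifact['name']}@{artifact['version']}")
    return {idx: sorted(pkgs) for idx, pkgs in sorted(grouped.items())}


def report(sbom_text: str) -> str:
    """One line per layer; indexes follow build order (base first), the reverse
    of the newest-first listing that `docker history` prints."""
    sbom = json.loads(sbom_text)
    digests = [layer["digest"] for layer in sbom["source"]["metadata"]["layers"]]
    return "\n".join(f"layer {idx} ({digests[idx]}): {', '.join(pkgs)}"
                     for idx, pkgs in packages_by_layer(sbom_text).items())


if __name__ == "__main__":
    print(report(SAMPLE_SBOM))
```

Feed it a real deep-squashed SBOM by replacing SAMPLE_SBOM with the file contents; matching a layer index against the corresponding Dockerfile instruction then points at the RUN, COPY or base-image step that brought in a vulnerable package.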

5. Error Propagation Enhancement

PR #3845 from community contributor Rupikz improved error handling in Syft’s FileSourceProvider by properly propagating errors instead of just logging warnings. This enhancement addresses issue #3831 and enables better error visibility and handling in downstream systems that use Syft as a library, allowing for more robust integration of Syft into larger toolchains.

Community Contributions

The Anchore team continues to work closely with community contributors on several important initiatives:

  • bgoareguer provided an important Docker base image upgrade that enhances security and performance
  • tomersein’s work on deep-squashed image scanning was merged after months of collaboration and refinement
  • Rupikz contributed improvements to error propagation, enhancing Syft’s reliability as a library
  • VictorHuu and jneate offered contributions to Go binary analysis and package ID persistence respectively

Note: This report is based on issues and pull requests closed during May 5-9, 2025. Additional work is ongoing in open issues and pull requests not covered in this report.

Want to get involved? Visit anchore.com/opensource to learn how you can contribute to Anchore’s open source projects!