Anchore Open Source Weekly Report - Week 20, 2025

This report covers the community activity in Anchore Open Source Projects from May 13, 2025 to May 17, 2025.

Executive Summary

The Anchore ecosystem saw significant progress this week with 28 issues and pull requests closed across the project portfolio. A major improvement to package location data landed in Syft, allowing users to accurately track the layers where packages first appeared in container images.

Community engagement remained strong with multiple contributions, including a fix for OpenJDK detection when using file sources and progress on several long-standing pull requests such as the Redis PECL cataloger and Dart package support.

Weekly Metrics

Metric                 Community  Staff  Total
Issues Closed                  6      5     11
Pull Requests Merged           6     11     17
Bug Fixes                      8      7     15
Enhancements                   3      4      7
Documentation Updates          1      0      1
Other                          0      5      5

Key Achievements

1. Improved Container Layer Attribution in Syft

PR #3858 implemented a significant enhancement to order package locations by container layer, fulfilling a long-standing feature request from 2021. This improvement allows users to identify exactly which layer a package was first introduced in, making it easier to understand container lineage and optimize Dockerfiles by identifying where vulnerable packages enter the build process.
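The idea behind ordering locations by layer, shown as an added example that is not Syft's code from PR #3858: each piece of evidence for a package carries the index of the image layer it was read from, the locations are sorted by that index (a digest alone carries no ordering), and the first entry names the layer that introduced the package. The `Location`, `Package`, `LayerReport` names and the sample data are assumptions constructed for this illustration.

```go
package main

import (
	"fmt"
	"sort"
)

// Location is a constructed stand-in for one place a package's evidence was
// found: the file path and the index of the image layer (0 = base layer) the
// file was read from. Not Syft's own types.
type Location struct {
	Path       string
	LayerIndex int
	LayerID    string
}

// Package is a constructed stand-in for a catalogued package with every
// location where evidence for it was seen.
type Package struct {
	Name, Version string
	Locations     []Location
}

// OrderLocationsByLayer returns the locations sorted by the layer they came
// from, lowest (earliest) layer first, with path as a tie-breaker so the order
// is deterministic. Sorting by layer index rather than by layer digest is the
// point: digests carry no ordering information.
func OrderLocationsByLayer(p Package) []Location {
	out := append([]Location(nil), p.Locations...)
	sort.SliceStable(out, func(i, j int) bool {
		if out[i].LayerIndex != out[j].LayerIndex {
			return out[i].LayerIndex < out[j].LayerIndex
		}
		return out[i].Path < out[j].Path
	})
	return out
}

// IntroducedIn reports the layer in which the package first appeared: the
// layer of the first entry in the ordered location list.
func IntroducedIn(p Package) (Location, bool) {
	ordered := OrderLocationsByLayer(p)
	if len(ordered) == 0 {
		return Location{}, false // no evidence at all, cannot attribute
	}
	return ordered[0], true
}

// LayerReport groups packages by the layer that introduced them, which is the
// view needed to find the Dockerfile instruction that pulled in a package.
func LayerReport(pkgs []Package) map[string][]string {
	report := map[string][]string{}
	for _, p := range pkgs {
		if loc, ok := IntroducedIn(p); ok {
			report[loc.LayerID] = append(report[loc.LayerID], p.Name+"@"+p.Version)
		}
	}
	for _, names := range report {
		sort.Strings(names)
	}
	return report
}

// SamplePackages is constructed data: curl's dpkg status entry is seen in
// layer 1 and again in layer 3 (the status file was rewritten by a later
// install), so layer 1 must win; myapp only exists in layer 3.
func SamplePackages() []Package {
	return []Package{
		{Name: "curl", Version: "7.88.1-10", Locations: []Location{
			{Path: "/var/lib/dpkg/status", LayerIndex: 3, LayerID: "sha256:layer3"},
			{Path: "/var/lib/dpkg/status", LayerIndex: 1, LayerID: "sha256:layer1"},
			{Path: "/usr/bin/curl", LayerIndex: 1, LayerID: "sha256:layer1"},
		}},
		{Name: "myapp", Version: "2.0.0", Locations: []Location{
			{Path: "/app/myapp", LayerIndex: 3, LayerID: "sha256:layer3"},
		}},
		{Name: "orphan", Version: "0.1"}, // no locations: skipped in the report
	}
}

func main() {
	for layer, names := range LayerReport(SamplePackages()) {
		fmt.Printf("%s introduced %v\n", layer, names)
	}
}
```

The duplicate `/var/lib/dpkg/status` entry is the case that matters: a package database file is rewritten by every later install, so without ordering by layer the package would be attributed to whichever copy happened to be catalogued last.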

2. Added Support for Distinguishing OpenJDK vs JDK When Using File Sources

Community contributor adammcclenaghan provided PR #3895 that fixes a bug where Syft was unable to properly distinguish between OpenJDK and Oracle’s JDK implementations when using file sources. This enhancement improves the accuracy of Java ecosystem scanning, particularly in container images and file system analysis.

3. Improved License Detection for Non-SPDX Licenses

Several PRs (#3876, #3888) enhanced Syft’s license recognition capabilities, especially for dpkg packages with license agreements. This work addresses a community-reported issue where full license text was being included without recognition of the license type, improving compliance reporting.

4. Fixed Version Prefix Check for Package Exclusions in Grype

PR #2653 by westonsteimel corrected an issue with the version prefix check used when excluding overlapping packages in Grype. This fix helps prevent false positives when packages with similar names but different versions are being analyzed, improving the overall accuracy of vulnerability detection.
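The report does not describe the incorrect check itself. The example below is added here and is not Grype's code from PR #2653; it shows the class of mistake a version prefix check can make (a byte-wise `strings.HasPrefix` treats "1.2" as a prefix of "1.23") beside a component-wise comparison that avoids it, applied to the kind of overlap exclusion the report describes. The `Pkg` type, `ExcludeOverlaps` and the sample records are assumptions constructed for this illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Pkg is a constructed stand-in for a catalogued package record. The same
// software can be recorded twice, e.g. once from a binary's embedded version
// string and once from the OS package database, with different precision.
type Pkg struct {
	Name, Version, Source string
}

// NaiveVersionPrefix is the byte-wise check that produces the false match:
// "1.2" is a string prefix of "1.23" although 1.23 is an unrelated release.
func NaiveVersionPrefix(candidate, prefix string) bool {
	return strings.HasPrefix(candidate, prefix)
}

// VersionPrefixMatch compares whole dot-separated components, so "1.2" matches
// "1.2.13" but not "1.23"; an empty prefix matches nothing.
func VersionPrefixMatch(candidate, prefix string) bool {
	if prefix == "" {
		return false
	}
	cand, pre := strings.Split(candidate, "."), strings.Split(prefix, ".")
	if len(pre) > len(cand) {
		return false
	}
	for i := range pre {
		if cand[i] != pre[i] {
			return false
		}
	}
	return true
}

// ExcludeOverlaps drops a record when another record of the same name from a
// different source carries a more precise version that the record's own
// version is a prefix of; the less precise record is the redundant one. The
// check is a parameter so the naive and fixed behaviours can be compared.
func ExcludeOverlaps(pkgs []Pkg, match func(candidate, prefix string) bool) []Pkg {
	var kept []Pkg
	for i, p := range pkgs {
		redundant := false
		for j, q := range pkgs {
			if i == j || p.Name != q.Name || p.Source == q.Source {
				continue
			}
			if len(q.Version) > len(p.Version) && match(q.Version, p.Version) {
				redundant = true
				break
			}
		}
		if !redundant {
			kept = append(kept, p)
		}
	}
	return kept
}

// SamplePkgs is constructed data: libfoo really is the same package seen twice,
// while libbar 1.2 and libbar 1.23 are two different releases.
func SamplePkgs() []Pkg {
	return []Pkg{
		{"libfoo", "1.2", "binary"}, {"libfoo", "1.2.13", "dpkg"},
		{"libbar", "1.2", "binary"}, {"libbar", "1.23", "dpkg"},
	}
}

func main() {
	fmt.Println("naive:", ExcludeOverlaps(SamplePkgs(), NaiveVersionPrefix)) // libbar 1.2 wrongly dropped
	fmt.Println("fixed:", ExcludeOverlaps(SamplePkgs(), VersionPrefixMatch))
}
```

With the naive check the `libbar 1.2` record disappears because it looks like a duplicate of `libbar 1.23`, so whatever matching was done for that record is silently lost; the component-wise check keeps both releases as the distinct packages they are.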

5. Added Support for PURL List Input/Output Format

PR #3853 added support for PURL (Package URL) list input and output formats, enhancing Syft’s interoperability with other tools in the software supply chain security ecosystem. This feature allows for easier sharing of package information between different analysis tools that support the PURL standard.
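What a tool has to get right to read and write a PURL list, shown as an added example that is not Syft's code from PR #3853: each line is one Package URL of the form `pkg:type/namespace/name@version?qualifiers`, components are percent-decoded only after splitting on the separators (so an encoded `@` such as the npm scope `%40angular` is not mistaken for the version marker), and output re-encodes each component and orders qualifiers so two lists are diffable. The `PURL` type, `ParsePURLList` and the sample list are assumptions constructed for this illustration; subpaths (`#...`) are left out to keep it short.

```go
package main

import (
	"fmt"
	"net/url"
	"sort"
	"strings"
)

// PURL is a constructed, minimal model of a Package URL (not Syft's own type).
type PURL struct {
	Type, Namespace, Name, Version string
	Qualifiers                     map[string]string
}

// ParsePURL parses pkg:type/namespace/name@version?qualifiers, decoding each
// component only after splitting, so an encoded '@' or '/' inside a component
// (e.g. the npm scope %40angular) is never taken for a separator.
func ParsePURL(s string) (PURL, error) {
	s = strings.TrimSpace(s)
	if !strings.HasPrefix(strings.ToLower(s), "pkg:") {
		return PURL{}, fmt.Errorf("not a purl (missing pkg: scheme): %q", s)
	}
	if _, err := url.PathUnescape(s); err != nil { // rejects a malformed %XX anywhere,
		return PURL{}, fmt.Errorf("bad percent-encoding in %q: %w", s, err) // so later decodes cannot fail
	}
	rest := strings.TrimLeft(s[4:], "/") // the spec ignores slashes right after the scheme
	p := PURL{Qualifiers: map[string]string{}}
	if i := strings.Index(rest, "?"); i >= 0 { // key=value&key=value qualifiers come last
		for _, kv := range strings.Split(rest[i+1:], "&") {
			if k, v, ok := strings.Cut(kv, "="); ok && k != "" {
				p.Qualifiers[strings.ToLower(k)], _ = url.PathUnescape(v) // keys are case-insensitive
			}
		}
		rest = rest[:i]
	}
	if i := strings.LastIndex(rest, "@"); i >= 0 { // version follows the last unencoded '@'
		p.Version, _ = url.PathUnescape(rest[i+1:])
		rest = rest[:i]
	}
	parts := strings.Split(rest, "/")
	if len(parts) < 2 || parts[0] == "" || parts[len(parts)-1] == "" {
		return PURL{}, fmt.Errorf("purl needs at least a type and a name: %q", s)
	}
	p.Type = strings.ToLower(parts[0])
	p.Name, _ = url.PathUnescape(parts[len(parts)-1])
	p.Namespace, _ = url.PathUnescape(strings.Join(parts[1:len(parts)-1], "/"))
	return p, nil
}

// escape percent-encodes one component; '@' and '+' are encoded as well so the
// separators stay unambiguous when the output is parsed back.
func escape(s string) string {
	return strings.NewReplacer("@", "%40", "+", "%2B").Replace(url.PathEscape(s))
}

// String renders the canonical form with qualifiers in sorted key order.
func (p PURL) String() string {
	out := "pkg:" + p.Type
	for _, seg := range strings.Split(p.Namespace+"/"+p.Name, "/") {
		if seg != "" {
			out += "/" + escape(seg)
		}
	}
	if p.Version != "" {
		out += "@" + escape(p.Version)
	}
	keys := make([]string, 0, len(p.Qualifiers))
	for k := range p.Qualifiers {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	sep := "?"
	for _, k := range keys {
		out += sep + k + "=" + escape(p.Qualifiers[k])
		sep = "&"
	}
	return out
}

// ParsePURLList reads the purl-list format (one purl per line, blank lines
// ignored); bad entries are reported individually, not fatal for the list.
func ParsePURLList(text string) (pkgs []PURL, errs []error) {
	for n, entry := range strings.Fields(text) { // purls contain no whitespace
		if p, err := ParsePURL(entry); err != nil {
			errs = append(errs, fmt.Errorf("entry %d: %w", n+1, err))
		} else {
			pkgs = append(pkgs, p)
		}
	}
	return pkgs, errs
}

// SamplePURLList is constructed input for this example.
const SamplePURLList = `pkg:deb/debian/curl@7.88.1-10%2Bdeb12u5?arch=amd64&distro=debian-12
pkg:npm/%40angular/core@12.0.0
pkg:golang/github.com/anchore/syft@v1.0.0

not-a-purl`

func main() { fmt.Println(ParsePURLList(SamplePURLList)) } // entries print in canonical form
```

The order of the splits is the whole trick: subtract qualifiers, then the version after the last `@`, then split the remainder on `/`, decoding only what is left in each piece. Decoding first would turn `%40angular` into `@angular` and the parser would then read `angular/core` as the version.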

6. Fixed a Critical PHP Extension False Positive

Work continued on PR #2585 to address false positives with the PHP Redis PECL extension, which was incorrectly triggering Redis server vulnerabilities. The implementation creates a dedicated PHP interpreter cataloger to correctly identify PHP extensions and differentiate them from similarly named server components.

7. Moved Forward with Dart Package Cataloger Support

After extensive collaboration, PR #3292 from community contributor LaurentGoderre was merged, adding support for Dart’s pubspec package format. This enhancement expands Syft’s ecosystem coverage to include Dart packages, enabling more comprehensive software bill of materials (SBOM) generation for projects built with Flutter and Dart.


Note: This report is based on issues and pull requests closed during May 13-17, 2025. Additional work is ongoing in open issues and pull requests not covered in this report.

Want to get involved? Visit anchore.com/opensource to learn how you can contribute to Anchore’s open source projects!