Anchore Open Source Weekly Report
This report covers the community activity in Anchore Open Source Projects from May 26, 2025 to May 30, 2025.
Executive Summary
The Anchore Open Source team addressed 12 issues and pull requests this week, focusing primarily on stability improvements and bug fixes. A critical performance regression in Syft’s GraalVM native image cataloger was quickly identified and resolved after community reports of significant scanning delays. Community contributions included security hardening improvements for container images and documentation updates.
Weekly Metrics
Metric | Community | Staff | Total |
---|---|---|---|
Issues Closed | 1 | 0 | 1 |
Pull Requests Merged | 5 | 6 | 11 |
Bug Fixes | 4 | 2 | 6 |
Enhancements | 1 | 1 | 2 |
Documentation Updates | 1 | 0 | 1 |
Other | 1 | 3 | 4 |
Key Achievements
1. Critical Performance Regression Fixed in Syft
A severe performance regression was reported and quickly resolved: in Syft 1.25.0 and later, the GraalVM native image cataloger was adding 3-6 hours to scan times. The regression, tracked as Issue #3942, was introduced by PR #3805, which caused the cataloger to process every executable it encountered instead of only GraalVM native images. PR #3944 reverted the problematic changes and restored normal scanning performance.
2. Container Security Hardening Improvements
Community contributor MikeTheCyberGuy submitted PR #3936 to harden Syft’s container image by adding a non-root user and dropping root privileges. This defense-in-depth improvement enhances the security posture of containerized Syft deployments. The contribution was part of addressing a private security advisory focused on hardening rather than vulnerability remediation.
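As an added illustration of what this kind of hardening looks like (this is not Syft's actual Dockerfile, which the report does not reproduce; the base image, binary path, user name and uid are assumptions), the weak form is an image with no USER directive, so its entrypoint runs as uid 0, and the hardened form creates an unprivileged user and switches to it before the entrypoint:

```dockerfile
# Illustrative Dockerfile, not Syft's own. Base image, paths and uid are assumed.
FROM alpine:3.20
COPY syft /usr/local/bin/syft

# Weak form (shown commented out): with no USER directive the image
# inherits the base image's default user, which is root (uid 0).
#
#   ENTRYPOINT ["/usr/local/bin/syft"]

# Hardened form: create a dedicated system user and group with a fixed,
# high uid so the process never runs as root by default. The -S flag on
# Alpine's busybox adduser/addgroup creates a system account with no password.
RUN addgroup -S syft && adduser -S -G syft -u 10001 syft

# Switch to the unprivileged user; every later RUN and the ENTRYPOINT
# now execute as uid 10001 unless overridden at run time.
USER syft

ENTRYPOINT ["/usr/local/bin/syft"]
```

A quick check after building is to run the image with the entrypoint swapped for id (`docker run --rm --entrypoint id <image> -u`), which should print 10001 rather than 0. Two caveats worth keeping in mind: a USER directive sets the default only, so a caller can still start the container with `--user 0` or `--privileged`, and if the scanner is pointed at a local daemon by mounting the Docker socket, the unprivileged user needs read and write access to that socket. This is a defense-in-depth layer, not a replacement for runtime controls.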
3. Terraform Provider Lock File Parsing Fix
Community contributor Thomas Gosteli provided PR #3934 to fix an issue where Terraform provider lock entries incorrectly required constraints. This fix improves Syft’s ability to accurately parse Terraform lock files and generate complete SBOMs for infrastructure-as-code projects.
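The edge case behind this fix is easy to reproduce in a few lines. In a Terraform .terraform.lock.hcl file, each provider block carries a version and a list of hashes, while the constraints attribute is present only when the configuration declared a version constraint for that provider. The following added example (not Syft's code; the sample lock file content and the function names are constructed for illustration) parses such a file and shows how a parser that treats constraints as mandatory silently drops the unconstrained provider, producing an incomplete inventory:

```python
"""Minimal parser for provider entries in a Terraform .terraform.lock.hcl file.

Added example, not Syft's own code. It demonstrates the failure mode of
treating the optional 'constraints' attribute as required: the provider
without it disappears from the inventory.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample lock file. The second provider has no 'constraints'
# attribute, which is valid and common for transitively required providers.
SAMPLE_LOCK = '''
# This file is maintained automatically by "terraform init".
# Manual edits may be lost in future updates.

provider "registry.terraform.io/hashicorp/aws" {
  version     = "5.40.0"
  constraints = ">= 4.0.0, < 6.0.0"
  hashes = [
    "h1:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=",
    "zh:0000000000000000000000000000000000000000000000000000000000000000",
  ]
}

provider "registry.terraform.io/hashicorp/null" {
  version = "3.2.2"
  hashes = [
    "h1:bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb=",
  ]
}
'''


@dataclass
class ProviderLock:
    source: str                 # e.g. registry.terraform.io/hashicorp/aws
    version: str
    constraints: Optional[str]  # None when the attribute is absent
    hashes: List[str] = field(default_factory=list)


# One provider block: the quoted source address, then everything up to the
# first line that is just a closing brace.
_BLOCK_RE = re.compile(r'provider\s+"([^"]+)"\s*\{(.*?)\n\}', re.DOTALL)
# Simple string attributes of the form:   name = "value"
_ATTR_RE = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*$', re.MULTILINE)
# The hashes list body between the brackets.
_HASHES_RE = re.compile(r'hashes\s*=\s*\[(.*?)\]', re.DOTALL)
_QUOTED_RE = re.compile(r'"([^"]+)"')


def parse_lock(text: str, require_constraints: bool = False) -> List[ProviderLock]:
    """Return one ProviderLock per provider block.

    require_constraints=True reproduces the buggy behaviour: blocks that lack
    a 'constraints' attribute are skipped, so the returned list is incomplete.
    """
    providers = []
    for source, body in _BLOCK_RE.findall(text):
        attrs = dict(_ATTR_RE.findall(body))
        if "version" not in attrs:
            # A lock entry without a version is malformed; skip it.
            continue
        if require_constraints and "constraints" not in attrs:
            continue  # the bug: a legitimately optional field treated as required
        hashes_match = _HASHES_RE.search(body)
        hashes = _QUOTED_RE.findall(hashes_match.group(1)) if hashes_match else []
        providers.append(ProviderLock(
            source=source,
            version=attrs["version"],
            constraints=attrs.get("constraints"),
            hashes=hashes,
        ))
    return providers


def missing_from_strict_parse(text: str) -> List[str]:
    """Sources that the strict (buggy) parser loses relative to the lenient one."""
    lenient = {p.source for p in parse_lock(text)}
    strict = {p.source for p in parse_lock(text, require_constraints=True)}
    return sorted(lenient - strict)


if __name__ == "__main__":
    for p in parse_lock(SAMPLE_LOCK):
        print(f"{p.source} {p.version} constraints={p.constraints!r} hashes={len(p.hashes)}")
    print("dropped by strict parser:", missing_from_strict_parse(SAMPLE_LOCK))
```

Run against the constructed sample, the lenient parser returns both providers while the strict one returns only hashicorp/aws; the hashicorp/null provider, which is just as much a part of the deployed infrastructure, is the entry a strict parser would leave out of the SBOM.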
4. Generic Cataloger Release Override Support
PR #3937 from community contributor Andy Blair added the ability to override release information in the generic cataloger. This enhancement provides more flexibility when cataloging packages that may not have standard release metadata, improving SBOM accuracy for edge cases.
5. Grype JSON Output Consistency Improvement
PR #2692 fixed an issue where Grype's db search commands with JSON output weren't consistently showing results. This improvement ensures reliable programmatic access to vulnerability database search functionality.
6. Documentation Updates for Azure Linux
Community contributor Patrick Burke submitted PR #2684 updating documentation to reflect that CBL-Mariner is now known as Azure Linux. This keeps the documentation current with Microsoft’s rebranding of their Linux distribution.
Note: This report is based on issues and pull requests closed during May 26-30, 2025. Additional work is ongoing in open issues and pull requests not covered in this report.
Want to get involved? Visit anchore.com/opensource to learn how you can contribute to Anchore’s open source projects!