Anchore Open Source Weekly Report, Week 25, 2025

This report covers the community activity in Anchore Open Source Projects from June 16, 2025 to June 20, 2025.

Executive Summary

The Anchore Open Source projects saw focused development activity this week with 14 issues and pull requests resolved across the ecosystem. Key work included significant refactoring of Grype’s version handling system, improvements to CPE segment escaping for better vulnerability matching, and VEX document processing fixes. The team also addressed several long-standing community issues around false positives and automated review suggestions.

Weekly Metrics

Metric                 Community  Staff  Total
Issues Closed                  3      0      3
Pull Requests Merged           1      8      9
Bug Fixes                      2      4      6
Enhancements                   1      3      4
Documentation Updates          0      0      0
Other                          1      1      2

Key Achievements

1. Major Version Package Refactoring in Grype

Staff member Alex Goodman delivered a comprehensive refactoring of Grype’s version handling system through PR #2735. This significant internal improvement streamlines how Grype processes and compares package versions across different ecosystems, laying groundwork for more accurate vulnerability matching. The refactoring also included additional cleanup work in PR #2740 to further optimize version processing.

2. Enhanced CPE Segment Escaping for Better Vulnerability Detection

Keith Zantow fixed a critical issue with CPE (Common Platform Enumeration) segment escaping in PR #2731. This improvement ensures that special characters in package names and versions are properly escaped when generating CPEs, leading to more accurate vulnerability matching and fewer false negatives in security scanning.
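As an added illustration of the kind of escaping this fix concerns (example code written for this report, not Grype's implementation from PR #2731), the following Go snippet binds a raw attribute value into CPE 2.3 formatted-string form and splits a formatted string back into its fields without being confused by an escaped colon. The product name "log4j:core+ext" is a constructed sample chosen to contain a separator and a punctuation character.

```go
package main

import (
	"fmt"
	"strings"
)

// EscapeCPESegment binds one raw attribute value (vendor, product, version...)
// into CPE 2.3 formatted-string form (NISTIR 7695 section 6.2.2): letters,
// digits, '_', '-' and '.' pass through; every other character gets a '\'
// prefix so it cannot be misread as the ':' separator or a '*' / '?' wildcard.
func EscapeCPESegment(raw string) string {
	var b strings.Builder
	for _, r := range raw {
		isPlain := (r >= 'a' && r <= 'z') || (r >= 'A' && r <= 'Z') ||
			(r >= '0' && r <= '9') || r == '_' || r == '-' || r == '.'
		if !isPlain {
			b.WriteRune('\\')
		}
		b.WriteRune(r)
	}
	return b.String()
}

// SplitCPE splits a formatted string into its 13 fields, keeping an escaped
// "\:" inside a value rather than treating it as a field separator.
func SplitCPE(cpe string) []string {
	var parts []string
	var cur strings.Builder
	escaped := false
	for _, r := range cpe {
		switch {
		case escaped:
			cur.WriteString(`\` + string(r))
			escaped = false
		case r == '\\':
			escaped = true
		case r == ':':
			parts = append(parts, cur.String())
			cur.Reset()
		default:
			cur.WriteRune(r)
		}
	}
	return append(parts, cur.String())
}
func main() {
	// constructed sample: a product name containing ':' and '+'
	cpe := "cpe:2.3:a:apache:" + EscapeCPESegment("log4j:core+ext") +
		":2.17.1:*:*:*:*:*:*:*"
	fmt.Println(cpe, len(SplitCPE(cpe))) // prints the CPE and 13
}
```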

3. VEX Document Processing Bug Fixed

Will Murphy addressed a long-standing issue where VEX (Vulnerability Exploitability eXchange) documents weren’t being processed correctly when other ignore rules were configured. PR #2741 fixes the logic to ensure VEX ignore rules are always applied, resolving community issue #1836 that had been affecting users trying to suppress vulnerabilities using VEX documents.

4. Package Specifier Overrides Added for Multiple Package Types

Weston Steimel expanded Grype’s flexibility by adding package specifier overrides for kb, dpkg, and apkg package types in PR #2742. This enhancement allows for more granular control over how vulnerabilities are matched for these specific package ecosystems, improving accuracy for users working with Knowledge Base, Debian, and Alpine packages.

5. Community Issues Resolution

The team successfully closed several community-reported issues this week. Issue #2652 regarding a CVE-2024-3094 false positive was resolved after investigation showed the issue could not be reproduced. Additionally, issue #2292 about false positives on custom Python packages was confirmed fixed in the latest Grype version.

6. Automated Review Tool Decision

After thorough evaluation and community discussion, the team decided not to implement automated PR reviews using coderabbit.ai (issue #2607). The decision was based on concerns about noise in review comments, security implications of write permissions, and the potential for automated suggestions to create contributor frustration or discourage thorough human review.
Note: This report is based on issues and pull requests closed during June 16-20, 2025. Additional work is ongoing in open issues and pull requests not covered in this report.

Want to get involved? Visit anchore.com/opensource to learn how you can contribute to Anchore’s open source projects!