Anchore Open Source Weekly Report - Week 26, 2025

Anchore Open Source Weekly Report

This report covers the community activity in Anchore Open Source Projects from June 30, 2025 to July 6, 2025.

Executive Summary

What a busy week it’s been in Anchore Open Source land! The team and our fantastic community contributors knocked out 20 issues and pull requests across the ecosystem. We made some really solid progress on those pesky CPE (Common Platform Enumeration) handling issues that have been causing both false positives and malformed output headaches. The community stepped up big time with some cracking enhancements – notably getting EPSS and KEV integration working in CycloneDX vulnerability ratings. Oh, and we fixed Python 3.13 support in Vunnel after accidentally breaking it (oops!).

Weekly Metrics

Metric                 Community   Staff   Total
Issues Closed                  5       0       5
Pull Requests Merged           4      11      15
Bug Fixes                      5       4       9
Enhancements                   2       0       2
Chores/Maintenance             2       7       9

Key Achievements

1. CPE Handling Gets Some Much-Needed Love

We tackled several gnarly CPE-related issues this week that were making vulnerability detection less accurate than we’d like. westonsteimel was on the ball with Issue #2770, quickly spotting and fixing a dodgy CPE configuration in NVD that was causing CVE-2023-3079 to falsely match against Linux kernel (vmlinuz). We also sorted out Issue #2767 where Grype’s database search was spitting out malformed CPE output, with PR #2769 fixing the underlying CPE string formatting. Much better!

2. Better CPE Target Software Field Handling

Here’s an interesting one – Issue #2768 highlighted how Grype was missing vulnerabilities for CPEs with target_sw fields that didn’t match known package types. willmurphyscode came to the rescue with PR #2772, making sure we preserve that target software information even when we can’t figure out the package type. This should help with vulnerability coverage in more specialized software environments.
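As an added illustration of the two CPE behaviours discussed in items 1 and 2 (example code written for this report, not Grype's own implementation): a minimal CPE 2.3 parser and formatter in Go that rejects malformed strings instead of emitting truncated output, keeps backslash-escaped colons intact, and carries target_sw through a parse/format round trip unchanged, even when the value names no package type the tool recognises. The CPE value in main is a constructed sample, not a real product.

```go
package main

import (
	"fmt"
	"strings"
)

// CPE holds the 11 components that follow the "cpe:2.3" prefix, in spec order.
type CPE struct {
	Part, Vendor, Product, Version, Update, Edition, Language,
	SWEdition, TargetSW, TargetHW, Other string
}

// splitUnescaped splits on ':' but keeps backslash-escaped colons inside a component.
func splitUnescaped(s string) []string {
	out, cur := []string{}, strings.Builder{}
	for i := 0; i < len(s); i++ {
		switch {
		case s[i] == '\\' && i+1 < len(s): // escaped character, e.g. "\:"
			cur.WriteString(s[i : i+2])
			i++
		case s[i] == ':':
			out = append(out, cur.String())
			cur.Reset()
		default:
			cur.WriteByte(s[i])
		}
	}
	return append(out, cur.String())
}

// ParseCPE rejects malformed input (bad prefix or wrong field count) instead of guessing.
func ParseCPE(s string) (CPE, error) {
	f := splitUnescaped(s)
	if len(f) != 13 || f[0] != "cpe" || f[1] != "2.3" {
		return CPE{}, fmt.Errorf("malformed CPE 2.3 string: %q", s)
	}
	return CPE{f[2], f[3], f[4], f[5], f[6], f[7], f[8], f[9], f[10], f[11], f[12]}, nil
}

// String re-emits all 13 fields, so target_sw survives a round trip even if it maps to no known package type.
func (c CPE) String() string {
	return strings.Join([]string{"cpe", "2.3", c.Part, c.Vendor, c.Product, c.Version,
		c.Update, c.Edition, c.Language, c.SWEdition, c.TargetSW, c.TargetHW, c.Other}, ":")
}

func main() {
	c, err := ParseCPE("cpe:2.3:a:example:widget:1.2.3:*:*:*:*:obscure_runtime:*:*") // constructed sample
	fmt.Println(c.TargetSW, err, c)
}
```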

3. CycloneDX Gets EPSS and KEV Integration

Big shoutout to AlinaPodoba for delivering PR #2765! They successfully added EPSS (Exploit Prediction Scoring System) scores and KEV (Known Exploited Vulnerabilities) indicators as CycloneDX vulnerability ratings entries. Originally requested way back in Issue #2695, this enhancement gives you much better context about whether a vulnerability is likely to be exploited or is already being exploited in the wild. Really useful stuff!

4. Python 3.13 Support Back in Business

Turns out we accidentally broke Python 3.13 builds in Vunnel 0.32.0 with some overly strict version constraints. chenrui333 spotted this in Issue #809 and quickly provided PR #823 to loosen up those Python constraints. Python 3.13 users, you’re welcome!

5. Critical Vulnerability Range Fix

wagoodman delivered a crucial fix with PR #2759 – we weren’t properly handling vulnerabilities that don’t specify version ranges. The fix ensures these vulnerabilities are correctly treated as always applicable, which prevents those nasty false negatives where we might miss actual security issues.

6. Database and Infrastructure Polish

We’ve been doing some housekeeping behind the scenes. PR #2758 fixed database hydration issues when clients have shiny new features, PR #2761 added emergency release capabilities (because sometimes you need to ship fixes fast), and PR #4042 updated Syft’s test infrastructure to use the latest test-fixture-cache.

7. Community-Driven Maintenance

Our community contributors continue to keep things tidy with cpanato upgrading Syft’s tablewriter dependency in PR #3990 to use the new API, and emmanuel-ferdman replacing some deprecated GoReleaser configurations in Grype with PR #2729. These might seem like small changes, but they keep everything running smoothly.


Note: This report covers issues and pull requests closed during June 30 - July 6, 2025. There’s plenty more happening in our open issues and pull requests that didn’t make it into this week’s roundup.

Fancy getting involved? Head over to anchore.com/opensource to see how you can contribute to Anchore’s open source projects. We’d love to have you on board!