Anchore Open Source Weekly Report, Week 30, 2025

This report covers the community activity in Anchore Open Source Projects from July 21, 2025 to July 27, 2025.

Executive Summary

Week 30 proved to be exceptionally productive for the Anchore ecosystem, with 22 issues and pull requests successfully resolved across the project portfolio. The highlight of the week was the long-awaited integration of snap package scanning support in Grype, addressing a community request that had been pending since 2022. Additionally, comprehensive Red Hat Enterprise Linux Extended Update Support (EUS) capabilities were rolled out across multiple repositories, significantly enhancing vulnerability detection for enterprise environments.

Weekly Metrics

Metric                   Community   Staff   Total
Issues Closed                    5       3       8
Pull Requests Merged             3      19      22
Bug Fixes                        4       8      12
Enhancements                     3       4       7
Infrastructure Updates           1       7       8
Other                            0       3       3

Key Achievements

1. Snap Package Scanning Support Arrives in Grype

After nearly three years of community requests, PR #2821 successfully introduced snap package scanning capabilities to Grype. This implementation allows users to scan snap packages directly as a source, eliminating the need for manual extraction processes. The feature includes proper handling of region-locked snaps and provides meaningful error messages when issues occur, resolving the original community request from issue #1088 dating back to 2022.

2. Comprehensive RHEL EUS Support Implementation

A coordinated effort across multiple repositories delivered extensive Red Hat Enterprise Linux Extended Update Support (EUS) capabilities. Key implementations included PR #2787, which enables Grype to consider RHEL EUS fix information during vulnerability matching; PR #540, adding EUS data support to the vulnerability database; and PR #796, incorporating EUS data collection. This comprehensive enhancement addresses long-standing community needs for accurate vulnerability detection in enterprise RHEL environments, particularly resolving the issues raised in #2446.

3. Enhanced JVM Detection and Classification Accuracy

Significant improvements to Java Virtual Machine detection were delivered through PR #4046, which aligns binary Java detection with the JVM cataloger and adds support for IBM JDK implementations. This enhancement addresses community-reported issues around incorrect classification of different JDK vendors, particularly the problem where Azul JDK installations were being misidentified as Oracle JRE, as documented in issue #3893.

4. Critical Database and CPE Association Bug Fixes

Community contributor Christoph Reiter (lazka) identified a critical bug in the vulnerability database where CPE version constraints were being incorrectly associated, leading to false positives for CVE-2004-0377. The issue was quickly addressed through PR #609, which fixed the incorrect associations between affected ranges and CPE identifiers. This rapid response demonstrates the project’s commitment to maintaining data accuracy and addressing community-reported issues promptly.

5. Enhanced Action Error Handling and User Experience

Multiple improvements were made to the GitHub Actions integration, including PR #491, which ensures that stderr output is properly displayed for non-zero exit codes, addressing issue #390. Community contributor Jérémy Jourdan (kema-dev) also contributed PR #427, adding configuration file input support and enhancing the flexibility of the scan action for CI/CD workflows.

6. Structured Output Enhancement for Vunnel

Community contributor James Gardner (jamestexas) delivered PR #825, implementing a --json flag for the status command to provide structured output. This enhancement improves integration capabilities and makes it easier to programmatically interact with Vunnel’s status information, particularly valuable for automated monitoring and reporting systems.

Community Contributions

The Anchore team continues to benefit from active community engagement across multiple projects:

  • James Gardner enhanced Vunnel’s CLI capabilities with structured JSON output for status commands

  • Jérémy Jourdan contributed configuration file input support to the scan action after months of development

  • Carlos Tadeu Panato Junior modernized the grype-db project by updating GoReleaser to v2 and fixing deprecated configurations

  • Christoph Reiter identified and reported critical CPE association bugs, leading to improved database accuracy

  • Multiple contributors provided detailed feedback on JVM detection issues, helping to refine the implementation

Note: This report is based on issues and pull requests closed during July 21-27, 2025. Additional work is ongoing in open issues and pull requests not covered in this report.

Want to get involved? Visit anchore.com/opensource to learn how you can contribute to Anchore’s open source projects!