Anchore Open Source Weekly Report
This report covers the community activity in Anchore Open Source Projects from August 11, 2025 to August 17, 2025.
Executive Summary
Thirty issues and pull requests were resolved across the Anchore Open Source projects this week. Notable community contributions included modernized GoReleaser configurations and a fix for OpenSSL patch-version parsing. The team also delivered enhancements to license handling and addressed several long-standing community requests, including improved SPDX license ID recognition and a package supplier configuration option.
Weekly Metrics
Metric | Community | Staff | Total |
---|---|---|---|
Issues Closed | 6 | 2 | 8 |
Pull Requests Merged | 5 | 17 | 22 |
Bug Fixes | 6 | 6 | 12 |
Enhancements | 4 | 8 | 12 |
Maintenance/Chores | 1 | 6 | 7 |
Other | 0 | 1 | 1 |
Key Achievements
1. Enhanced License Construction with URL Lookup Support
Christopher Angelo Phillips delivered PR #4132 implementing a significant enhancement to Syft’s license construction capabilities. This improvement enables license lookup by URL, addressing the long-standing issue #3186 where Syft would sometimes report URLs instead of proper license values when scanning JAR files. The enhancement also resolves CycloneDX schema validation issues reported in #1964, ensuring generated SBOMs comply with format specifications.
2. Package Supplier Configuration Feature Added
PR #4131 introduced the ability for users to specify package supplier information through a new --package-supplier flag. This feature addresses community request #3098 from Przemysław Czuj, enabling proper supplier attribution in SPDX documents generated by the CLI. The implementation includes JSON schema updates and provides a foundation for enhanced compliance reporting capabilities.
3. OpenSSL Version Parsing Bug Fixed
Community contributor honigbot provided PR #4106 fixing a critical issue with OpenSSL patch version parsing. The fix enables support for multiple letters in OpenSSL patch versions, ensuring accurate version identification for OpenSSL installations with complex versioning schemes. This improvement enhances vulnerability scanning accuracy for systems using OpenSSL.
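To show the edge case the fix above addresses, here is an added example (not Syft's own code, and not the implementation from PR #4106) of parsing and ordering OpenSSL 1.x-style versions. The assumption it encodes is the OpenSSL letter scheme itself: after 1.0.2z the patch suffix grows to two letters (1.0.2za, 1.0.2zb, ... 1.0.2zh), so a parser that accepts only a single trailing letter rejects every release after 1.0.2z and cannot compare an installed build against the fixed version an advisory names. The function and type names are the example's own.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// OpenSSLVersion holds the parts of an OpenSSL 1.x-style version string such
// as "1.0.2zh": numeric MAJOR.MINOR.FIX plus an optional run of lowercase
// patch letters. OpenSSL 3.x versions ("3.0.14") parse with an empty Patch.
type OpenSSLVersion struct {
	Major, Minor, Fix int
	Patch             string // "", "a" .. "z", then "za", "zb", ... "zh"
}

// openSSLRe deliberately allows more than one patch letter ([a-z]*): a
// single-letter pattern would reject 1.0.2za and everything after it.
var openSSLRe = regexp.MustCompile(`^(\d+)\.(\d+)\.(\d+)([a-z]*)$`)

// ParseOpenSSLVersion parses "MAJOR.MINOR.FIX[letters]" and rejects anything
// else (pre-release tags, missing components, uppercase suffixes).
func ParseOpenSSLVersion(s string) (OpenSSLVersion, error) {
	m := openSSLRe.FindStringSubmatch(strings.TrimSpace(s))
	if m == nil {
		return OpenSSLVersion{}, fmt.Errorf("not an OpenSSL-style version: %q", s)
	}
	// The regexp guarantees m[1..3] are digit runs, so Atoi cannot fail here.
	major, _ := strconv.Atoi(m[1])
	minor, _ := strconv.Atoi(m[2])
	fix, _ := strconv.Atoi(m[3])
	return OpenSSLVersion{Major: major, Minor: minor, Fix: fix, Patch: m[4]}, nil
}

// comparePatch orders letter suffixes the way OpenSSL releases them:
// a shorter suffix is older (no suffix < "a", and "z" < "za"), and suffixes
// of equal length compare letter by letter ("za" < "zb").
func comparePatch(a, b string) int {
	if len(a) != len(b) {
		if len(a) < len(b) {
			return -1
		}
		return 1
	}
	return strings.Compare(a, b)
}

// Compare returns -1, 0 or 1 as a is older than, equal to or newer than b.
func Compare(a, b OpenSSLVersion) int {
	for _, pair := range [][2]int{{a.Major, b.Major}, {a.Minor, b.Minor}, {a.Fix, b.Fix}} {
		if pair[0] != pair[1] {
			if pair[0] < pair[1] {
				return -1
			}
			return 1
		}
	}
	return comparePatch(a.Patch, b.Patch)
}

// CompareStrings parses both inputs and compares them; this is the shape of
// call a vulnerability matcher makes when asking whether the installed
// version is below the version an advisory lists as fixed.
func CompareStrings(installed, fixed string) (int, error) {
	a, err := ParseOpenSSLVersion(installed)
	if err != nil {
		return 0, err
	}
	b, err := ParseOpenSSLVersion(fixed)
	if err != nil {
		return 0, err
	}
	return Compare(a, b), nil
}

func main() {
	// Constructed sample pairs: an installed build and a fixed version.
	pairs := [][2]string{{"1.0.2z", "1.0.2za"}, {"1.0.2zh", "1.0.2zg"}, {"1.1.1w", "1.1.1w"}}
	for _, tc := range pairs {
		c, err := CompareStrings(tc[0], tc[1])
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("%-8s vs %-8s -> %d\n", tc[0], tc[1], c)
	}
}
```

The length-first rule in comparePatch is what makes the multi-letter case sort correctly; with a plain lexical compare the ordering still happens to work for real OpenSSL releases only because every two-letter suffix begins with "z", so the explicit rule is the one worth keeping in a scanner.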
4. Node.js Package.json Authors Support Enhanced
After nearly two years of community collaboration, PR #4003 from Alan Pope was merged, adding comprehensive support for the authors, contributors, and maintainers fields in package.json files. This enhancement addresses the legal compliance issue raised in #2250, ensuring proper attribution information is captured in software bills of materials for JavaScript projects.
5. CSAF VEX Support Implementation
A long-awaited enhancement from Juan Ariza Toledano and the Bitnami team reached completion with PR #1826, implementing CSAF (Common Security Advisory Framework) support in Grype. This feature expands Grype’s VEX (Vulnerability Exploitability eXchange) capabilities beyond OpenVEX format, enabling integration with CSAF-based vulnerability advisory systems.
6. Database and Infrastructure Improvements
Multiple enhancements were delivered across the ecosystem, including Debian version transitions (PRs #2861, #628), Ubuntu release mapping updates (#844), and database compression optimizations (#632). These improvements ensure continued accuracy in vulnerability detection across evolving Linux distributions.
7. Grant License Analysis Performance Optimization
PR #237 introduced the --disable-file-search flag, significantly improving performance for users who only need license information from packages rather than comprehensive filesystem scanning. This enhancement reduces processing time while maintaining accuracy for common license compliance workflows.
Community Contributions
The Anchore team benefited from strong community engagement this week:
- honigbot contributed an important OpenSSL version parsing fix after sustained collaboration
- Alan Pope delivered the long-awaited package.json authors support enhancement
- Juan Ariza Toledano completed extensive work on CSAF VEX support
- Emmanuel Ferdman modernized GoReleaser configurations across the ecosystem
- Tom Paz attempted to contribute Yocto cataloger functionality
- Joshua Kugler and Olison Sturm participated in the community meeting to discuss ongoing contributions
The weekly Open Source Community Meeting saw productive discussions about pull requests and ongoing development efforts, demonstrating continued community investment in the project.
Note: This report is based on issues and pull requests closed during August 11-17, 2025. Additional work is ongoing in open issues and pull requests not covered in this report.
Want to get involved? Visit anchore.com/opensource to learn how you can contribute to Anchore’s open source projects!