Anchore Open Source Weekly Report - Week 35, 2025
This report covers the community activity in Anchore Open Source Projects from August 19, 2025 to August 30, 2025.
Community Team Meeting
Before we get into the “meat and potatoes” of code changes last week, I wanted to highlight last week’s Community Meeting.
We hold these ‘open hours’ style Zoom calls every 2 weeks on Thursday at . Everyone is welcome to bring topics. Check the calendar for the schedule, and the agenda doc to add or view proposed topics for the next call. Join this group to get edit rights on that doc.
Last week was especially busy: community regular Gabriel Rau (@gabetrau) joined us again to discuss their ongoing Vcpkg Cataloger work. Nils Lamot (@nlamot) was in attendance to discuss SPDX decoding in Syft issue 4028 and their pull request #4153.
We were also joined by Hala Ali, a PhD student currently working on a thesis that includes coverage of Software Composition Analysis and vulnerability detection tools like Syft & Grype. Finally, Dave Welch (@dwelch2344) from HeroDevs joined the call to engage in discussions with the team and other attendees.
I know the team find these sessions incredibly valuable, not only as a high-bandwidth way to communicate with the community, but also to get a sense-check of how people are using & abusing our tools, and where we may have gaps in our code, processes, or documentation. More on that, another time.
Back to our usual update…
Executive Summary
The Anchore Open Source ecosystem saw significant development momentum this week with 34 issues and pull requests successfully resolved across the project portfolio. Community engagement was strong with several critical bug reports leading to important fixes, while the team delivered enhancements including a comprehensive Go source cataloger overhaul and the FFmpeg binary detection capability. Notable infrastructure improvements included extensive fix date processing implementations across multiple vulnerability data providers and enhanced Raspbian support for vulnerability matching.
Weekly Metrics
| Metric | Community | Staff | Total |
|---|---|---|---|
| Issues Closed | 5 | 2 | 7 |
| Pull Requests Merged | 2 | 25 | 27 |
| Bug Fixes | 5 | 8 | 13 |
| Enhancements | 2 | 12 | 14 |
| Database/Infrastructure Updates | 0 | 5 | 5 |
| Other | 0 | 2 | 2 |
Key Achievements
1. YAML Library Migration for Better Maintenance
Community contributor n-bes provided PR #4157 migrating Syft to use the official go.yaml.in/yaml library, improving long-term maintainability and addressing dependency management concerns. This change ensures Syft uses well-supported YAML parsing libraries backed by the official YAML project organization.
2. Go Source Cataloger Major Enhancement
Christopher Angelo Phillips delivered PR #4127, implementing a comprehensive overhaul that combines Go module file and Go source discovery into a single cataloger. This enhancement addresses long-standing issues #3451 and #432 by enabling Syft to catalog the entire build list for Go projects beyond just packages listed in go.mod. The implementation includes new metadata types and schema updates, significantly improving Go ecosystem coverage.
3. Community Bug Resolution and Reproducibility Improvements
The team successfully resolved several community-reported issues, including CVE detection problems in Apache Tomcat (issue #2881) and Grafana version misdetection (issue #2783). Additionally, community contributor gabetrau’s long-standing work on configurable timestamps (PR #2724) was merged, addressing the reproducibility concerns raised in issue #522 by Furkan Türkal.
4. Comprehensive Fix Date Processing Infrastructure
Alex Goodman led an extensive effort implementing fix date processing across multiple vulnerability data providers in Vunnel, with over 15 coordinated pull requests covering NVD (#861), Red Hat (#864), Ubuntu (#856), Alpine (#853), Wolfi/Chainguard (#854), and other major Linux distributions. This infrastructure enhancement provides more accurate temporal vulnerability information, improving fix availability reporting across the ecosystem.
5. Raspbian Vulnerability Matching Support Added
Weston Steimel delivered PR #2893 implementing comprehensive Raspbian support for vulnerability matching. This enhancement expands Grype’s coverage to include Raspberry Pi OS distributions, addressing a significant gap for IoT and embedded systems security scanning.
6. FFmpeg Binary Detection Finally Arrives
Alan Pope’s PR #3994 was successfully merged, adding comprehensive FFmpeg binary cataloger support to Syft. Community member Jeongho10 had originally reported this gap in issue #3988, highlighting that FFmpeg binaries weren’t being recognized as components. The implementation includes full fixture testing against multiple FFmpeg versions and architectures, resolving a blind spot in binary detection.
Note: This report is based on issues and pull requests closed during August 19-30, 2025. Additional work is ongoing in open issues and pull requests not covered in this report.
Want to get involved? Visit anchore.com/opensource to learn how you can contribute to Anchore’s open source projects!