Anchore Open Source Weekly Report, Week 37, 2025

This report covers the community activity in Anchore Open Source Projects from September 7, 2025 to September 13, 2025.

Executive Summary

The Anchore Open Source ecosystem had a productive week with 11 community-originated issues and pull requests closed, alongside 14 staff-contributed items. Key highlights include the addition of CycloneDX modularityLabel support for RPM packages, improvements to GraalVM native image location tracking, and critical fixes for container platform variant handling. The team also addressed several false positive vulnerability reports and database update issues, demonstrating strong responsiveness to community feedback.

Weekly Metrics

Metric                 Community   Staff   Total
Issues Closed                  5       0       5
Pull Requests Merged           6      14      20
Bug Fixes                      3       8      11
Enhancements                   3       3       6
Documentation Updates          0       0       0
Other                          0       3       3

Key Achievements

1. Enhanced CycloneDX Support for RPM Packages

Community contributor Rafał Maj (@sfc-gh-rmaj) from Snowflake submitted PR #4212, adding cyclonedx:"modularityLabel" support for RpmDBEntry. This enhancement improves SBOM generation compatibility with the CycloneDX format specification for RPM-based systems, enabling better integration with downstream tools that consume CycloneDX SBOMs.

2. Improved GraalVM Native Image Package Location Tracking

Oracle contributor Joel Rudsberg (@rudsberg) delivered PR #4186 that adds location metadata to packages extracted from GraalVM native images. This enhancement allows users to trace packages back to their specific native image executable, significantly improving vulnerability identification and debugging capabilities for GraalVM-based applications.

3. Critical Container Platform Variant Handling Fix

Yahoo! Senior Security Engineer Nathanael Burton (@mathrock) resolved a critical issue with PR #455 that fixed platform variant handling in container registry operations. The fix addresses problems where Syft would fail when scanning images with specific platform variants (e.g., linux/arm/v7), ensuring better compatibility with multi-architecture container setups.

4. Vulnerability Database False Positive Resolution

Multiple false positive vulnerability reports were quickly addressed this week. Elementary Senior Software Engineer John Gauthier (@jgauth) reported Redis CVE false positives in issue #2932, which the team rapidly resolved by updating the vulnerability database with corrected CPE data. Similarly, APK vulnerability detection issues reported in grype-db issue #681 were traced to a vunnel configuration problem and promptly fixed.

5. Major VEX and Unaffected Package Support Implementation

Two significant enhancements landed this week that expand Grype’s vulnerability handling capabilities. PR #2886 from Chainguard’s Zackary Crosley (@CrosleyZack) implements support for using unaffected package data to automatically remove inappropriate vulnerabilities from scan results. Additionally, comprehensive OpenVEX format support was added through coordinated efforts across multiple repositories, enabling better integration with vendor-specific security advisories.

6. NTIA SBOM Standards Compliance Clarification

Community member @wagner-robert raised issue #4205 about CISA’s recent SBOM standardization guidance and NTIA compliance. The team clarified that Syft already supports the NTIA minimum elements, pointing users to existing functionality and configuration options while acknowledging ongoing work to improve compliance across all supported ecosystems.

Note: This report is based on issues and pull requests closed during September 7-13, 2025. Additional work is ongoing in open issues and pull requests not covered in this report.

Want to get involved? Visit anchore.com/opensource to learn how you can contribute to Anchore’s open source projects!