August 14th | Open Source Gardening | Live Stream

👋 Hello everyone!

We’re back with the Anchore Open Source team running a live stream to discuss issues, pull requests, and future roadmap planning in our SBOM and vulnerability tools.

⏰ Starts at 2025-08-14T19:00:00Z for about an hour.

Expect engineering and project management discussions and a bit of GitHub issue gardening on Syft, Grype, and the rest of the family.

Join us today for a relaxed, educational, and productive live stream.

Topics

Hello everyone,

Here’s the summary from our “Open Source Gardening” live stream on August 14th. We triaged a few issues and pull requests for Syft and Grype, and had a great discussion at the end about a contribution to Grant.

Thanks to everyone who joined us live, including Henry, Esme, and Josh in the chat!

Here’s what we covered:

Syft PR #4075: Fix win path UNC path conversion

  • Discussion: Chris (spiffcs) kicked things off with a pull request that fixes an issue with handling Windows UNC paths (e.g., \\localhost\c$\...). He has reviewed the code and confirmed it looks good. The changes are correctly guarded behind a runtime check for the Windows OS, so there’s no risk of impacting users on Linux or macOS. The main question was whether this would conflict with the ongoing work Keith (kzantow) is doing on cross-builds for Windows.
  • Outcome: Since Keith wasn’t on the stream, Chris will follow up with him offline. Assuming there are no conflicts, this PR will be merged.

Syft PR #4029: Feat: migrate syft to archives instead of anchore fork

  • Discussion: This pull request aims to replace our internal fork of the archiver library with the newer, maintained archives/archiver. The team provided some history on why the fork exists: we originally forked mholt/archiver to patch a “zip slip” vulnerability after a fix couldn’t be merged upstream in a timely manner. The original upstream project is now archived, so moving to a maintained library is a welcome contribution.
  • Side-bar: Alan (popey) asked about the general problem of knowledge being siloed with a single long-time developer. Will (willmurphyscode) clarified that the issue isn’t that only Alex can review it, but that getting anyone else up to speed with the deep historical and security context would be very time-consuming.
  • Outcome: This change is significant and has security implications, so it requires a thorough review from Alex (wagoodman), who has the most context. The team will revisit this PR when he is available.
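For readers who have not met the bug class behind the fork, here is the guard a “zip slip” fix adds, written as an added example for this summary (it is not code from Syft, from the archiver fork, or from the PR). It resolves each archive entry name against the extraction directory and refuses any entry whose cleaned path escapes it; the entry names and the `/tmp/extract` destination are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// SafeExtractPath resolves an archive entry name against the extraction
// directory and rejects any entry whose cleaned path would land outside it.
// This is the check a "zip slip" fix adds: without it, an entry named
// "../../etc/passwd" is written outside dest.
func SafeExtractPath(dest, entryName string) (string, error) {
	base := filepath.Clean(dest)
	target := filepath.Join(base, entryName) // Join cleans, resolving any ".." segments
	rel, err := filepath.Rel(base, target)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("zip slip: entry %q escapes %q", entryName, dest)
	}
	return target, nil
}

// PlanExtraction classifies a list of entry names (standing in for an
// archive's central directory) into paths that may be written and entries
// that must be refused.
func PlanExtraction(dest string, names []string) (safe, rejected []string) {
	for _, n := range names {
		p, err := SafeExtractPath(dest, n)
		if err != nil {
			rejected = append(rejected, n)
			continue
		}
		safe = append(safe, p)
	}
	return safe, rejected
}

func main() {
	// Constructed entry names; the last three are the hostile cases.
	entries := []string{"README.md", "bin/tool", "docs/../LICENSE", "../../etc/passwd", "a/../../escape", ".."}
	safe, rejected := PlanExtraction("/tmp/extract", entries)
	fmt.Println("write:", safe)
	fmt.Println("refuse:", rejected)
}
```

Note that `docs/../LICENSE` is accepted because it cleans to a path inside the destination; the check is on the resolved path, not on the presence of `..`. Entries that are symlinks pointing outside the destination are a separate concern and need their own check, which this example does not include.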

Syft PR #3932: Add option for deterministic SPDX SBOMs

  • Discussion: This PR introduces options to make the SPDX SBOM output deterministic, meaning you get a byte-for-byte identical file for the same scan input. Chris confirmed that this is an opt-in feature and doesn’t change the default behavior. The two non-deterministic elements in SPDX output are the created timestamp and the documentNamespace UUID. This PR allows a user to provide a fixed timestamp and generates a deterministic UUID based on the SBOM’s content (files, packages, and licenses).
  • Side-bar: This led to a great discussion about reproducible builds. Josh Bressers from Anchore noted in the chat that this feature is highly desirable for reproducible builds, enabling a “trust but verify” workflow where anyone can regenerate an SBOM and confirm it matches the original. The team also briefly compared this with the CycloneDX specification, which explicitly states that every generated SBOM should have a unique serial number, even if the content is identical.
  • Outcome: The team agrees the functionality is valuable. There were two action items:
    1. The configuration option (deterministic-uuid) is a bit confusing. Chris will work with the contributor to rename it to be more descriptive of its effect on the SPDX document namespace.
    2. Dan (nurmi) raised an excellent point about ensuring the inputs used to generate the deterministic UUID are comprehensive enough to avoid hash collisions between different SBOMs. The team will do a deeper review of this implementation before merging.
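To make the two points above concrete (a content-derived UUID for the document namespace, and Dan’s concern that the inputs must be comprehensive), here is an added example of how such a UUID can be derived. It is not Syft’s implementation or the PR’s code: the `File`, `Package` and `SBOM` types are hypothetical stand-ins, the SHA-256-based layout is one reasonable choice rather than the PR’s, and the base URI passed to `SPDXDocumentNamespace` is an assumption.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"sort"
	"strings"
)

// Minimal SBOM shapes for this example; these are hypothetical and are not
// Syft's own types.
type File struct {
	Path   string
	SHA256 string
}

type Package struct {
	Name     string
	Version  string
	PURL     string
	Licenses []string
}

type SBOM struct {
	Files    []File
	Packages []Package
}

// canonicalize renders every file, package and license as a tagged record,
// then sorts the records, so neither cataloger order nor license order can
// change the digest. Fields are joined with NUL so "a"+"bc" and "ab"+"c"
// cannot collide. Leaving a field out here is exactly how two different
// SBOMs would end up sharing a UUID.
func canonicalize(s SBOM) string {
	var records []string
	for _, f := range s.Files {
		records = append(records, strings.Join([]string{"file", f.Path, f.SHA256}, "\x00"))
	}
	for _, p := range s.Packages {
		lics := append([]string(nil), p.Licenses...)
		sort.Strings(lics)
		records = append(records, strings.Join([]string{"pkg", p.Name, p.Version, p.PURL, strings.Join(lics, ",")}, "\x00"))
	}
	sort.Strings(records)
	return strings.Join(records, "\n")
}

// DeterministicUUID hashes the canonical content with SHA-256 and lays the
// first 16 bytes out as a name-based UUID (version nibble 5, RFC 4122
// variant bits). Same content in, same UUID out; any change to a file,
// package or license changes it.
func DeterministicUUID(s SBOM) string {
	sum := sha256.Sum256([]byte(canonicalize(s)))
	b := sum[:16]
	b[6] = (b[6] & 0x0f) | 0x50
	b[8] = (b[8] & 0x3f) | 0x80
	return fmt.Sprintf("%x-%x-%x-%x-%x", b[0:4], b[4:6], b[6:8], b[8:10], b[10:16])
}

// SPDXDocumentNamespace joins a caller-supplied base URI with the content
// UUID. The base URI is an assumption of this example, not Syft's format.
func SPDXDocumentNamespace(base string, s SBOM) string {
	return strings.TrimRight(base, "/") + "/" + DeterministicUUID(s)
}

func main() {
	// Constructed sample content.
	sbom := SBOM{
		Files:    []File{{Path: "/usr/bin/app", SHA256: "0123"}, {Path: "/etc/app.conf", SHA256: "abcd"}},
		Packages: []Package{{Name: "app", Version: "1.2.3", PURL: "pkg:golang/example.com/app@1.2.3", Licenses: []string{"MIT", "Apache-2.0"}}},
	}
	// A fixed creation time is the other half of a reproducible SPDX document.
	fmt.Println("created:", "2025-08-14T19:00:00Z")
	fmt.Println("documentNamespace:", SPDXDocumentNamespace("https://example.com/sbom", sbom))
}
```

Two SBOMs whose files and packages are listed in different orders get the same UUID, while dropping a license from one package changes it; that second property is the one to verify when reviewing which inputs feed the hash.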

Grype Issue #2838: False positive for golang package due to subpath

  • Discussion: A user reported a false positive in Grype caused by a PURL (Package URL) that Syft generated for a Go package. The PURL includes a subpath (e.g., .../vault#api/auth/kubernetes@v1.14.0). While this is technically allowed by the PURL specification, it’s problematic because the subpath (api/auth/kubernetes) is a separate, nested Go module inside the main vault repository, complete with its own go.mod file. Vulnerabilities for the parent vault module do not necessarily apply to this distinct submodule, leading to the false positive.
  • Outcome: This issue raised deeper questions.
    1. Should Syft identify the nested module as a separate package with its own PURL, rather than using a subpath?
    2. Regardless of what Syft does, should Grype be able to correctly interpret and match PURLs with Go subpaths?
    The team concluded that more investigation is needed into Syft’s PURL generation logic for Go modules before a decision can be made.
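The second question above, whether a matcher can interpret a Go PURL subpath correctly, comes down to Go’s own rule that a package belongs to the nearest enclosing directory with a go.mod. The following is an added example (not Grype’s or Syft’s code) that parses a golang PURL with a subpath and resolves the owning module against a set of known go.mod locations. The module path `example.com/vault`, the nested module `api/auth/kubernetes` and the `goMods` set are constructed for the demonstration, standing in for a real filesystem walk; the parser also tolerates the version appearing after the subpath, the form quoted in the issue, in addition to the spec’s `@version` before `#subpath`.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// GoPURL is the part of a Package URL this example cares about. Subpath is
// the component after '#'; for Go it names a directory inside module Name.
type GoPURL struct {
	Name    string // module path, e.g. example.com/vault
	Version string
	Subpath string
}

// ParseGoPURL handles pkg:golang/<module>@<version>#<subpath>. It also
// accepts the version after the subpath by looking for '@' in either piece.
// Qualifiers after '?' are dropped.
func ParseGoPURL(purl string) (GoPURL, error) {
	const prefix = "pkg:golang/"
	if !strings.HasPrefix(purl, prefix) {
		return GoPURL{}, errors.New("not a golang purl")
	}
	rest := purl[len(prefix):]
	var p GoPURL
	if i := strings.Index(rest, "#"); i >= 0 {
		p.Subpath, rest = rest[i+1:], rest[:i]
	}
	if i := strings.Index(rest, "?"); i >= 0 {
		rest = rest[:i]
	}
	if i := strings.LastIndex(p.Subpath, "@"); i >= 0 {
		p.Version, p.Subpath = p.Subpath[i+1:], p.Subpath[:i]
	}
	if i := strings.LastIndex(rest, "@"); i >= 0 {
		p.Version, rest = rest[i+1:], rest[:i]
	}
	p.Name = rest
	p.Subpath = strings.Trim(p.Subpath, "/")
	if p.Name == "" {
		return GoPURL{}, errors.New("empty module path")
	}
	return p, nil
}

// OwningModule walks up from module+subpath to the nearest directory that
// has a go.mod. goMods holds the module paths known to have one (a
// constructed set here). It returns the module a vulnerability match should
// be keyed on and whether the subpath turned out to be a distinct nested module.
func OwningModule(p GoPURL, goMods map[string]bool) (module string, nested bool) {
	if p.Subpath == "" {
		return p.Name, false
	}
	full := p.Name + "/" + p.Subpath
	for cur := full; cur != p.Name; cur = parentDir(cur) {
		if goMods[cur] {
			return cur, true
		}
	}
	return p.Name, false
}

func parentDir(path string) string {
	if i := strings.LastIndex(path, "/"); i >= 0 {
		return path[:i]
	}
	return path
}

func main() {
	// Constructed: the parent module and one nested module both carry a go.mod.
	goMods := map[string]bool{
		"example.com/vault":                     true,
		"example.com/vault/api/auth/kubernetes": true,
	}
	for _, purl := range []string{
		"pkg:golang/example.com/vault@v1.14.0#api/auth/kubernetes",
		"pkg:golang/example.com/vault#api/auth/kubernetes@v1.14.0",
		"pkg:golang/example.com/vault@v1.14.0#sdk/helper",
	} {
		p, err := ParseGoPURL(purl)
		if err != nil {
			fmt.Println(err)
			continue
		}
		mod, nested := OwningModule(p, goMods)
		fmt.Printf("%s -> match against %s (nested module: %v)\n", purl, mod, nested)
	}
}
```

When the subpath resolves to a nested module, the parent module’s advisories should not be applied to it. Note that a nested module is versioned independently of its parent, so the `@v1.14.0` carried by the subpath PURL is the parent’s version, not the nested module’s; this is why the team wants to revisit how Syft builds the PURL rather than only teaching Grype to read the subpath.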

Grant Issue #176: Add license data to CSV output

  • Discussion: In the last few minutes, Henry in the chat asked for clarification on the status of Grant. He was interested in contributing to this issue but was concerned about a potential rewrite making his work obsolete.
  • Outcome: Chris cleared up a misunderstanding, confirming there are no plans for a major rewrite of Grant. He explained the planned sequence of work: first, a new version of Syft with improved Go license data will be released and pulled into Grant. Then, a pending PR to improve Grant’s performance will be merged. After that, the codebase will be in a stable state to work on this new feature. Chris offered to connect with Henry directly to coordinate the contribution, a suggestion Alan enthusiastically supported as a great way to collaborate.