August 15th | Open Source Gardening | Live Stream

We ended up discussing the following issues:

Syft

• Missing dependency relationships between direct dependencies and transient dependencies in NPM packages · Issue #3109 · anchore/syft · GitHub
• Wrong CPEs generated for OpenSSL by dotnet cataloguer · Issue #3120 · anchore/syft · GitHub
• Support generating sbom for specific pnpm workspace packages · Issue #2574 · anchore/syft · GitHub
• Dependency graph of BOMs generated with Syft is incomplete due to missing root node · Issue #3071 · anchore/syft · GitHub

Grype

• Filter output by severity · Issue #2006 · anchore/grype · GitHub - discussion continuing at How can we make Grype's output more focused?

We then rolled the and picked up a few for a brief discussion.

• Add option to exclude packages introduced from a base layer · Issue #1809 · anchore/syft · GitHub
• Automatic feedback of scan results as PR comment · Issue #162 · anchore/scan-action · GitHub
• False positive: GHSA-ggxm-pgc9-g7fp (CVE-2021-31799) in SLES 15.5 · Issue #1893 · anchore/grype · GitHub