Hi team,
Currently I’m implementing grype to perform the proper security scanning for my containers.
One specific CVE ( CVE-2024-42516) for apache httpd was recently published on Jul 10th and got updated by Jul 15 (the CVSS score was added), the scans I executed during the timeframe of Jul 10th to Jul 14th didnt show me the CVE until I ran scans on Jul 15th when the record was updated.
I did perform a db update every day.
Is this an usual behavior of grype?
Hi, a CVE from NVD won’t show up in grype until CPEs are added to the configuration. NVD has not been handling these in any reasonable amount of time for the majority of entries since last year so we have to do it ourselves. I added the CPEs for these in our data in updates 2025-07-14 · anchore/cve-data-enrichment@14553d9 · GitHub on 14th July, so yeah it would have then been published in the grype database starting 15th July
That CVSS was added that day is just a coincidence