July 24th | Open Source Gardening | Live Stream

:wave: Hello everyone!

We’re back with the Anchore Open Source team running a live stream to discuss issues, pull requests, and future roadmap planning in our SBOM and vulnerability tools.

:alarm_clock: Starts at 2025-07-24T19:00:00Z for about an hour.

Expect engineering and project management discussions, plus a bit of GitHub issue gardening on Syft, Grype, and the rest of the family.

Join us today for a relaxed, educational, and productive live stream.

Topics

Hello! Here is a summary of the discussions from the Anchore Open Source Team’s live stream on July 24th.

How to do Vulnerability Scanning with Nix SBOMs

At around the 2 minute and 18 second mark, the team discussed the challenges of vulnerability scanning for Nix/NixOS systems. The conversation referenced a Discourse thread on the NixOS forum. The main challenge is that Nix builds packages in a unique way, which can make it difficult for standard vulnerability scanners to identify installed packages and their versions accurately. The team likely discussed how Syft could be improved to better support Nix, and how Grype could then use that information to provide more accurate vulnerability reports.

Add an option to fail on vulnerabilities without VEX statements

The team then moved on to discuss a feature request for Grype, issue #2813. This issue, raised at approximately the 8 minute and 31 second mark, suggests adding a new flag to Grype that would cause a scan to fail if it finds a vulnerability for which there is no corresponding VEX (Vulnerability Exploitability eXchange) statement.

This would be useful for teams that want to enforce a policy where every discovered vulnerability must be addressed, either by fixing it or by documenting why it’s not a threat in a VEX file. This would help to ensure that all vulnerabilities are accounted for and that the security posture of the application is clear.
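As an added illustration of the policy this feature request describes (not Grype's own VEX implementation, and not code from the stream), the check below reads a Grype JSON report and an OpenVEX document and lists every finding that no VEX statement addresses. The report and VEX document are constructed samples; the field names (`matches[].vulnerability.id`, `matches[].artifact.purl`, OpenVEX `statements[].vulnerability.name`, `products[].@id`, `status`) follow the real schemas, while the CVE ids and packages are made up.

```python
import json

# Constructed Grype JSON output (real Grype field names: matches[].vulnerability.id,
# matches[].artifact.purl); the CVE ids and packages here are made up.
GRYPE_REPORT = json.loads("""
{"matches": [
  {"vulnerability": {"id": "CVE-0000-0001"},
   "artifact": {"name": "libexample", "purl": "pkg:deb/debian/libexample@1.2.3"}},
  {"vulnerability": {"id": "CVE-0000-0002"},
   "artifact": {"name": "othertool", "purl": "pkg:deb/debian/othertool@4.5.6"}}
]}
""")

# Constructed OpenVEX document that only addresses the first finding.
OPENVEX_DOC = json.loads("""
{"@context": "https://openvex.dev/ns/v0.2.0",
 "statements": [
  {"vulnerability": {"name": "CVE-0000-0001"},
   "products": [{"@id": "pkg:deb/debian/libexample@1.2.3"}],
   "status": "not_affected",
   "justification": "vulnerable_code_not_in_execute_path"}
]}
""")


def vex_coverage(vex_doc):
    """Map (CVE id, product purl) -> status for every OpenVEX statement."""
    covered = {}
    for stmt in vex_doc.get("statements", []):
        for product in stmt.get("products", []):
            covered[(stmt["vulnerability"]["name"], product["@id"])] = stmt["status"]
    return covered


def findings_without_vex(report, vex_doc):
    """Return (CVE id, purl) pairs from a Grype report that no VEX statement addresses."""
    covered = vex_coverage(vex_doc)
    return [
        (m["vulnerability"]["id"], m["artifact"]["purl"])
        for m in report.get("matches", [])
        if (m["vulnerability"]["id"], m["artifact"]["purl"]) not in covered
    ]


def should_fail(report, vex_doc):
    """The requested policy: any finding with no VEX statement fails the scan."""
    return bool(findings_without_vex(report, vex_doc))
```

A CI job would run this after `grype -o json` and exit non-zero when `should_fail` returns `True`, so every finding is either fixed or documented in VEX before the build passes.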

Improve JVM Scan Accuracy for JDK and JRE Detection

Later in the stream, at roughly the 45 minute and 28 second mark, the discussion turned to Syft and an issue related to its Java scanning capabilities, issue #4071. The issue highlights several areas where Syft’s accuracy could be improved when scanning for Java installations:

  • Distinguishing between OpenJDK and Oracle JDK: Syft sometimes misidentifies Oracle JREs as OpenJDK.

  • Duplicate JDK detection: When scanning a JDK folder, Syft can report two JDK versions.

  • Incorrect JRE classification: Syft may misclassify some JREs.

The team likely discussed potential solutions to these problems, such as improving how Syft parses version information from Java binaries and release files.