We’re back with the Anchore Open Source team running a live stream to discuss issues, pull requests, and future roadmap planning in our SBOM and vulnerability tools.
Starts at 2025-07-03T19:00:00Z for about an hour.
Expect engineering and project management discussions, a bit of GitHub issue gardening on Syft, Grype, and the rest of the family.
Join us today for a relaxed, educational, and productive live stream.
Topics
Issues - Open issues with “needs-discussion” label
Pull Requests - Open PRs with “needs-discussion” label
Here are the notes from our latest “Open Source Gardening” session, where we triaged bugs, discussed pull requests, and worked on improving our open-source tools.
The team discussed a bug in Syft where the syft attest command fails to create a binary relationship for the subject, resulting in an incomplete attestation. This was identified as a good first issue for a new contributor to pick up. The problem lies in the relationship creation process, which needs to be corrected so that the generated attestations are accurate and complete.
Next, the team looked at a feature request for Grype. The request is to display the license of each package that has a vulnerability. This would provide users with more context about the packages they are using and their associated licenses, which is particularly useful when a vulnerable package is found. The team agreed this would be a valuable addition to Grype’s output.
Towards the end of the stream, the team reviewed a pull request for Vunnel. This PR adds a new data source for the National Vulnerability Database (NVD). The team was pleased to see this community contribution and, after a brief review, decided to merge it. This enhancement will allow Vunnel to pull in even more vulnerability data, making Grype’s scans more comprehensive.
We hope this summary is helpful. We encourage you to get involved in our projects on GitHub. See you at the next live stream!