October 17th | Open Source Gardening | Live Stream

Hello everyone!

Every Thursday, the Anchore Open Source team runs a live stream to discuss issues, pull requests and future planning in our SBOM and vulnerability tools.

Starts at 2024-10-17T19:00:00Z for about an hour.

Expect engineering and project management discussions, a bit of GitHub issue gardening on Syft, Grype, and the rest of the family.

Join us today for a relaxed, educational and productive live stream.

If you’d like to join us on the Zoom call to discuss any relevant topics, DM me right here in Discourse for the link.

Topics

• Updates - If there’s any important news about the tools, we’ll usually start there.
• Needs discussion - issues and pull requests marked ‘needs-discussion’.
• Any other issues or pulls that need our collective brains
• Questions from the audience

Here’s some handy repo-specific links:

• ND = Marked “Needs discussion”
• Open = All other issues and PRs that are open

(number is quantity at time of posting)

Project	Issues (ND)	PRs (ND)	Issues (Open)	PRs (Open)
syft	16	0	361	30
grype	12	0	254	17
grant	0	0	16	1
sbom-action	0	0	11	3
scan-action	0	0	17	2
grype-db	0	0	12	3
vunnel	0	0	27	6
quill	0	0	12	13

@popey I wanted to bring How to act on go-module vulnerabilities? up as a discussion topic. It’s labeled as discuss but that doesn’t make it automatically show up in the post here.

This we discussed this week:

• 00:05: How to act on go-module vulnerabilities?
• 00:29: Possiblity to run Syft on a Dockerfile · Issue #1074 · anchore/syft · GitHub
• 00:37: MySQL binary classifier should distinguish between MySQL Cluster (ndb) and MySQL · Issue #3297 · anchore/syft · GitHub
• 00:44: Issue with embedded components when scanning SBOM for vulnerabilities. · Issue #872 · anchore/grype · GitHub
  • Add config for CPE part filtering by wagoodman · Pull Request #410 · anchore/grype-db · GitHub
• 00:56: Support keyless attestation · Issue #311 · anchore/sbom-action · GitHub