September 11th | Open Source Gardening | Live Stream

:wave: Hello everyone!

We’re back with the Anchore Open Source team running a live stream to discuss issues, pull requests, and future roadmap planning in our SBOM and vulnerability tools.

:alarm_clock: Starts at 2015-09-11T19:00:00Z for about an hour.

Expect engineering and project management discussions, a bit of GitHub issue gardening on Syft, Grype, and the rest of the family.

Join us today for a relaxed, educational, and productive live stream.

Topics

Here’s a summary of the Anchore Open Source Team’s gardening session on September 11, 2025.

Here are the notes from our latest open-source gardening session. This week, the team included Alan Pope, Alex Goodman, Christopher Phillips, Dan Nurmi, and Keith Zantow. We covered recent service updates, some tricky .NET issues, and brainstormed how to track dependencies in GitHub Actions.

You can join us live every Thursday, and we also host a community meeting every two weeks where you can bring your own topics for discussion.


Update: Rise in false positives due to missing NVD overrides

Alex kicked things off with a PSA about a recent incident with the Grype DB. On September 10th, the database was published without approximately 15,000 NVD data overrides that the team curates to improve matching accuracy (e.g., adding missing CPEs). This led to a temporary increase in false positives for some users. The issue was quickly noticed by the community, and the team has since remediated it. The team gave a shout-out to the community for their vigilance in spotting and reporting these kinds of issues so promptly.


Should I create a template or just post-process to get an SPDX SBOM containing PURLs only?

The team reviewed a user’s question about the best way to generate a minimal SPDX SBOM that contains only Package URLs (PURLs). The consensus was that post-processing the output would be a better approach than creating a custom template, especially to ensure the resulting SBOM remains compliant with the SPDX spec.

Dan pointed out that Syft already has a purl-list output format, and Alex confirmed that Syft can also convert a PURL list back into a valid SPDX document, which was a feature he was happy to learn about.

This led to a fascinating discussion about quality gates within the Vunnel and Grype projects. These automated tests currently run on full container images to ensure vulnerability matching is accurate, but this can be slow. Alex mentioned the team is planning to shift these quality gates to use PURL lists as the unit of work instead of entire SBOMs. This would allow for much faster and more focused testing by using a minimal set of PURLs to verify specific matching behaviors, rather than processing all the packages in a large base image.
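As an added illustration of the post-processing approach the team recommended (this is example code written for these notes, not Syft's own converter), the script below takes an SPDX 2.3 JSON document, keeps only the document-level fields and the package fields SPDX requires, keeps only PACKAGE-MANAGER/purl external references, drops packages that have no PURL at all (they cannot appear in a PURL-only SBOM), and prunes relationships that would otherwise point at removed elements. The input document is a constructed sample, not real Syft output, and the document namespace and package identifiers in it are made up.

```python
import copy
import json

# Constructed SPDX 2.3 JSON document (not real Syft output); namespace and IDs are made up.
SAMPLE_SPDX = {
    "spdxVersion": "SPDX-2.3",
    "dataLicense": "CC0-1.0",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-image",
    "documentNamespace": "https://example.invalid/spdx/example-image-0001",
    "creationInfo": {"created": "2025-09-11T19:00:00Z", "creators": ["Tool: example-postprocessor"]},
    "packages": [
        {
            "SPDXID": "SPDXRef-Package-deb-curl",
            "name": "curl",
            "versionInfo": "7.88.1",
            "downloadLocation": "NOASSERTION",
            "licenseConcluded": "curl",
            "externalRefs": [
                {"referenceCategory": "SECURITY", "referenceType": "cpe23Type",
                 "referenceLocator": "cpe:2.3:a:curl:curl:7.88.1:*:*:*:*:*:*:*"},
                {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                 "referenceLocator": "pkg:deb/debian/curl@7.88.1?arch=amd64"},
            ],
        },
        {
            "SPDXID": "SPDXRef-Package-npm-lodash",
            "name": "lodash",
            "versionInfo": "4.17.21",
            "downloadLocation": "NOASSERTION",
            "externalRefs": [
                {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                 "referenceLocator": "pkg:npm/lodash@4.17.21"},
            ],
        },
        {
            # A package with no PURL cannot be represented in a PURL-only SBOM, so it is dropped.
            "SPDXID": "SPDXRef-Package-unknown-blob",
            "name": "mystery-binary",
            "downloadLocation": "NOASSERTION",
            "externalRefs": [],
        },
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-Package-deb-curl"},
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-Package-npm-lodash"},
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-Package-unknown-blob"},
    ],
}

# Document-level fields SPDX 2.3 requires, and the package fields kept in the slimmed output.
DOC_KEEP = ("spdxVersion", "dataLicense", "SPDXID", "name", "documentNamespace", "creationInfo")
PKG_KEEP = ("SPDXID", "name", "versionInfo", "downloadLocation")


def purl_refs(pkg):
    """Return only the PURL external references of a package."""
    return [r for r in pkg.get("externalRefs", [])
            if r.get("referenceCategory") == "PACKAGE-MANAGER" and r.get("referenceType") == "purl"]


def purl_only_spdx(doc):
    """Build a minimal SPDX document whose packages carry nothing but their PURLs."""
    out = {k: copy.deepcopy(doc[k]) for k in DOC_KEEP if k in doc}
    packages = []
    for pkg in doc.get("packages", []):
        refs = purl_refs(pkg)
        if not refs:
            continue
        slim = {k: pkg[k] for k in PKG_KEEP if k in pkg}
        slim.setdefault("downloadLocation", "NOASSERTION")  # required by SPDX 2.3
        # No file-level data is kept, so declare filesAnalyzed=false; otherwise the spec
        # would require a packageVerificationCode that we no longer carry.
        slim["filesAnalyzed"] = False
        slim["externalRefs"] = refs
        packages.append(slim)
    out["packages"] = packages
    # Keep only relationships whose both ends still exist in the slimmed document.
    kept = {doc.get("SPDXID", "SPDXRef-DOCUMENT")} | {p["SPDXID"] for p in packages}
    out["relationships"] = [r for r in doc.get("relationships", [])
                            if r.get("spdxElementId") in kept and r.get("relatedSpdxElement") in kept]
    return out


def purl_list(doc):
    """Flatten an SPDX document into a plain list of PURL strings."""
    return [r["referenceLocator"] for pkg in doc.get("packages", []) for r in purl_refs(pkg)]


if __name__ == "__main__":
    slim = purl_only_spdx(SAMPLE_SPDX)
    print(json.dumps(slim, indent=2))
    print("\n".join(purl_list(slim)))
```

Running the slimmed document through an SPDX validator afterwards is still worthwhile: the post-processor preserves the required fields, but a validator is the only thing that proves the result is compliant with the spec.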


CycloneDX SBOM files do not pass cyclonedx-cli validate command

Chris shared another PSA for users of the cyclonedx-cli validation tool. If a Syft-generated SBOM contains the Smail-GPL license, the validator may incorrectly flag the document as invalid.

The issue is not with Syft. Syft uses an automated bot to stay up-to-date with the very latest SPDX license list. The problem lies with the cyclonedx-cli tool, which has an outdated license list baked into its binary and hasn’t had a new release in a while. An issue has been filed with the CycloneDX CLI project, and a fix is expected in their next release.
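A practical pre-flight check for this failure mode, added here as example code (it is not part of Syft or cyclonedx-cli), is to pull every license identifier out of a CycloneDX JSON document, including the identifiers inside SPDX license expressions, and compare them against whatever license list the validator you use actually knows. The BOM below is a constructed sample, and the known-ID set is a deliberately stale stand-in for a validator's baked-in list; in real use you would load the list shipped with your validator version instead.

```python
import re

# Constructed CycloneDX 1.5 JSON fragment (not real Syft output).
SAMPLE_BOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "liba", "version": "1.0",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "smail", "version": "3.2",
         "licenses": [{"license": {"id": "Smail-GPL"}}]},
        {"type": "library", "name": "libc", "version": "2.0",
         "licenses": [{"expression": "(Apache-2.0 OR GPL-2.0-only WITH Classpath-exception-2.0)"}]},
        # A free-text license name carries no SPDX ID, so there is nothing to check.
        {"type": "library", "name": "libd", "version": "0.1",
         "licenses": [{"license": {"name": "Custom vendor terms"}}]},
    ],
}

# Constructed stand-in for the license list baked into a validator binary. It is
# deliberately missing Smail-GPL to reproduce the stale-list situation described above.
VALIDATOR_KNOWN_IDS = {"MIT", "Apache-2.0", "GPL-2.0-only", "Classpath-exception-2.0", "BSD-3-Clause"}

_EXPR_TOKEN = re.compile(r"[A-Za-z0-9.+-]+")
_OPERATORS = {"AND", "OR", "WITH"}


def ids_in_expression(expr):
    """Split an SPDX license expression into its bare identifiers (operators dropped)."""
    return [t for t in _EXPR_TOKEN.findall(expr) if t.upper() not in _OPERATORS]


def license_ids(bom):
    """Collect every SPDX license identifier referenced by the BOM's components."""
    found = []
    for comp in bom.get("components", []):
        for entry in comp.get("licenses", []):
            if "expression" in entry:
                found.extend(ids_in_expression(entry["expression"]))
            elif "id" in entry.get("license", {}):
                found.append(entry["license"]["id"])
    return found


def unknown_license_ids(bom, known_ids):
    """Identifiers a validator with the given list would reject, sorted for stable output."""
    return sorted({lid for lid in license_ids(bom) if lid not in known_ids})


if __name__ == "__main__":
    for lid in unknown_license_ids(SAMPLE_BOM, VALIDATOR_KNOWN_IDS):
        print(f"validator list does not contain: {lid}")
```

An identifier flagged by this check is not necessarily invalid; as the note above explains, it may simply be newer than the list compiled into the validator, which is exactly the Smail-GPL case.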


Syft Issue #4209: Track GitHub Actions workflow SBOMs

The team tackled a feature request to create an SBOM for GitHub Actions workflows, including all their transitive dependencies.

The team confirmed that Syft can already scan a .github directory and identify the GitHub Actions and workflows being used, creating basic SBOM entries for them. However, the user’s request goes deeper: they want Syft to recursively analyze the actions themselves to find their dependencies. This is complex because a GitHub Action can be:

  • A composite action that calls other actions.
  • A JavaScript action with its dependencies in node_modules.
  • A container action running in a Docker image.

Fully supporting this would require Syft to perform “online” tasks like cloning repositories or pulling container images during a scan, which is a significant architectural change. Dan suggested a potential workaround: using a tool like act to first download all the components of a workflow into a local directory, which Syft could then scan.

Outcome: The team decided to post a comment on the issue explaining Syft’s current capabilities and outlining the complexities of a fully recursive scan.
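To make the three action kinds above concrete, here is an added example (written for these notes, not code from Syft) that extracts every `uses:` reference from a workflow file and classifies it as a repository action, a local action checked into the repo, or a container action, then marks which of them a scanner could only resolve further by going online. The workflow text is a constructed sample; the `pkg:githubactions/...` PURL shape for repository actions is an assumption made here, not something taken from Syft's source.

```python
import re

# Constructed workflow file (not taken from the issue).
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4.0.2
      - uses: ./.github/actions/local-composite
      - uses: docker://ghcr.io/example/linter:1.2.3
      - name: build
        run: make build
"""

# Matches "uses: <ref>" at step or job level, tolerating quotes and a trailing comment.
_USES = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)", re.MULTILINE)


def classify(ref):
    """Classify a single uses: reference by how GitHub Actions resolves it."""
    if ref.startswith("docker://"):
        return {"kind": "container", "ref": ref, "image": ref[len("docker://"):]}
    if ref.startswith("./"):
        return {"kind": "local", "ref": ref, "path": ref}
    name, _, version = ref.partition("@")
    return {"kind": "repository", "ref": ref, "name": name, "version": version or None}


def workflow_uses(text):
    """All uses: references in a workflow, in file order."""
    return [classify(m.group(1)) for m in _USES.finditer(text)]


def needs_fetch(entry):
    """True when resolving the action's own dependencies requires network access:
    a repository action must be cloned (composite or JavaScript with node_modules)
    and a container action must be pulled. Only local actions are already on disk."""
    return entry["kind"] in ("repository", "container")


def action_purl(entry):
    """PURL for a repository action; the pkg:githubactions type is an assumption here."""
    if entry["kind"] != "repository":
        return None
    return f"pkg:githubactions/{entry['name']}" + (f"@{entry['version']}" if entry["version"] else "")


if __name__ == "__main__":
    for e in workflow_uses(SAMPLE_WORKFLOW):
        print(e["kind"], e["ref"], "online resolution needed" if needs_fetch(e) else "on disk")
```

Counting how many references need fetching is a quick way to estimate what a fully recursive scan would cost for a given repository before deciding whether an offline pre-download step (such as the one Dan suggested) is worth setting up.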


Grype Issue #2933: zsh completion fails

A user reported that tab-completion for Grype commands is broken in zsh. The team confirmed this is a known issue and likely affects other shells, not just zsh.

All command-line functionality, including completions, is handled by the popular spf13/cobra library. Alex noted that this would be a good opportunity not only to fix the bug but also to enhance the completion logic for both Syft and Grype, such as adding the ability to auto-complete local container image names.

Outcome: The issue requires further investigation.


Grype Issue #2910: Grype DB download can timeout

This was a quick check-in on an older issue where users occasionally get a 504 Gateway Timeout error when downloading the Grype DB. The team had previously discussed potential solutions like implementing a single retry on failure. The user who originally reported this was present at the community meeting earlier in the day but didn’t bring it up, which suggests it may not be a frequent problem.

Outcome: The team will follow up with the user to understand how often this still occurs.


A Collection of .NET Issues

The team spent a significant amount of time triaging a set of related issues concerning .NET support in Syft, most of which were submitted by community member Wes.

  • Syft Issue #4166: False positives on .NET packages that are part of the runtime
    Syft is currently reporting some packages that are included as part of the .NET runtime itself, leading to false positives. The discussion identified that a type: "runtimepack" field within the deps.json file could be the key to filtering these out. It appears Syft might be ignoring this field.
    Outcome: This seems like a promising and straightforward fix.

  • Syft Issue #4162: Add .NET deps.json metadata to CycloneDX JSON
    This issue provides a clear suggestion for how to better populate the metadata component in the CycloneDX format for .NET packages, improving the richness of the SBOM.
    Outcome: The team agreed this is a great, low-effort enhancement. Chris and Alan marked it as a good first issue for new contributors.

  • Syft Issue #4167: Add config option to disable .NET DLL parsing
    For performance reasons, a user requested an option to disable the parsing of .dll files. On very large projects, like the .NET SDK itself, this process can be time-consuming. The current .NET cataloger combines logic for parsing manifest files (like deps.json) and binary PE files (.dlls), and there is no way to turn off just the binary parsing part.
    Outcome: The team agreed to add a new configuration option to allow users to disable this.
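For the runtimepack discussion under Syft Issue #4166, the following added example (not Syft's .NET cataloger) shows what the proposed filter looks like on a deps.json: libraries are read from the `libraries` section, entries whose `type` is `runtimepack` are dropped by default, and the runtime files those entries list are collected so a binary scan could also recognise the runtime's own DLLs. The deps.json content is a constructed sample for a self-contained application, with made-up hashes.

```python
import json

# Constructed deps.json for a self-contained .NET app (not a real file; hash is made up).
SAMPLE_DEPS_JSON = json.dumps({
    "runtimeTarget": {"name": ".NETCoreApp,Version=v8.0/linux-x64"},
    "targets": {
        ".NETCoreApp,Version=v8.0/linux-x64": {
            "MyApp/1.0.0": {"dependencies": {"Newtonsoft.Json": "13.0.3"},
                            "runtime": {"MyApp.dll": {}}},
            "Newtonsoft.Json/13.0.3": {"runtime": {"lib/net6.0/Newtonsoft.Json.dll": {}}},
            "runtimepack.Microsoft.NETCore.App.Runtime.linux-x64/8.0.0": {
                "runtime": {"System.Private.CoreLib.dll": {}, "System.Runtime.dll": {}}},
        }
    },
    "libraries": {
        "MyApp/1.0.0": {"type": "project", "serviceable": False, "sha512": ""},
        "Newtonsoft.Json/13.0.3": {"type": "package", "serviceable": True,
                                   "sha512": "sha512-constructed", "path": "newtonsoft.json/13.0.3"},
        "runtimepack.Microsoft.NETCore.App.Runtime.linux-x64/8.0.0": {
            "type": "runtimepack", "serviceable": False, "sha512": ""},
    },
})


def libraries(deps_text, include_runtimepacks=False):
    """Libraries declared in deps.json as name/version/type, skipping runtimepacks by default."""
    deps = json.loads(deps_text)
    out = []
    for key, lib in deps.get("libraries", {}).items():
        name, _, version = key.partition("/")
        lib_type = lib.get("type")
        if lib_type == "runtimepack" and not include_runtimepacks:
            continue  # part of the .NET runtime itself, not an application dependency
        out.append({"name": name, "version": version, "type": lib_type})
    return out


def package_names(deps_text):
    """Only NuGet packages (type == "package"), which is what vulnerability matching cares about."""
    return [lib["name"] for lib in libraries(deps_text) if lib["type"] == "package"]


def runtime_files(deps_text):
    """Runtime file names contributed by runtimepack entries, so a DLL scan can skip them."""
    deps = json.loads(deps_text)
    runtimepack_keys = {k for k, v in deps.get("libraries", {}).items() if v.get("type") == "runtimepack"}
    files = set()
    for target in deps.get("targets", {}).values():
        for key in runtimepack_keys:
            files.update(target.get(key, {}).get("runtime", {}).keys())
    return files


if __name__ == "__main__":
    print(package_names(SAMPLE_DEPS_JSON))
    print(sorted(runtime_files(SAMPLE_DEPS_JSON)))
```

The `include_runtimepacks` switch is there because some users do want the runtime reported (for example to track the runtime version itself); the point of the issue is that it should not be reported as if it were an application package.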


Side Discussion: Improving Table Output

The discussion on the performance of scanning large .NET projects led to a broader conversation about improving the terminal UI for both Syft and Grype. The team expressed a desire for more powerful table output configurations, such as sorting packages by ecosystem type. Alan suggested the idea of a fully interactive TUI (Text-based User Interface). While the idea was met with some excitement, Chris cautioned that building and maintaining a good TUI is a massive undertaking that can often eclipse the core work of a project, with Alex also citing his experience building the dive tool.