grype
A vulnerability scanner for container images and filesystems
**What happened**: Used grype to scan a vulnerable jar. **What you expected to happen**: Grype scan to detect vulnerabilities in the jar. **How to reproduce it (as minimally and precisely...
Given a set of [VEX statements](https://github.com/openvex/spec/blob/main/OPENVEX-SPEC.md#the-vex-statement), which represents status assessments relative to a vulnerability matched with a product, it would be ideal to filter grype results down to useful or...
Based on the later discussion in https://github.com/anchore/grype/issues/1314, it looks like our Docker image for Grype does not support running as a non-root user. There are some possible ways we could...
Bitnami is providing vulnerability matching data for their containers, which have embedded SPDX documents outlining the contained components: https://github.com/bitnami/vulndb . This could be leveraged in order to improve matching in...
Today syft has an SBOM cataloger that is on by default. In the use case of syft, which is to create an SBOM, this being on by default is useful...
**What happened**: When scanning a container that has xalan-2.7.1.redhat-00013.jar listed. /modules/system/layers/base/.overlays/layer-base-jboss-eap-/org/apache/xalan/main/xalan-2.7.1.redhat-00013.jar It links to CVE-2022-34169. **What you expected to happen**: According to Red Hat JBOSS EAP, xalan-2.7.1.redhat-00013.jar, CVE-2022-34169...
**What happened**: I have a Gradle Java project that is using the Jetty server: `| +--- org.eclipse.jetty:jetty-bom:11.0.16 | | +--- org.eclipse.jetty:jetty-webapp:11.0.16 (c) | | +--- org.eclipse.jetty:jetty-servlet:11.0.16 (c) | | +--- org.eclipse.jetty:jetty-xml:11.0.16`...
**What happened**: Grype reports a vulnerability because Syft lists rpm 4.14.3, but the OS distributor has already released fixes for that version. $ syft | grep rpm python3-rpm 4.14.3-150300.55.1 rpm rpm 4.14.3 python...
While looking into #964, @spiffcs [discovered](https://github.com/anchore/grype/issues/964#issuecomment-1289285954) that when Grype started using Alpine's secdb data for edge, Grype began surfacing additional vulnerability matches that hadn't shown up before. This indicates an...
## Summary
The alpine matcher needs to be updated to behave a little differently from the other distro specific matchers. [Secdb](https://secdb.alpinelinux.org/) is a collection of records that denotes if a...