Dan Luhring

Results: 169 comments by Dan Luhring

Let's do it! We've talked before about the possibility of re-hydrating artifacts from SBOMs. (This came up in an `sget` conversation a couple times, I think). I think it's super...

Let's re-open this, with the goal of providing better guidance to folks working in air-gapped environments

I think there might be two separate workflows we could outline for users:
1. Fetching the database in advance, and ensuring that it's placed in Grype's cache directory ahead of...

Thanks for the report @emosbaugh! There's definitely something missing here. Just for some clarity, the "FIXED-IN" column shows versions of the _identified package_ (e.g. `musl`), rather than of the underlying...

Hi @Product, can you share what's in the `./tidb/` directory? That would help us figure out what's going on here.

Hi @enggabhishekshinde, thanks for reporting this. This looks like the same kind of issue we're seeing in #192.
### More details
I pulled the JAR you mentioned from here: https://repo1.maven.org/maven2/org/springframework/spring-core/4.1.6.RELEASE/spring-core-4.1.6.RELEASE.jar...

> By the way, grype is quickly becoming better, good job :)

Thanks @Karreg! 😍 I think this is another case of how we generate CPEs with subselections of words in...

Adding a link to the related (and currently ongoing) thread in our community Slack: https://anchorecommunity.slack.com/archives/C027JE5M345/p1629141976015600 We can update this issue when we get more clarity on an acceptable path forward.

Follow up on this — there's a few action items to note:
### Re: wrong digest in CycloneDX (this issue)
Confirmed. In CycloneDX output, Grype sets the `bom.metadata.component.version` field to...

Hi @turbobobbytraykov! For the table output (along with the other built-in formats), Grype doesn't use the template engine. Grype's code to generate table output is here: https://github.com/anchore/grype/blob/main/grype/presenter/table/presenter.go

> I am composing...