Dan Luhring

Results: 169 comments by Dan Luhring

Linking to the issue for keyless support in Syft: https://github.com/anchore/syft/issues/835

Sorry @caarlos0, I missed your earlier comment. From what I understand, using `docker_signs` would work, in that the image is already published. Regarding whether or not to wait on https://github.com/anchore/syft/issues/835,...

> So we can probably close this, correct?

Correct. And I agree with you that perhaps this could be documented, if there's not a named section that refers to this specific...

I think that works! Since it's related to both signing and SBOMs, maybe we could also link to that new section from [here](https://github.com/goreleaser/goreleaser/blob/main/www/docs/customization/sbom.md).

Closed by https://github.com/chainguard-dev/apko/pull/309 (thanks @puerco!)

Could this be handled with ignore rules? Looks like there's a related solution in place here for other vulnerabilities: https://github.com/anchore/grype/blob/main/grype/match/explicit_ignores.go#L17-L18

If you all are open to a hard-coded fix for this in the meantime, I'm happy to submit a PR!

We can double-check this, but I believe the issue is the upstream NVD data itself. In GitHub’s data, they declare explicitly what the “FixedIn” version is for a reported vulnerability...
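The "FixedIn" logic referred to in the comment above, as an added example that is not part of the original thread and not grype's own code: a GitHub-style (OSV-format) advisory carries explicit `introduced` and `fixed` events per affected range, so deciding whether an installed version is vulnerable is a half-open range check, `introduced <= version < fixed`. The advisory JSON, the package name `example/pkg`, the advisory ID and the version comparison helper are all constructed for this example; real matching also has to handle pre-release tags and ecosystem-specific version schemes, which this simple dotted-numeric comparison does not.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// Advisory is a minimal OSV-style record of the shape GitHub's advisory
// database publishes: each affected range lists "introduced"/"fixed" events.
// Constructed for this example; it is not grype's data model.
type Advisory struct {
	ID       string `json:"id"`
	Affected []struct {
		Package struct {
			Name string `json:"name"`
		} `json:"package"`
		Ranges []struct {
			Events []map[string]string `json:"events"`
		} `json:"ranges"`
	} `json:"affected"`
}

// constructedAdvisory is sample input (not a real advisory): vulnerable from
// 1.0.0 up to, but not including, the FixedIn version 1.2.4.
const constructedAdvisory = `{
  "id": "GHSA-EXAMPLE-0000",
  "affected": [{
    "package": {"name": "example/pkg"},
    "ranges": [{"events": [{"introduced": "1.0.0"}, {"fixed": "1.2.4"}]}]
  }]
}`

// ParseAdvisory decodes an OSV-style advisory document.
func ParseAdvisory(data string) (Advisory, error) {
	var adv Advisory
	err := json.Unmarshal([]byte(data), &adv)
	return adv, err
}

// compareVersions orders dotted numeric versions numerically per segment
// ("1.2.10" > "1.2.9"), returning -1, 0 or 1. Pre-release tags and
// non-numeric segments are not handled (a simplification for the example).
func compareVersions(a, b string) int {
	as, bs := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(as) || i < len(bs); i++ {
		var x, y int
		if i < len(as) {
			x, _ = strconv.Atoi(as[i])
		}
		if i < len(bs) {
			y, _ = strconv.Atoi(bs[i])
		}
		if x < y {
			return -1
		}
		if x > y {
			return 1
		}
	}
	return 0
}

// IsAffected reports whether version of pkg falls inside any affected range:
// introduced <= version < fixed. A range with no "fixed" event is open-ended,
// i.e. every version from "introduced" onward is still vulnerable.
func IsAffected(adv Advisory, pkg, version string) bool {
	for _, a := range adv.Affected {
		if a.Package.Name != pkg {
			continue
		}
		for _, r := range a.Ranges {
			introduced, fixed := "0", ""
			for _, ev := range r.Events {
				if v, ok := ev["introduced"]; ok {
					introduced = v
				}
				if v, ok := ev["fixed"]; ok {
					fixed = v
				}
			}
			if compareVersions(version, introduced) < 0 {
				continue
			}
			if fixed == "" || compareVersions(version, fixed) < 0 {
				return true
			}
		}
	}
	return false
}

func main() {
	adv, err := ParseAdvisory(constructedAdvisory)
	if err != nil {
		panic(err)
	}
	for _, v := range []string{"0.9.0", "1.2.3", "1.2.4", "1.10.0"} {
		fmt.Printf("%s example/pkg@%s affected=%v\n", adv.ID, v, IsAffected(adv, "example/pkg", v))
	}
}
```

The point of the explicit `fixed` event is visible in the last two cases: 1.2.4 is exactly the FixedIn version and is not matched, while a version below `introduced` is also excluded, so a scanner using this data does not need to infer the fix boundary from descriptive text.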

I think this issue is worth re-opening for discussion! @jneate's [comment](https://github.com/anchore/grype/issues/1329#issuecomment-1583594072) is correct: if you look at NVD's raw data, contrary to [what I said a few years back](https://github.com/anchore/grype/issues/236#issuecomment-782113283), there...