Dan Nurmi

**What happened**: On RPM-based systems where appstream/modules are supported (e.g. centos stream, rhel/ubi), false positive vulnerabilities can be reported due to the system using 'latest fix' version information across different...

Description is unclear for vulnerabilities/stale_feed_data trigger/gate, when fired against an image with a distro/version that doesn't have a feed data source

6

Currently, when a policy evaluation is performed against an image that reports a distro/version that doesn't match a synced (or existing) OS feed, the output to the user can be...

Due to duplicate CVE records in the data feed, anchore CLI versions < 1.1.1 may incorrectly merge new CVE data with old CVE data, leading to the resulting output for...

Currently, anchore tool cleans up all working dir (tmpdir) artifacts upon failure - suggest leaving the artifacts if --debug is passed to the CLI for debugging purposes

Would be good for anchore to include a tool for listing together all the names a particular container image has that is referencable by the tool (repo, repo:tag, short ID,...

some initial work on a prototype EPSS vunnel provider, which produces records like: ``` sqlite> select * from results limit 1; id|record cve-1999-0001|{"schema":"https://raw.githubusercontent.com/anchore/vunnel/main/schema/vulnerability/epss/schema-1.0.0.json","identifier":"cve-1999-0001","item":{"cve":"CVE-1999-0001","epss":"0.00383","percentile":"0.73278","date":"2024-07-18"}} ``` using daily published CSV bundles from...