Will Murphy
Hi @Alphasite, thanks for the detailed report! You are right that a symlink update or rename would probably be more atomic, but we've had issues in the past, for example...
This is an enhancement we'd love to see. There are basically 2 steps to adding this: Add the data to the database Grype downloads, and change Grype to interpret the...
Hi @TimBrown1611 thanks for those links. If https://github.com/endoflife-date/endoflife.date/pull/2080 is merged and does include identifiers for packages, we might be able to build something here.
Hi @tomersein! You're right that hooking up a new type of data all the way through grype matching might be difficult, but if you want to help I think starting...
@wagoodman @kzantow does it make sense to try to do this as part of schema v6? EDIT: we discussed this offline, and this can be done before or after grype...
Adding quick repro steps to this: Dockerfile:
```Dockerfile
FROM alpine:latest
RUN apk add py3-jmespath==1.0.1-r3
```
build it:
```
docker build . -t localhost/grype2348
```
scan it:
```
grype localhost/grype2348...
```
Hi @jneate thanks for the PR! My concern here is that NVD doesn't consistently use `versionEndExcluding` to mean "fixed in the next version." For example, at https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2023-21930, we can see:...
Before merging, we want to do two things: (edit - I'm doing these things) 1. Run some experiments or code review to be sure that this won't cause wrong fixed-in...
This PR is blocked on https://github.com/anchore/syft/issues/1562 - we need to clarify the UX and policies around execing tools on the host system running Syft before we can move forward here....
The upcoming grype-db schema v6 will add these fields: https://github.com/anchore/grype/blob/5dc2d2ee1a6eb3cdc141f74c1b16d5bda58197dc/grype/db/v6/models.go#L161-L167 So this work is now unblocked. After v6 is adopted, changes will be needed in anchore/vunnel and anchore/grype-db to ensure...