Will Murphy

Results 357 comments of Will Murphy

Notes from a quick discussion: - Generally, Syft surfaces the best information it can; excluding certain packages seems contrary to this - Syft _does_ provide a way of excluding files....

Some of the GHSAs in the wolfi feed are unreviewed: https://github.com/advisories/GHSA-22q4-f5r6-3xqw for example. Even with a simple fix at https://github.com/anchore/grype-db/blob/5098116a9fee3be0f1497a186b37271208ea1e4e/pkg/process/v6/writer.go#L132 to include GHSA severities in addition to CVE severities, severities...

We discussed this during our [community live stream](https://anchorecommunity.discourse.group/t/june-19th-open-source-gardening-live-stream/458?u=willmurphy) today, and it was decided that during vunnel build time, the wolfi provider should call GitHub security advisories to see what CVEs they...

Thanks @samueloph! I've added `needs-discussion` so that we can talk at an upcoming community meeting about how best to implement this. Right now, there isn't a "default template," but rather...

We discussed this at our [livestream community gardening on 10 October 2024](https://anchorecommunity.discourse.group/t/october-10th-open-source-gardening-live-stream/171). Some notes: 1. We do not want to write Go templating language that writes JSON - we want...

@popey maybe https://hub.docker.com/r/linuxserver/ffmpeg/tags would be a good source to find an image for a full fixture? Basically a full fixture is instructions that say, "to really test this binary matcher,...

@TimBrown1611 can you confirm that this is still happening? There has been some work in Syft to make the JAR/WAR cataloging more deterministic. If it is still happening, can you...

@jkugler absolutely! We would love a PR for this.

Hi @ADorigi thanks for the quick work here! We need a couple things before we can merge it. 1. Can you clean up static analysis so that it passes? I...