Will Murphy
> I'm not sure I completely understand the notion of affected/unaffected packages. Is this the same as vulnerable/not vulnerable packages? These are literally types in Grype, basically an unaffected...
@chait-slim I left some feedback on those PRs.
It looks like Bitnami and Chainguard are available now. The fix date data for rocky isn't, but we expect to add fix dates to it in the future.
My mistake! I've updated the title. Fix dates are still a work in progress, and I expect these will be added as the work progresses.
Based on some experimentation, this change is insufficient as is: Consider two version numbers:

```
[root@19ac959dacf7 /]# rpmdev-vercmp 3:10.3.28-1.module_el8.3.0+757+d382997d 3:10.3.28-1.module+el8.3.0+10472+7adc332a
3:10.3.28-1.module_el8.3.0+757+d382997d < 3:10.3.28-1.module+el8.3.0+10472+7adc332a
```

This is correct! build 757 is...
Hi @damaoooo thank you for the issue! We've discussed similar ideas before. The main limitation to implementing this is that many CVEs do not come with a machine-readable description of...
Here's a summary of what we decided:

1. Go is probably the right language for this because Go binaries have pretty good symbol information, and the Go ecosystem already publishes...
https://github.com/anchore/grype/issues/1782 is a type of false positive that could be fixed by the go approach, because the stdlib package `cmd/go` shouldn't be present in the eventual binary.
We discussed this at our [weekly livestream](https://anchorecommunity.discourse.group/t/october-9th-open-source-gardening-live-stream/574?u=willmurphy), for folks who missed the community call.
We discussed this at a [recent livestream](https://anchorecommunity.discourse.group/t/october-2nd-open-source-gardening-live-stream/572?u=willmurphy). Some remarks:

1. RPMs and dpkgs handle this by adding an epoch (e.g. `0:` versions are all lower than `1:`). It would be...