Will Murphy

Results 361 comments of Will Murphy

@westonsteimel Thanks! For `version_constraint: < 0`, what should the `fix_state` be? All four we have right now (`unknown`, `fixed`, `not-fixed`, and `wont-fix`) seem not quite applicable to the situation...

@henrysachs That's a great question, thanks! I can see how, for packages with a lot of major versions, you could see negative matches from 10 years ago, and that would be...

> but I also thought about how this is complementary to the vex format. I know this is probably more for vulnerabilities where no patches are available but maybe this...

@wagoodman is this still an issue? I haven't noticed slow executions except in cases where the new DB was actually downloaded.

Hi @josetirablaz, The repro steps above no longer result in this false positive. That's because Grype, by default, uses PURLs and not CPEs to match language packages - you can...

@tomerse-sg, if both executables are Go programs, is there a reason to embed one via `go:embed` instead of making one depend on the other as a normal Go package? It's...

Note to reviewers: This looks like a special case of https://github.com/anchore/syft/issues/1562, and we should consider the configuration and user experience Syft would need if there were multiple such implementations, e.g....

Hi @atl-mk, thanks for the detailed info! I've been able to reproduce the issue and have an idea for the fix, and will add this to our backlog. Details below:...

Hi @Joerki, Thanks for the detailed issue report. The specific issue you reported, where Syft was incorrectly computing the path on the host to golang proxy cache, was fixed by...

I was also able to reproduce this. It looks like Syft is detecting the dependencies (because they show up in `-o json`), but isn't writing them down in cyclonedx-json. Moving to...