Will Murphy
Met with @joshbressers about this issue this morning, and we think that, basically, we need to special-case OpenJDK 8 versions in Syft's CPE generation: ``` ❯ syft -q -o json...
Hi @audunmo! Thanks for the feature request! I didn't know about `vcpkg`, but we're definitely open to supporting it. We'd happily accept a contribution, or we can put this in...
@wagoodman when syft is being used online, it might also be possible for us to compute a SHA of the artifact and use it to search Maven Central for the...
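The comment above sketches looking up a jar on Maven Central by its checksum. As an added example (not Syft's code and not part of the original comment), here is what that lookup looks like in Go: hash the jar bytes with SHA-1 (the digest Maven Central indexes), build the query for the public solrsearch endpoint's `1:` SHA-1 field, and parse the group/artifact/version out of the JSON response. The jar bytes and the JSON response are constructed inline so the example runs offline; a real run would read the jar from disk and fetch `SearchURL(...)` over HTTPS.

```go
package main

import (
	"crypto/sha1"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"net/url"
)

// MavenCoordinate is the group:artifact:version triple Maven Central returns per hit.
type MavenCoordinate struct {
	Group    string
	Artifact string
	Version  string
}

// JarSHA1 returns the lowercase hex SHA-1 of the jar bytes.
// Maven Central indexes artifacts by SHA-1, so this is the key for the lookup.
func JarSHA1(jar []byte) string {
	sum := sha1.Sum(jar)
	return hex.EncodeToString(sum[:])
}

// SearchURL builds the Maven Central search query that selects artifacts whose
// SHA-1 equals sha1hex. The "1:" prefix is the solrsearch field name for SHA-1.
func SearchURL(sha1hex string) string {
	q := url.Values{}
	q.Set("q", `1:"`+sha1hex+`"`)
	q.Set("rows", "20")
	q.Set("wt", "json")
	return "https://search.maven.org/solrsearch/select?" + q.Encode()
}

// searchResponse mirrors the parts of the solrsearch JSON body we care about.
type searchResponse struct {
	Response struct {
		NumFound int `json:"numFound"`
		Docs     []struct {
			G string `json:"g"`
			A string `json:"a"`
			V string `json:"v"`
		} `json:"docs"`
	} `json:"response"`
}

// ParseSearchResponse extracts coordinates from a solrsearch JSON body.
// Zero hits is not an error: an unknown or repackaged jar simply has no match.
func ParseSearchResponse(body []byte) ([]MavenCoordinate, error) {
	var resp searchResponse
	if err := json.Unmarshal(body, &resp); err != nil {
		return nil, fmt.Errorf("decode maven central response: %w", err)
	}
	coords := make([]MavenCoordinate, 0, len(resp.Response.Docs))
	for _, d := range resp.Response.Docs {
		coords = append(coords, MavenCoordinate{Group: d.G, Artifact: d.A, Version: d.V})
	}
	return coords, nil
}

// SampleResponse is a constructed solrsearch body for one hit (not a real query result).
const SampleResponse = `{"response":{"numFound":1,"docs":[
  {"id":"org.apache.commons:commons-lang3:3.12.0","g":"org.apache.commons","a":"commons-lang3","v":"3.12.0","p":"jar"}
]}}`

func main() {
	jar := []byte("constructed stand-in for jar bytes, not a real archive")
	digest := JarSHA1(jar)
	fmt.Println("sha1:", digest)
	fmt.Println("query:", SearchURL(digest))

	coords, err := ParseSearchResponse([]byte(SampleResponse))
	if err != nil {
		panic(err)
	}
	for _, c := range coords {
		fmt.Printf("match: %s:%s:%s\n", c.Group, c.Artifact, c.Version)
	}
}
```

A checksum hit only identifies jars that are byte-for-byte identical to what was published, so shaded, repackaged, or rebuilt jars fall back to whatever the manifest and pom.properties say; treat an empty `docs` array as "unknown", not as "not vulnerable".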
Hi @sekveaja, The GHSA match is based on Grype finding the NPM package `ip`, and comparing that against published GitHub security advisories, and finding GHSA-78xj-cgh5-2h22. If SUSE hasn't published anything...
Hi @JordanFaust, Would you mind providing more detail in your repro steps? I have never used Nix before, and I don't know how to get into a situation where I...
Thanks @JordanFaust ! What the "distro" tests are doing is testing Grype's ability to detect what distro the image it's scanning is based on. The tests are defined here: https://github.com/anchore/grype/blob/834793100e7dc1455b2b7b9998a10434d99bf6e9/grype/distro/distro_test.go#L109...
Thanks for taking a look @06kellyjac! I haven't found an easy way to enable Grype's normal logging during a test run, so it might make sense to do a quick...
I think this issue has the same root cause as https://github.com/anchore/syft/issues/2894, which is more obviously a bug in Syft.
Hi @JordanFaust and @06kellyjac I believe https://github.com/anchore/syft/pull/2918, released in https://github.com/anchore/syft/releases/tag/v1.6.0 (which is now a couple behind - latest is https://github.com/anchore/syft/releases/tag/v1.8.0) fixed this. Would you mind re-testing? Please let us know...
Hi @willyw0nka! Thanks for the request. Do you have a specific example of `syft -o json | grype` doing the wrong thing, or particular config you wish was available? Not...