anchore · vaibhav-rf · Mar 14, 2026 · Mar 16, 2026 · Mar 19, 2026 · Mar 31, 2026
diff --git a/cmd/grype/cli/commands/root.go b/cmd/grype/cli/commands/root.go
@@ -221,12 +221,14 @@ func runGrype(ctx context.Context, app clio.Application, opts *options.Grype, us
 		return fmt.Errorf("failed to create VEX processor: %w", err)
 	}
 
+	matchers := getMatchers(opts, pkgContext)
+
 	vulnMatcher := grype.VulnerabilityMatcher{
 		VulnerabilityProvider: vp,
 		IgnoreRules:           opts.Ignore,
 		NormalizeByCVE:        opts.ByCVE,
 		FailSeverity:          opts.FailOnSeverity(),
-		Matchers:              getMatchers(opts),
+		Matchers:              matchers,
 		VexProcessor:          vexProcessor,
 		Alerts: grype.AlertsConfig{
 			EnableEOLDistroWarnings: opts.Alerts.EnableEOLDistroWarnings,
@@ -392,8 +394,8 @@ func getMatcherConfig(opts *options.Grype) matcher.Config {
 	}
 }
 
-func getMatchers(opts *options.Grype) []match.Matcher {
-	return matcher.NewDefaultMatchers(getMatcherConfig(opts))
+func getMatchers(opts *options.Grype, pkgContext pkg.Context) []match.Matcher {
+	return matcher.ApplySelectionPolicy(matcher.NewDefaultMatchers(getMatcherConfig(opts)), pkgContext)
 }
 
 func getProviderConfig(opts *options.Grype) pkg.ProviderConfig {

diff --git a/grype/db/internal/provider/unmarshal/os_vulnerability.go b/grype/db/internal/provider/unmarshal/os_vulnerability.go
@@ -14,6 +14,7 @@ type OSFixedIn struct {
 	Module         *string `json:"Module,omitempty"`
 	Name           string  `json:"Name"`
 	NamespaceName  string  `json:"NamespaceName"`
+	Identifier     string  `json:"Identifier,omitempty"`
 	VendorAdvisory struct {
 		AdvisorySummary []struct {
 			ID   string `json:"ID"`

diff --git a/grype/db/v6/build/transformers/os/testdata/rapidfort-redhat-9.json b/grype/db/v6/build/transformers/os/testdata/rapidfort-redhat-9.json
@@ -0,0 +1,44 @@
+[
+  {
+    "Vulnerability": {
+      "CVSS": [],
+      "Description": "curl wildcard certificate validation issue",
+      "FixedIn": [
+        {
+          "Identifier": "el9",
+          "Name": "curl",
+          "NamespaceName": "rapidfort-redhat:9",
+          "Version": "None",
+          "VersionFormat": "rpm",
+          "VulnerableRange": ">= 0",
+          "VendorAdvisory": {
+            "AdvisorySummary": [
+              {
+                "ID": "RHSA-TEST-EL9",
+                "Link": "https://access.redhat.com/errata/RHSA-TEST-EL9"
+              }
+            ],
+            "NoAdvisory": false
+          }
+        },
+        {
+          "Identifier": "fc36",
+          "Name": "curl",
+          "NamespaceName": "rapidfort-redhat:9",
+          "Version": "7.78.0-4.fc36",
+          "VersionFormat": "rpm",
+          "VulnerableRange": ">= 0, < 7.78.0-4.fc36",
+          "Available": {
+            "Date": "2024-01-01T00:00:00Z",
+            "Kind": "advisory"
+          }
+        }
+      ],
+      "Link": "https://www.cve.org/CVERecord?id=CVE-2014-0139",
+      "Metadata": {},
+      "Name": "CVE-2014-0139",
+      "NamespaceName": "rapidfort-redhat:9",
+      "Severity": "Low"
+    }
+  }
+]
diff --git a/grype/db/v6/build/transformers/os/testdata/rapidfort-ubuntu-20.04.json b/grype/db/v6/build/transformers/os/testdata/rapidfort-ubuntu-20.04.json
@@ -0,0 +1,26 @@
+[
+  {
+    "Vulnerability": {
+      "CVSS": [],
+      "Description": "curl: OAUTH2 bearer bypass in connection re-use",
+      "FixedIn": [
+        {
+          "Name": "curl",
+          "NamespaceName": "rapidfort-ubuntu:20.04",
+          "Version": "7.68.0-1ubuntu2.10",
+          "VersionFormat": "dpkg",
+          "VulnerableRange": ">= 7.68.0, < 7.68.0-1ubuntu2.10",
+          "Available": {
+            "Date": "2022-05-01T00:00:00Z",
+            "Kind": "advisory"
+          }
+        }
+      ],
+      "Link": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22576",
+      "Metadata": {},
+      "Name": "CVE-2022-22576",
+      "NamespaceName": "rapidfort-ubuntu:20.04",
+      "Severity": "Medium"
+    }
+  }
+]
diff --git a/grype/db/v6/build/transformers/os/transform.go b/grype/db/v6/build/transformers/os/transform.go
@@ -163,6 +163,21 @@ func getFix(fixedInEntry unmarshal.OSFixedIn) *db.Fix {
 	}
 
 	var refs []db.Reference
+	if fixedInEntry.Identifier != "" {
+		rid := releaseIdentifierReferenceID(fixedInEntry.Identifier)
+		refURL := rid
+		for _, adv := range advisoryOrder {
+			if adv.link != "" {
+				refURL = adv.link
+				break
+			}
+		}
+		refs = append(refs, db.Reference{
+			ID:   rid,
+			URL:  refURL, // prefer vendor advisory URL; else rid so toAdvisories includes the ref
+			Tags: []string{db.AdvisoryReferenceTag},
+		})
+	}
 	for _, adv := range advisoryOrder {
 		refs = append(refs, db.Reference{
 			ID:   adv.id,
@@ -204,6 +219,10 @@ func getFixAvailability(fixedInEntry unmarshal.OSFixedIn) *db.FixAvailability {
 	}
 }
 
+func releaseIdentifierReferenceID(identifier string) string {
+	return "release-identifier:" + strings.ToLower(strings.TrimSpace(identifier))
+}
+
 func enforceConstraint(fixedVersion, vulnerableRange, format, vulnerabilityID string) string {
 	if len(vulnerableRange) > 0 {
 		return vulnerableRange
@@ -243,14 +262,15 @@ func deriveConstraintFromFix(fixVersion, vulnerabilityID string) string {
 }
 
 type groupIndex struct {
-	name      string
-	id        string
-	osName    string
-	osVersion string
-	osChannel string
-	hasModule bool
-	module    string
-	format    string
+	name       string
+	id         string
+	osName     string
+	osVersion  string
+	osChannel  string
+	identifier string
+	hasModule  bool
+	module     string
+	format     string
 }
 
 func groupFixedIns(vuln unmarshal.OSVulnerability) map[groupIndex][]unmarshal.OSFixedIn {
@@ -263,14 +283,15 @@ func groupFixedIns(vuln unmarshal.OSVulnerability) map[groupIndex][]unmarshal.OS
 			mod = *fixedIn.Module
 		}
 		g := groupIndex{
-			name:      fixedIn.Name,
-			id:        oi.id,
-			osName:    oi.name,
-			osVersion: oi.version,
-			osChannel: oi.channel,
-			hasModule: fixedIn.Module != nil,
-			module:    mod,
-			format:    fixedIn.VersionFormat,
+			name:       fixedIn.Name,
+			id:         oi.id,
+			osName:     oi.name,
+			osVersion:  oi.version,
+			osChannel:  oi.channel,
+			identifier: fixedIn.Identifier,
+			hasModule:  fixedIn.Module != nil,
+			module:     mod,
+			format:     fixedIn.VersionFormat,
 		}
 
 		grouped[g] = append(grouped[g], fixedIn)
@@ -290,6 +311,12 @@ func getPackageType(osName string) pkg.Type {
 		return pkg.ApkPkg
 	case "windows":
 		return pkg.KbPkg
+	case "rapidfort-ubuntu":
+		return pkg.DebPkg
+	case "rapidfort-alpine":
+		return pkg.ApkPkg
+	case "rapidfort-redhat":
+		return pkg.RpmPkg
 	}
 
 	return ""