Skip to content

feat: populate package architecture for matching#3504

Merged
willmurphyscode merged 6 commits into
anchore:mainfrom
willmurphyscode:architecture-qualifier
Jul 2, 2026
Merged

feat: populate package architecture for matching#3504
willmurphyscode merged 6 commits into
anchore:mainfrom
willmurphyscode:architecture-qualifier

Conversation

@willmurphyscode

@willmurphyscode willmurphyscode commented Jun 12, 2026

Copy link
Copy Markdown
Contributor

Enable matchers to filter on architecture-specific vulnerabilities or fixes.

There are basically three changes here: First, wire up the package collection creator to populate architecture on the packages when an image is scanned or an sbom is loaded in Grype. Second, wire up the architecture package qualifier so that if a vulnerability or fix specifies that it is only applicable to a particular architecture, the matchers will respect this, and third, in the RPM matcher, specify arch=src when synthesizing the upstream package to search by (rather than letting it inherit the binary package's architecture).

The qualifier logic is like this: If either the package or the DB record has a blank architecture, the filtering is a noop. If the package has a specific architecture and the DB record has 'src', the package is qualified, because a disclosure or fix in a src RPM for example is assumed to affect things built from it. If the DB record and the package both have specific binary architectures, but they don't match, e.g. x86_64 != aarch64, the package is not qualified and filters out. Architecture qualifiers are canonicalized at match time so, for example, an RPM that has x86_64 architecture is a qualified package on a vuln that affects "amd64" processors (assuming distro and everything else line up). This canonicalization is probably more important for future expansion since a given distro will probably use the same architecture strings as their own package manager.

Hummingbird also has a special "binary-no-arch-specified" architecture that means, "this is not a src RPM". That is so that in Hummingbird data, if we have a package that says, 'upstream=glibc' in its PURL, and we have a glibc vuln against the binary but not the src RPM, we can fitler out this false positive. If a DB record has 'binary-no-arch-specified' as its architecture, any package that has any non-src architecture (or a blank architecture) is qualified, but src architecture is not.

Note that this could use anchore/syft#4977 but there's no need to couple them.

Comment thread grype/matcher/rpm/matcher.go
Comment thread grype/pkg/purl_provider.go Outdated

func purlEnhancers(applyChannel func(*distro.Distro) bool) []Enhancer {
return []Enhancer{setUpstreamsFromPURL, setDistroFromPURL(applyChannel)}
return []Enhancer{setUpstreamsFromPURL, setArchFromPURL, setDistroFromPURL(applyChannel)}

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

From @wagoodman this should be added to types where it matters as well, like

type RpmMetadata struct {
explicitly instead of https://github.com/anchore/syft/pull/4977/changes which is messy because Syft packages don't have necessarily exactly one architecture (e.g. macho binaries).

Comment thread grype/pkg/purl_provider.go Outdated
return d
}

func setArchFromPURL(out *Package, purl packageurl.PackageURL, _ syftPkg.Package) {

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Additionally, we should set this in metadata things: https://github.com/anchore/grype/blob/main/grype/pkg/apk_metadata.go#L12 for example written to here (and analogous changes for the RPM stuff.)

We might not need a PURL enhancer if we do it that way.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Might be worth setting arch in here: https://github.com/anchore/syft/blob/main/syft/format/internal/backfill.go#L37 - otherwise we do need the enhancer in grype.

Comment thread grype/pkg/qualifier/architecture/qualifier.go Outdated
Comment thread grype/pkg/qualifier/architecture/qualifier.go
Enable matchers to filter on architecture-specific vulnerabilities or
fixes.

There are basically three changes here: First, wire up the package
collection creator to populate architecture on the packages when an
image is scanned or an sbom is loaded in Grype. Second, wire up the
architecture package qualifier so that if a vulnerability or fix
specifies that it is only applicable to a particular architecture, the
matchers will respect this, and third, in the RPM matcher, specify
`arch=src` when synthesizing the upstream package to search by (rather
than letting it inherit the binary package's architecture).

The qualifier logic is like this: If either the package or the DB record
has a blank architecture, the filtering is a noop. If the package has a
specific architecture and the DB record has 'src', the package is
qualified, because a disclosure or fix in a src RPM for example is
assumed to affect things built from it. If the DB record and the package
both have specific binary architectures, but they don't match, e.g.
x86_64 != aarch64, the package is not qualified and filters out.
Architecture qualifiers are canonicalized at match time so, for example,
an RPM that has x86_64 architecture is a qualified package on a vuln
that affects "amd64" processors (assuming distro and everything else
line up). This canonicalization is probably more important for future
expansion since a given distro will probably use the same architecture
strings as their own package manager.

Hummingbird also has a special "binary-no-arch-specified" architecture
that means, "this is not a src RPM". That is so that in Hummingbird
data, if we have a package that says, 'upstream=glibc' in its PURL, and
we have a glibc vuln against the binary but not the src RPM, we can
fitler out this false positive. If a DB record has
'binary-no-arch-specified' as its architecture, any package that has any
non-src architecture (or a blank architecture) is qualified, but src
architecture is not.

Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
OracleLinux had some existing false positives where the x86_64 package
was fixed in an earlier version of the RPM than the aarch64 version,
resulting in false positives when Grype checked against the aarch64
version. Add a dbtest for this scenario and update the RPM matcher and
OS transformer to fix this case.

Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
// defaultAliases maps each non-canonical architecture spelling to its canonical token. The
// canonical token is arbitrary (we use the Go/OCI spelling); only equivalence matters, so a
// canonical spelling (e.g. "amd64") is intentionally absent and resolves to itself.
var defaultAliases = map[string]string{

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does "all" : "noarch" belong in here?

search.ByPackageName(upstreamPkg.Name),
search.ByDistro(rhelCompatibleDistro),
internal.OnlyQualifiedPackages(upstreamPkg),
internal.SourceOrUnspecifiedArch(),

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I thought this helper was used only in hummingbird. Why the alma diff?


for _, indirectPackage := range pkg.UpstreamPackages(p) {
indirectMatches, ignores, err := m.findMatches(provider, indirectPackage, internal.SourceOrUnspecifiedArch())
// An rpm's upstream is its source rpm, so tag the synthesized package "src". The

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Clean up this comment as this is now done in the helper.

Comment thread grype/db/v6/blobs.go
// entry matches any binary package but rejects the rpm matcher's synthesized "src" upstream,
// so providers that disclose at binary granularity (e.g. hummingbird CSAF VEX) avoid
// FP-matching unrelated sibling binaries built from the same source.
Architecture *string `json:"architecture,omitempty"`

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This already shipped as a string, but maybe missed opportunity to do a Set[string] so that we could check "intersection of package arch with vuln arch is not empty" instead of equality.

var defaultAliases = map[string]string{
"x86_64": "amd64",
"x64": "amd64",
"aarch64": "arm64",

@willmurphyscode willmurphyscode Jun 29, 2026

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What about like arm64/v8? That's a thing that can be passed to --platform on docker CLI for example.

Also "architecture" and "platform" are not exactly this same thing and this conflates them?

Comment thread grype/db/v6/models.go
// fold to "amd64"). The architecture qualifier reads this table at match time so cross-dialect
// arch comparisons don't drop real matches; the data lives in the DB rather than the grype
// binary so the folding can change without a release. See pkg/qualifier/architecture.
type ArchitectureAlias struct {

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this complete? Do we need an "is platform independent" bool column or something? Right now the source code knows that noarch and all mean "this thing applies across all architectures" but the database doesn't?

We think that this case be added later if need be, and that it is probably not necessary.

Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
@willmurphyscode willmurphyscode marked this pull request as ready for review June 30, 2026 13:19
}
tmp.CPEs = updatedCPEs

setSrcArchOnUpstream(&tmp)

@wagoodman wagoodman Jul 1, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This overrides any architectures that could be explicitly provided. I see that this is intentional, but does this consider that there might be instances where the vuln data is more specific than src? (say with hummingbird) .... there is a good chance this is a non-issue

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Well actually, doesn't oracle provider per-binary-per-arch NERVA's?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So the idea here is that the upstream package is always a source RPM. This actually fixes false positives in Hummingbird and is an intentional and necessary part of this PR.

Consider this scan:

syft -q -o json quay.io/hummingbird/postgresql:latest@sha256:6eefb14bced346a8583011f84dd71de8249af74c060369be6ad73891b2a768f0 | jq '.artifacts[] | .purl' | rg glibc

which produces:

"pkg:rpm/redhat/glibc@2.42-10.1.hum1?arch=aarch64&distro=hummingbird-20251124&upstream=glibc-2.42-10.1.hum1.src.rpm"
"pkg:rpm/redhat/glibc-common@2.42-10.1.hum1?arch=aarch64&distro=hummingbird-20251124&upstream=glibc-2.42-10.1.hum1.src.rpm"
"pkg:rpm/redhat/glibc-langpack-en@2.42-10.1.hum1?arch=aarch64&distro=hummingbird-20251124&upstream=glibc-2.42-10.1.hum1.src.rpm"

And this CSAF VEX:

      "product_status": {
        "fixed": [
          "hummingbird-1:glibc-0:2.42-12.hum1", // binary rpm
          "hummingbird-1:glibc-0:2.42-12.hum1.src", // src rpm, removed intentionally in datat processing
         ...

In this case, glibc-langpack-en has the upstream glibc, and the binary glibc is vulnerable. However, before this change, glibc-langpack-en could be reported as vulnerable because its upstream has the same name as a vulnerable binary. However, that would be considered an FP. This is a change to allow us to consider upstream matching still, but only if the upstream package is a src rpm, so that marking a binary rpm that has the same name as a bunch of source rpm's upstream (like glibc) doesn't produce a wave of FPs.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Well actually, doesn't oracle provider per-binary-per-arch NERVA's?

I don't think anyone has architecture on their src RPMs, and upstream will always be a src rpm? But I confess I don't completely understand the comment.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@wagoodman I don't think this matters on oracle. the OVAL files seem to list every binary RPM anyway, and I don't think the notion of a non src upstream makes sense. This only sets arch on upstreams.

// defaultAliases maps each non-canonical architecture spelling to its canonical token. The
// canonical token is arbitrary (we use the Go/OCI spelling); only equivalence matters, so a
// canonical spelling (e.g. "amd64") is intentionally absent and resolves to itself.
var defaultAliases = map[string]string{

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

just want to state clearly but this isn't a comment to address, but instead a specific feature designed in: the DB is authoritative over clients, so newer clients that have old DBs might run into issues, but in these cases we expect folks to update their dbs. This is a nice feature of using the DB since DBs ship nightly instead of needing to upgrade the client.

Comment thread grype/pkg/rpm_metadata.go
// pkg/qualifier/architecture to match a package against the architecture a vulnerability
// entry applies to. Cross-dialect aliases (amd64↔x86_64, ...) are reconciled there, so
// this is intentionally a raw string rather than an enum.
Arch string `json:"architecture" cyclonedx:"architecture"`

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit, this could have omitempty

@wagoodman wagoodman moved this from In Progress to In Review in OSS Jul 2, 2026
@willmurphyscode willmurphyscode merged commit 4dd09a7 into anchore:main Jul 2, 2026
11 checks passed
@github-project-automation github-project-automation Bot moved this from In Review to Done in OSS Jul 2, 2026
vaibhav-rf pushed a commit to vaibhav-rf/grype that referenced this pull request Jul 6, 2026
* give install script uploader contents: read (anchore#3489)

Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>

* Govulndb OSV transformer (anchore#3485)

* govulndb osv

Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>

* add fixed dates to govulndb osv transformer

Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>

* enforce lowercase ids on cache

Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>

---------

Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>

* chore(deps): update tool versions (anchore#3488)

Signed-off-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com>
Co-authored-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com>

* chore(deps): update quality gate database (anchore#3478)

Signed-off-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com>
Co-authored-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com>

* feat(scan): add support for a Zarf scan target (anchore#3366)

Signed-off-by: Brandt Keller <brandt.keller@defenseunicorns.com>

* fix: respect withdrawn status of Go Vuln DB OSV records (anchore#3495)

Otherwise we get false positives. Includes a matcher test to assert that
Grype does not find withdrawn go vulns.

Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>

* chore(deps): update anchore dependencies (anchore#3487)

Signed-off-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com>
Co-authored-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com>

* test: add test fixtures for multi RHSA records from vunnel (anchore#3480)

Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>

* fix: avoid panic on invalid RHEL version IDs (anchore#3490)

Signed-off-by: Jeremy Spilman <jeremy.spilman@anchore.com>

* chore(deps): bump the actions-minor-patch group across 2 directories with 7 updates (anchore#3503)

Bumps the actions-minor-patch group with 6 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [anchore/workflows/.github/workflows/codeql.yaml](https://github.com/anchore/workflows) | `0.7.0` | `0.7.2` |
| [anchore/workflows/.github/workflows/check-version-available.yaml](https://github.com/anchore/workflows) | `0.7.0` | `0.7.2` |
| [anchore/workflows/.github/workflows/check-gate.yaml](https://github.com/anchore/workflows) | `0.7.0` | `0.7.2` |
| [actions/checkout](https://github.com/actions/checkout) | `6.0.2` | `6.0.3` |
| [anchore/workflows/.github/workflows/release-install-script.yaml](https://github.com/anchore/workflows) | `0.7.0` | `0.7.2` |
| [github/codeql-action](https://github.com/github/codeql-action) | `4.36.0` | `4.36.2` |

Bumps the actions-minor-patch group with 1 update in the /.github/actions/bootstrap directory: [anchore/go-make](https://github.com/anchore/go-make).


Updates `anchore/workflows/.github/workflows/codeql.yaml` from 0.7.0 to 0.7.2
- [Release notes](https://github.com/anchore/workflows/releases)
- [Commits](anchore/workflows@b3e328b...b0c30a8)

Updates `anchore/workflows/.github/workflows/check-version-available.yaml` from 0.7.0 to 0.7.2
- [Release notes](https://github.com/anchore/workflows/releases)
- [Commits](anchore/workflows@b3e328b...b0c30a8)

Updates `anchore/workflows/.github/workflows/check-gate.yaml` from 0.7.0 to 0.7.2
- [Release notes](https://github.com/anchore/workflows/releases)
- [Commits](anchore/workflows@b3e328b...b0c30a8)

Updates `actions/checkout` from 6.0.2 to 6.0.3
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@de0fac2...df4cb1c)

Updates `anchore/workflows/.github/workflows/release-install-script.yaml` from 0.7.0 to 0.7.2
- [Release notes](https://github.com/anchore/workflows/releases)
- [Commits](anchore/workflows@b3e328b...b0c30a8)

Updates `github/codeql-action` from 4.36.0 to 4.36.2
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@7211b7c...8aad20d)

Updates `anchore/go-make` from 0.5.0 to 0.6.0
- [Release notes](https://github.com/anchore/go-make/releases)
- [Commits](anchore/go-make@9de27be...39fe5f7)

---
updated-dependencies:
- dependency-name: anchore/workflows/.github/workflows/codeql.yaml
  dependency-version: 0.7.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions-minor-patch
- dependency-name: anchore/workflows/.github/workflows/check-version-available.yaml
  dependency-version: 0.7.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions-minor-patch
- dependency-name: anchore/workflows/.github/workflows/check-gate.yaml
  dependency-version: 0.7.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions-minor-patch
- dependency-name: actions/checkout
  dependency-version: 6.0.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions-minor-patch
- dependency-name: anchore/workflows/.github/workflows/release-install-script.yaml
  dependency-version: 0.7.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions-minor-patch
- dependency-name: github/codeql-action
  dependency-version: 4.36.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions-minor-patch
- dependency-name: anchore/go-make
  dependency-version: 0.6.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions-minor-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* exclude linux-kbuild deb indirect matches by default (anchore#3506)

Signed-off-by: Weston Steimel <author@code.w.steimel.me.uk>

* Add OSV Model generator (anchore#3499)

* Add OSV Model generator

Previously, there was an OSV scanner repository that exported a
models.Vulnerability struct we could use. That repository deprecated
their exported models and the models in grype are falling behind.
Therefore, add a generator target that generates our own models based on
the latest v1 JSON scehma from the official OSV spec repository. In this
way automation can PR new models in.

Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>

* less coupled generator

Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>

* parse severity as singular and drop entry type

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* Remove v1 from file names

If we need a v2 model, we should have a package with v2 in the path so
that both can be imported. v1 in a filename is just noise.

Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>

---------

Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>

* chore(deps): bump github.com/anchore/go-make (anchore#3502)

Bumps the go-minor-patch group with 1 update in the /.make directory: [github.com/anchore/go-make](https://github.com/anchore/go-make).


Updates `github.com/anchore/go-make` from 0.5.0 to 0.6.0
- [Release notes](https://github.com/anchore/go-make/releases)
- [Commits](anchore/go-make@v0.5.0...v0.6.0)

---
updated-dependencies:
- dependency-name: github.com/anchore/go-make
  dependency-version: 0.6.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go-minor-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* fix(go-vulndb): merge in custom ranges when applicable (anchore#3514)

* fix(go-vulndb): merge in custom ranges when applicable

Go OSV data has the standard OSV ranges, but also has custom ranges.
Packages that do non-standard go versioning, for example by pushing a
tag that starts with v2.x.y but not adding a /v2 in their module path,
get relegated to the custom ranges field. In other words, there is one
affected range for "strictly go versioning compliant versions" and
another set of ranges for "version control tags that are not perfectly
compliant".

Previously, Grype just ignore this second bucket of version ranges,
resulting in a meaningful number of false positives. Fix this by, if
custom ranges are present, stripping out unbounded (e.g. > 0) ranges
from the regular ranges and then unioning the two range sets.

Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>

* cleanup: avoid double parsing ranges, clean up comments

Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>

* fix up go vuln db transformer

Includes using mapstructure to deserialize custom fields, and some
readability refactors.

Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>

---------

Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>

* fix: disable go stdlib CPE matching by default. (anchore#3517)

Previously, because GHSA does not cover the go stdlib, in order to avoid
false negatives on the go stdlib, CPE matching had to be used. However,
grype now includes the Go Vuln DB data it its database, which does
include the stdlib as if a regular go module, so this CPE fallback can
be disabled by default, fixing many false positives.

Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>

* chore(deps): bump the go-minor-patch group across 1 directory with 2 updates (anchore#3518)

Bumps the go-minor-patch group with 2 updates in the / directory: [golang.org/x/text](https://github.com/golang/text) and [golang.org/x/tools](https://github.com/golang/tools).


Updates `golang.org/x/text` from 0.37.0 to 0.38.0
- [Release notes](https://github.com/golang/text/releases)
- [Commits](golang/text@v0.37.0...v0.38.0)

Updates `golang.org/x/tools` from 0.45.0 to 0.46.0
- [Release notes](https://github.com/golang/tools/releases)
- [Commits](golang/tools@v0.45.0...v0.46.0)

---
updated-dependencies:
- dependency-name: golang.org/x/text
  dependency-version: 0.38.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go-minor-patch
- dependency-name: golang.org/x/tools
  dependency-version: 0.46.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go-minor-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* fix(hummingbird): mark hummingbird distro as rolling (anchore#3521)

Previous hummingbird work incorrectly marked only the search side
(data.go) as having a rolling label. Therefore also mark hummingbird as
a rolling distro at database creation time.

Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>

* refactor release pipeline: TAG_TOKEN, skip-checks gate, go-make bump, dependabot/zizmor/gci cleanup (anchore#3524)

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* chore(deps): bump github.com/containerd/containerd/v2 (anchore#3525)

Bumps [github.com/containerd/containerd/v2](https://github.com/containerd/containerd) from 2.3.1 to 2.3.2.
- [Release notes](https://github.com/containerd/containerd/releases)
- [Changelog](https://github.com/containerd/containerd/blob/main/RELEASES.md)
- [Commits](containerd/containerd@v2.3.1...v2.3.2)

---
updated-dependencies:
- dependency-name: github.com/containerd/containerd/v2
  dependency-version: 2.3.2
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* fix(govulndb): mix floors from custom ranges as appropriate (anchore#3522)

Previously, lower and upper bounds on vulnerable windows would be ORed
together if part of the range was reported in osv standard affected
events and the other part was reported in OSV ecosystem-specific
custom_ranges events. Fix the merge logic so that floors from the custom
ranges have the correct effect.

Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>

* fix(govulndb): only emit records for stdlib (anchore#3527)

* fix(govulndb): only emit records for stdlib

For third party go packages, go vuln db has some very strange version
ranges, and this has caused a number of false positive reports.
Additionally, for most of them, Grype currently reports both a GHSA and
a GO record, resulting in user confusion.

However, there is one key class of record available in the go vuln db
that is not in GHSA: records affecting the go stdlib itself (that is,
the core parts of the langage that are statically linked into every go
binary).

Therefore, for now, emit only records relating to the go stdlib. Future
enhancements can pull in additional data related to third party go
packages in go vuln db.

Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>

* Clean up some additional test fixtures

Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>

---------

Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>

* Update go-make to v0.8.0 (anchore#3528)

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* chore(units): account for changes in Syft and fix stale listing file (anchore#3532)

Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>

* feat(govulndb): emit golang.org/x/net vulns from govlundb (anchore#3534)

These packages are not covered by GHSA and generally have well-formed
versions, so emit them.

Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>

* chore(deps): update anchore dependencies (anchore#3498)

Signed-off-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com>
Co-authored-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com>

* chore(deps): bump actions/checkout from 6.0.3 to 7.0.0 (anchore#3535)

Bumps [actions/checkout](https://github.com/actions/checkout) from 6.0.3 to 7.0.0.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@df4cb1c...9c091bb)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 7.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): update quality gate database (anchore#3543)

Signed-off-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com>
Co-authored-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com>

* feat: populate package architecture for matching (anchore#3504)

* feat: populate package architecture for matching

Enable matchers to filter on architecture-specific vulnerabilities or
fixes.

There are basically three changes here: First, wire up the package
collection creator to populate architecture on the packages when an
image is scanned or an sbom is loaded in Grype. Second, wire up the
architecture package qualifier so that if a vulnerability or fix
specifies that it is only applicable to a particular architecture, the
matchers will respect this, and third, in the RPM matcher, specify
`arch=src` when synthesizing the upstream package to search by (rather
than letting it inherit the binary package's architecture).

The qualifier logic is like this: If either the package or the DB record
has a blank architecture, the filtering is a noop. If the package has a
specific architecture and the DB record has 'src', the package is
qualified, because a disclosure or fix in a src RPM for example is
assumed to affect things built from it. If the DB record and the package
both have specific binary architectures, but they don't match, e.g.
x86_64 != aarch64, the package is not qualified and filters out.
Architecture qualifiers are canonicalized at match time so, for example,
an RPM that has x86_64 architecture is a qualified package on a vuln
that affects "amd64" processors (assuming distro and everything else
line up). This canonicalization is probably more important for future
expansion since a given distro will probably use the same architecture
strings as their own package manager.

Hummingbird also has a special "binary-no-arch-specified" architecture
that means, "this is not a src RPM". That is so that in Hummingbird
data, if we have a package that says, 'upstream=glibc' in its PURL, and
we have a glibc vuln against the binary but not the src RPM, we can
fitler out this false positive. If a DB record has
'binary-no-arch-specified' as its architecture, any package that has any
non-src architecture (or a blank architecture) is qualified, but src
architecture is not.

Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>

* Make architecture aliases data driven

Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>

* handle noarch / all arch

Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>

* Wire up end-to-end architecture specific matching for OL

OracleLinux had some existing false positives where the x86_64 package
was fixed in an earlier version of the RPM than the aarch64 version,
resulting in false positives when Grype checked against the aarch64
version. Add a dbtest for this scenario and update the RPM matcher and
OS transformer to fix this case.

Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>

* move setting src arch on upstream to helper

Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>

* exhaustive tests for package arch qualifier

Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>

---------

Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>

* fix(zarf): swap warn messages for debug (anchore#3545)

Signed-off-by: Brandt Keller <brandt.keller@defenseunicorns.com>

* chore(deps): bump anchore/workflows/.github/workflows/check-version-available.yaml (anchore#3547)

Bumps [anchore/workflows/.github/workflows/check-version-available.yaml](https://github.com/anchore/workflows) from 0.7.2 to 0.8.0.
- [Release notes](https://github.com/anchore/workflows/releases)
- [Commits](anchore/workflows@b0c30a8...7212994)

---
updated-dependencies:
- dependency-name: anchore/workflows/.github/workflows/check-version-available.yaml
  dependency-version: 0.8.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump zizmorcore/zizmor-action from 0.5.6 to 0.5.7 (anchore#3549)

Bumps [zizmorcore/zizmor-action](https://github.com/zizmorcore/zizmor-action) from 0.5.6 to 0.5.7.
- [Release notes](https://github.com/zizmorcore/zizmor-action/releases)
- [Commits](zizmorcore/zizmor-action@5f14fd0...192e21d)

---
updated-dependencies:
- dependency-name: zizmorcore/zizmor-action
  dependency-version: 0.5.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anchore/workflows/.github/workflows/codeql.yaml (anchore#3548)

Bumps [anchore/workflows/.github/workflows/codeql.yaml](https://github.com/anchore/workflows) from 0.7.2 to 0.8.0.
- [Release notes](https://github.com/anchore/workflows/releases)
- [Commits](anchore/workflows@b0c30a8...7212994)

---
updated-dependencies:
- dependency-name: anchore/workflows/.github/workflows/codeql.yaml
  dependency-version: 0.8.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump golang.org/x/tools from 0.46.0 to 0.47.0 (anchore#3550)

Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.46.0 to 0.47.0.
- [Release notes](https://github.com/golang/tools/releases)
- [Commits](golang/tools@v0.46.0...v0.47.0)

---
updated-dependencies:
- dependency-name: golang.org/x/tools
  dependency-version: 0.47.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/cache/restore in /.github/actions/bootstrap (anchore#3556)

Bumps [actions/cache/restore](https://github.com/actions/cache) from 5.0.5 to 6.1.0.
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](actions/cache@27d5ce7...55cc834)

---
updated-dependencies:
- dependency-name: actions/cache/restore
  dependency-version: 6.1.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/cache from 5.0.5 to 6.1.0 (anchore#3551)

Bumps [actions/cache](https://github.com/actions/cache) from 5.0.5 to 6.1.0.
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](actions/cache@27d5ce7...55cc834)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-version: 6.1.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anchore/go-make/.github/actions/setup (anchore#3555)

Bumps [anchore/go-make/.github/actions/setup](https://github.com/anchore/go-make) from 0.6.0 to 0.8.0.
- [Release notes](https://github.com/anchore/go-make/releases)
- [Commits](anchore/go-make@39fe5f7...430e217)

---
updated-dependencies:
- dependency-name: anchore/go-make/.github/actions/setup
  dependency-version: 0.8.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/cache in /.github/actions/bootstrap (anchore#3558)

Bumps [actions/cache](https://github.com/actions/cache) from 5.0.5 to 6.1.0.
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](actions/cache@27d5ce7...55cc834)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-version: 6.1.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump gorm.io/gorm from 1.31.1 to 1.31.2 (anchore#3557)

Bumps [gorm.io/gorm](https://github.com/go-gorm/gorm) from 1.31.1 to 1.31.2.
- [Release notes](https://github.com/go-gorm/gorm/releases)
- [Commits](go-gorm/gorm@v1.31.1...v1.31.2)

---
updated-dependencies:
- dependency-name: gorm.io/gorm
  dependency-version: 1.31.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

---------

Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
Signed-off-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com>
Signed-off-by: Brandt Keller <brandt.keller@defenseunicorns.com>
Signed-off-by: Jeremy Spilman <jeremy.spilman@anchore.com>
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Weston Steimel <author@code.w.steimel.me.uk>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: Will Murphy <willmurphyscode@users.noreply.github.com>
Co-authored-by: anchore-oss-update-bot <anchore-oss-update-bot@anchore.com>
Co-authored-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com>
Co-authored-by: Brandt Keller <43887158+brandtkeller@users.noreply.github.com>
Co-authored-by: Jeremy Spilman <jeremy.spilman@anchore.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Weston Steimel <author@code.w.steimel.me.uk>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
rfJanit added a commit to rfJanit/grype that referenced this pull request Jul 6, 2026
* give install script uploader contents: read (anchore#3489)

Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>

* Govulndb OSV transformer (anchore#3485)

* govulndb osv

Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>

* add fixed dates to govulndb osv transformer

Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>

* enforce lowercase ids on cache

Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>

---------

Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>

* chore(deps): update tool versions (anchore#3488)

Signed-off-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com>
Co-authored-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com>

* chore(deps): update quality gate database (anchore#3478)

Signed-off-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com>
Co-authored-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com>

* feat(scan): add support for a Zarf scan target (anchore#3366)

Signed-off-by: Brandt Keller <brandt.keller@defenseunicorns.com>

* fix: respect withdrawn status of Go Vuln DB OSV records (anchore#3495)

Otherwise we get false positives. Includes a matcher test to assert that
Grype does not find withdrawn go vulns.

Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>

* chore(deps): update anchore dependencies (anchore#3487)

Signed-off-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com>
Co-authored-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com>

* test: add test fixtures for multi RHSA records from vunnel (anchore#3480)

Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>

* fix: avoid panic on invalid RHEL version IDs (anchore#3490)

Signed-off-by: Jeremy Spilman <jeremy.spilman@anchore.com>

* chore(deps): bump the actions-minor-patch group across 2 directories with 7 updates (anchore#3503)

Bumps the actions-minor-patch group with 6 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [anchore/workflows/.github/workflows/codeql.yaml](https://github.com/anchore/workflows) | `0.7.0` | `0.7.2` |
| [anchore/workflows/.github/workflows/check-version-available.yaml](https://github.com/anchore/workflows) | `0.7.0` | `0.7.2` |
| [anchore/workflows/.github/workflows/check-gate.yaml](https://github.com/anchore/workflows) | `0.7.0` | `0.7.2` |
| [actions/checkout](https://github.com/actions/checkout) | `6.0.2` | `6.0.3` |
| [anchore/workflows/.github/workflows/release-install-script.yaml](https://github.com/anchore/workflows) | `0.7.0` | `0.7.2` |
| [github/codeql-action](https://github.com/github/codeql-action) | `4.36.0` | `4.36.2` |

Bumps the actions-minor-patch group with 1 update in the /.github/actions/bootstrap directory: [anchore/go-make](https://github.com/anchore/go-make).


Updates `anchore/workflows/.github/workflows/codeql.yaml` from 0.7.0 to 0.7.2
- [Release notes](https://github.com/anchore/workflows/releases)
- [Commits](anchore/workflows@b3e328b...b0c30a8)

Updates `anchore/workflows/.github/workflows/check-version-available.yaml` from 0.7.0 to 0.7.2
- [Release notes](https://github.com/anchore/workflows/releases)
- [Commits](anchore/workflows@b3e328b...b0c30a8)

Updates `anchore/workflows/.github/workflows/check-gate.yaml` from 0.7.0 to 0.7.2
- [Release notes](https://github.com/anchore/workflows/releases)
- [Commits](anchore/workflows@b3e328b...b0c30a8)

Updates `actions/checkout` from 6.0.2 to 6.0.3
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@de0fac2...df4cb1c)

Updates `anchore/workflows/.github/workflows/release-install-script.yaml` from 0.7.0 to 0.7.2
- [Release notes](https://github.com/anchore/workflows/releases)
- [Commits](anchore/workflows@b3e328b...b0c30a8)

Updates `github/codeql-action` from 4.36.0 to 4.36.2
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@7211b7c...8aad20d)

Updates `anchore/go-make` from 0.5.0 to 0.6.0
- [Release notes](https://github.com/anchore/go-make/releases)
- [Commits](anchore/go-make@9de27be...39fe5f7)

---
updated-dependencies:
- dependency-name: anchore/workflows/.github/workflows/codeql.yaml
  dependency-version: 0.7.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions-minor-patch
- dependency-name: anchore/workflows/.github/workflows/check-version-available.yaml
  dependency-version: 0.7.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions-minor-patch
- dependency-name: anchore/workflows/.github/workflows/check-gate.yaml
  dependency-version: 0.7.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions-minor-patch
- dependency-name: actions/checkout
  dependency-version: 6.0.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions-minor-patch
- dependency-name: anchore/workflows/.github/workflows/release-install-script.yaml
  dependency-version: 0.7.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions-minor-patch
- dependency-name: github/codeql-action
  dependency-version: 4.36.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions-minor-patch
- dependency-name: anchore/go-make
  dependency-version: 0.6.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions-minor-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* exclude linux-kbuild deb indirect matches by default (anchore#3506)

Signed-off-by: Weston Steimel <author@code.w.steimel.me.uk>

* Add OSV Model generator (anchore#3499)

* Add OSV Model generator

Previously, there was an OSV scanner repository that exported a
models.Vulnerability struct we could use. That repository deprecated
their exported models and the models in grype are falling behind.
Therefore, add a generator target that generates our own models based on
the latest v1 JSON scehma from the official OSV spec repository. In this
way automation can PR new models in.

Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>

* less coupled generator

Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>

* parse severity as singular and drop entry type

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* Remove v1 from file names

If we need a v2 model, we should have a package with v2 in the path so
that both can be imported. v1 in a filename is just noise.

Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>

---------

Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>

* chore(deps): bump github.com/anchore/go-make (anchore#3502)

Bumps the go-minor-patch group with 1 update in the /.make directory: [github.com/anchore/go-make](https://github.com/anchore/go-make).


Updates `github.com/anchore/go-make` from 0.5.0 to 0.6.0
- [Release notes](https://github.com/anchore/go-make/releases)
- [Commits](anchore/go-make@v0.5.0...v0.6.0)

---
updated-dependencies:
- dependency-name: github.com/anchore/go-make
  dependency-version: 0.6.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go-minor-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* fix(go-vulndb): merge in custom ranges when applicable (anchore#3514)

* fix(go-vulndb): merge in custom ranges when applicable

Go OSV data has the standard OSV ranges, but also has custom ranges.
Packages that do non-standard go versioning, for example by pushing a
tag that starts with v2.x.y but not adding a /v2 in their module path,
get relegated to the custom ranges field. In other words, there is one
affected range for "strictly go versioning compliant versions" and
another set of ranges for "version control tags that are not perfectly
compliant".

Previously, Grype just ignore this second bucket of version ranges,
resulting in a meaningful number of false positives. Fix this by, if
custom ranges are present, stripping out unbounded (e.g. > 0) ranges
from the regular ranges and then unioning the two range sets.

Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>

* cleanup: avoid double parsing ranges, clean up comments

Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>

* fix up go vuln db transformer

Includes using mapstructure to deserialize custom fields, and some
readability refactors.

Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>

---------

Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>

* fix: disable go stdlib CPE matching by default. (anchore#3517)

Previously, because GHSA does not cover the go stdlib, in order to avoid
false negatives on the go stdlib, CPE matching had to be used. However,
grype now includes the Go Vuln DB data it its database, which does
include the stdlib as if a regular go module, so this CPE fallback can
be disabled by default, fixing many false positives.

Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>

* chore(deps): bump the go-minor-patch group across 1 directory with 2 updates (anchore#3518)

Bumps the go-minor-patch group with 2 updates in the / directory: [golang.org/x/text](https://github.com/golang/text) and [golang.org/x/tools](https://github.com/golang/tools).


Updates `golang.org/x/text` from 0.37.0 to 0.38.0
- [Release notes](https://github.com/golang/text/releases)
- [Commits](golang/text@v0.37.0...v0.38.0)

Updates `golang.org/x/tools` from 0.45.0 to 0.46.0
- [Release notes](https://github.com/golang/tools/releases)
- [Commits](golang/tools@v0.45.0...v0.46.0)

---
updated-dependencies:
- dependency-name: golang.org/x/text
  dependency-version: 0.38.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go-minor-patch
- dependency-name: golang.org/x/tools
  dependency-version: 0.46.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go-minor-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* fix(hummingbird): mark hummingbird distro as rolling (anchore#3521)

Previous hummingbird work incorrectly marked only the search side
(data.go) as having a rolling label. Therefore also mark hummingbird as
a rolling distro at database creation time.

Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>

* refactor release pipeline: TAG_TOKEN, skip-checks gate, go-make bump, dependabot/zizmor/gci cleanup (anchore#3524)

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* chore(deps): bump github.com/containerd/containerd/v2 (anchore#3525)

Bumps [github.com/containerd/containerd/v2](https://github.com/containerd/containerd) from 2.3.1 to 2.3.2.
- [Release notes](https://github.com/containerd/containerd/releases)
- [Changelog](https://github.com/containerd/containerd/blob/main/RELEASES.md)
- [Commits](containerd/containerd@v2.3.1...v2.3.2)

---
updated-dependencies:
- dependency-name: github.com/containerd/containerd/v2
  dependency-version: 2.3.2
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* fix(govulndb): mix floors from custom ranges as appropriate (anchore#3522)

Previously, lower and upper bounds on vulnerable windows would be ORed
together if part of the range was reported in osv standard affected
events and the other part was reported in OSV ecosystem-specific
custom_ranges events. Fix the merge logic so that floors from the custom
ranges have the correct effect.

Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>

* fix(govulndb): only emit records for stdlib (anchore#3527)

* fix(govulndb): only emit records for stdlib

For third party go packages, go vuln db has some very strange version
ranges, and this has caused a number of false positive reports.
Additionally, for most of them, Grype currently reports both a GHSA and
a GO record, resulting in user confusion.

However, there is one key class of record available in the go vuln db
that is not in GHSA: records affecting the go stdlib itself (that is,
the core parts of the langage that are statically linked into every go
binary).

Therefore, for now, emit only records relating to the go stdlib. Future
enhancements can pull in additional data related to third party go
packages in go vuln db.

Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>

* Clean up some additional test fixtures

Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>

---------

Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>

* Update go-make to v0.8.0 (anchore#3528)

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* chore(units): account for changes in Syft and fix stale listing file (anchore#3532)

Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>

* feat(govulndb): emit golang.org/x/net vulns from govlundb (anchore#3534)

These packages are not covered by GHSA and generally have well-formed
versions, so emit them.

Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>

* chore(deps): update anchore dependencies (anchore#3498)

Signed-off-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com>
Co-authored-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com>

* chore(deps): bump actions/checkout from 6.0.3 to 7.0.0 (anchore#3535)

Bumps [actions/checkout](https://github.com/actions/checkout) from 6.0.3 to 7.0.0.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@df4cb1c...9c091bb)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 7.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): update quality gate database (anchore#3543)

Signed-off-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com>
Co-authored-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com>

* feat: populate package architecture for matching (anchore#3504)

* feat: populate package architecture for matching

Enable matchers to filter on architecture-specific vulnerabilities or
fixes.

There are basically three changes here: First, wire up the package
collection creator to populate architecture on the packages when an
image is scanned or an sbom is loaded in Grype. Second, wire up the
architecture package qualifier so that if a vulnerability or fix
specifies that it is only applicable to a particular architecture, the
matchers will respect this, and third, in the RPM matcher, specify
`arch=src` when synthesizing the upstream package to search by (rather
than letting it inherit the binary package's architecture).

The qualifier logic is like this: If either the package or the DB record
has a blank architecture, the filtering is a noop. If the package has a
specific architecture and the DB record has 'src', the package is
qualified, because a disclosure or fix in a src RPM for example is
assumed to affect things built from it. If the DB record and the package
both have specific binary architectures, but they don't match, e.g.
x86_64 != aarch64, the package is not qualified and filters out.
Architecture qualifiers are canonicalized at match time so, for example,
an RPM that has x86_64 architecture is a qualified package on a vuln
that affects "amd64" processors (assuming distro and everything else
line up). This canonicalization is probably more important for future
expansion since a given distro will probably use the same architecture
strings as their own package manager.

Hummingbird also has a special "binary-no-arch-specified" architecture
that means, "this is not a src RPM". That is so that in Hummingbird
data, if we have a package that says, 'upstream=glibc' in its PURL, and
we have a glibc vuln against the binary but not the src RPM, we can
fitler out this false positive. If a DB record has
'binary-no-arch-specified' as its architecture, any package that has any
non-src architecture (or a blank architecture) is qualified, but src
architecture is not.

Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>

* Make architecture aliases data driven

Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>

* handle noarch / all arch

Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>

* Wire up end-to-end architecture specific matching for OL

OracleLinux had some existing false positives where the x86_64 package
was fixed in an earlier version of the RPM than the aarch64 version,
resulting in false positives when Grype checked against the aarch64
version. Add a dbtest for this scenario and update the RPM matcher and
OS transformer to fix this case.

Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>

* move setting src arch on upstream to helper

Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>

* exhaustive tests for package arch qualifier

Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>

---------

Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>

* fix(zarf): swap warn messages for debug (anchore#3545)

Signed-off-by: Brandt Keller <brandt.keller@defenseunicorns.com>

* chore(deps): bump anchore/workflows/.github/workflows/check-version-available.yaml (anchore#3547)

Bumps [anchore/workflows/.github/workflows/check-version-available.yaml](https://github.com/anchore/workflows) from 0.7.2 to 0.8.0.
- [Release notes](https://github.com/anchore/workflows/releases)
- [Commits](anchore/workflows@b0c30a8...7212994)

---
updated-dependencies:
- dependency-name: anchore/workflows/.github/workflows/check-version-available.yaml
  dependency-version: 0.8.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump zizmorcore/zizmor-action from 0.5.6 to 0.5.7 (anchore#3549)

Bumps [zizmorcore/zizmor-action](https://github.com/zizmorcore/zizmor-action) from 0.5.6 to 0.5.7.
- [Release notes](https://github.com/zizmorcore/zizmor-action/releases)
- [Commits](zizmorcore/zizmor-action@5f14fd0...192e21d)

---
updated-dependencies:
- dependency-name: zizmorcore/zizmor-action
  dependency-version: 0.5.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anchore/workflows/.github/workflows/codeql.yaml (anchore#3548)

Bumps [anchore/workflows/.github/workflows/codeql.yaml](https://github.com/anchore/workflows) from 0.7.2 to 0.8.0.
- [Release notes](https://github.com/anchore/workflows/releases)
- [Commits](anchore/workflows@b0c30a8...7212994)

---
updated-dependencies:
- dependency-name: anchore/workflows/.github/workflows/codeql.yaml
  dependency-version: 0.8.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump golang.org/x/tools from 0.46.0 to 0.47.0 (anchore#3550)

Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.46.0 to 0.47.0.
- [Release notes](https://github.com/golang/tools/releases)
- [Commits](golang/tools@v0.46.0...v0.47.0)

---
updated-dependencies:
- dependency-name: golang.org/x/tools
  dependency-version: 0.47.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/cache/restore in /.github/actions/bootstrap (anchore#3556)

Bumps [actions/cache/restore](https://github.com/actions/cache) from 5.0.5 to 6.1.0.
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](actions/cache@27d5ce7...55cc834)

---
updated-dependencies:
- dependency-name: actions/cache/restore
  dependency-version: 6.1.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/cache from 5.0.5 to 6.1.0 (anchore#3551)

Bumps [actions/cache](https://github.com/actions/cache) from 5.0.5 to 6.1.0.
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](actions/cache@27d5ce7...55cc834)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-version: 6.1.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump anchore/go-make/.github/actions/setup (anchore#3555)

Bumps [anchore/go-make/.github/actions/setup](https://github.com/anchore/go-make) from 0.6.0 to 0.8.0.
- [Release notes](https://github.com/anchore/go-make/releases)
- [Commits](anchore/go-make@39fe5f7...430e217)

---
updated-dependencies:
- dependency-name: anchore/go-make/.github/actions/setup
  dependency-version: 0.8.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump actions/cache in /.github/actions/bootstrap (anchore#3558)

Bumps [actions/cache](https://github.com/actions/cache) from 5.0.5 to 6.1.0.
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](actions/cache@27d5ce7...55cc834)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-version: 6.1.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump gorm.io/gorm from 1.31.1 to 1.31.2 (anchore#3557)

Bumps [gorm.io/gorm](https://github.com/go-gorm/gorm) from 1.31.1 to 1.31.2.
- [Release notes](https://github.com/go-gorm/gorm/releases)
- [Commits](go-gorm/gorm@v1.31.1...v1.31.2)

---
updated-dependencies:
- dependency-name: gorm.io/gorm
  dependency-version: 1.31.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

---------

Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
Signed-off-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com>
Signed-off-by: Brandt Keller <brandt.keller@defenseunicorns.com>
Signed-off-by: Jeremy Spilman <jeremy.spilman@anchore.com>
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Weston Steimel <author@code.w.steimel.me.uk>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: Will Murphy <willmurphyscode@users.noreply.github.com>
Co-authored-by: anchore-oss-update-bot <anchore-oss-update-bot@anchore.com>
Co-authored-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com>
Co-authored-by: Brandt Keller <43887158+brandtkeller@users.noreply.github.com>
Co-authored-by: Jeremy Spilman <jeremy.spilman@anchore.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Weston Steimel <author@code.w.steimel.me.uk>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>

Signed-off-by: Janit Lodha <janit.lodha@rapidfort.com>
vaibhav-rf added a commit to vaibhav-rf/grype that referenced this pull request Jul 6, 2026
* give install script uploader contents: read (anchore#3489)



* Govulndb OSV transformer (anchore#3485)

* govulndb osv



* add fixed dates to govulndb osv transformer



* enforce lowercase ids on cache



---------



* chore(deps): update tool versions (anchore#3488)




* chore(deps): update quality gate database (anchore#3478)




* feat(scan): add support for a Zarf scan target (anchore#3366)



* fix: respect withdrawn status of Go Vuln DB OSV records (anchore#3495)

Otherwise we get false positives. Includes a matcher test to assert that
Grype does not find withdrawn go vulns.



* chore(deps): update anchore dependencies (anchore#3487)




* test: add test fixtures for multi RHSA records from vunnel (anchore#3480)



* fix: avoid panic on invalid RHEL version IDs (anchore#3490)



* chore(deps): bump the actions-minor-patch group across 2 directories with 7 updates (anchore#3503)

Bumps the actions-minor-patch group with 6 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [anchore/workflows/.github/workflows/codeql.yaml](https://github.com/anchore/workflows) | `0.7.0` | `0.7.2` |
| [anchore/workflows/.github/workflows/check-version-available.yaml](https://github.com/anchore/workflows) | `0.7.0` | `0.7.2` |
| [anchore/workflows/.github/workflows/check-gate.yaml](https://github.com/anchore/workflows) | `0.7.0` | `0.7.2` |
| [actions/checkout](https://github.com/actions/checkout) | `6.0.2` | `6.0.3` |
| [anchore/workflows/.github/workflows/release-install-script.yaml](https://github.com/anchore/workflows) | `0.7.0` | `0.7.2` |
| [github/codeql-action](https://github.com/github/codeql-action) | `4.36.0` | `4.36.2` |

Bumps the actions-minor-patch group with 1 update in the /.github/actions/bootstrap directory: [anchore/go-make](https://github.com/anchore/go-make).


Updates `anchore/workflows/.github/workflows/codeql.yaml` from 0.7.0 to 0.7.2
- [Release notes](https://github.com/anchore/workflows/releases)
- [Commits](anchore/workflows@b3e328b...b0c30a8)

Updates `anchore/workflows/.github/workflows/check-version-available.yaml` from 0.7.0 to 0.7.2
- [Release notes](https://github.com/anchore/workflows/releases)
- [Commits](anchore/workflows@b3e328b...b0c30a8)

Updates `anchore/workflows/.github/workflows/check-gate.yaml` from 0.7.0 to 0.7.2
- [Release notes](https://github.com/anchore/workflows/releases)
- [Commits](anchore/workflows@b3e328b...b0c30a8)

Updates `actions/checkout` from 6.0.2 to 6.0.3
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@de0fac2...df4cb1c)

Updates `anchore/workflows/.github/workflows/release-install-script.yaml` from 0.7.0 to 0.7.2
- [Release notes](https://github.com/anchore/workflows/releases)
- [Commits](anchore/workflows@b3e328b...b0c30a8)

Updates `github/codeql-action` from 4.36.0 to 4.36.2
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@7211b7c...8aad20d)

Updates `anchore/go-make` from 0.5.0 to 0.6.0
- [Release notes](https://github.com/anchore/go-make/releases)
- [Commits](anchore/go-make@9de27be...39fe5f7)

---
updated-dependencies:
- dependency-name: anchore/workflows/.github/workflows/codeql.yaml
  dependency-version: 0.7.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions-minor-patch
- dependency-name: anchore/workflows/.github/workflows/check-version-available.yaml
  dependency-version: 0.7.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions-minor-patch
- dependency-name: anchore/workflows/.github/workflows/check-gate.yaml
  dependency-version: 0.7.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions-minor-patch
- dependency-name: actions/checkout
  dependency-version: 6.0.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions-minor-patch
- dependency-name: anchore/workflows/.github/workflows/release-install-script.yaml
  dependency-version: 0.7.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions-minor-patch
- dependency-name: github/codeql-action
  dependency-version: 4.36.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions-minor-patch
- dependency-name: anchore/go-make
  dependency-version: 0.6.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions-minor-patch
...




* exclude linux-kbuild deb indirect matches by default (anchore#3506)



* Add OSV Model generator (anchore#3499)

* Add OSV Model generator

Previously, there was an OSV scanner repository that exported a
models.Vulnerability struct we could use. That repository deprecated
their exported models and the models in grype are falling behind.
Therefore, add a generator target that generates our own models based on
the latest v1 JSON scehma from the official OSV spec repository. In this
way automation can PR new models in.



* less coupled generator



* parse severity as singular and drop entry type



* Remove v1 from file names

If we need a v2 model, we should have a package with v2 in the path so
that both can be imported. v1 in a filename is just noise.



---------





* chore(deps): bump github.com/anchore/go-make (anchore#3502)

Bumps the go-minor-patch group with 1 update in the /.make directory: [github.com/anchore/go-make](https://github.com/anchore/go-make).


Updates `github.com/anchore/go-make` from 0.5.0 to 0.6.0
- [Release notes](https://github.com/anchore/go-make/releases)
- [Commits](anchore/go-make@v0.5.0...v0.6.0)

---
updated-dependencies:
- dependency-name: github.com/anchore/go-make
  dependency-version: 0.6.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go-minor-patch
...




* fix(go-vulndb): merge in custom ranges when applicable (anchore#3514)

* fix(go-vulndb): merge in custom ranges when applicable

Go OSV data has the standard OSV ranges, but also has custom ranges.
Packages that do non-standard go versioning, for example by pushing a
tag that starts with v2.x.y but not adding a /v2 in their module path,
get relegated to the custom ranges field. In other words, there is one
affected range for "strictly go versioning compliant versions" and
another set of ranges for "version control tags that are not perfectly
compliant".

Previously, Grype just ignore this second bucket of version ranges,
resulting in a meaningful number of false positives. Fix this by, if
custom ranges are present, stripping out unbounded (e.g. > 0) ranges
from the regular ranges and then unioning the two range sets.



* cleanup: avoid double parsing ranges, clean up comments



* fix up go vuln db transformer

Includes using mapstructure to deserialize custom fields, and some
readability refactors.



---------



* fix: disable go stdlib CPE matching by default. (anchore#3517)

Previously, because GHSA does not cover the go stdlib, in order to avoid
false negatives on the go stdlib, CPE matching had to be used. However,
grype now includes the Go Vuln DB data it its database, which does
include the stdlib as if a regular go module, so this CPE fallback can
be disabled by default, fixing many false positives.



* chore(deps): bump the go-minor-patch group across 1 directory with 2 updates (anchore#3518)

Bumps the go-minor-patch group with 2 updates in the / directory: [golang.org/x/text](https://github.com/golang/text) and [golang.org/x/tools](https://github.com/golang/tools).


Updates `golang.org/x/text` from 0.37.0 to 0.38.0
- [Release notes](https://github.com/golang/text/releases)
- [Commits](golang/text@v0.37.0...v0.38.0)

Updates `golang.org/x/tools` from 0.45.0 to 0.46.0
- [Release notes](https://github.com/golang/tools/releases)
- [Commits](golang/tools@v0.45.0...v0.46.0)

---
updated-dependencies:
- dependency-name: golang.org/x/text
  dependency-version: 0.38.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go-minor-patch
- dependency-name: golang.org/x/tools
  dependency-version: 0.46.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go-minor-patch
...




* fix(hummingbird): mark hummingbird distro as rolling (anchore#3521)

Previous hummingbird work incorrectly marked only the search side
(data.go) as having a rolling label. Therefore also mark hummingbird as
a rolling distro at database creation time.



* refactor release pipeline: TAG_TOKEN, skip-checks gate, go-make bump, dependabot/zizmor/gci cleanup (anchore#3524)



* chore(deps): bump github.com/containerd/containerd/v2 (anchore#3525)

Bumps [github.com/containerd/containerd/v2](https://github.com/containerd/containerd) from 2.3.1 to 2.3.2.
- [Release notes](https://github.com/containerd/containerd/releases)
- [Changelog](https://github.com/containerd/containerd/blob/main/RELEASES.md)
- [Commits](containerd/containerd@v2.3.1...v2.3.2)

---
updated-dependencies:
- dependency-name: github.com/containerd/containerd/v2
  dependency-version: 2.3.2
  dependency-type: indirect
...




* fix(govulndb): mix floors from custom ranges as appropriate (anchore#3522)

Previously, lower and upper bounds on vulnerable windows would be ORed
together if part of the range was reported in osv standard affected
events and the other part was reported in OSV ecosystem-specific
custom_ranges events. Fix the merge logic so that floors from the custom
ranges have the correct effect.



* fix(govulndb): only emit records for stdlib (anchore#3527)

* fix(govulndb): only emit records for stdlib

For third party go packages, go vuln db has some very strange version
ranges, and this has caused a number of false positive reports.
Additionally, for most of them, Grype currently reports both a GHSA and
a GO record, resulting in user confusion.

However, there is one key class of record available in the go vuln db
that is not in GHSA: records affecting the go stdlib itself (that is,
the core parts of the langage that are statically linked into every go
binary).

Therefore, for now, emit only records relating to the go stdlib. Future
enhancements can pull in additional data related to third party go
packages in go vuln db.



* Clean up some additional test fixtures



---------



* Update go-make to v0.8.0 (anchore#3528)



* chore(units): account for changes in Syft and fix stale listing file (anchore#3532)



* feat(govulndb): emit golang.org/x/net vulns from govlundb (anchore#3534)

These packages are not covered by GHSA and generally have well-formed
versions, so emit them.



* chore(deps): update anchore dependencies (anchore#3498)




* chore(deps): bump actions/checkout from 6.0.3 to 7.0.0 (anchore#3535)

Bumps [actions/checkout](https://github.com/actions/checkout) from 6.0.3 to 7.0.0.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@df4cb1c...9c091bb)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 7.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...




* chore(deps): update quality gate database (anchore#3543)




* feat: populate package architecture for matching (anchore#3504)

* feat: populate package architecture for matching

Enable matchers to filter on architecture-specific vulnerabilities or
fixes.

There are basically three changes here: First, wire up the package
collection creator to populate architecture on the packages when an
image is scanned or an sbom is loaded in Grype. Second, wire up the
architecture package qualifier so that if a vulnerability or fix
specifies that it is only applicable to a particular architecture, the
matchers will respect this, and third, in the RPM matcher, specify
`arch=src` when synthesizing the upstream package to search by (rather
than letting it inherit the binary package's architecture).

The qualifier logic is like this: If either the package or the DB record
has a blank architecture, the filtering is a noop. If the package has a
specific architecture and the DB record has 'src', the package is
qualified, because a disclosure or fix in a src RPM for example is
assumed to affect things built from it. If the DB record and the package
both have specific binary architectures, but they don't match, e.g.
x86_64 != aarch64, the package is not qualified and filters out.
Architecture qualifiers are canonicalized at match time so, for example,
an RPM that has x86_64 architecture is a qualified package on a vuln
that affects "amd64" processors (assuming distro and everything else
line up). This canonicalization is probably more important for future
expansion since a given distro will probably use the same architecture
strings as their own package manager.

Hummingbird also has a special "binary-no-arch-specified" architecture
that means, "this is not a src RPM". That is so that in Hummingbird
data, if we have a package that says, 'upstream=glibc' in its PURL, and
we have a glibc vuln against the binary but not the src RPM, we can
fitler out this false positive. If a DB record has
'binary-no-arch-specified' as its architecture, any package that has any
non-src architecture (or a blank architecture) is qualified, but src
architecture is not.



* Make architecture aliases data driven



* handle noarch / all arch



* Wire up end-to-end architecture specific matching for OL

OracleLinux had some existing false positives where the x86_64 package
was fixed in an earlier version of the RPM than the aarch64 version,
resulting in false positives when Grype checked against the aarch64
version. Add a dbtest for this scenario and update the RPM matcher and
OS transformer to fix this case.



* move setting src arch on upstream to helper



* exhaustive tests for package arch qualifier



---------



* fix(zarf): swap warn messages for debug (anchore#3545)



* chore(deps): bump anchore/workflows/.github/workflows/check-version-available.yaml (anchore#3547)

Bumps [anchore/workflows/.github/workflows/check-version-available.yaml](https://github.com/anchore/workflows) from 0.7.2 to 0.8.0.
- [Release notes](https://github.com/anchore/workflows/releases)
- [Commits](anchore/workflows@b0c30a8...7212994)

---
updated-dependencies:
- dependency-name: anchore/workflows/.github/workflows/check-version-available.yaml
  dependency-version: 0.8.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...




* chore(deps): bump zizmorcore/zizmor-action from 0.5.6 to 0.5.7 (anchore#3549)

Bumps [zizmorcore/zizmor-action](https://github.com/zizmorcore/zizmor-action) from 0.5.6 to 0.5.7.
- [Release notes](https://github.com/zizmorcore/zizmor-action/releases)
- [Commits](zizmorcore/zizmor-action@5f14fd0...192e21d)

---
updated-dependencies:
- dependency-name: zizmorcore/zizmor-action
  dependency-version: 0.5.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
...




* chore(deps): bump anchore/workflows/.github/workflows/codeql.yaml (anchore#3548)

Bumps [anchore/workflows/.github/workflows/codeql.yaml](https://github.com/anchore/workflows) from 0.7.2 to 0.8.0.
- [Release notes](https://github.com/anchore/workflows/releases)
- [Commits](anchore/workflows@b0c30a8...7212994)

---
updated-dependencies:
- dependency-name: anchore/workflows/.github/workflows/codeql.yaml
  dependency-version: 0.8.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...




* chore(deps): bump golang.org/x/tools from 0.46.0 to 0.47.0 (anchore#3550)

Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.46.0 to 0.47.0.
- [Release notes](https://github.com/golang/tools/releases)
- [Commits](golang/tools@v0.46.0...v0.47.0)

---
updated-dependencies:
- dependency-name: golang.org/x/tools
  dependency-version: 0.47.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...




* chore(deps): bump actions/cache/restore in /.github/actions/bootstrap (anchore#3556)

Bumps [actions/cache/restore](https://github.com/actions/cache) from 5.0.5 to 6.1.0.
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](actions/cache@27d5ce7...55cc834)

---
updated-dependencies:
- dependency-name: actions/cache/restore
  dependency-version: 6.1.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...




* chore(deps): bump actions/cache from 5.0.5 to 6.1.0 (anchore#3551)

Bumps [actions/cache](https://github.com/actions/cache) from 5.0.5 to 6.1.0.
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](actions/cache@27d5ce7...55cc834)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-version: 6.1.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...




* chore(deps): bump anchore/go-make/.github/actions/setup (anchore#3555)

Bumps [anchore/go-make/.github/actions/setup](https://github.com/anchore/go-make) from 0.6.0 to 0.8.0.
- [Release notes](https://github.com/anchore/go-make/releases)
- [Commits](anchore/go-make@39fe5f7...430e217)

---
updated-dependencies:
- dependency-name: anchore/go-make/.github/actions/setup
  dependency-version: 0.8.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...




* chore(deps): bump actions/cache in /.github/actions/bootstrap (anchore#3558)

Bumps [actions/cache](https://github.com/actions/cache) from 5.0.5 to 6.1.0.
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](actions/cache@27d5ce7...55cc834)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-version: 6.1.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...




* chore(deps): bump gorm.io/gorm from 1.31.1 to 1.31.2 (anchore#3557)

Bumps [gorm.io/gorm](https://github.com/go-gorm/gorm) from 1.31.1 to 1.31.2.
- [Release notes](https://github.com/go-gorm/gorm/releases)
- [Commits](go-gorm/gorm@v1.31.1...v1.31.2)

---
updated-dependencies:
- dependency-name: gorm.io/gorm
  dependency-version: 1.31.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...




---------

Signed-off-by: Janit Lodha <janit.lodha@rapidfort.com>
Signed-off-by: Vaibhav Thatai <vaibhav@rapidfort.com>
Co-authored-by: Vaibhav Thatai <vaibhav@rapidfort.com>
spiffcs added a commit that referenced this pull request Jul 7, 2026
* origin/main:
  chore(deps): bump gorm.io/gorm from 1.31.1 to 1.31.2 (#3557)
  chore(deps): bump actions/cache in /.github/actions/bootstrap (#3558)
  chore(deps): bump anchore/go-make/.github/actions/setup (#3555)
  chore(deps): bump actions/cache from 5.0.5 to 6.1.0 (#3551)
  chore(deps): bump actions/cache/restore in /.github/actions/bootstrap (#3556)
  chore(deps): bump golang.org/x/tools from 0.46.0 to 0.47.0 (#3550)
  chore(deps): bump anchore/workflows/.github/workflows/codeql.yaml (#3548)
  chore(deps): bump zizmorcore/zizmor-action from 0.5.6 to 0.5.7 (#3549)
  chore(deps): bump anchore/workflows/.github/workflows/check-version-available.yaml (#3547)
  fix(zarf): swap warn messages for debug (#3545)
  feat: populate package architecture for matching (#3504)
  chore(deps): update quality gate database (#3543)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

Status: Done

Development

Successfully merging this pull request may close these issues.

2 participants