Status: Open
Labels: bug (Something isn't working)
Description
What happened:
When scanning the following minimal example SBOM, grype does not detect the single component's pedigree ancestor, and thus doesn't search for its vulnerabilities. However, when declaring it as a separate component, it does, so it's not a scanning issue.
What you expected to happen:
Pedigree ancestor components (at least) to be parsed/detected. This is important for declaring forks.
How to reproduce it (as minimally and precisely as possible):
```json
{
  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "serialNumber": "urn:uuid:58add206-0731-11f1-a9d3-703217923a24",
  "version": 1,
  "components": [
    {
      "bom-ref": "pkg:golang/gitlab.acme.com/3rdparty/cryptofork@v0.37.0",
      "type": "library",
      "name": "gitlab.acme.com/3rdparty/cryptofork",
      "version": "v0.37.0",
      "cpe": "cpe:2.3:a:3rdparty:cryptofork:v0.37.0:*:*:*:*:*:*:*",
      "purl": "pkg:golang/gitlab.acme.com/3rdparty/cryptofork@v0.37.0",
      "pedigree": {
        "ancestors": [
          {
            "bom-ref": "pkg:golang/golang.org/x/crypto@v0.37.0",
            "type": "library",
            "name": "golang.org/x/crypto",
            "version": "v0.37.0",
            "cpe": "cpe:2.3:a:golang:crypto:v0.37.0:*:*:*:*:go:*:*",
            "purl": "pkg:golang/golang.org/x/crypto@v0.37.0"
          }
        ]
      }
    }
  ]
}
```

```shell
GRYPE_MATCH_GOLANG_USING_CPES=true GRYPE_PRETTY=true grype -vv --add-cpes-if-none -o table sbom:pedigree.cdx.json
```

```text
...
[0000]  INFO found 0 vulnerability matches across 1 packages
[0000] DEBUG   ├── fixed: 0
[0000] DEBUG   ├── ignored: 0 (due to user-provided rule)
[0000] DEBUG   ├── dropped: 0 (due to hard-coded correction)
[0000] DEBUG   └── matched: 0
[0000] DEBUG       ├── unknown: 0
[0000] DEBUG       ├── negligible: 0
[0000] DEBUG       ├── low: 0
[0000] DEBUG       ├── medium: 0
[0000] DEBUG       ├── high: 0
[0000] DEBUG       └── critical: 0
[0000]  INFO found vulnerability matches time=3.68992ms
```

```json
{
  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "serialNumber": "urn:uuid:58add206-0731-11f1-a9d3-703217923a24",
  "version": 1,
  "components": [
    {
      "bom-ref": "pkg:golang/gitlab.acme.com/3rdparty/cryptofork@v0.37.0",
      "type": "library",
      "name": "gitlab.acme.com/3rdparty/cryptofork",
      "version": "v0.37.0",
      "cpe": "cpe:2.3:a:3rdparty:cryptofork:v0.37.0:*:*:*:*:*:*:*",
      "purl": "pkg:golang/gitlab.acme.com/3rdparty/cryptofork@v0.37.0",
      "pedigree": {
        "ancestors": [
          {
            "bom-ref": "pkg:golang/golang.org/x/crypto@v0.37.0",
            "type": "library",
            "name": "golang.org/x/crypto",
            "version": "v0.37.0",
            "cpe": "cpe:2.3:a:golang:crypto:v0.37.0:*:*:*:*:go:*:*",
            "purl": "pkg:golang/golang.org/x/crypto@v0.37.0"
          }
        ]
      }
    },
    {
      "bom-ref": "pkg:golang/golang.org/x/crypto@v0.37.0",
      "type": "library",
      "name": "golang.org/x/crypto",
      "version": "v0.37.0",
      "cpe": "cpe:2.3:a:golang:crypto:v0.37.0:*:*:*:*:go:*:*",
      "purl": "pkg:golang/golang.org/x/crypto@v0.37.0"
    }
  ]
}
```

```shell
GRYPE_MATCH_GOLANG_USING_CPES=true GRYPE_PRETTY=true grype -vv --add-cpes-if-none -o table sbom:pedigree.cdx.json
```

```text
...
[0000] DEBUG found 4 vulnerabilities package=pkg:golang/golang.org/x/crypto@v0.37.0
[0000]  INFO found 4 vulnerability matches across 2 packages
[0000] DEBUG   ├── fixed: 4
[0000] DEBUG   ├── ignored: 0 (due to user-provided rule)
[0000] DEBUG   ├── dropped: 0 (due to hard-coded correction)
[0000] DEBUG   └── matched: 4
[0000] DEBUG       ├── unknown: 0
[0000] DEBUG       ├── negligible: 0
[0000] DEBUG       ├── low: 0
[0000] DEBUG       ├── medium: 3
[0000] DEBUG       ├── high: 1
[0000] DEBUG       └── critical: 0
[0000]  INFO found vulnerability matches time=10.811351ms
NAME                 INSTALLED  FIXED IN  TYPE       VULNERABILITY        SEVERITY  EPSS          RISK
golang.org/x/crypto  v0.37.0    0.45.0    go-module  GHSA-j5w8-q4qc-rx2x  Medium    < 0.1% (24th) < 0.1
golang.org/x/crypto  v0.37.0    0.43.0    go-module  CVE-2025-47913       High      < 0.1% (9th)  < 0.1
golang.org/x/crypto  v0.37.0    0.45.0    go-module  CVE-2025-47914       Medium    < 0.1% (4th)  < 0.1
golang.org/x/crypto  v0.37.0    0.45.0    go-module  GHSA-f6x5-jh6r-wrfv  Medium    < 0.1% (4th)  < 0.1
```

Anything else we need to know?:
Environment: Ubuntu 24.04

```text
❯ grype version
Application:         grype
Version:             0.108.0
BuildDate:           2026-02-10T18:34:25Z
GitCommit:           425dd9cce9ebbb695bd7ca79d7e0eb22e2b4116a
GitDescription:      v0.108.0
Platform:            linux/amd64
GoVersion:           go1.25.6
Compiler:            gc
Syft Version:        v1.42.0
Supported DB Schema: 6
```
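Until the scanner walks `pedigree` itself, the SBOM can be pre-processed so that every pedigree component also appears as a top-level entry, which is exactly the shape the second reproduction above shows working. The script below is an added example for this page, not grype or CycloneDX project code; `SAMPLE_BOM` is a constructed copy of the issue's minimal SBOM (CPEs omitted), and `iter_components` deliberately goes beyond the reported case by also descending into nested `components`, `descendants` and `variants`.

```python
import json
import sys

# Constructed input mirroring the issue's minimal SBOM: one fork whose only
# link to golang.org/x/crypto is a pedigree ancestor (CPEs omitted for brevity).
SAMPLE_BOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1,
    "components": [{
        "bom-ref": "pkg:golang/gitlab.acme.com/3rdparty/cryptofork@v0.37.0",
        "type": "library", "name": "gitlab.acme.com/3rdparty/cryptofork",
        "version": "v0.37.0",
        "purl": "pkg:golang/gitlab.acme.com/3rdparty/cryptofork@v0.37.0",
        "pedigree": {"ancestors": [{
            "bom-ref": "pkg:golang/golang.org/x/crypto@v0.37.0",
            "type": "library", "name": "golang.org/x/crypto",
            "version": "v0.37.0",
            "purl": "pkg:golang/golang.org/x/crypto@v0.37.0",
        }]},
    }],
}

PEDIGREE_KEYS = ("ancestors", "descendants", "variants")  # CycloneDX pedigree component lists


def iter_components(components):
    """Depth-first walk over components, nested components and pedigree entries."""
    for comp in components:
        yield comp
        yield from iter_components(comp.get("components", []))
        pedigree = comp.get("pedigree", {})
        for key in PEDIGREE_KEYS:
            yield from iter_components(pedigree.get(key, []))


def purls(bom):
    """Top-level purls, i.e. what a scanner that ignores pedigree would match on."""
    return [c["purl"] for c in bom.get("components", []) if "purl" in c]


def flatten_pedigree(bom):
    """Return a copy with every pedigree component promoted to top level (dedup by bom-ref)."""
    seen = {}
    for comp in iter_components(bom.get("components", [])):
        ref = comp.get("bom-ref") or comp.get("purl")
        if ref and ref not in seen:
            seen[ref] = comp
    return {**bom, "components": list(seen.values())}


if __name__ == "__main__":
    src = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_BOM
    json.dump(flatten_pedigree(src), sys.stdout, indent=2)
```

Promoting an ancestor asserts it as a component in its own right, so feed the flattened file to the scanner only and keep the original as the published SBOM.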