Grype ignores pedigree ancestors components #3236

@vanntile

Description

What happened:

When scanning the following minimal example SBOM, grype does not detect the single component's pedigree ancestor, and thus doesn't search for its vulnerabilities. However, when declaring it as a separate component, it does, so it's not a scanning issue.

What you expected to happen:

Pedigree ancestor components (at least) to be parsed/detected. This is important for declaring forks.

How to reproduce it (as minimally and precisely as possible):

{
  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "serialNumber": "urn:uuid:58add206-0731-11f1-a9d3-703217923a24",
  "version": 1,
  "components": [
    {
      "bom-ref": "pkg:golang/gitlab.acme.com/3rdparty/cryptofork@v0.37.0",
      "type": "library",
      "name": "gitlab.acme.com/3rdparty/cryptofork",
      "version": "v0.37.0",
      "cpe": "cpe:2.3:a:3rdparty:cryptofork:v0.37.0:*:*:*:*:*:*:*",
      "purl": "pkg:golang/gitlab.acme.com/3rdparty/cryptofork@v0.37.0",
      "pedigree": {
        "ancestors": [
          {
            "bom-ref": "pkg:golang/golang.org/x/crypto@v0.37.0",
            "type": "library",
            "name": "golang.org/x/crypto",
            "version": "v0.37.0",
            "cpe": "cpe:2.3:a:golang:crypto:v0.37.0:*:*:*:*:go:*:*",
            "purl": "pkg:golang/golang.org/x/crypto@v0.37.0"
          }
        ]
      }
    }
  ]
}

GRYPE_MATCH_GOLANG_USING_CPES=true GRYPE_PRETTY=true grype -vv --add-cpes-if-none -o table sbom:pedigree.cdx.json
...
[0000]  INFO found 0 vulnerability matches across 1 packages
[0000] DEBUG   ├── fixed: 0
[0000] DEBUG   ├── ignored: 0 (due to user-provided rule)
[0000] DEBUG   ├── dropped: 0 (due to hard-coded correction)
[0000] DEBUG   └── matched: 0
[0000] DEBUG       ├── unknown: 0
[0000] DEBUG       ├── negligible: 0
[0000] DEBUG       ├── low: 0
[0000] DEBUG       ├── medium: 0
[0000] DEBUG       ├── high: 0
[0000] DEBUG       └── critical: 0
[0000]  INFO found vulnerability matches time=3.68992ms

{
  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "serialNumber": "urn:uuid:58add206-0731-11f1-a9d3-703217923a24",
  "version": 1,
  "components": [
    {
      "bom-ref": "pkg:golang/gitlab.acme.com/3rdparty/cryptofork@v0.37.0",
      "type": "library",
      "name": "gitlab.acme.com/3rdparty/cryptofork",
      "version": "v0.37.0",
      "cpe": "cpe:2.3:a:3rdparty:cryptofork:v0.37.0:*:*:*:*:*:*:*",
      "purl": "pkg:golang/gitlab.acme.com/3rdparty/cryptofork@v0.37.0",
      "pedigree": {
        "ancestors": [
          {
            "bom-ref": "pkg:golang/golang.org/x/crypto@v0.37.0",
            "type": "library",
            "name": "golang.org/x/crypto",
            "version": "v0.37.0",
            "cpe": "cpe:2.3:a:golang:crypto:v0.37.0:*:*:*:*:go:*:*",
            "purl": "pkg:golang/golang.org/x/crypto@v0.37.0"
          }
        ]
      }
    },
    {
      "bom-ref": "pkg:golang/golang.org/x/crypto@v0.37.0",
      "type": "library",
      "name": "golang.org/x/crypto",
      "version": "v0.37.0",
      "cpe": "cpe:2.3:a:golang:crypto:v0.37.0:*:*:*:*:go:*:*",
      "purl": "pkg:golang/golang.org/x/crypto@v0.37.0"
    }
  ]
}

GRYPE_MATCH_GOLANG_USING_CPES=true GRYPE_PRETTY=true grype -vv --add-cpes-if-none -o table sbom:pedigree.cdx.json
...
[0000] DEBUG found 4 vulnerabilities package=pkg:golang/golang.org/x/crypto@v0.37.0
[0000]  INFO found 4 vulnerability matches across 2 packages
[0000] DEBUG   ├── fixed: 4
[0000] DEBUG   ├── ignored: 0 (due to user-provided rule)
[0000] DEBUG   ├── dropped: 0 (due to hard-coded correction)
[0000] DEBUG   └── matched: 4
[0000] DEBUG       ├── unknown: 0
[0000] DEBUG       ├── negligible: 0
[0000] DEBUG       ├── low: 0
[0000] DEBUG       ├── medium: 3
[0000] DEBUG       ├── high: 1
[0000] DEBUG       └── critical: 0
[0000]  INFO found vulnerability matches time=10.811351ms
NAME                 INSTALLED  FIXED IN  TYPE       VULNERABILITY        SEVERITY  EPSS           RISK
golang.org/x/crypto  v0.37.0    0.45.0    go-module  GHSA-j5w8-q4qc-rx2x  Medium    < 0.1% (24th)  < 0.1
golang.org/x/crypto  v0.37.0    0.43.0    go-module  CVE-2025-47913       High      < 0.1% (9th)   < 0.1
golang.org/x/crypto  v0.37.0    0.45.0    go-module  CVE-2025-47914       Medium    < 0.1% (4th)   < 0.1
golang.org/x/crypto  v0.37.0    0.45.0    go-module  GHSA-f6x5-jh6r-wrfv  Medium    < 0.1% (4th)   < 0.1
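As an added example (not code from the report or from the grype project), a pre-processing step that lifts every pedigree ancestor into the top-level components list, which is the shape that did produce matches in the second run above. The SBOM values are the ones from the report; the function names and the nested-component handling are my own assumptions about a reasonable workaround.

```python
import copy

# Constructed sample, reduced from the SBOM in the report: a fork whose
# upstream origin is recorded only under pedigree.ancestors.
FORK = "pkg:golang/gitlab.acme.com/3rdparty/cryptofork@v0.37.0"
UPSTREAM = "pkg:golang/golang.org/x/crypto@v0.37.0"
SAMPLE_BOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1,
    "components": [{
        "bom-ref": FORK, "type": "library", "purl": FORK,
        "name": "gitlab.acme.com/3rdparty/cryptofork", "version": "v0.37.0",
        "pedigree": {"ancestors": [{
            "bom-ref": UPSTREAM, "type": "library", "purl": UPSTREAM,
            "name": "golang.org/x/crypto", "version": "v0.37.0",
        }]},
    }],
}


def identity(component):
    # bom-ref must be unique within a BOM; fall back to purl, then name@version.
    return (component.get("bom-ref") or component.get("purl")
            or f"{component.get('name')}@{component.get('version')}")


def walk_ancestors(component):
    """Yield every pedigree ancestor, depth-first, including ancestors of
    ancestors and ancestors of nested sub-components."""
    for child in component.get("components", []):
        yield from walk_ancestors(child)
    for ancestor in component.get("pedigree", {}).get("ancestors", []):
        yield ancestor
        yield from walk_ancestors(ancestor)


def hoist_pedigree_ancestors(bom):
    """Return a copy of the BOM with each pedigree ancestor also listed as a
    top-level component, deduplicated by identity(); the original pedigree
    block is left in place so the fork relationship is not lost."""
    out = copy.deepcopy(bom)
    top = out.setdefault("components", [])
    seen = {identity(c) for c in top}
    for comp in list(top):          # snapshot: do not re-walk hoisted entries
        for ancestor in walk_ancestors(comp):
            if identity(ancestor) not in seen:
                seen.add(identity(ancestor))
                hoisted = copy.deepcopy(ancestor)
                hoisted.pop("pedigree", None)   # its own ancestors were walked
                top.append(hoisted)
    return out
```

Load pedigree.cdx.json with json.load, pass it through hoist_pedigree_ancestors, write the result out and rescan it; the ancestor then appears as its own package, as in the second run above.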

Anything else we need to know?:

Environment: Ubuntu 24.04

❯ grype version
Application:         grype
Version:             0.108.0
BuildDate:           2026-02-10T18:34:25Z
GitCommit:           425dd9cce9ebbb695bd7ca79d7e0eb22e2b4116a
GitDescription:      v0.108.0
Platform:            linux/amd64
GoVersion:           go1.25.6
Compiler:            gc
Syft Version:        v1.42.0
Supported DB Schema: 6

Labels: bug