Open-Source Wikis

/

Grype

/

Fun facts

anchore/grype

Fun facts

Light trivia gathered while spelunking the Grype codebase.

The longest file is bigger than it looks

grype/db/v6/vulnerability_test.go weighs in at 30,279 lines. The longest non-test file (grype/db/v6/models.go) clocks in at 31,189 lines — but it's mostly GORM struct definitions, not algorithmic complexity. The longest "real" Go file is grype/vulnerability_matcher.go at ~24K lines, and even that contains substantial setup/teardown for the per-package match orchestration.

ASCII tree characters in your logs

grype/vulnerability_matcher.go defines:

const (
    branch = "├──"
    leaf   = "└──"
)

These are used to print scan summaries as a textual tree:

found N vulnerability matches across M packages
  ├── fixed: ...
  ├── ignored: ...
  ├── dropped: ...
  └── matched: ...

The same characters re-appear in cmd/grype/cli/commands/root.go when the DB load summary is logged.

opensuse-leap is a special-cased string

grype/distro/distro.go::ParseDistroString has explicit code for opensuse-leap because it is the only common distro ID that contains a hyphen. Without the special case, a user input like opensuse-leap-15 would be parsed as opensuse + leap-15.

SchemaVer in the wild

The DB schema uses SchemaVer — a niche scheme that distinguishes:

  • Model: breaking schema changes (today: 6).
  • Revision: changes that may break some historical data (today: 1).
  • Addition: changes that are backward-compatible (today: 4).

This lets the v6 model handle minor extensions (KEV, EPSS, CWE, EOL dates) without bumping a major version.

A gem of a comment

In cmd/grype/cli/commands/root.go:

// packages are grype.Package, not syft.Package
// the SBOM is returned for downstream formatting concerns
// grype uses the SBOM in combination with syft formatters to produce cycloneDX
// with vulnerability information appended

This is the most concise possible description of why Grype keeps a parallel pkg.Package type alongside Syft's: matchers need fields Syft doesn't carry (e.g. MetadataType discriminators specific to vulnerability matching), but the SBOM is still preserved end-to-end so the CycloneDX presenter can reconstruct a complete BOM with vulnerabilities attached.

The CI environment fights back

In cmd/grype/cli/cli.go, there's a stealth environWithoutCI type whose only job is to hide the CI environment variable from lipgloss/termenv when deciding whether to render colors. Without it, color rendering would be silently disabled in many CI environments — even when developers have explicitly opted into a richer UI. The lengths developers go to so their terminal output looks pretty.

Dependabot's outsized footprint

About 28% of the project's commits were authored by dependabot[bot]. For a tool whose value depends on staying current with vulnerability feeds, package format libraries, and Go itself, that's a feature, not a bug.

Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.

Fun facts – Grype wiki | Factory