anchore/grype
Glossary
Project-specific terms used throughout the codebase and in this wiki.
| Term | Definition |
|---|---|
| Catalog | The set of packages discovered by Syft from a target. Grype consumes a catalog to drive matching. |
| CPE | Common Platform Enumeration. A structured identifier for software (e.g. cpe:2.3:a:openssl:openssl:3.0.14:*:*:*:*:*). Used by NVD-derived data. |
| Curator | Component in grype/db/v6/installation that owns the local copy of vulnerability.db: download, validation, status, deletion. |
| Decorator | Optional vulnerability metadata added on top of the core record. Currently CISA KEV and EPSS are implemented in VulnerabilityDecoratorStore. |
| Direct match | A match between a vulnerability and the package the user actually installed (vs. an upstream source package). See match.ExactDirectMatch. |
| Distribution (DB) | The mechanism for fetching the vulnerability DB archive from a CDN (grype/db/v6/distribution). |
| Ecosystem | A package universe: apk, dpkg, rpm, java/maven, npm, pypi, gem, go, cargo, nuget, hex, msrc, etc. Each ecosystem has its own matcher under grype/matcher/. |
| EOL distro | A Linux distribution past its end-of-life date. Grype warns when packages come from one. Implemented in vulnerability_matcher.go::eolTracker. |
| EPSS | Exploit Prediction Scoring System. A daily-updated probability that a vulnerability will be exploited in the wild. |
| Fix state | One of fixed, not-fixed, wont-fix, unknown. Drives --only-fixed/--only-not-fixed flags. |
| Fingerprint | A composite key for a Match: (vulnerabilityID, vulnerabilityNamespace, packageID, fixVersions). Defined in grype/match/fingerprint.go. |
| Hydrate | Post-build step that runs migrations and indexes on a freshly-built DB without re-importing data (grype/db/v6/db.go::Hydrater). |
| Ignore rule | A user-provided rule (match.IgnoreRule) that moves a match to the ignored set. Configurable by vulnerability ID, package name/version/location, fix state, VEX status, or match type. |
| Indirect match | A match made via an upstream/source package (e.g. matching linux-kernel-headers because of its upstream kernel). See match.ExactIndirectMatch. |
| KEV | CISA Known Exploited Vulnerabilities catalog. Used as a decorator. |
| MSRC | Microsoft Security Response Center matcher (grype/matcher/msrc/) — handles Windows KB advisories. |
| Namespace | The data source a vulnerability came from (e.g. nvd:cpe, redhat:distro:redhat:8, github:language:python). |
| PURL | Package URL. A canonical identifier for a software package (e.g. pkg:apk/openssl@3.2.1?distro=alpine-3.20.3). |
| Provider (DB) | A data feed contributing vulnerability records to the DB build (e.g. nvd, alpine, debian, github). Tracked in grype/db/v6/provider_store.go. |
| Provider (vulnerability) | The runtime interface (vulnerability.Provider) abstracting a vulnerability source — usually the v6 DB reader. |
| SARIF | Static Analysis Results Interchange Format — a JSON output supported by GitHub code scanning. |
| SBOM | Software Bill of Materials. Grype consumes Syft, SPDX, and CycloneDX SBOMs. |
| SchemaVer | Schema versioning scheme (model.revision.addition) used by the DB. See grype/db/v6/db.go. |
| Stereoscope | Anchore's container image library; Grype uses it transitively via Syft. |
| Stock matcher | The fallback matcher (grype/matcher/stock) used for package types without an ecosystem-specific matcher. |
| Syft | Anchore's package cataloger. Grype imports github.com/anchore/syft and uses it for both cataloging and SBOM parsing. |
| VEX | Vulnerability Exploitability eXchange. Documents that filter or augment scan results based on vendor analysis. Grype supports OpenVEX and CSAF (grype/vex/). |
VulnerabilityDB / vulnerability.db |
The SQLite file shipped by Anchore, holding vulnerability + affected-package + CPE + decorator data for a given schema. |
| vunnel | The upstream tool that produces normalized vulnerability JSON for grype-db to ingest. Referenced from Taskfile.yaml::regenerate-fixtures. |
| Yardstick | The quality-gate harness in test/quality/ that compares Grype output against labeled vulnerability data. |
Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.