Open-Source Wikis

/

Grype

/

Grype

/

Glossary

anchore/grype

Glossary

Project-specific terms used throughout the codebase and in this wiki.

Term Definition
Catalog The set of packages discovered by Syft from a target. Grype consumes a catalog to drive matching.
CPE Common Platform Enumeration. A structured identifier for software (e.g. cpe:2.3:a:openssl:openssl:3.0.14:*:*:*:*:*). Used by NVD-derived data.
Curator Component in grype/db/v6/installation that owns the local copy of vulnerability.db: download, validation, status, deletion.
Decorator Optional vulnerability metadata added on top of the core record. Currently CISA KEV and EPSS are implemented in VulnerabilityDecoratorStore.
Direct match A match between a vulnerability and the package the user actually installed (vs. an upstream source package). See match.ExactDirectMatch.
Distribution (DB) The mechanism for fetching the vulnerability DB archive from a CDN (grype/db/v6/distribution).
Ecosystem A package universe: apk, dpkg, rpm, java/maven, npm, pypi, gem, go, cargo, nuget, hex, msrc, etc. Each ecosystem has its own matcher under grype/matcher/.
EOL distro A Linux distribution past its end-of-life date. Grype warns when packages come from one. Implemented in vulnerability_matcher.go::eolTracker.
EPSS Exploit Prediction Scoring System. A daily-updated probability that a vulnerability will be exploited in the wild.
Fix state One of fixed, not-fixed, wont-fix, unknown. Drives --only-fixed/--only-not-fixed flags.
Fingerprint A composite key for a Match: (vulnerabilityID, vulnerabilityNamespace, packageID, fixVersions). Defined in grype/match/fingerprint.go.
Hydrate Post-build step that runs migrations and indexes on a freshly-built DB without re-importing data (grype/db/v6/db.go::Hydrater).
Ignore rule A user-provided rule (match.IgnoreRule) that moves a match to the ignored set. Configurable by vulnerability ID, package name/version/location, fix state, VEX status, or match type.
Indirect match A match made via an upstream/source package (e.g. matching linux-kernel-headers because of its upstream kernel). See match.ExactIndirectMatch.
KEV CISA Known Exploited Vulnerabilities catalog. Used as a decorator.
MSRC Microsoft Security Response Center matcher (grype/matcher/msrc/) — handles Windows KB advisories.
Namespace The data source a vulnerability came from (e.g. nvd:cpe, redhat:distro:redhat:8, github:language:python).
PURL Package URL. A canonical identifier for a software package (e.g. pkg:apk/openssl@3.2.1?distro=alpine-3.20.3).
Provider (DB) A data feed contributing vulnerability records to the DB build (e.g. nvd, alpine, debian, github). Tracked in grype/db/v6/provider_store.go.
Provider (vulnerability) The runtime interface (vulnerability.Provider) abstracting a vulnerability source — usually the v6 DB reader.
SARIF Static Analysis Results Interchange Format — a JSON output supported by GitHub code scanning.
SBOM Software Bill of Materials. Grype consumes Syft, SPDX, and CycloneDX SBOMs.
SchemaVer Schema versioning scheme (model.revision.addition) used by the DB. See grype/db/v6/db.go.
Stereoscope Anchore's container image library; Grype uses it transitively via Syft.
Stock matcher The fallback matcher (grype/matcher/stock) used for package types without an ecosystem-specific matcher.
Syft Anchore's package cataloger. Grype imports github.com/anchore/syft and uses it for both cataloging and SBOM parsing.
VEX Vulnerability Exploitability eXchange. Documents that filter or augment scan results based on vendor analysis. Grype supports OpenVEX and CSAF (grype/vex/).
VulnerabilityDB / vulnerability.db The SQLite file shipped by Anchore, holding vulnerability + affected-package + CPE + decorator data for a given schema.
vunnel The upstream tool that produces normalized vulnerability JSON for grype-db to ingest. Referenced from Taskfile.yaml::regenerate-fixtures.
Yardstick The quality-gate harness in test/quality/ that compares Grype output against labeled vulnerability data.

Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.

Glossary – Grype wiki | Factory