Open-Source Wikis

/

Grype

/

Reference

/

Data models

anchore/grype

Data models

The shapes that cross Grype's external API surface.

JSON output

The canonical output schema is defined in grype/presenter/models/. The top-level shape:

{
  "matches": [Match, ...],
  "ignoredMatches": [IgnoredMatch, ...],
  "source": Source,
  "distro": Distro,
  "descriptor": {
    "name": "grype",
    "version": "<semver>",
    "configuration": Configuration,
    "db": DBStatus
  }
}

A representative matches[i]:

{
  "vulnerability": {
    "id": "CVE-2024-12345",
    "dataSource": "https://...",
    "namespace": "nvd:cpe",
    "severity": "High",
    "urls": [...],
    "description": "...",
    "cvss": [...],
    "fix": { "versions": ["1.2.4"], "state": "fixed" },
    "advisories": [...],
    "epss": [...],
    "kev": [...]
  },
  "relatedVulnerabilities": [...],
  "matchDetails": [
    {
      "type": "exact-direct-match",
      "matcher": "stock-matcher",
      "searchedBy": { "...": "..." },
      "found": { "...": "..." },
      "fix": { "...": "..." }
    }
  ],
  "artifact": {
    "name": "...",
    "version": "...",
    "type": "...",
    "locations": [...],
    "language": "...",
    "licenses": [...],
    "cpes": [...],
    "purl": "..."
  }
}

The schema is generated from the model types via cmd/grype/cli/commands/internal/jsonschema/. task generate-json-schema regenerates it; task check-json-schema-drift validates that the committed schema matches the current code.

Match details

Each matchDetails[i].type is one of:

  • exact-direct-match — the vulnerability matched the package directly.
  • exact-indirect-match — matched via an upstream/source package.
  • cpe-match — matched via CPE (typically NVD).
  • fuzzy-match — approximate version comparison (rare).

Ignored matches

ignoredMatches[i] has the same shape as a regular match, plus appliedIgnoreRules — the array of rules that caused the suppression. Useful for auditing.

Database descriptor

{
  "schemaVersion": "6",
  "from": "https://grype.anchore.io/databases/v6/listing.json",
  "built": "2026-04-29T00:00:00Z",
  "path": "/home/.../vulnerability.db",
  "valid": true,
}

Output formats and their shape

Format Schema source
json grype/presenter/models/ (this page).
cyclonedx-json / cyclonedx-xml CycloneDX 1.6 with vulnerabilities array.
embedded-cyclonedx-vex-json/xml CycloneDX with VEX statements per vulnerability.
sarif SARIF 2.1.0.
template User-supplied; receives models.Document.
table Not structured.

Internal models (not part of the public API)

  • pkg.Package, pkg.Contextgrype/pkg/. Internal to the matcher pipeline.
  • match.Match, match.Matchesgrype/match/. Internal.
  • vulnerability.Vulnerabilitygrype/vulnerability/vulnerability.go. Internal; presenters convert to models.*.
  • DB models (GORM) — grype/db/v6/models.go. Persisted, not directly exposed.
  • DB blobs — grype/db/v6/blobs.go. Persisted JSON blobs; their schemas are also generated under grype/db/v6/schema/ and validated by task check-db-schema-drift.

The clear separation between internal models and the public JSON model means matcher refactors don't cascade into public-API breaks.

Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.

Data models – Grype wiki | Factory