This is the multi-page printable view of this section. Click here to print.

Return to the regular view of this page.

Capabilities

Summary of package analysis and vulnerability scanning capabilities across ecosystems

Capabilities describe the cross-cutting features available across Anchore’s tools:

Package analysis: What Syft can catalog from package manifests, lock files, and installed packages
Vulnerability scanning: What Grype can detect using vulnerability databases and matching rules

These capabilities are ecosystem-specific. For example, Python’s capabilities differ from Go’s, and Ubuntu’s capabilities differ from Alpine’s.

Default capabilities do not require to be online or have special configuration (other than having a vulnerability DB downloaded). Some capabilities may be conditionally supported, requiring additional configuration or online access to function.

Show me the data!

This page explains how to interpret the capabilities tables found on each ecosystem-specific capability pages.

There are separate overviews of supported pacakge ecosystems as well as supported Operating Systems.

Vulnerability scanning capabilities

Vulnerability data source qualities vary in the information they provide and how to interpret them correctly.

Disclosure and fix information

In terms of disclosures and fixes, each data source can be described along the following dimensions:

Independent Disclosure: Whether the advisory discloses the vulnerability regardless of fix availability. Sources with this capability report vulnerabilities even when no fix is available yet.
Disclosure Date: Whether the data source provides the date when a vulnerability was first publicly disclosed. This helps you understand the timeline of vulnerability exposure.
Fix Versions: Whether the data source specifies which package versions contain fixes for a vulnerability. This allows Grype to determine if an installed package version is vulnerable or fixed.
Fix Date: Whether the advisory includes a date when the fix was made available. This helps you understand the timeline of vulnerability remediation.

Track by source package

Some ecosystems have parent packages where the source code for the current package is maintained. For example, the libcrypto for debian is part of the larger openssl package (where openssl is denoted as the origin package). The same is true for redhat-based packages, except the parent package is denoted as the srcrpm package.

Ecosystems like this have vulnerabilities are often disclosed and fixed at the parent package level (origin and srcrpm). More critically, the parent packages are often not installed on the system, making it impossible to directly detect vulnerabilities against them. There tends to be package metadata on the downstream package that denotes the parent package name and version, which Syft can extract during package analysis.

Package analysis capabilities

Dependencies

We describe Syft’s ability to capture dependency information in the following dimentions:

Depth: How far into the true dependency graph we are able to discover package nodes.
- direct: only captures dependencies explicitly declared by the project, but not necessarily dependencies of those dependencies
- transitive: all possible depths of dependencies are captured
Edges: Whether we are able to capture relationships between packages, and if so, describe the topology of those relationships.
- flat: we can capture the root package relative to all other dependencies, but are unaware of relationships between dependencies (a simple star topology, where all dependencies point to the root package)
- complete: all possible relationships between packages are captured (the full dependency graph)
Kinds: The types of dependencies we are able to capture.
- runtime: dependencies required for the package to function at runtime
- dev: dependencies required for development

Licenses

Indicates whether Syft can detect and catalog license information from package metadata. When supported, Syft extracts license declarations from package manifests, metadata files, or installed package databases.

Package manager features

Syft can extract various package manager metadata beyond basic package information:

Files: Whether Syft can catalog the list of files that are part of a package installation. This provides visibility into all files installed by the package manager.
Digests: Whether Syft can capture file checksums (digests/hashes) for individual files within a package. This enables integrity verification of installed files. Note: this is not necessarily the actual hash of the file, but instead the claims made by the package manager about those files. We capture actual file hashes in the files section of the SBOM.
Integrity Hash: Whether Syft can capture a single package-level integrity hash used by package managers to verify the package archive itself (for example, the https://go.dev/ref/mod#go-sum-files for go packages).

Next steps

Explore capabilities for specific ecosystems using the navigation menu
Learn about Supported ecosystems for package analysis
Learn about Supported operating systems
Learn details about all supported data sources

1 - Supported operating systems

A high-level summary of which OS’s are supported

Syft and Grype support several operating systems for package cataloging and vulnerability detection. The table below shows which OS versions are supported and where Grype’s vulnerability data comes from.

Operating System	Supported Versions	Vunnel Provider	Data Source
Alpine Linux	`3.2+`, `edge`	`alpine`	Alpine SecDB
Amazon Linux	`2`, `2022`, `2023`	`amazon`	Amazon Linux Security Center
Azure Linux	`3.0`	`mariner`	Microsoft CBL-Mariner OVAL
CentOS	`5`, `6`, `7`, `8`	`rhel`	Red Hat Security Data API
Chainguard OS	`rolling`	`chainguard`	Chainguard Security
Debian	`7` (wheezy), `8` (jessie), `9` (stretch), `10` (buster), `11` (bullseye), `12` (bookworm), `13` (trixie), `14`, `unstable`	`debian`	Debian Security Tracker
Echo OS	`rolling`	`echo`	ECHO Security
CBL-Mariner	`1.0`, `2.0`	`mariner`	Microsoft CBL-Mariner OVAL
MinimOS	`rolling`	`minimos`	MINIMOS Security
Oracle Linux	`5`, `6`, `7`, `8`, `9`, `10`	`oracle`	Oracle Linux Security
Raspberry Pi OS	`7` (wheezy), `8` (jessie), `9` (stretch), `10` (buster), `11` (bullseye), `12` (bookworm), `13` (trixie), `14`, `unstable`	`debian`	Debian Security Tracker
Red Hat Enterprise Linux	`5`, `6`, `7`, `8`, `9`, `10` EUS: `5.9`, `6.4+`, `7`, `8.1`, `8.2`, `8.4`, `8.6`, `8.8`, `9`	`rhel`	Red Hat Security Data API
Rocky Linux	`5`, `6`, `7`, `8`, `9`, `10`	`rhel`	Red Hat Security Data API
SUSE Linux Enterprise Server	`11`, `12`, `15`	`sles`	SUSE Security OVAL
Ubuntu	`12.04` (precise), `12.10` (quantal), `13.04` (raring), `14.04` (trusty), `14.10` (utopic), `15.04` (vivid), `15.10` (wily), `16.04` (xenial), `16.10` (yakkety), `17.04` (zesty), `17.10` (artful), `18.04` (bionic), `18.10` (cosmic), `19.04` (disco), `19.10` (eoan), `20.04` (focal), `20.10` (groovy), `21.04` (hirsute), `21.10` (impish), `22.04` (jammy), `22.10` (kinetic), `23.04` (lunar), `23.10` (mantic), `24.04` (noble), `24.10` (oracular), `25.04` (plucky), `25.10`	`ubuntu`	Ubuntu CVE Tracker
Wolfi	`rolling`	`wolfi`	Wolfi Security

2 - Supported package ecosystems

A high-level summary of all package detection capabilities across ecosystems

The table below shows which ecosystems support package analysis and vulnerability scanning.

What do these columns mean?

For a detailed explanation of the columns in the table, please see the Capabilities overview.

Ecosystem	Cataloger + Evidence	Licenses	Dependencies	Files
Ai	gguf-cataloger `*.gguf`
ALPM	alpm-db-cataloger `var/lib/pacman/local/**/desc`
APK	apk-db-cataloger `lib/apk/db/installed`
Binary	binary-classifier-cataloger arangodb-binary`arangosh` bash-binary`bash` busybox-binary`busybox` chrome-binary`chrome` consul-binary`consul` curl-binary`curl` dart-binary`dart` elixir-binary`elixir` elixir-library`elixir/ebin/elixir.app` erlang-alpine-binary`beam.smp` erlang-binary`erlexec` erlang-library`liberts_internal.a` ffmpeg-binary`ffmpeg` ffmpeg-library`libav`, `libswresample` fluent-bit-binary`fluent-bit` gcc-binary`gcc` go-binary`go` go-binary-hint`VERSION` gzip-binary`gzip` haproxy-binary`haproxy` hashicorp-vault-binary`vault` haskell-cabal-binary`cabal` haskell-ghc-binary`ghc` haskell-stack-binary`stack` helm`helm` httpd-binary`httpd` java-binary`java` java-jdb-binary`jdb` jq-binary`jq` julia-binary`libjulia-internal.so` lighttpd-binary`lighttpd` mariadb-binary`{mariadb,mysql}` memcached-binary`memcached` mysql-binary`mysql` nginx-binary`nginx` nodejs-binary`node` openssl-binary`openssl` perl-binary`perl` php-composer-binary`composer` postgresql-binary`postgres` proftpd-binary`proftpd` pypy-binary-lib`libpypy.so` python-binary`python` python-binary-lib`libpython.so` redis-binary`redis-server` ruby-binary`ruby` rust-standard-library-linux`libstd-.so` rust-standard-library-macos`libstd-.dylib` sqlcipher-binary`sqlcipher` swipl-binary`swipl` traefik-binary`traefik` util-linux-binary`getopt` wordpress-cli-binary`wp` xtrabackup-binary`xtrabackup` xz-binary`xz` zstd-binary`zstd`
	elf-binary-package-cataloger `application/x-executable`, `application/x-mach-binary`, `application/x-elf`, `application/x-sharedlib`, `application/vnd.microsoft.portable-executable` (mimetype)
	pe-binary-package-cataloger `.dll`, `.exe`
Bitnami	bitnami-cataloger `/opt/bitnami/*/.spdx-.spdx`
C/C++	conan-cataloger `conan.lock`
	conan-cataloger `conanfile.txt`
	conan-info-cataloger `conaninfo.txt`
Conda	conda-meta-cataloger `conda-meta/*.json`
Dart	dart-pubspec-cataloger `pubspec.yml`, `pubspec.yaml`
Dart	dart-pubspec-lock-cataloger `pubspec.lock`
DPKG	deb-archive-cataloger `*.deb`
DPKG	dpkg-db-cataloger `lib/dpkg/status`, `lib/dpkg/status.d/`, `lib/opkg/info/.control`, `lib/opkg/status`
Elixir	elixir-mix-lock-cataloger `mix.lock`
Erlang	erlang-otp-application-cataloger `*.app`
Erlang	erlang-rebar-lock-cataloger `rebar.lock`
GitHub Actions	github-action-workflow-usage-cataloger `.github/workflows/.yaml`, `.github/workflows/.yml`
	github-actions-usage-cataloger `.github/actions//action.yml`, `.github/actions//action.yaml`
	github-actions-usage-cataloger `.github/workflows/.yaml`, `.github/workflows/.yml`
Go	go-module-binary-cataloger `application/x-executable`, `application/x-mach-binary`, `application/x-elf`, `application/x-sharedlib`, `application/vnd.microsoft.portable-executable`, `application/x-executable` (mimetype)
Go	go-module-file-cataloger `go.mod`
Haskell	haskell-cataloger `cabal.project.freeze`
	haskell-cataloger `stack.yaml.lock`
	haskell-cataloger `stack.yaml`
Homebrew	homebrew-cataloger `Cellar///.brew/.rb`, `Library/Taps///Formula/.rb`
Java	graalvm-native-image-cataloger `application/x-executable`, `application/x-mach-binary`, `application/x-elf`, `application/x-sharedlib`, `application/vnd.microsoft.portable-executable` (mimetype)
	java-archive-cataloger `.jar`, `.war`, `.ear`, `.par`, `.sar`, `.nar`, `.jpi`, `.hpi`, `.kar`, `.lpkg`
	java-archive-cataloger `*.zip`
	java-archive-cataloger `.tar`, `.tar.gz`, `.tgz`, `.tar.bz`, `.tar.bz2`, `.tbz`, `.tbz2`, `.tar.br`, `.tbr`, `.tar.lz4`, `.tlz4`, `.tar.sz`, `.tsz`, `.tar.xz`, `.txz`, `.tar.zst`, `.tzst`, `.tar.zstd`, `*.tzstd`
	java-gradle-lockfile-cataloger `gradle.lockfile*`
	java-jvm-cataloger `release`
	java-pom-cataloger `*pom.xml`
JavaScript	javascript-lock-cataloger `pnpm-lock.yaml`
	javascript-lock-cataloger `yarn.lock`
	javascript-lock-cataloger `package-lock.json`
	javascript-package-cataloger `package.json`
Linux	linux-kernel-cataloger `kernel`, `kernel-`, `vmlinux`, `vmlinux-`, `vmlinuz`, `vmlinuz-`, `lib/modules//.ko`
Lua	lua-rock-cataloger `*.rockspec`
.NET	dotnet-deps-binary-cataloger `.deps.json`, `.dll`, `*.exe`
	dotnet-deps-cataloger deprecated `*.deps.json`
	dotnet-packages-lock-cataloger `packages.lock.json`
	dotnet-portable-executable-cataloger deprecated `.dll`, `.exe`
Nix	nix-cataloger `nix/var/nix/db/db.sqlite`, `nix/store/`, `nix/store/.drv`
Nix	nix-store-cataloger deprecated `nix/store/`, `nix/store/.drv`
OCaml	opam-cataloger `*opam`
PHP	php-composer-installed-cataloger `installed.json`
	php-composer-lock-cataloger `composer.lock`
	php-interpreter-cataloger `php//.so`, `php-fpm`, `apache/*/libphp.so`
	php-pear-serialized-cataloger `php/.registry/*/.reg`
	php-pecl-serialized-cataloger deprecated `php/.registry/.channel./.reg`
Portage	portage-cataloger `var/db/pkg///CONTENTS`
Prolog	swipl-pack-cataloger `pack.pl`
Python	python-installed-package-cataloger `.egg-info`, `dist-info/METADATA`, `egg-info/PKG-INFO`, `DIST-INFO/METADATA`, `*EGG-INFO/PKG-INFO`
	python-package-cataloger `pdm.lock`
	python-package-cataloger `uv.lock`
	python-package-cataloger `setup.py`
	python-package-cataloger `Pipfile.lock`
	python-package-cataloger `poetry.lock`
	python-package-cataloger `requirements.txt`
R	r-package-cataloger `DESCRIPTION`
RPM	rpm-archive-cataloger `*.rpm`
	rpm-db-cataloger `var/lib/rpmmanifest/container-manifest-2`
	rpm-db-cataloger `{var/lib,usr/share,usr/lib/sysimage}/rpm/{Packages,Packages.db,rpmdb.sqlite}`
Ruby	ruby-gemfile-cataloger `Gemfile.lock`
	ruby-gemspec-cataloger `*.gemspec`
	ruby-installed-gemspec-cataloger `specifications/*/.gemspec`
Rust	cargo-auditable-binary-cataloger `application/x-executable`, `application/x-mach-binary`, `application/x-elf`, `application/x-sharedlib`, `application/vnd.microsoft.portable-executable`, `application/x-executable` (mimetype)
Rust	rust-cargo-lock-cataloger `Cargo.lock`
SBOM	sbom-cataloger `.syft.json`, `.bom.`, `.bom`, `bom`, `.sbom.`, `.sbom`, `sbom`, `.cdx.`, `.cdx`, `.spdx.`, `*.spdx`
Snap	snap-cataloger `snap/snapcraft.yaml`
	snap-cataloger `snap/manifest.yaml`
	snap-cataloger `doc/linux-modules-*/changelog.Debian.gz`
	snap-cataloger `usr/share/snappy/dpkg.yaml`
	snap-cataloger `meta/snap.yaml`
Swift	cocoapods-cataloger `Podfile.lock`
Swift	swift-package-manager-cataloger `Package.resolved`, `.package.resolved`
Terraform	terraform-lock-cataloger `.terraform.lock.hcl`
WordPress	wordpress-plugins-cataloger `wp-content/plugins//.php`

Legend:

: Supported by default
: Conditionally supported (requires configuration)
(empty): Not supported

3 - ALPM

ALPM package format used by Arch-based Linux distributions

Package analysis

Cataloger + Evidence	License	Dependencies			Package Manager Claims
Cataloger + Evidence	License	Depth	Edges	Kinds	Files	Digests	Integrity Hash
alpm-db-cataloger `var/lib/pacman/local/**/desc`		Transitive	Complete	Runtime

Vulnerability scanning

Data Source	Disclosures		Fixes		Track by Source Package
Data Source	Affected	Date	Versions	Date	Track by Source Package
National Vulnerability Database (NVD)

Operating systems

Operating System	Supported Versions	Provider	Data Source
Arch Linux	minimal support (CPE-based)	`nvd`	National Vulnerability Database (NVD)

Contributing

Interested in contributing vulnerability scanning support?

Feel free to add a new vunnel provider for Arch-based distributions. See the existing issue in the Vunnel repository.

Next steps

4 - AI

AI model analysis and vulnerability scanning capabilities

Package analysis

Cataloger + Evidence	License	Dependencies			Package Manager Claims
Cataloger + Evidence	License	Depth	Edges	Kinds	Files	Digests	Integrity Hash
gguf-cataloger `*.gguf`

Vulnerability scanning

Unsupported at this time.

Next steps

5 - APK

APK package format analysis and vulnerability scanning capabilities

Package analysis

Cataloger + Evidence	License	Dependencies			Package Manager Claims
Cataloger + Evidence	License	Depth	Edges	Kinds	Files	Digests	Integrity Hash
apk-db-cataloger `lib/apk/db/installed`		Transitive	Complete	Runtime

Vulnerability scanning

Data Source	Disclosures		Fixes		Track by Source Package
Data Source	Affected	Date	Versions	Date	Track by Source Package
Alpine SecDB
National Vulnerability Database (NVD)
Chainguard Security
MINIMOS Security
Wolfi Security

The APK vulnerability matcher searches all data sources for upstream packages, including NVD.

Operating systems

Operating System	Supported Versions	Provider	Data Source
Alpine Linux	`3.2+`, `edge`	`alpine`	Alpine SecDB
Chainguard OS	`rolling`	`chainguard`	Chainguard Security
MinimOS	`rolling`	`minimos`	MINIMOS Security
Wolfi	`rolling`	`wolfi`	Wolfi Security

The APK vulnerability database (a.k.a. “SecDB”) includes data from the Alpine Security Tracker, which provides fix information for known vulnerabilities that affect Alpine Linux packages. This database only includes vulnerabilities that have fixes available and does not track unfixed vulnerabilities. The maintainers of the SecDB intend for the primary source of truth for disclosures to be the National Vulnerability Database (NVD).

This is true of other APK vulnerability data sources as well (such as Chainguard, Wolfi, and MinimOS).

Next steps

6 - Binary

Binary package analysis and vulnerability scanning capabilities

File analysis

Within the .files[].executable sections of the Syft JSON there is an analysis of what features and claims were found within a binary file.

This includes:

Imported libraries (use of shared libraries)
Exported symbols
Security features (like NX, PIE, RELRO, etc)

Security features that can be detected include:

if debugging symbols have been stripped
presence of Stack Canaries to protect against stack smashing (which lead to buffer overflows)
NoExecute (NX) bit support to prevent execution of code on the stack or heap
Relocation Read-Only (RelRO) to protect the Global Offset Table (GOT) from being overwritten (can be “partial” or “full”)
Position Independent Executable (PIE) support such that offsets are used instead of absolute addresses
if it is a Dynamic Shared Object (DSO) (not a security feature, but important for analysis)
LLVM SafeStack partitioning is in use, which separates unsafe stack objects from safe stack objects to mitigate stack-based memory corruption vulnerabilities
LLVM Control Flow Integrity (CFI) is in use, which adds runtime checks to ensure that indirect function calls only target valid functions, helping to prevent control-flow hijacking attacks
Clang Fortified Builds is enabled, which adds additional runtime checks for certain standard library functions to detect buffer overflows and other memory errors

When it comes to shared library requirement claims and exported symbol claims, these are used by Syft to:

associate file-to-file relationships (in the case of executables/shared libraries being distributed without a package manager)
associate file-to-package relationships (when an executable imports a shared library that is managed by a package manager)

Syft can synthesize a dependency graph from the imported libraries and exported symbols found within a set of binaries, even if all package manager information has been removed, allowing for a more complete SBOM to be generated. In a mixed case, where there are some packages managed by package managers and some binaries without package manager metadata, Syft can still use the binary analysis to fill in the gaps. Package-level relationships are preferred over file-level relationships when both are available, which simplifies the dependency graph.

Package analysis

ELF package notes

Syft is capable of looking at ELF formatted binaries, specifically the .note.package note, that are formatted using the convention established by the systemd project. This spec requires a PE/COFF section that wraps a json payload describing the package metadata for the binary, however, syft does not require the PE/COFF wrapping and can extract the json payload directly from the ELF note.

Here’s an example of what the json payload looks like:

{
  "name": "my-application",
  "version": "1.2.3",
  "purl": "pkg:deb/debian/my-application@1.2.3?arch=amd64&distro=debian-12",
  "cpe": "cpe:2.3:a:vendor:my-application:1.2.3:*:*:*:*:*:*:*",
  "license": "Apache-2.0",
  "type": "deb"
}

Which, if stored in payload.json, can be injected into an existing ELF binary using the following command:

objcopy --add-section .note.package=payload.json --set-section-flags .note.package=noload,readonly

Known patterns

Cataloger + Evidence	License	Dependencies			Package Manager Claims
Cataloger + Evidence	License	Depth	Edges	Kinds	Files	Digests	Integrity Hash
binary-classifier-cataloger (see table below)
elf-binary-package-cataloger `application/x-executable`, `application/x-mach-binary`, `application/x-elf`, `application/x-sharedlib`, `application/vnd.microsoft.portable-executable` (mimetype)
pe-binary-package-cataloger `.dll`, `.exe`

Binary Package Details

Class	Files	PURL	CPEs
arangodb-binary	`arangosh`	`pkg:generic/arangodb`	`cpe:2.3:a:arangodb:arangodb::::::::`
bash-binary	`bash`	`pkg:generic/bash`	`cpe:2.3:a:gnu:bash::::::::`
busybox-binary	`busybox`	`pkg:generic/busybox`	`cpe:2.3:a:busybox:busybox::::::::`
chrome-binary	`chrome`	`pkg:generic/chrome`	`cpe:2.3:a:google:chrome::::::::`
consul-binary	`consul`	`pkg:golang/github.com/hashicorp/consul`	`cpe:2.3:a:hashicorp:consul::::::::`
curl-binary	`curl`	`pkg:generic/curl`	`cpe:2.3:a:haxx:curl::::::::`
dart-binary	`dart`	`pkg:generic/dart`	`cpe:2.3:a:dart:dart_software_development_kit::::::::`
elixir-binary	`elixir`	`pkg:generic/elixir`	`cpe:2.3:a:elixir-lang:elixir::::::::`
elixir-library	`elixir/ebin/elixir.app`	`pkg:generic/elixir`	`cpe:2.3:a:elixir-lang:elixir::::::::`
erlang-alpine-binary	`beam.smp`	`pkg:generic/erlang`	`cpe:2.3:a:erlang:erlang/otp::::::::`
erlang-binary	`erlexec`	`pkg:generic/erlang`	`cpe:2.3:a:erlang:erlang/otp::::::::`
erlang-library	`liberts_internal.a`	`pkg:generic/erlang`	`cpe:2.3:a:erlang:erlang/otp::::::::`
ffmpeg-binary	`ffmpeg`	`pkg:generic/ffmpeg`	`cpe:2.3:a:ffmpeg:ffmpeg::::::::`
ffmpeg-library	`libav*`	`pkg:generic/ffmpeg`	`cpe:2.3:a:ffmpeg:ffmpeg::::::::`
ffmpeg-library	`libswresample*`	`pkg:generic/ffmpeg`	`cpe:2.3:a:ffmpeg:ffmpeg::::::::`
fluent-bit-binary	`fluent-bit`	`pkg:github/fluent/fluent-bit`	`cpe:2.3:a:treasuredata:fluent_bit::::::::`
gcc-binary	`gcc`	`pkg:generic/gcc`	`cpe:2.3:a:gnu:gcc::::::::`
go-binary	`go`	`pkg:generic/go`	`cpe:2.3:a:golang:go::::::::`
go-binary-hint	`VERSION*`	`pkg:generic/go`	`cpe:2.3:a:golang:go::::::::`
gzip-binary	`gzip`	`pkg:generic/gzip`	`cpe:2.3:a:gnu:gzip::::::::`
haproxy-binary	`haproxy`	`pkg:generic/haproxy`	`cpe:2.3:a:haproxy:haproxy::::::::`
hashicorp-vault-binary	`vault`	`pkg:golang/github.com/hashicorp/vault`	`cpe:2.3:a:hashicorp:vault::::::::`
haskell-cabal-binary	`cabal`	`pkg:generic/haskell/cabal`	`cpe:2.3:a:haskell:cabal::::::::`
haskell-ghc-binary	`ghc*`	`pkg:generic/haskell/ghc`	`cpe:2.3:a:haskell:ghc::::::::`
haskell-stack-binary	`stack`	`pkg:generic/haskell/stack`	`cpe:2.3:a:haskell:stack::::::::`
helm	`helm`	`pkg:golang/helm.sh/helm`	`cpe:2.3:a:helm:helm::::::::`
httpd-binary	`httpd`	`pkg:generic/httpd`	`cpe:2.3:a:apache:http_server::::::::`
java-binary	`java`	`pkg:generic/oracle/graalvm` `pkg:generic/azul/zulu` `pkg:generic/oracle/openjdk` `pkg:generic/oracle/openjdk` `pkg:generic/ibm/java` `pkg:generic/oracle/jre` `pkg:generic/oracle/jre`	`cpe:2.3:a:oracle:graalvm::::::::` `cpe:2.3:a:azul:zulu::::::::` `cpe:2.3:a:oracle:openjdk:{{.primary}}:update{{.update}}::::::` `cpe:2.3:a:oracle:openjdk::::::::` `cpe:2.3:a:ibm:java::::::::` `cpe:2.3:a:oracle:jre::::::::` `cpe:2.3:a:oracle:jre::::::::`
java-jdb-binary	`jdb`	`pkg:generic/oracle/graalvm` `pkg:generic/azul/zulu` `pkg:generic/oracle/openjdk` `pkg:generic/ibm/java_sdk` `pkg:generic/oracle/openjdk` `pkg:generic/oracle/jdk`	`cpe:2.3:a:oracle:graalvm_for_jdk::::::::` `cpe:2.3:a:azul:zulu::::::::` `cpe:2.3:a:oracle:openjdk::::::::` `cpe:2.3:a:ibm:java_sdk::::::::` `cpe:2.3:a:oracle:openjdk::::::::` `cpe:2.3:a:oracle:jdk::::::::`
jq-binary	`jq`	`pkg:generic/jq`	`cpe:2.3:a:jqlang:jq::::::::`
julia-binary	`libjulia-internal.so`	`pkg:generic/julia`	`cpe:2.3:a:julialang:julia::::::::`
lighttpd-binary	`lighttpd`	`pkg:generic/lighttpd`	`cpe:2.3:a:lighttpd:lighttpd::::::::`
mariadb-binary	`{mariadb,mysql}`	`pkg:generic/mariadb`	`cpe:2.3:a:mariadb:mariadb::::::::`
memcached-binary	`memcached`	`pkg:generic/memcached`	`cpe:2.3:a:memcached:memcached::::::::`
mysql-binary	`mysql`	`pkg:generic/mysql`	`cpe:2.3:a:oracle:mysql::::::::`
mysql-binary	`mysql`	`pkg:generic/percona-server`	`cpe:2.3:a:oracle:mysql::::::::` `cpe:2.3:a:percona:percona_server::::::::`
mysql-binary	`mysql`	`pkg:generic/percona-xtradb-cluster`	`cpe:2.3:a:oracle:mysql::::::::` `cpe:2.3:a:percona:percona_server::::::::` `cpe:2.3:a:percona:xtradb_cluster::::::::`
nginx-binary	`nginx`	`pkg:generic/nginx`	`cpe:2.3:a:f5:nginx::::::::` `cpe:2.3:a:nginx:nginx::::::::`
nodejs-binary	`node`	`pkg:generic/node`	`cpe:2.3:a:nodejs:node.js::::::::`
openssl-binary	`openssl`	`pkg:generic/openssl`	`cpe:2.3:a:openssl:openssl::::::::`
perl-binary	`perl`	`pkg:generic/perl`	`cpe:2.3:a:perl:perl::::::::`
php-composer-binary	`composer*`	`pkg:generic/composer`	`cpe:2.3:a:getcomposer:composer::::::::`
postgresql-binary	`postgres`	`pkg:generic/postgresql`	`cpe:2.3:a:postgresql:postgresql::::::::`
proftpd-binary	`proftpd`	`pkg:generic/proftpd`	`cpe:2.3:a:proftpd:proftpd::::::::`
pypy-binary-lib	`libpypy.so`	`pkg:generic/pypy`	-
python-binary	`python*`	`pkg:generic/python`	`cpe:2.3:a:python_software_foundation:python::::::::` `cpe:2.3:a:python:python::::::::`
python-binary-lib	`libpython.so`	`pkg:generic/python`	`cpe:2.3:a:python_software_foundation:python::::::::` `cpe:2.3:a:python:python::::::::`
redis-binary	`redis-server`	`pkg:generic/redis`	`cpe:2.3:a:redislabs:redis::::::::` `cpe:2.3:a:redis:redis::::::::`
ruby-binary	`ruby`	`pkg:generic/ruby`	`cpe:2.3:a:ruby-lang:ruby::::::::`
rust-standard-library-linux	`libstd-*.so`	`pkg:generic/rust`	`cpe:2.3:a:rust-lang:rust::::::::`
rust-standard-library-macos	`libstd-*.dylib`	`pkg:generic/rust`	`cpe:2.3:a:rust-lang:rust::::::::`
sqlcipher-binary	`sqlcipher`	`pkg:generic/sqlcipher`	`cpe:2.3:a:zetetic:sqlcipher::::::::`
swipl-binary	`swipl`	`pkg:generic/swipl`	`cpe:2.3:a:erlang:erlang/otp::::::::`
traefik-binary	`traefik`	`pkg:generic/traefik`	`cpe:2.3:a:traefik:traefik::::::::`
util-linux-binary	`getopt`	`pkg:generic/util-linux`	`cpe:2.3:a:kernel:util-linux::::::::`
wordpress-cli-binary	`wp`	`pkg:generic/wp-cli`	`cpe:2.3:a:wp-cli:wp-cli::::::::`
xtrabackup-binary	`xtrabackup`	`pkg:generic/percona-xtrabackup`	`cpe:2.3:a:percona:xtrabackup::::::::`
xz-binary	`xz`	`pkg:generic/xz`	`cpe:2.3:a:tukaani:xz::::::::`
zstd-binary	`zstd`	`pkg:generic/zstd`	`cpe:2.3:a:facebook:zstandard::::::::`

Vulnerability scanning

Data Source	Disclosures		Fixes		Track by Source Package
Data Source	Affected	Date	Versions	Date	Track by Source Package
National Vulnerability Database (NVD)

Grype Configuration

Configuration Key	Description
`match.stock.using-cpes`	Use CPE package identifiers to find vulnerabilities

Next steps

7 - Bitnami

Bitnami package analysis and vulnerability scanning capabilities

Package analysis

Cataloger + Evidence	License	Dependencies			Package Manager Claims
Cataloger + Evidence	License	Depth	Edges	Kinds	Files	Digests	Integrity Hash
bitnami-cataloger `/opt/bitnami/*/.spdx-.spdx`		Transitive	Complete	Runtime

Since all package data is gathered from SPDX SBOMs, the quality of the package analysis is dependent on the quality of the provided SBOMs.

Vulnerability scanning

Data Source	Disclosures		Fixes		Track by Source Package
Data Source	Affected	Date	Versions	Date	Track by Source Package
Bitnami Vulnerability Database

Next steps

8 - Conda

Conda package analysis and vulnerability scanning capabilities

Package analysis

Cataloger + Evidence	License	Dependencies			Package Manager Claims
Cataloger + Evidence	License	Depth	Edges	Kinds	Files	Digests	Integrity Hash
conda-meta-cataloger `conda-meta/*.json`		Direct		Runtime

Vulnerability scanning

Data Source	Disclosures		Fixes		Track by Source Package
Data Source	Affected	Date	Versions	Date	Track by Source Package
National Vulnerability Database (NVD)

Grype Configuration

Configuration Key	Description
`match.stock.using-cpes`	Use CPE package identifiers to find vulnerabilities

Next steps

9 - C/C++

C/C++ package analysis and vulnerability scanning capabilities

Package analysis

Cataloger + Evidence	License	Dependencies			Package Manager Claims
Cataloger + Evidence	License	Depth	Edges	Kinds	Files	Digests	Integrity Hash
conan-cataloger `conan.lock`		Transitive		Runtime, Build
conan-cataloger `conanfile.txt`		Direct		Runtime
conan-info-cataloger `conaninfo.txt`		Direct	Flat	Runtime

We support package detection for v1 and v2 formatted conan.lock files.

Vulnerability scanning

Data Source	Disclosures		Fixes		Track by Source Package
Data Source	Affected	Date	Versions	Date	Track by Source Package
National Vulnerability Database (NVD)

Grype Configuration

Configuration Key	Description
`match.stock.using-cpes`	Use CPE package identifiers to find vulnerabilities

Next steps

10 - Dart

Dart package analysis and vulnerability scanning capabilities

Package analysis

Cataloger + Evidence	License	Dependencies			Package Manager Claims
Cataloger + Evidence	License	Depth	Edges	Kinds	Files	Digests	Integrity Hash
dart-pubspec-cataloger `pubspec.yml`, `pubspec.yaml`		Direct		Runtime
dart-pubspec-lock-cataloger `pubspec.lock`		Transitive		Runtime, Dev

Vulnerability scanning

Data Source	Disclosures		Fixes		Track by Source Package
Data Source	Affected	Date	Versions	Date	Track by Source Package
National Vulnerability Database (NVD)

Grype Configuration

Configuration Key	Description
`match.stock.using-cpes`	Use CPE package identifiers to find vulnerabilities

Next steps

11 - DPKG

Debian package format used by Debian-based Linux distributions

Package analysis

Cataloger + Evidence	License	Dependencies			Package Manager Claims
Cataloger + Evidence	License	Depth	Edges	Kinds	Files	Digests	Integrity Hash
deb-archive-cataloger `*.deb`
dpkg-db-cataloger `lib/dpkg/status`, `lib/dpkg/status.d/`, `lib/opkg/info/.control`, `lib/opkg/status`		Transitive	Complete	Runtime

There is additional functionality for:

the detection of OpenWrt’s OPKG packages
the detection of Google Distroless image debian-based packages

Vulnerability scanning

Data Source	Disclosures		Fixes		Track by Source Package
Data Source	Affected	Date	Versions	Date	Track by Source Package
Debian Security Tracker (DSA, DLA)
ECHO Security
Ubuntu CVE Tracker (USN)

Operating systems

Operating System	Supported Versions	Provider	Data Source
Debian	`7` (wheezy), `8` (jessie), `9` (stretch), `10` (buster), `11` (bullseye), `12` (bookworm), `13` (trixie), `14`, `unstable`	`debian`	Debian Security Tracker
Echo OS	`rolling`	`echo`	ECHO Security
Raspberry Pi OS	`7` (wheezy), `8` (jessie), `9` (stretch), `10` (buster), `11` (bullseye), `12` (bookworm), `13` (trixie), `14`, `unstable`	`debian`	Debian Security Tracker
Ubuntu	`12.04` (precise), `12.10` (quantal), `13.04` (raring), `14.04` (trusty), `14.10` (utopic), `15.04` (vivid), `15.10` (wily), `16.04` (xenial), `16.10` (yakkety), `17.04` (zesty), `17.10` (artful), `18.04` (bionic), `18.10` (cosmic), `19.04` (disco), `19.10` (eoan), `20.04` (focal), `20.10` (groovy), `21.04` (hirsute), `21.10` (impish), `22.04` (jammy), `22.10` (kinetic), `23.04` (lunar), `23.10` (mantic), `24.04` (noble), `24.10` (oracular), `25.04` (plucky), `25.10`	`ubuntu`	Ubuntu CVE Tracker

Next steps

12 - .NET

.NET package analysis and vulnerability scanning capabilities

Package analysis

Cataloger + Evidence	License	Dependencies			Package Manager Claims
Cataloger + Evidence	License	Depth	Edges	Kinds	Files	Digests	Integrity Hash
dotnet-deps-binary-cataloger `.deps.json`, `.dll`, `*.exe`		Transitive	Complete	Runtime
dotnet-deps-cataloger deprecated `*.deps.json`		Transitive	Complete	Runtime
dotnet-packages-lock-cataloger `packages.lock.json`		Transitive	Complete	Runtime, Dev, Build
dotnet-portable-executable-cataloger deprecated `.dll`, `.exe`

Syft Configuration

Configuration Key	Description
`dotnet.dep-packages-must-claim-dll`	Allows for deps.json packages to be included only if there is a runtime/resource DLL claimed in the deps.json targets section. This does not require such claimed DLLs to exist on disk. The behavior of this
`dotnet.dep-packages-must-have-dll`	Allows for deps.json packages to be included only if there is a DLL on disk for that package.
`dotnet.propagate-dll-claims-to-parents`	Allows for deps.json packages to be included if any child (transitive) package claims a DLL. This applies to both the claims configuration and evidence-on-disk configurations.
`dotnet.relax-dll-claims-when-bundling-detected`	Will look for indications of IL bundle tooling via deps.json package names and, if found (and this config option is enabled), will relax the DepPackagesMustClaimDLL value to `false` only in those cases.

When scanning a .NET application evidence from deps.json (compiler output) as well as any built binaries are used together to identify packages. This way we can enrich missing data from any one source and synthesize a more complete and accurate package graph.

Vulnerability scanning

Data Source	Disclosures		Fixes		Track by Source Package
Data Source	Affected	Date	Versions	Date	Track by Source Package
GitHub Security Advisories (GHSA)
National Vulnerability Database (NVD)

Grype Configuration

Configuration Key	Description
`match.dotnet.using-cpes`	Use CPE package identifiers to find vulnerabilities

Next steps

13 - Elixir

Elixir package analysis and vulnerability scanning capabilities

Package analysis

Cataloger + Evidence	License	Dependencies			Package Manager Claims
Cataloger + Evidence	License	Depth	Edges	Kinds	Files	Digests	Integrity Hash
elixir-mix-lock-cataloger `mix.lock`		Transitive		Runtime, Dev

Vulnerability scanning

Data Source	Disclosures		Fixes		Track by Source Package
Data Source	Affected	Date	Versions	Date	Track by Source Package
National Vulnerability Database (NVD)

Grype Configuration

Configuration Key	Description
`match.stock.using-cpes`	Use CPE package identifiers to find vulnerabilities

Next steps

14 - Erlang

Erlang package analysis and vulnerability scanning capabilities

Package analysis

Cataloger + Evidence	License	Dependencies			Package Manager Claims
Cataloger + Evidence	License	Depth	Edges	Kinds	Files	Digests	Integrity Hash
erlang-otp-application-cataloger `*.app`		Direct		Runtime, Dev
erlang-rebar-lock-cataloger `rebar.lock`		Direct		Runtime, Dev

Vulnerability scanning

Data Source	Disclosures		Fixes		Track by Source Package
Data Source	Affected	Date	Versions	Date	Track by Source Package
National Vulnerability Database (NVD)

Grype Configuration

Configuration Key	Description
`match.stock.using-cpes`	Use CPE package identifiers to find vulnerabilities

Next steps

15 - GitHub Actions

GitHub Actions package analysis and vulnerability scanning capabilities

Package analysis

Cataloger + Evidence	License	Dependencies			Package Manager Claims
Cataloger + Evidence	License	Depth	Edges	Kinds	Files	Digests	Integrity Hash
github-action-workflow-usage-cataloger `.github/workflows/.yaml`, `.github/workflows/.yml`
github-actions-usage-cataloger `.github/actions//action.yml`, `.github/actions//action.yaml`
github-actions-usage-cataloger `.github/workflows/.yaml`, `.github/workflows/.yml`

Vulnerability scanning

Data Source	Disclosures		Fixes		Track by Source Package
Data Source	Affected	Date	Versions	Date	Track by Source Package
GitHub Security Advisories (GHSA)

Next steps

16 - Go

Go package analysis and vulnerability scanning capabilities

Package analysis

Cataloger + Evidence	License	Dependencies			Package Manager Claims
Cataloger + Evidence	License	Depth	Edges	Kinds	Files	Digests	Integrity Hash
go-module-binary-cataloger `application/x-executable`, `application/x-mach-binary`, `application/x-elf`, `application/x-sharedlib`, `application/vnd.microsoft.portable-executable`, `application/x-executable` (mimetype)		Transitive	Flat	Runtime, Dev
go-module-file-cataloger `go.mod`		Transitive	Flat	Runtime, Dev

Syft Configuration

Configuration Key	Description
`golang.local-mod-cache-dir`	Specifies the location of the local go module cache directory. When not set, syft will attempt to discover the GOPATH env or default to $HOME/go.
`golang.local-vendor-dir`	Specifies the location of the local vendor directory. When not set, syft will search for a vendor directory relative to the go.mod file.
`golang.no-proxy`	Is a list of glob patterns that match go module names that should not be fetched from the go proxy. When not set, syft will use the GOPRIVATE and GONOPROXY env vars.
`golang.proxy`	Is a list of go module proxies to use when fetching go module metadata and licenses. When not set, syft will use the GOPROXY env or default to https://proxy.golang.org,direct.
`golang.search-local-mod-cache-licenses`	Enables searching for go package licenses in the local GOPATH mod cache.
`golang.search-local-vendor-licenses`	Enables searching for go package licenses in the local vendor directory relative to the go.mod file.
`golang.search-remote-licenses`	Enables downloading go package licenses from the upstream go proxy (typically proxy.golang.org).

Version detection for binaries

When Syft scans a Go binary, the main module often has version (devel) because Go doesn’t embed version information by default. Syft attempts to detect the actual version using three strategies (configurable via golang.main-module-version.*):

From ldflags (enabled by default): Looks for version strings passed during build like -ldflags="-X main.version=v1.2.3". Supports common patterns: *.version=, *.gitTag=, *.release=, etc.
From build settings (enabled by default): Uses VCS metadata (commit hash and timestamp) embedded by Go 1.18+ to generate a pseudo-version like v0.0.0-20230101120000-abcdef123456.
From contents (disabled by default): Scans binary contents for version string patterns. Can produce false positives.

Best practice: Use -ldflags when building to embed your version explicitly.

Example:

go build -ldflags="-X main.version=v1.2.3"

This ensures Syft (and Grype) can accurately identify your application version for vulnerability matching.

Standard library

Syft automatically creates a stdlib package for each Go binary, representing the Go standard library version used to compile it. The version is extracted from the binary’s build metadata (e.g., go1.22.2). This enables Grype to check for vulnerabilities reported against the go standard library.

Why this matters: Vulnerabilities in the Go compiler (like CVEs affecting the crypto library or net/http) can affect your application even if your code doesn’t directly use those packages.

Vulnerability scanning

Data Source	Disclosures		Fixes		Track by Source Package
Data Source	Affected	Date	Versions	Date	Track by Source Package
GitHub Security Advisories (GHSA)
National Vulnerability Database (NVD)

Grype Configuration

Configuration Key	Description
`match.golang.using-cpes`	Use CPE package identifiers to find vulnerabilities
`match.golang.always-use-cpe-for-stdlib`	use CPE matching to find vulnerabilities for the Go standard library
`match.golang.allow-main-module-pseudo-version-comparison`	allow comparison between main module pseudo-versions (e.g. v0.0.0-20240413-2b432cf643...)

Main module filtering

Grype skips vulnerability matching for packages that match all these conditions:

Package name equals the main module name (from the SBOM metadata)
Package version is unreliable:
- When allow-main-module-pseudo-version-comparison is false (default): version starts with v0.0.0- or is (devel)
- When allow-main-module-pseudo-version-comparison is true: version is (devel) only

This filtering exists because Go doesn’t have a standard way to embed the main module’s version into compiled binaries (see golang/go#50603). Pseudo-versions in compiled binaries are often unreliable for vulnerability matching.

You can disable this filtering with the allow-main-module-pseudo-version-comparison configuration option.

Troubleshooting

No vulnerabilities found for main module

Cause: The main module has a pseudo-version (v0.0.0-*) or (devel), which Grype filters by default.

Solution: Enable pseudo-version matching in your Grype configuration:

match:
  golang:
    allow-main-module-pseudo-version-comparison: true

Note

This may produce false positives. Use properly versioned builds when possible.

No vulnerabilities found for stdlib

Possible causes:

Missing CPEs: Verify Syft generates CPEs with generate-cpes: true in .syft.yaml
CPE matching disabled: Ensure always-use-cpe-for-stdlib: true in Grype config (default)
Incorrect version format: Stdlib version should be go1.18.3, not v1.18.3 (file a Syft bug if incorrect)

Next steps

17 - Haskell

Haskell package analysis and vulnerability scanning capabilities

Package analysis

Cataloger + Evidence	License	Dependencies			Package Manager Claims
Cataloger + Evidence	License	Depth	Edges	Kinds	Files	Digests	Integrity Hash
haskell-cataloger `cabal.project.freeze`		Transitive		Runtime, Dev
haskell-cataloger `stack.yaml.lock`		Transitive		Runtime, Dev
haskell-cataloger `stack.yaml`		Direct		Runtime, Dev

Vulnerability scanning

Data Source	Disclosures		Fixes		Track by Source Package
Data Source	Affected	Date	Versions	Date	Track by Source Package
National Vulnerability Database (NVD)

Grype Configuration

Configuration Key	Description
`match.stock.using-cpes`	Use CPE package identifiers to find vulnerabilities

Next steps

18 - Homebrew

Homebrew package analysis and vulnerability scanning capabilities

Package analysis

Cataloger + Evidence	License	Dependencies			Package Manager Claims
Cataloger + Evidence	License	Depth	Edges	Kinds	Files	Digests	Integrity Hash
homebrew-cataloger `Cellar///.brew/.rb`, `Library/Taps///Formula/.rb`

Vulnerability scanning

Data Source	Disclosures		Fixes		Track by Source Package
Data Source	Affected	Date	Versions	Date	Track by Source Package
National Vulnerability Database (NVD)

Grype Configuration

Configuration Key	Description
`match.stock.using-cpes`	Use CPE package identifiers to find vulnerabilities

Next steps

19 - Java

Java package analysis and vulnerability scanning capabilities

Package analysis

Cataloger + Evidence	License	Dependencies			Package Manager Claims
Cataloger + Evidence	License	Depth	Edges	Kinds	Files	Digests	Integrity Hash
graalvm-native-image-cataloger `application/x-executable`, `application/x-mach-binary`, `application/x-elf`, `application/x-sharedlib`, `application/vnd.microsoft.portable-executable` (mimetype)		Transitive	Complete	Runtime, Dev
java-archive-cataloger `.jar`, `.war`, `.ear`, `.par`, `.sar`, `.nar`, `.jpi`, `.hpi`, `.kar`, `.lpkg`		Transitive	Complete	Runtime, Dev
java-archive-cataloger `*.zip`		Transitive	Complete	Runtime, Dev
java-archive-cataloger `.tar`, `.tar.gz`, `.tgz`, `.tar.bz`, `.tar.bz2`, `.tbz`, `.tbz2`, `.tar.br`, `.tbr`, `.tar.lz4`, `.tlz4`, `.tar.sz`, `.tsz`, `.tar.xz`, `.txz`, `.tar.zst`, `.tzst`, `.tar.zstd`, `*.tzstd`		Transitive	Complete	Runtime, Dev
java-gradle-lockfile-cataloger `gradle.lockfile*`		Transitive		Runtime, Dev
java-jvm-cataloger `release`		Transitive		Runtime, Dev
java-pom-cataloger `*pom.xml`		Direct	Complete	Runtime, Dev

Syft Configuration

Configuration Key	Description
`java.maven-local-repository-dir`	Specifies the location of the local maven repository. When not set, defaults to ~/.m2/repository.
`java.maven-url`	Specifies the base URL(s) to use for fetching POMs and metadata from maven central or other repositories. When not set, defaults to https://repo1.maven.org/maven2.
`java.max-parent-recursive-depth`	Limits how many parent POMs will be fetched recursively before stopping. This prevents infinite loops or excessively deep parent chains.
`java.resolve-transitive-dependencies`	Enables resolving transitive dependencies for java packages found within archives.
`java.use-maven-local-repository`	Enables searching the local maven repository (~/.m2/repository by default) for parent POMs and other metadata.
`java.use-network`	Enables network operations for java package metadata enrichment, such as fetching parent POMs and license information.

Vulnerability scanning

Data Source	Disclosures		Fixes		Track by Source Package
Data Source	Affected	Date	Versions	Date	Track by Source Package
GitHub Security Advisories (GHSA)
National Vulnerability Database (NVD)

Grype Configuration

Configuration Key	Description
`match.java.using-cpes`	Use CPE package identifiers to find vulnerabilities

Next steps

20 - JavaScript

JavaScript package analysis and vulnerability scanning capabilities

Package analysis

Cataloger + Evidence	License	Dependencies			Package Manager Claims
Cataloger + Evidence	License	Depth	Edges	Kinds	Files	Digests	Integrity Hash
javascript-lock-cataloger `pnpm-lock.yaml`		Transitive		Runtime
javascript-lock-cataloger `yarn.lock`		Transitive		Runtime, Dev
javascript-lock-cataloger `package-lock.json`		Transitive		Runtime
javascript-package-cataloger `package.json`		Direct		Runtime

Syft Configuration

Configuration Key	Description
`javascript.include-dev-dependencies`	Controls whether development dependencies should be included in the catalog results, in addition to production dependencies.
`javascript.npm-base-url`	Specifies the base URL for the NPM registry API used when searching for remote license information.
`javascript.search-remote-licenses`	Enables querying the NPM registry API to retrieve license information for packages that are missing license data in their local metadata.

Vulnerability scanning

Data Source	Disclosures		Fixes		Track by Source Package
Data Source	Affected	Date	Versions	Date	Track by Source Package
GitHub Security Advisories (GHSA)
National Vulnerability Database (NVD)

Grype Configuration

Configuration Key	Description
`match.javascript.using-cpes`	Use CPE package identifiers to find vulnerabilities

Next steps

21 - Linux Kernel

Linux kernel archive and module analysis and vulnerability scanning capabilities

Package analysis

Cataloger + Evidence	License	Dependencies			Package Manager Claims
Cataloger + Evidence	License	Depth	Edges	Kinds	Files	Digests	Integrity Hash
linux-kernel-cataloger `kernel`, `kernel-`, `vmlinux`, `vmlinux-`, `vmlinuz`, `vmlinuz-`, `lib/modules//.ko`

Syft Configuration

Configuration Key	Description
`linux-kernel.catalog-modules`	Enables cataloging linux kernel modules (*.ko files) in addition to the kernel itself.

Vulnerability scanning

Data Source	Disclosures		Fixes		Track by Source Package
Data Source	Affected	Date	Versions	Date	Track by Source Package
National Vulnerability Database (NVD)

Grype Configuration

Configuration Key	Description
`match.stock.using-cpes`	Use CPE package identifiers to find vulnerabilities

Next steps

22 - Lua

Lua package analysis and vulnerability scanning capabilities

Package analysis

Cataloger + Evidence	License	Dependencies			Package Manager Claims
Cataloger + Evidence	License	Depth	Edges	Kinds	Files	Digests	Integrity Hash
lua-rock-cataloger `*.rockspec`

Vulnerability scanning

Data Source	Disclosures		Fixes		Track by Source Package
Data Source	Affected	Date	Versions	Date	Track by Source Package
National Vulnerability Database (NVD)

Grype Configuration

Configuration Key	Description
`match.stock.using-cpes`	Use CPE package identifiers to find vulnerabilities

Next steps

23 - Nix

Nix package analysis and vulnerability scanning capabilities

Package analysis

Cataloger + Evidence	License	Dependencies			Package Manager Claims
Cataloger + Evidence	License	Depth	Edges	Kinds	Files	Digests	Integrity Hash
nix-cataloger `nix/var/nix/db/db.sqlite`, `nix/store/`, `nix/store/.drv`		Transitive	Complete	Runtime
nix-store-cataloger deprecated `nix/store/`, `nix/store/.drv`		Transitive	Complete	Runtime

Syft Configuration

Configuration Key	Description
`nix.capture-owned-files`	Determines whether to record the list of files owned by each Nix package discovered in the store. Recording owned files provides more detailed information but increases processing time and memory usage.

Vulnerability scanning

Data Source	Disclosures		Fixes		Track by Source Package
Data Source	Affected	Date	Versions	Date	Track by Source Package
National Vulnerability Database (NVD)

Grype Configuration

Configuration Key	Description
`match.stock.using-cpes`	Use CPE package identifiers to find vulnerabilities

Next steps

24 - OCaml

OCaml package analysis and vulnerability scanning capabilities

Package analysis

Cataloger + Evidence	License	Dependencies			Package Manager Claims
Cataloger + Evidence	License	Depth	Edges	Kinds	Files	Digests	Integrity Hash
opam-cataloger `*opam`		Direct		Runtime

Vulnerability scanning

Data Source	Disclosures		Fixes		Track by Source Package
Data Source	Affected	Date	Versions	Date	Track by Source Package
National Vulnerability Database (NVD)

Grype Configuration

Configuration Key	Description
`match.stock.using-cpes`	Use CPE package identifiers to find vulnerabilities

Next steps

25 - PHP

PHP package analysis and vulnerability scanning capabilities

Package analysis

Cataloger + Evidence	License	Dependencies			Package Manager Claims
Cataloger + Evidence	License	Depth	Edges	Kinds	Files	Digests	Integrity Hash
php-composer-installed-cataloger `installed.json`		Transitive		Runtime, Dev
php-composer-lock-cataloger `composer.lock`		Transitive		Runtime
php-interpreter-cataloger `php//.so`, `php-fpm`, `apache/*/libphp.so`		Direct	Flat	Runtime
php-pear-serialized-cataloger `php/.registry/*/.reg`		Direct		Runtime
php-pecl-serialized-cataloger deprecated `php/.registry/.channel./.reg`		Direct		Runtime

Vulnerability scanning

Data Source	Disclosures		Fixes		Track by Source Package
Data Source	Affected	Date	Versions	Date	Track by Source Package
National Vulnerability Database (NVD)

Grype Configuration

Configuration Key	Description
`match.stock.using-cpes`	Use CPE package identifiers to find vulnerabilities

Next steps

26 - Portage

Portage package format used by Gentoo-based Linux distributions

Package analysis

Cataloger + Evidence	License	Dependencies			Package Manager Claims
Cataloger + Evidence	License	Depth	Edges	Kinds	Files	Digests	Integrity Hash
portage-cataloger `var/db/pkg///CONTENTS`		Direct		Runtime

Vulnerability scanning

Data Source	Disclosures		Fixes		Track by Source Package
Data Source	Affected	Date	Versions	Date	Track by Source Package
National Vulnerability Database (NVD)

Operating systems

Operating System	Supported Versions	Provider	Data Source
Gentoo Linux	minimal support (CPE-based)	`nvd`	National Vulnerability Database (NVD)

Next steps

27 - Prolog

Prolog package analysis and vulnerability scanning capabilities

Package analysis

Cataloger + Evidence	License	Dependencies			Package Manager Claims
Cataloger + Evidence	License	Depth	Edges	Kinds	Files	Digests	Integrity Hash
swipl-pack-cataloger `pack.pl`		Direct		Runtime, Dev

Vulnerability scanning

Data Source	Disclosures		Fixes		Track by Source Package
Data Source	Affected	Date	Versions	Date	Track by Source Package
National Vulnerability Database (NVD)

Grype Configuration

Configuration Key	Description
`match.stock.using-cpes`	Use CPE package identifiers to find vulnerabilities

Next steps

28 - Python

Python package analysis and vulnerability scanning capabilities

Package analysis

Cataloger + Evidence	License	Dependencies			Package Manager Claims
Cataloger + Evidence	License	Depth	Edges	Kinds	Files	Digests	Integrity Hash
python-installed-package-cataloger `.egg-info`, `dist-info/METADATA`, `egg-info/PKG-INFO`, `DIST-INFO/METADATA`, `*EGG-INFO/PKG-INFO`		Direct	Complete	Runtime
python-package-cataloger `pdm.lock`		Transitive	Complete	Runtime, Dev, Optional
python-package-cataloger `uv.lock`		Transitive	Complete	Runtime, Dev, Optional
python-package-cataloger `setup.py`		Direct
python-package-cataloger `Pipfile.lock`		Transitive		Runtime
python-package-cataloger `poetry.lock`		Transitive	Complete	Runtime, Dev, Optional
python-package-cataloger `requirements.txt`		Direct		Any

Syft Configuration

Configuration Key	Description
`python.guess-unpinned-requirements`	Attempts to infer package versions from version constraints when no explicit version is specified in requirements files.
`python.pypi-base-url`	Specifies the base URL for the Pypi registry API used when searching for remote license information.
`python.search-remote-licenses`	Enables querying the NPM registry API to retrieve license information for packages that are missing license data in their local metadata.

Vulnerability scanning

Data Source	Disclosures		Fixes		Track by Source Package
Data Source	Affected	Date	Versions	Date	Track by Source Package
GitHub Security Advisories (GHSA)
National Vulnerability Database (NVD)

Grype Configuration

Configuration Key	Description
`match.python.using-cpes`	Use CPE package identifiers to find vulnerabilities

Next steps

29 - R

R package analysis and vulnerability scanning capabilities

Package analysis

Cataloger + Evidence	License	Dependencies			Package Manager Claims
Cataloger + Evidence	License	Depth	Edges	Kinds	Files	Digests	Integrity Hash
r-package-cataloger `DESCRIPTION`

Vulnerability scanning

Data Source	Disclosures		Fixes		Track by Source Package
Data Source	Affected	Date	Versions	Date	Track by Source Package
National Vulnerability Database (NVD)

Grype Configuration

Configuration Key	Description
`match.stock.using-cpes`	Use CPE package identifiers to find vulnerabilities

Next steps

30 - RPM

Red Hat Package Manager format used by Red Hat-based Linux distributions

Package analysis

Cataloger + Evidence	License	Dependencies			Package Manager Claims
Cataloger + Evidence	License	Depth	Edges	Kinds	Files	Digests	Integrity Hash
rpm-archive-cataloger `*.rpm`
rpm-db-cataloger `var/lib/rpmmanifest/container-manifest-2`		Transitive		Runtime
rpm-db-cataloger `{var/lib,usr/share,usr/lib/sysimage}/rpm/{Packages,Packages.db,rpmdb.sqlite}`		Transitive	Complete	Runtime

Vulnerability scanning

Data Source	Disclosures		Fixes		Track by Source Package
Data Source	Affected	Date	Versions	Date	Track by Source Package
AlmaLinux OSV Database (ALSA)
Amazon Linux Security Center (ALAS)
Microsoft AzureLinux OVAL
Red Hat Security Data API (RHSA)
National Vulnerability Database (NVD)
Microsoft CBL-Mariner OVAL
Oracle Linux Security (ELSA)
SUSE Security OVAL (SUSE-SU)

Operating systems

Operating System	Supported Versions	Provider	Data Source
AlmaLinux	`8`, `9`, `10`	`alma`	AlmaLinux OSV Database
Amazon Linux	`2`, `2022`, `2023`	`amazon`	Amazon Linux Security Center
Azure Linux	`3.0`	`mariner`	Microsoft CBL-Mariner OVAL
CentOS	`5`, `6`, `7`, `8`	`rhel`	Red Hat Security Data API
Fedora	minimal support (CPE-based)	`nvd`	National Vulnerability Database (NVD)
CBL-Mariner	`1.0`, `2.0`	`mariner`	Microsoft CBL-Mariner OVAL
OpenSUSE Leap	minimal support (CPE-based)	`nvd`	National Vulnerability Database (NVD)
Oracle Linux	`5`, `6`, `7`, `8`, `9`, `10`	`oracle`	Oracle Linux Security
Photon OS	minimal support (CPE-based)	`nvd`	National Vulnerability Database (NVD)
Red Hat Enterprise Linux	`5`, `6`, `7`, `8`, `9`, `10` EUS: `5.9`, `6.4+`, `7`, `8.1`, `8.2`, `8.4`, `8.6`, `8.8`, `9`	`rhel`	Red Hat Security Data API
Rocky Linux	`5`, `6`, `7`, `8`, `9`, `10`	`rhel`	Red Hat Security Data API
SUSE Linux Enterprise Server	`11`, `12`, `15`	`sles`	SUSE Security OVAL

Next steps

31 - Ruby

Ruby package analysis and vulnerability scanning capabilities

Package analysis

Cataloger + Evidence	License	Dependencies			Package Manager Claims
Cataloger + Evidence	License	Depth	Edges	Kinds	Files	Digests	Integrity Hash
ruby-gemfile-cataloger `Gemfile.lock`		Transitive		Runtime, Dev
ruby-gemspec-cataloger `*.gemspec`		Direct		Runtime
ruby-installed-gemspec-cataloger `specifications/*/.gemspec`		Transitive		Runtime

Vulnerability scanning

Data Source	Disclosures		Fixes		Track by Source Package
Data Source	Affected	Date	Versions	Date	Track by Source Package
GitHub Security Advisories (GHSA)
National Vulnerability Database (NVD)

Grype Configuration

Configuration Key	Description
`match.ruby.using-cpes`	Use CPE package identifiers to find vulnerabilities

Next steps

32 - Rust

Rust package analysis and vulnerability scanning capabilities

Package analysis

Cataloger + Evidence	License	Dependencies			Package Manager Claims
Cataloger + Evidence	License	Depth	Edges	Kinds	Files	Digests	Integrity Hash
cargo-auditable-binary-cataloger `application/x-executable`, `application/x-mach-binary`, `application/x-elf`, `application/x-sharedlib`, `application/vnd.microsoft.portable-executable`, `application/x-executable` (mimetype)		Transitive	Complete	Runtime
rust-cargo-lock-cataloger `Cargo.lock`		Transitive	Complete	Runtime, Dev, Build

Vulnerability scanning

Data Source	Disclosures		Fixes		Track by Source Package
Data Source	Affected	Date	Versions	Date	Track by Source Package
GitHub Security Advisories (GHSA)
National Vulnerability Database (NVD)

Grype Configuration

Configuration Key	Description
`match.rust.using-cpes`	Use CPE package identifiers to find vulnerabilities

Next steps

33 - SBOM

SBOM package analysis and vulnerability scanning capabilities

Package analysis

Cataloger + Evidence	License	Dependencies			Package Manager Claims
Cataloger + Evidence	License	Depth	Edges	Kinds	Files	Digests	Integrity Hash
sbom-cataloger `.syft.json`, `.bom.`, `.bom`, `bom`, `.sbom.`, `.sbom`, `sbom`, `.cdx.`, `.cdx`, `.spdx.`, `*.spdx`

Vulnerability scanning

Data Source	Disclosures		Fixes		Track by Source Package
Data Source	Affected	Date	Versions	Date	Track by Source Package
National Vulnerability Database (NVD)

Grype Configuration

Configuration Key	Description
`match.stock.using-cpes`	Use CPE package identifiers to find vulnerabilities

Next steps

34 - Snap

Snap package analysis and vulnerability scanning capabilities

Package analysis

Cataloger + Evidence	License	Dependencies			Package Manager Claims
Cataloger + Evidence	License	Depth	Edges	Kinds	Files	Digests	Integrity Hash
snap-cataloger `snap/snapcraft.yaml`
snap-cataloger `snap/manifest.yaml`
snap-cataloger `doc/linux-modules-*/changelog.Debian.gz`
snap-cataloger `usr/share/snappy/dpkg.yaml`
snap-cataloger `meta/snap.yaml`

Vulnerability scanning

Data Source	Disclosures		Fixes		Track by Source Package
Data Source	Affected	Date	Versions	Date	Track by Source Package
National Vulnerability Database (NVD)

Grype Configuration

Configuration Key	Description
`match.stock.using-cpes`	Use CPE package identifiers to find vulnerabilities

Next steps

35 - Swift

Swift package analysis and vulnerability scanning capabilities

Package analysis

Cataloger + Evidence	License	Dependencies			Package Manager Claims
Cataloger + Evidence	License	Depth	Edges	Kinds	Files	Digests	Integrity Hash
cocoapods-cataloger `Podfile.lock`		Transitive		Runtime
swift-package-manager-cataloger `Package.resolved`, `.package.resolved`		Transitive		Runtime

Vulnerability scanning

Data Source	Disclosures		Fixes		Track by Source Package
Data Source	Affected	Date	Versions	Date	Track by Source Package
National Vulnerability Database (NVD)

Grype Configuration

Configuration Key	Description
`match.stock.using-cpes`	Use CPE package identifiers to find vulnerabilities

Next steps

36 - Terraform

Terraform package analysis and vulnerability scanning capabilities

Package analysis

Cataloger + Evidence	License	Dependencies			Package Manager Claims
Cataloger + Evidence	License	Depth	Edges	Kinds	Files	Digests	Integrity Hash
terraform-lock-cataloger `.terraform.lock.hcl`		Direct		Runtime

Vulnerability scanning

Data Source	Disclosures		Fixes		Track by Source Package
Data Source	Affected	Date	Versions	Date	Track by Source Package
National Vulnerability Database (NVD)

Grype Configuration

Configuration Key	Description
`match.stock.using-cpes`	Use CPE package identifiers to find vulnerabilities

Next steps

37 - Wordpress

Wordpress package analysis and vulnerability scanning capabilities

Package analysis

Cataloger + Evidence	License	Dependencies			Package Manager Claims
Cataloger + Evidence	License	Depth	Edges	Kinds	Files	Digests	Integrity Hash
wordpress-plugins-cataloger `wp-content/plugins//.php`

Vulnerability scanning

Data Source	Disclosures		Fixes		Track by Source Package
Data Source	Affected	Date	Versions	Date	Track by Source Package
National Vulnerability Database (NVD)

Grype Configuration

Configuration Key	Description
`match.stock.using-cpes`	Use CPE package identifiers to find vulnerabilities