Add published field in output

Open enzofrnt opened this issue 1 year ago • 5 comments

What would you like to be added?

It would be great and helpful to include the discovery date of vulnerabilities in the JSON output from Grype.

Why is this needed?

This feature is needed because some users may require information about when a vulnerability was first discovered. Knowing the discovery date can help in:

  • Assessing the urgency of mitigation based on how long the vulnerability has been known.
  • Prioritizing patches by understanding if a vulnerability is recent or has been around for a while.
  • Compliance and reporting, as some security frameworks require tracking the lifecycle of vulnerabilities.
  • Security audits, where teams need historical context on vulnerabilities affecting their systems.

enzofrnt avatar Feb 27 '25 13:02 enzofrnt

The upcoming grype-db schema v6 will add these fields:

https://github.com/anchore/grype/blob/5dc2d2ee1a6eb3cdc141f74c1b16d5bda58197dc/grype/db/v6/models.go#L161-L167

So this work is now unblocked. After v6 is adopted, changes will be needed in anchore/vunnel and anchore/grype-db to ensure the field is populated. I'm marking this as ready, since it's able to be worked on today. When someone starts working on a particular Vunnel provider, please open an issue in Vunnel for that provider and link it here.

willmurphyscode avatar Mar 03 '25 15:03 willmurphyscode

Nice! Could you provide us with documentation about the schema, including version 6 and older ones?

Having access to proper documentation would help us accurately interpret the return values of Grype. Without this, every user is left to decipher Grype’s output on their own, which can lead to inconsistencies, misunderstandings, and potential misinterpretations of vulnerabilities.

In a cybersecurity-focused application like Grype, where precision and clarity are crucial, the absence of structured schema documentation can hinder effective usage. Providing official documentation would not only enhance user experience but also ensure that security professionals can rely on Grype’s output without ambiguity.

Would it be possible to make this available?

enzofrnt avatar Mar 05 '25 15:03 enzofrnt

The upcoming grype-db schema v6 will add these fields:

grype/grype/db/v6/models.go

Lines 161 to 167 in 5dc2d2e

    PublishedDate *time.Time `gorm:"column:published_date;index"`

    // ModifiedDate is the date the vulnerability record was last modified
    ModifiedDate *time.Time `gorm:"column:modified_date;index"`

    // WithdrawnDate is the date the vulnerability record was withdrawn
    WithdrawnDate *time.Time `gorm:"column:withdrawn_date;index"`

So this work is now unblocked. After v6 is adopted, changes will be needed in anchore/vunnel and anchore/grype-db to ensure the field is populated. I'm marking this as ready, since it's able to be worked on today. When someone starts working on a particular Vunnel provider, please open an issue in Vunnel for that provider and link it here.

@willmurphyscode

Once this is done you can send a message here; I might have time to implement it. Regarding the Vunnel provider: not sure how complex it is. In case it is easy, if you can provide some instructions I can try and write it.

tomersein avatar Mar 11 '25 07:03 tomersein

Hi @tomersein, great question! This work is indeed unblocked.

The next thing that needs to be done is to actually fetch this data from our various data sources in vunnel. That work is tracked at https://github.com/anchore/vunnel/issues/742. We'd be very grateful if you wanted to pick up one of those vulnerability providers, and we can discuss which one or how to go about doing the work on anchore/vunnel#742. Thanks!

willmurphyscode avatar Mar 11 '25 18:03 willmurphyscode
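
An added example, not part of the thread and not code from Grype, grype-db or Vunnel: one way a consumer could handle the nullable `PublishedDate` and `WithdrawnDate` columns quoted above while some providers still leave them unpopulated. The `Record` type, the `AgeDays`, `Triage` and `day` helpers, the `SAMPLE-*` identifiers and the longest-known-first ordering are all assumptions made for illustration.

```go
package main

import ("fmt"; "sort"; "time")

// Record is a hypothetical stand-in holding the nullable v6 date columns.
type Record struct {
	ID            string // constructed sample identifier, not a real advisory
	PublishedDate *time.Time
	ModifiedDate  *time.Time
	WithdrawnDate *time.Time
}

// AgeDays returns whole days since publication; ok is false when the date is unpopulated.
func AgeDays(r Record, now time.Time) (days int, ok bool) {
	if r.PublishedDate == nil {
		return 0, false // a nil date must not be read as "published today"
	}
	return int(now.Sub(*r.PublishedDate).Hours() / 24), true
}

// Triage drops withdrawn records and sorts the rest longest-known first, undated last.
func Triage(recs []Record, now time.Time) []Record {
	var out []Record
	for _, r := range recs {
		if r.WithdrawnDate == nil {
			out = append(out, r)
		}
	}
	sort.SliceStable(out, func(i, j int) bool {
		ai, okI := AgeDays(out[i], now)
		aj, okJ := AgeDays(out[j], now)
		if okI != okJ {
			return okI // dated records sort ahead of undated ones
		}
		return ai > aj
	})
	return out
}

func day(s string) *time.Time { t, _ := time.Parse("2006-01-02", s); return &t } // constructed dates

func main() {
	now := *day("2025-03-25")
	recs := []Record{{ID: "SAMPLE-A", PublishedDate: day("2025-03-20")}, {ID: "SAMPLE-B"}}
	for _, r := range Triage(recs, now) {
		d, ok := AgeDays(r, now)
		fmt.Println(r.ID, d, ok)
	}
}
```

Undated records are kept at the end of the list rather than dropped, so a provider that has not yet populated the field does not hide findings from review.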

Hi, any news?

enzofrnt avatar Mar 25 '25 08:03 enzofrnt