anchore · wagoodman · Jul 22, 2025 · Mar 18, 2025 · Jun 30, 2025 · Jul 7, 2025
diff --git a/.gitignore b/.gitignore
@@ -1,3 +1,7 @@
+# AI
+.claude
+CLAUDE.md
+
 # note: you cannot add exceptions for nested paths. You have to add patterns for each parent path as a pattern and specific exceptions for those parents
 # this dance here is to ignore everything in /data but still include the symlink at /data/yardstick/labels
 /data/*

diff --git a/go.mod b/go.mod
@@ -8,8 +8,8 @@ require (
 	github.com/acarl005/stripansi v0.0.0-20180116102854-5a71ef0e047d
 	github.com/adrg/xdg v0.5.3
 	github.com/anchore/go-logger v0.0.0-20250318195838-07ae343dd722
-	github.com/anchore/grype v0.96.0
-	github.com/anchore/syft v1.28.0
+	github.com/anchore/grype v0.96.2-0.20250722133216-a5ead76b4b85
+	github.com/anchore/syft v1.29.0
 	github.com/araddon/dateparse v0.0.0-20210429162001-6b43995a97de
 	github.com/dave/jennifer v1.7.1
 	github.com/dustin/go-humanize v1.0.1
@@ -83,7 +83,7 @@ require (
 	github.com/anchore/go-sync v0.0.0-20250326131806-4eda43a485b6 // indirect
 	github.com/anchore/go-version v1.2.2-0.20210903204242-51efa5b487c4 // indirect
 	github.com/anchore/packageurl-go v0.1.1-0.20250220190351-d62adb6e1115 // indirect
-	github.com/anchore/stereoscope v0.1.6 // indirect
+	github.com/anchore/stereoscope v0.1.7-0.20250716200927-94c6f92877d4 // indirect
 	github.com/andybalholm/brotli v1.1.2-0.20250424173009-453214e765f3 // indirect
 	github.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect
 	github.com/aquasecurity/go-pep440-version v0.0.1 // indirect
@@ -95,7 +95,7 @@ require (
 	github.com/bitnami/go-version v0.0.0-20250131085805-b1f57a8634ef // indirect
 	github.com/blakesmith/ar v0.0.0-20190502131153-809d4375e1fb // indirect
 	github.com/bmatcuk/doublestar/v2 v2.0.4 // indirect
-	github.com/bmatcuk/doublestar/v4 v4.8.1 // indirect
+	github.com/bmatcuk/doublestar/v4 v4.9.0 // indirect
 	github.com/bodgit/plumbing v1.3.0 // indirect
 	github.com/bodgit/sevenzip v1.6.0 // indirect
 	github.com/bodgit/windows v1.0.1 // indirect
@@ -151,7 +151,7 @@ require (
 	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-restruct/restruct v1.2.0-alpha // indirect
-	github.com/go-viper/mapstructure/v2 v2.3.0 // indirect
+	github.com/go-viper/mapstructure/v2 v2.4.0 // indirect
 	github.com/goccy/go-yaml v1.18.0 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/gohugoio/hashstructure v0.5.0 // indirect
@@ -168,7 +168,7 @@ require (
 	github.com/hashicorp/go-safetemp v1.0.0 // indirect
 	github.com/hashicorp/go-version v1.7.0 // indirect
 	github.com/hashicorp/golang-lru/v2 v2.0.7 // indirect
-	github.com/hashicorp/hcl/v2 v2.23.0 // indirect
+	github.com/hashicorp/hcl/v2 v2.24.0 // indirect
 	github.com/huandu/xstrings v1.5.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
@@ -250,7 +250,7 @@ require (
 	github.com/xanzy/ssh-agent v0.3.3 // indirect
 	github.com/xi2/xz v0.0.0-20171230120015-48954b6210f8 // indirect
 	github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
-	github.com/zclconf/go-cty v1.14.0 // indirect
+	github.com/zclconf/go-cty v1.16.3 // indirect
 	go.opencensus.io v0.24.0 // indirect
 	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
 	go.opentelemetry.io/contrib/detectors/gcp v1.31.0 // indirect

diff --git a/go.sum b/go.sum
@@ -707,14 +707,14 @@ github.com/anchore/go-testutils v0.0.0-20200925183923-d5f45b0d3c04 h1:VzprUTpc0v
 github.com/anchore/go-testutils v0.0.0-20200925183923-d5f45b0d3c04/go.mod h1:6dK64g27Qi1qGQZ67gFmBFvEHScy0/C8qhQhNe5B5pQ=
 github.com/anchore/go-version v1.2.2-0.20210903204242-51efa5b487c4 h1:rmZG77uXgE+o2gozGEBoUMpX27lsku+xrMwlmBZJtbg=
 github.com/anchore/go-version v1.2.2-0.20210903204242-51efa5b487c4/go.mod h1:Bkc+JYWjMCF8OyZ340IMSIi2Ebf3uwByOk6ho4wne1E=
-github.com/anchore/grype v0.96.0 h1:AxRc/i9npF1tGMeW87CTpGXXXkZA3FUS6wimt7kqRp0=
-github.com/anchore/grype v0.96.0/go.mod h1:C4G3Bo5V7fH11xAGdjhRrroYLkw+fmXWpQyuggqVuiM=
+github.com/anchore/grype v0.96.2-0.20250722133216-a5ead76b4b85 h1:pB34dZkCC2N+y3y2XLmUZs5KzXs0pIaG7p+Mv9gIt3c=
+github.com/anchore/grype v0.96.2-0.20250722133216-a5ead76b4b85/go.mod h1:PgWmh2BY/54VHbHOoe3t+iaMp5LonK/MS2WLILfVFjk=
 github.com/anchore/packageurl-go v0.1.1-0.20250220190351-d62adb6e1115 h1:ZyRCmiEjnoGJZ1+Ah0ZZ/mKKqNhGcUZBl0s7PTTDzvY=
 github.com/anchore/packageurl-go v0.1.1-0.20250220190351-d62adb6e1115/go.mod h1:KoYIv7tdP5+CC9VGkeZV4/vGCKsY55VvoG+5dadg4YI=
-github.com/anchore/stereoscope v0.1.6 h1:DxaPHugD9EndPxOaIMaEYjHJJURjKNaHzD1NyQUUmdU=
-github.com/anchore/stereoscope v0.1.6/go.mod h1:ejAlYkAb/cRvSMlxQlrG2dMruqQpcJAh4w2Fu02FEYQ=
-github.com/anchore/syft v1.28.0 h1:uLdCvWNb2btvCyfIawWOsXD238v6eDTaz5RTfS2lMqA=
-github.com/anchore/syft v1.28.0/go.mod h1:jGpfAy5lRvOUrOxWAfbbu9t3TK8VwJpAAJHz6HFQofw=
+github.com/anchore/stereoscope v0.1.7-0.20250716200927-94c6f92877d4 h1:5UGwBBUAK8i06gDA5JD74vT3qcz4lR7BfLXudpD5y8w=
+github.com/anchore/stereoscope v0.1.7-0.20250716200927-94c6f92877d4/go.mod h1:ejAlYkAb/cRvSMlxQlrG2dMruqQpcJAh4w2Fu02FEYQ=
+github.com/anchore/syft v1.29.0 h1:zQqajGHCX4vO2uaybjdSXL8q3uxXepo1s7ySIK+i5v4=
+github.com/anchore/syft v1.29.0/go.mod h1:nXCGVo6kikMi74cXrvYlSSbv/zP8mR4PuMwpUn0vSZ4=
 github.com/andreyvit/diff v0.0.0-20170406064948-c7f18ee00883/go.mod h1:rCTlJbsFo29Kk6CurOXKm700vrz8f0KW0JNfpkRJY/8=
 github.com/andybalholm/brotli v1.0.4/go.mod h1:fO7iG3H7G2nSZ7m0zPUDn85XEX2GTukHGRSepvi9Eig=
 github.com/andybalholm/brotli v1.1.2-0.20250424173009-453214e765f3 h1:8PmGpDEZl9yDpcdEr6Odf23feCxK3LNUNMxjXg41pZQ=
@@ -761,8 +761,8 @@ github.com/blakesmith/ar v0.0.0-20190502131153-809d4375e1fb h1:m935MPodAbYS46DG4
 github.com/blakesmith/ar v0.0.0-20190502131153-809d4375e1fb/go.mod h1:PkYb9DJNAwrSvRx5DYA+gUcOIgTGVMNkfSCbZM8cWpI=
 github.com/bmatcuk/doublestar/v2 v2.0.4 h1:6I6oUiT/sU27eE2OFcWqBhL1SwjyvQuOssxT4a1yidI=
 github.com/bmatcuk/doublestar/v2 v2.0.4/go.mod h1:QMmcs3H2AUQICWhfzLXz+IYln8lRQmTZRptLie8RgRw=
-github.com/bmatcuk/doublestar/v4 v4.8.1 h1:54Bopc5c2cAvhLRAzqOGCYHYyhcDHsFF4wWIR5wKP38=
-github.com/bmatcuk/doublestar/v4 v4.8.1/go.mod h1:xBQ8jztBU6kakFMg+8WGxn0c6z1fTSPVIjEY1Wr7jzc=
+github.com/bmatcuk/doublestar/v4 v4.9.0 h1:DBvuZxjdKkRP/dr4GVV4w2fnmrk5Hxc90T51LZjv0JA=
+github.com/bmatcuk/doublestar/v4 v4.9.0/go.mod h1:xBQ8jztBU6kakFMg+8WGxn0c6z1fTSPVIjEY1Wr7jzc=
 github.com/bodgit/plumbing v1.3.0 h1:pf9Itz1JOQgn7vEOE7v7nlEfBykYqvUYioC61TwWCFU=
 github.com/bodgit/plumbing v1.3.0/go.mod h1:JOTb4XiRu5xfnmdnDJo6GmSbSbtSyufrsyZFByMtKEs=
 github.com/bodgit/sevenzip v1.6.0 h1:a4R0Wu6/P1o1pP/3VV++aEOcyeBxeO/xE2Y9NSTrr6A=
@@ -1002,8 +1002,8 @@ github.com/go-sql-driver/mysql v1.6.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LB
 github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
 github.com/go-test/deep v1.1.1 h1:0r/53hagsehfO4bzD2Pgr/+RgHqhmf+k1Bpse2cTu1U=
 github.com/go-test/deep v1.1.1/go.mod h1:5C2ZWiW0ErCdrYzpqxLbTX7MG14M9iiw8DgHncVwcsE=
-github.com/go-viper/mapstructure/v2 v2.3.0 h1:27XbWsHIqhbdR5TIC911OfYvgSaW93HM+dX7970Q7jk=
-github.com/go-viper/mapstructure/v2 v2.3.0/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM=
+github.com/go-viper/mapstructure/v2 v2.4.0 h1:EBsztssimR/CONLSZZ04E8qAkxNYq4Qp9LvH92wZUgs=
+github.com/go-viper/mapstructure/v2 v2.4.0/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM=
 github.com/gobwas/httphead v0.1.0/go.mod h1:O/RXo79gxV8G+RqlR/otEwx4Q36zl9rqC5u12GKvMCM=
 github.com/gobwas/pool v0.2.1/go.mod h1:q8bcK0KcYlCgd9e7WYLm9LpyS+YeLd8JVDW6WezmKEw=
 github.com/gobwas/ws v1.2.1/go.mod h1:hRKAFb8wOxFROYNsT1bqfWnhX+b5MFeJM9r2ZSwg/KY=
@@ -1192,8 +1192,8 @@ github.com/hashicorp/golang-lru v0.5.4/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uG
 github.com/hashicorp/golang-lru/v2 v2.0.7 h1:a+bsQ5rvGLjzHuww6tVxozPZFVghXaHOwFs4luLUK2k=
 github.com/hashicorp/golang-lru/v2 v2.0.7/go.mod h1:QeFd9opnmA6QUJc5vARoKUSoFhyfM2/ZepoAG6RGpeM=
 github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ=
-github.com/hashicorp/hcl/v2 v2.23.0 h1:Fphj1/gCylPxHutVSEOf2fBOh1VE4AuLV7+kbJf3qos=
-github.com/hashicorp/hcl/v2 v2.23.0/go.mod h1:62ZYHrXgPoX8xBnzl8QzbWq4dyDsDtfCRgIq1rbJEvA=
+github.com/hashicorp/hcl/v2 v2.24.0 h1:2QJdZ454DSsYGoaE6QheQZjtKZSUs9Nh2izTWiwQxvE=
+github.com/hashicorp/hcl/v2 v2.24.0/go.mod h1:oGoO1FIQYfn/AgyOhlg9qLC6/nOJPX3qGbkZpYAcqfM=
 github.com/hashicorp/logutils v1.0.0/go.mod h1:QIAnNjmIWmVIIkWDTG1z5v++HQmx9WQRO+LraFDTW64=
 github.com/hashicorp/mdns v1.0.1/go.mod h1:4gW7WsVCke5TE7EPeYliwHlRUyBtfCwuFwuMg2DmyNY=
 github.com/hashicorp/mdns v1.0.4/go.mod h1:mtBihi+LeNXGtG8L9dX59gAEa12BDtBQSp4v/YAJqrc=
@@ -1611,8 +1611,8 @@ github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9dec
 github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
 github.com/yuin/goldmark v1.4.1/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
-github.com/zclconf/go-cty v1.14.0 h1:/Xrd39K7DXbHzlisFP9c4pHao4yyf+/Ug9LEz+Y/yhc=
-github.com/zclconf/go-cty v1.14.0/go.mod h1:VvMs5i0vgZdhYawQNq5kePSpLAoz8u1xvZgrPIxfnZE=
+github.com/zclconf/go-cty v1.16.3 h1:osr++gw2T61A8KVYHoQiFbFd1Lh3JOCXc/jFLJXKTxk=
+github.com/zclconf/go-cty v1.16.3/go.mod h1:VvMs5i0vgZdhYawQNq5kePSpLAoz8u1xvZgrPIxfnZE=
 github.com/zclconf/go-cty-debug v0.0.0-20240509010212-0d6042c53940 h1:4r45xpDWB6ZMSMNJFMOjqrGHynW3DIBuR2H9j0ug+Mo=
 github.com/zclconf/go-cty-debug v0.0.0-20240509010212-0d6042c53940/go.mod h1:CmBdvvj3nqzfzJ6nTCIwDTPZ56aVGvDrmztiO5g3qrM=
 github.com/zeebo/assert v1.3.0/go.mod h1:Pq9JiuJQpG8JLJdtkwrJESF0Foym2/D9XMU5ciN/wJ0=

diff --git a/pkg/process/v5/transformers/os/test-fixtures/rhel-8-eus.json b/pkg/process/v5/transformers/os/test-fixtures/rhel-8-eus.json
@@ -0,0 +1,57 @@
+[
+  {
+    "Vulnerability": {
+      "CVSS": [
+        {
+          "base_metrics": {
+            "base_score": 8.8,
+            "base_severity": "High",
+            "exploitability_score": 2.8,
+            "impact_score": 5.9
+          },
+          "status": "verified",
+          "vector_string": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
+          "version": "3.1"
+        }
+      ],
+      "Description": "A flaw was found in Mozilla Firefox. A race condition can occur while running the nsDocShell destructor causing a use-after-free memory issue. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.",
+      "FixedIn": [
+        {
+          "Name": "firefox",
+          "NamespaceName": "rhel:8+eus",
+          "VendorAdvisory": {
+            "AdvisorySummary": [
+              {
+                "ID": "RHSA-2020:1341",
+                "Link": "https://access.redhat.com/errata/RHSA-2020:1341"
+              }
+            ],
+            "NoAdvisory": false
+          },
+          "Version": "0:68.6.1-1.el8_1",
+          "VersionFormat": "rpm"
+        },
+        {
+          "Name": "thunderbird",
+          "NamespaceName": "rhel:8+eus",
+          "VendorAdvisory": {
+            "AdvisorySummary": [
+              {
+                "ID": "RHSA-2020:1495",
+                "Link": "https://access.redhat.com/errata/RHSA-2020:1495"
+              }
+            ],
+            "NoAdvisory": false
+          },
+          "Version": "0:68.7.0-1.el8_1",
+          "VersionFormat": "rpm"
+        }
+      ],
+      "Link": "https://access.redhat.com/security/cve/CVE-2020-6819",
+      "Metadata": {},
+      "Name": "CVE-2020-6819",
+      "NamespaceName": "rhel:8+eus",
+      "Severity": "Critical"
+    }
+  }
+]
diff --git a/pkg/process/v5/transformers/os/transform.go b/pkg/process/v5/transformers/os/transform.go
@@ -31,6 +31,7 @@ func buildGrypeNamespace(group string) (namespace.Namespace, error) {
 
 	providerName := d.String()
 	distroName := d.String()
+	ver := feedGroupComponents[1]
 
 	switch d {
 	case distro.OracleLinux:
@@ -39,12 +40,17 @@ func buildGrypeNamespace(group string) (namespace.Namespace, error) {
 		providerName = "amazon"
 	case distro.Mariner, distro.Azure:
 		providerName = "mariner"
-		if strings.HasPrefix(feedGroupComponents[1], "3") {
+		if strings.HasPrefix(ver, "3") {
 			distroName = distro.Azure.String() // Mariner Linux 3 is known as "Azure Linux 3"
 		}
 	}
 
-	ns, err := namespace.FromString(fmt.Sprintf("%s:distro:%s:%s", providerName, distroName, feedGroupComponents[1]))
+	// distro channels are not supported in the grype v5 schema, so the records should be dropped entirely
+	if strings.Contains(ver, "+") {
+		return nil, nil
+	}
+
+	ns, err := namespace.FromString(fmt.Sprintf("%s:distro:%s:%s", providerName, distroName, ver))
 	if err != nil {
 		return nil, err
 	}
@@ -78,6 +84,10 @@ func Transform(vulnerability unmarshal.OSVulnerability) ([]data.Entry, error) {
 	if err != nil {
 		return nil, err
 	}
+	if grypeNamespace == nil {
+		// this is an enterprise feed group that does not have a corresponding grype namespace, so skip it
+		return nil, nil
+	}
 
 	entryNamespace := grypeNamespace.String()
 

diff --git a/pkg/process/v5/transformers/os/transform_test.go b/pkg/process/v5/transformers/os/transform_test.go
@@ -436,6 +436,12 @@ func TestParseVulnerabilitiesEntry(t *testing.T) {
 				},
 			},
 		},
+		{
+			name:       "RHEL EUS (ignore)",
+			numEntries: 1,
+			fixture:    "test-fixtures/rhel-8-eus.json",
+			// intentionally creates no vulnerabilities to write to the DB
+		},
 		{
 			name:       "Alpine",
 			numEntries: 1,

diff --git a/pkg/process/v6/transformers/os/transform.go b/pkg/process/v6/transformers/os/transform.go
@@ -67,7 +67,7 @@ func getAffectedPackages(vuln unmarshal.OSVulnerability) []grypeDB.AffectedPacka
 		}
 
 		aph := grypeDB.AffectedPackageHandle{
-			OperatingSystem: getOperatingSystem(group.osName, group.id, group.osVersion),
+			OperatingSystem: getOperatingSystem(group.osName, group.id, group.osVersion, group.osChannel),
 			Package:         getPackage(group),
 			BlobValue: &grypeDB.AffectedPackageBlob{
 				CVEs:       getAliases(vuln),
@@ -180,14 +180,15 @@ type groupIndex struct {
 	id        string
 	osName    string
 	osVersion string
+	osChannel string
 	hasModule bool
 	module    string
 	format    string
 }
 
 func groupFixedIns(vuln unmarshal.OSVulnerability) map[groupIndex][]unmarshal.OSFixedIn {
 	grouped := make(map[groupIndex][]unmarshal.OSFixedIn)
-	osName, osID, osVersion := getOSInfo(vuln.Vulnerability.NamespaceName)
+	oi := getOSInfo(vuln.Vulnerability.NamespaceName)
 
 	for _, fixedIn := range vuln.Vulnerability.FixedIn {
 		var mod string
@@ -196,9 +197,10 @@ func groupFixedIns(vuln unmarshal.OSVulnerability) map[groupIndex][]unmarshal.OS
 		}
 		g := groupIndex{
 			name:      fixedIn.Name,
-			id:        osID,
-			osName:    osName,
-			osVersion: osVersion,
+			id:        oi.id,
+			osName:    oi.name,
+			osVersion: oi.version,
+			osChannel: oi.channel,
 			hasModule: fixedIn.Module != nil,
 			module:    mod,
 			format:    fixedIn.VersionFormat,
@@ -232,12 +234,25 @@ func getPackage(group groupIndex) *grypeDB.Package {
 	}
 }
 
-func getOSInfo(group string) (string, string, string) {
+type osInfo struct {
+	name    string
+	id      string
+	version string
+	channel string
+}
+
+func getOSInfo(group string) osInfo {
 	// derived from enterprise feed groups, expected to be of the form {distro release ID}:{version}
 	feedGroupComponents := strings.Split(group, ":")
 
 	id := feedGroupComponents[0]
 	version := feedGroupComponents[1]
+	channel := ""
+	if strings.Contains(feedGroupComponents[1], "+") {
+		versionParts := strings.Split(feedGroupComponents[1], "+")
+		channel = versionParts[1]
+		version = versionParts[0]
+	}
 	if strings.ToLower(id) == "mariner" {
 		verFields := strings.Split(version, ".")
 		majorVersionStr := verFields[0]
@@ -249,7 +264,12 @@ func getOSInfo(group string) (string, string, string) {
 		}
 	}
 
-	return normalizeOsName(id), id, version
+	return osInfo{
+		name:    normalizeOsName(id),
+		id:      id,
+		version: version,
+		channel: channel,
+	}
 }
 
 func normalizeOsName(id string) string {
@@ -263,7 +283,7 @@ func normalizeOsName(id string) string {
 	return d.String()
 }
 
-func getOperatingSystem(osName, osID, osVersion string) *grypeDB.OperatingSystem {
+func getOperatingSystem(osName, osID, osVersion, channel string) *grypeDB.OperatingSystem {
 	if osName == "" || osVersion == "" {
 		return nil
 	}
@@ -288,6 +308,7 @@ func getOperatingSystem(osName, osID, osVersion string) *grypeDB.OperatingSystem
 		MajorVersion: majorVersion,
 		MinorVersion: minorVersion,
 		LabelVersion: labelVersion,
+		Channel:      channel,
 		Codename:     codename.LookupOS(osName, majorVersion, minorVersion),
 	}
 }