Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add published field in output #2489

Open
enzofrnt opened this issue Feb 27, 2025 · 2 comments
Open

Add published field in output #2489

enzofrnt opened this issue Feb 27, 2025 · 2 comments
Labels
enhancement New feature or request

Comments

@enzofrnt
Copy link

What would you like to be added?

It would be great and helpful to include the discovery date of vulnerabilities in the JSON output from Grype.

Why is this needed?

This feature is needed because some users may require information about when a vulnerability was first discovered. Knowing the discovery date can help in:

  • Assessing the urgency of mitigation based on how long the vulnerability has been known.
  • Prioritizing patches by understanding if a vulnerability is recent or has been around for a while.
  • Compliance and reporting, as some security frameworks require tracking the lifecycle of vulnerabilities.
  • Security audits, where teams need historical context on vulnerabilities affecting their systems.
@enzofrnt enzofrnt added the enhancement New feature or request label Feb 27, 2025
@willmurphyscode willmurphyscode moved this to Ready in OSS Mar 3, 2025
@willmurphyscode
Copy link
Contributor

The upcoming grype-db schema v6 will add these fields:

grype/grype/db/v6/models.go

Lines 161 to 167 in 5dc2d2e

PublishedDate *time.Time `gorm:"column:published_date;index"`
// ModifiedDate is the date the vulnerability record was last modified
ModifiedDate *time.Time `gorm:"column:modified_date;index"`
// WithdrawnDate is the date the vulnerability record was withdrawn
WithdrawnDate *time.Time `gorm:"column:withdrawn_date;index"`

So this work is now unblocked. After v6 is adopted, changes will be needed in anchore/vunnel and anchore/grype-db to ensure the field is populated. I'm marking this as ready, since it's able to be worked on today. When someone starts working on a particular Vunnel provider, please open an issue to in Vunnel for that provider and link it here.

@enzofrnt
Copy link
Author

enzofrnt commented Mar 5, 2025

Nice! Could you provide us with documentation about the schema, including version 6 and older ones?

Having access to proper documentation would help us accurately interpret the return values of Grype. Without this, every user is left to decipher Grype’s output on their own, which can lead to inconsistencies, misunderstandings, and potential misinterpretations of vulnerabilities.

In a cybersecurity-focused application like Grype, where precision and clarity are crucial, the absence of structured schema documentation can hinder effective usage. Providing official documentation would not only enhance user experience but also ensure that security professionals can rely on Grype’s output without ambiguity.

Would it be possible to make this available?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
OSS
Status: Ready
Milestone
No milestone
Development

No branches or pull requests
2 participants
@willmurphyscode @enzofrnt