Skip to content

Better documentation for schema #2569

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
enzofrnt opened this issue Mar 31, 2025 · 1 comment
Open

Better documentation for schema #2569

enzofrnt opened this issue Mar 31, 2025 · 1 comment
Labels
enhancement New feature or request
Milestone
Grype 1.0

Comments

@enzofrnt
Copy link

What would you like to be added:

Better documentation about the output of Grype.
Currently, there is no clear information about the structure or meaning of the output. We are left to interpret the returned content ourselves:

grype/README.md

Lines 239 to 262 in d9a2cd2

#### Basic Grype Vulnerability Data Shape
```json
{
"vulnerability": {
...
},
"relatedVulnerabilities": [
...
],
"matchDetails": [
...
],
"artifact": {
...
}
}
```
- **Vulnerability**: All information on the specific vulnerability that was directly matched on (e.g. ID, severity, CVSS score, fix information, links for more information)
- **RelatedVulnerabilities**: Information pertaining to vulnerabilities found to be related to the main reported vulnerability. Maybe the vulnerability we matched on was a GitHub Security Advisory, which has an upstream CVE (in the authoritative national vulnerability database). In these cases we list the upstream vulnerabilities here.
- **MatchDetails**: This section tries to explain what we searched for while looking for a match and exactly what details on the package and vulnerability that lead to a match.
- **Artifact**: This is a subset of the information that we know about the package (when compared to the [Syft](https://github.com/anchore/syft) json output, we summarize the metadata section).
This has information about where within the container image or directory we found the package, what kind of package it is, licensing info, pURLs, CPEs, etc.

This information is not sufficient to fully understand what Grype is returning.

Why is this needed:

This is needed because, in a cybersecurity environment, we must be certain of the data we're getting from tools like Grype.
Clear, reliable documentation is essential to ensure we can trust and correctly interpret the tool's output.

Additional context:

OSV Scanner handles this very well — just look at their documentation:
https://ossf.github.io/osv-schema/

Everything is explained, making it easy to understand and trust what we're getting from the tool — which is absolutely critical in a cybersecurity context.
Without this level of documentation, such tools can quickly become unreliable or even unusable.
@enzofrnt enzofrnt added the enhancement New feature or request label Mar 31, 2025
@kzantow kzantow added this to the Grype 1.0 milestone Mar 31, 2025
@kzantow
Copy link
Contributor

kzantow commented Mar 31, 2025

This is a good request. There's another issue open for providing a schema, since this is about documentation, I'm going to add this on as something we would like to tackle as part of the Grype 1.0 effort.

@kzantow kzantow moved this to Ready in OSS Mar 31, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
OSS
Status: Ready
Milestone
Grype 1.0
Development

No branches or pull requests
2 participants
@kzantow @enzofrnt