Source URL: https://anchore.com/blog/time-to-take-another-look-at-grype-a-year-of-major-improvements/
Source: Anchore
Title: Time to Take Another Look at Grype: A Year of Major Improvements
Feedly Summary: If you last tried Grype a year ago and haven’t checked back recently, you’re in for some pleasant surprises. The past twelve months have significantly improved the accuracy and performance of our open source vulnerability scanner. Whether you’re dealing with false positives, slow database updates, or wanting deeper insights into your vulnerability data, Grype has […]
The post Time to Take Another Look at Grype: A Year of Major Improvements appeared first on Anchore.
AI Summary and Description: Yes
**Summary:** The text discusses significant improvements to Grype, an open-source vulnerability scanner. Major advancements include reduced false positives, improved database architecture, integration of contextual databases like KEV and EPSS, and enhanced search capabilities which collectively impact vulnerability management positively. This information is vital for security professionals focusing on software and cloud security.
**Detailed Description:**
The text highlights several key improvements made over the past year to Grype, an open-source vulnerability scanner, that enhance its effectiveness in identifying and managing vulnerabilities in software applications. Here are the notable advancements:
– **Reduction of False Positives:**
  – Shift from relying primarily on Common Platform Enumeration (CPE) matching to prioritizing the GitHub Advisory Database.
  – Up to 80% reduction in false positives, with the largest improvement seen for Java applications.
  – Cleaner scan results lead to more actionable remediation efforts.
– **Database Architecture Revamp:**
  – Upgrade from database schema v5 to v6, giving a significantly smaller download (69% reduction) and a smaller on-disk database (44% smaller).
  – Faster updates for Continuous Integration/Continuous Deployment (CI/CD) pipelines, which is crucial for efficiency in modern development workflows.
– **Enhanced Vulnerability Context:**
  – Integration of the CISA Known Exploited Vulnerabilities (KEV) catalog and Exploit Prediction Scoring System (EPSS) data.
  – Introduction of a calculated “Risk” value for each vulnerability, allowing security teams to focus on findings that are actively exploited or have a high probability of exploitation.
– **Improved Database Search Functionality:**
  – New capabilities allowing users to query the Grype database directly, improving transparency into the underlying vulnerability data.
  – Support for validating coverage in compliance reporting and for security research.
– **Wider Ecosystem Coverage:**
  – Expanded package detection and enhanced language support across platforms, including improvements for .NET, Java, and Python.
  – Better support for scanning container environments, making Grype a more comprehensive tool for assessing software security.
– **Streamlined Configuration Management:**
  – Introduction of hierarchical configuration profiles, allowing better management of scanning policies across different environments and projects.
  – Support for Package URL (PURL) scanning, allowing targeted vulnerability checks against specific packages.
– **Optimized Performance:**
  – Improvements in vulnerability matching and reduced memory consumption, which matter most when working with large container images.
– **Community Engagement:**
  – Encouragement for user involvement in further development through contributions and participation in community discussions.
  – Grype’s evolution aims to make security scanning a beneficial part of software development rather than a hindrance.
In conclusion, Grype has made substantial strides in its performance and usability for security scanning, offering security and compliance professionals a more efficient way to manage vulnerabilities in their software supply chain. The continuous enhancements promise a better user experience and higher security assurance, making it a worthwhile tool for current and potential users.