Capabilities

Summary of package analysis and vulnerability scanning capabilities across ecosystems

Capabilities describe the cross-cutting features available across Anchore’s tools:

Package analysis: What Syft can catalog from package manifests, lock files, and installed packages
Vulnerability scanning: What Grype can detect using vulnerability databases and matching rules

These capabilities are ecosystem-specific. For example, Python’s capabilities differ from Go’s, and Ubuntu’s capabilities differ from Alpine’s.

Default capabilities do not require to be online or have special configuration (other than having a vulnerability DB downloaded). Some capabilities may be conditionally supported, requiring additional configuration or online access to function.

Vulnerability scanning capabilities

Operating system support

Syft and Grype support several operating systems for package cataloging and vulnerability detection. The table below shows which OS versions are supported and where Grype’s vulnerability data comes from.

Operating System	Supported Versions	Vunnel Provider	Data Source
Alpine Linux	3.2+, edge	alpine	Alpine SecDB
Amazon Linux	2, 2022, 2023	amazon	Amazon Linux Security Center
Azure Linux	3.0	mariner	Microsoft CBL-Mariner OVAL
CentOS	5, 6, 7, 8	rhel	Red Hat Security Data API
Chainguard OS	rolling	chainguard	Chainguard Security
Debian	7 (wheezy), 8 (jessie), 9 (stretch), 10 (buster), 11 (bullseye), 12 (bookworm), 13 (trixie), 14, unstable	debian	Debian Security Tracker
Echo OS	rolling	echo	ECHO Security
CBL-Mariner	1.0, 2.0	mariner	Microsoft CBL-Mariner OVAL
MinimOS	rolling	minimos	MINIMOS Security
Oracle Linux	5, 6, 7, 8, 9, 10	oracle	Oracle Linux Security
Raspberry Pi OS	7 (wheezy), 8 (jessie), 9 (stretch), 10 (buster), 11 (bullseye), 12 (bookworm), 13 (trixie), 14, unstable	debian	Debian Security Tracker
Red Hat Enterprise Linux	5, 6, 7, 8, 9, 10 EUS: 5.9, 6.4+, 7, 8.1, 8.2, 8.4, 8.6, 8.8, 9	rhel	Red Hat Security Data API
Rocky Linux	5, 6, 7, 8, 9, 10	rhel	Red Hat Security Data API
SUSE Linux Enterprise Server	11, 12, 15	sles	SUSE Security OVAL
Ubuntu	12.04 (precise), 12.10 (quantal), 13.04 (raring), 14.04 (trusty), 14.10 (utopic), 15.04 (vivid), 15.10 (wily), 16.04 (xenial), 16.10 (yakkety), 17.04 (zesty), 17.10 (artful), 18.04 (bionic), 18.10 (cosmic), 19.04 (disco), 19.10 (eoan), 20.04 (focal), 20.10 (groovy), 21.04 (hirsute), 21.10 (impish), 22.04 (jammy), 22.10 (kinetic), 23.04 (lunar), 23.10 (mantic), 24.04 (noble), 24.10 (oracular), 25.04 (plucky), 25.10	ubuntu	Ubuntu CVE Tracker
Wolfi	rolling	wolfi	Wolfi Security

Data sources

Vulnerability data sources vary in the information they provide. Grype uses these capabilities when available to provide more accurate and comprehensive vulnerability detection:

Independent Disclosure: Whether the advisory discloses the vulnerability regardless of fix availability. Sources with this capability report vulnerabilities even when no fix is available yet.
Disclosure Date: Whether the data source provides the date when a vulnerability was first publicly disclosed. This helps you understand the timeline of vulnerability exposure.
Fix Versions: Whether the data source specifies which package versions contain fixes for a vulnerability. This allows Grype to determine if an installed package version is vulnerable or fixed.
Fix Date: Whether the advisory includes a date when the fix was made available. This helps you understand the timeline of vulnerability remediation.

Package analysis capabilities

The table below shows which ecosystems support package analysis and vulnerability scanning.

Ecosystem	Cataloger + Evidence	Licenses	Dependencies	Files
ALPM	alpm-db-cataloger `var/lib/pacman/local/**/desc`
APK	apk-db-cataloger `lib/apk/db/installed`
Binary	binary-classifier-cataloger arangodb-binary`arangosh` bash-binary`bash` busybox-binary`busybox` chrome-binary`chrome` consul-binary`consul` curl-binary`curl` dart-binary`dart` erlang-alpine-binary`beam.smp` erlang-binary`erlexec` erlang-library`liberts_internal.a` ffmpeg-binary`ffmpeg` ffmpeg-library`libav`, `libswresample` fluent-bit-binary`fluent-bit` gcc-binary`gcc` go-binary`go` go-binary-hint`VERSION` gzip-binary`gzip` haproxy-binary`haproxy` hashicorp-vault-binary`vault` haskell-cabal-binary`cabal` haskell-ghc-binary`ghc` haskell-stack-binary`stack` helm`helm` httpd-binary`httpd` java-binary`java` java-jdb-binary`jdb` jq-binary`jq` julia-binary`libjulia-internal.so` lighttpd-binary`lighttpd` mariadb-binary`{mariadb,mysql}` memcached-binary`memcached` mysql-binary`mysql` nginx-binary`nginx` nodejs-binary`node` openssl-binary`openssl` perl-binary`perl` php-composer-binary`composer` postgresql-binary`postgres` proftpd-binary`proftpd` pypy-binary-lib`libpypy.so` python-binary`python` python-binary-lib`libpython.so` redis-binary`redis-server` ruby-binary`ruby` rust-standard-library-linux`libstd-????????????????.so` rust-standard-library-macos`libstd-????????????????.dylib` sqlcipher-binary`sqlcipher` swipl-binary`swipl` traefik-binary`traefik` util-linux-binary`getopt` wordpress-cli-binary`wp` xtrabackup-binary`xtrabackup` xz-binary`xz` zstd-binary`zstd`
	elf-binary-package-cataloger `application/x-executable`, `application/x-mach-binary`, `application/x-elf`, `application/x-sharedlib`, `application/vnd.microsoft.portable-executable` (mimetype)
	pe-binary-package-cataloger `.dll`, `.exe`
Bitnami	bitnami-cataloger `/opt/bitnami/*/.spdx-.spdx`
C/C++	conan-cataloger `conan.lock`
	conan-cataloger `conanfile.txt`
	conan-info-cataloger `conaninfo.txt`
Conda	conda-meta-cataloger `conda-meta/*.json`
Dart	dart-pubspec-cataloger `pubspec.yml`, `pubspec.yaml`
Dart	dart-pubspec-lock-cataloger `pubspec.lock`
DPKG	deb-archive-cataloger `*.deb`
DPKG	dpkg-db-cataloger `lib/dpkg/status`, `lib/dpkg/status.d/`, `lib/opkg/info/.control`, `lib/opkg/status`
Elixir	elixir-mix-lock-cataloger `mix.lock`
Erlang	erlang-otp-application-cataloger `*.app`
Erlang	erlang-rebar-lock-cataloger `rebar.lock`
GitHub Actions	github-action-workflow-usage-cataloger `.github/workflows/.yaml`, `.github/workflows/.yml`
	github-actions-usage-cataloger `.github/actions//action.yml`, `.github/actions//action.yaml`
	github-actions-usage-cataloger `.github/workflows/.yaml`, `.github/workflows/.yml`
Go	go-module-binary-cataloger `application/x-executable`, `application/x-mach-binary`, `application/x-elf`, `application/x-sharedlib`, `application/vnd.microsoft.portable-executable`, `application/x-executable` (mimetype)
Go	go-module-file-cataloger `go.mod`
Haskell	haskell-cataloger `cabal.project.freeze`
	haskell-cataloger `stack.yaml.lock`
	haskell-cataloger `stack.yaml`
Homebrew	homebrew-cataloger `Cellar///.brew/.rb`, `Library/Taps///Formula/.rb`
Java	graalvm-native-image-cataloger `application/x-executable`, `application/x-mach-binary`, `application/x-elf`, `application/x-sharedlib`, `application/vnd.microsoft.portable-executable` (mimetype)
	java-archive-cataloger `.jar`, `.war`, `.ear`, `.par`, `.sar`, `.nar`, `.jpi`, `.hpi`, `.kar`, `.lpkg`
	java-archive-cataloger `*.zip`
	java-archive-cataloger `.tar`, `.tar.gz`, `.tgz`, `.tar.bz`, `.tar.bz2`, `.tbz`, `.tbz2`, `.tar.br`, `.tbr`, `.tar.lz4`, `.tlz4`, `.tar.sz`, `.tsz`, `.tar.xz`, `.txz`, `.tar.zst`, `.tzst`, `.tar.zstd`, `*.tzstd`
	java-gradle-lockfile-cataloger `gradle.lockfile*`
	java-jvm-cataloger `release`
	java-pom-cataloger `*pom.xml`
JavaScript	javascript-lock-cataloger `pnpm-lock.yaml`
	javascript-lock-cataloger `yarn.lock`
	javascript-lock-cataloger `package-lock.json`
	javascript-package-cataloger `package.json`
Linux	linux-kernel-cataloger `kernel`, `kernel-`, `vmlinux`, `vmlinux-`, `vmlinuz`, `vmlinuz-`, `lib/modules//.ko`
Lua	lua-rock-cataloger `*.rockspec`
.NET	dotnet-deps-binary-cataloger `.deps.json`, `.dll`, `*.exe`
	dotnet-deps-cataloger `*.deps.json`
	dotnet-packages-lock-cataloger `packages.lock.json`
	dotnet-portable-executable-cataloger `.dll`, `.exe`
Nix	nix-cataloger `nix/var/nix/db/db.sqlite`, `nix/store/`, `nix/store/.drv`
Nix	nix-store-cataloger `nix/store/`, `nix/store/.drv`
OCaml	opam-cataloger `*opam`
PHP	php-composer-installed-cataloger `installed.json`
	php-composer-lock-cataloger `composer.lock`
	php-interpreter-cataloger `php//.so`, `php-fpm`, `apache/*/libphp.so`
	php-pear-serialized-cataloger `php/.registry/*/.reg`
	php-pecl-serialized-cataloger `php/.registry/.channel./.reg`
Portage	portage-cataloger `var/db/pkg///CONTENTS`
Prolog	swipl-pack-cataloger `pack.pl`
Python	python-installed-package-cataloger `.egg-info`, `dist-info/METADATA`, `egg-info/PKG-INFO`, `DIST-INFO/METADATA`, `*EGG-INFO/PKG-INFO`
	python-package-cataloger `uv.lock`
	python-package-cataloger `setup.py`
	python-package-cataloger `Pipfile.lock`
	python-package-cataloger `poetry.lock`
	python-package-cataloger `requirements.txt`
R	r-package-cataloger `DESCRIPTION`
RPM	rpm-archive-cataloger `*.rpm`
	rpm-db-cataloger `var/lib/rpmmanifest/container-manifest-2`
	rpm-db-cataloger `{var/lib,usr/share,usr/lib/sysimage}/rpm/{Packages,Packages.db,rpmdb.sqlite}`
Ruby	ruby-gemfile-cataloger `Gemfile.lock`
	ruby-gemspec-cataloger `*.gemspec`
	ruby-installed-gemspec-cataloger `specifications/*/.gemspec`
Rust	cargo-auditable-binary-cataloger `application/x-executable`, `application/x-mach-binary`, `application/x-elf`, `application/x-sharedlib`, `application/vnd.microsoft.portable-executable`, `application/x-executable` (mimetype)
Rust	rust-cargo-lock-cataloger `Cargo.lock`
SBOM	sbom-cataloger `.syft.json`, `.bom.`, `.bom`, `bom`, `.sbom.`, `.sbom`, `sbom`, `.cdx.`, `.cdx`, `.spdx.`, `*.spdx`
Snap	snap-cataloger `snap/snapcraft.yaml`
	snap-cataloger `snap/manifest.yaml`
	snap-cataloger `doc/linux-modules-*/changelog.Debian.gz`
	snap-cataloger `usr/share/snappy/dpkg.yaml`
	snap-cataloger `meta/snap.yaml`
Swift	cocoapods-cataloger `Podfile.lock`
Swift	swift-package-manager-cataloger `Package.resolved`, `.package.resolved`
Terraform	terraform-lock-cataloger `.terraform.lock.hcl`
WordPress	wordpress-plugins-cataloger `wp-content/plugins//.php`

Legend

(empty) : Not supported

Dependencies

We describe Syft’s ability to capture dependency information in the following dimentions:

Depth: How far into the true dependency graph we are able to discover package nodes.
- direct: only captures dependencies explicitly declared by the project, but not necessarily dependencies of those dependencies
- transitive: all possible depths of dependencies are captured
Edges: Whether we are able to capture relationships between packages, and if so, describe the topology of those relationships.
- flat: we can capture the root package relative to all other dependencies, but are unaware of relationships between dependencies (a simple star topology, where all dependencies point to the root package)
- complete: all possible relationships between packages are captured (the full dependency graph)
Kinds: The types of dependencies we are able to capture.
- runtime: dependencies required for the package to function at runtime
- dev: dependencies required for development

Licenses

Indicates whether Syft can detect and catalog license information from package metadata. When supported, Syft extracts license declarations from package manifests, metadata files, or installed package databases.

Package manager features

Syft can extract various package manager metadata beyond basic package information:

Files: Whether Syft can catalog the list of files that are part of a package installation. This provides visibility into all files installed by the package manager.
Digests: Whether Syft can capture file checksums (digests/hashes) for individual files within a package. This enables integrity verification of installed files. Note: this is not necessarily the actual hash of the file, but instead the claims made by the package manager about those files. We capture actual file hashes in the files section of the SBOM.
Integrity Hash: Whether Syft can capture a single package-level integrity hash used by package managers to verify the package archive itself (for example, the https://go.dev/ref/mod#go-sum-files for go packages).

Next steps

Explore capabilities for specific ecosystems using the navigation menu
Learn about Syft package analysis
Learn about Grype vulnerability scanning