vimp
Question about grype results
Hey, cool idea.
I was giving it a go and am trying to run it before pushing to OCI, and I was able to get this going via:
#!/bin/bash
# Usage: scan.sh <image:tag> <snyk-token>
IMAGE_TAG=$1
SNYK_TOKEN=$2
TMPDIR=${TMPDIR:-/tmp}                          # fall back when TMPDIR is unset
SAFE_TAG=$(echo "${IMAGE_TAG}" | tr '/:' '__')  # registry/repo:tag is not a valid file name

echo "Started scanning images"
echo "Running snyk image scan"
SNYK_TOKEN="${SNYK_TOKEN}" snyk container test --app-vulns --json-file-output="${TMPDIR}/${SAFE_TAG}-report_snyk.json" "${IMAGE_TAG}"
echo "Running trivy image scan"
trivy image --scanners vuln --format json --output "${TMPDIR}/${SAFE_TAG}-report_trivy.json" "${IMAGE_TAG}"
echo "Running grype image scan"
grype --add-cpes-if-none -s AllLayers -o json --file "${TMPDIR}/${SAFE_TAG}-report_grype.json" "${IMAGE_TAG}"

echo "importing"
# local image ID (sha256:...) of the tag that was just scanned
IMAGE_SHA=$(docker images --no-trunc --quiet "${IMAGE_TAG}")
for scanner in snyk grype trivy; do
  vimp import --source "${IMAGE_TAG}@${IMAGE_SHA}" --file "${TMPDIR}/${SAFE_TAG}-report_${scanner}.json"
done
vimp query --image "${IMAGE_TAG}@${IMAGE_SHA}"
echo "Finished scanning images"

# fail the pipeline when the combined view contains any exposure
vulnerabilities=$(vimp query --image "${IMAGE_TAG}@${IMAGE_SHA}" | jq '.exposures|length')
if [[ ${vulnerabilities} -gt 0 ]]; then
  echo "Found ${vulnerabilities} vulnerabilities"
  exit 1
fi
My question is: when I look at the output of grype, I see it detects issues, but these don't seem to end up in the combined dump?
Is it just that there is additional filtering occurring somewhere and most of these are things we probably don't care about? Or is this a bug?
Looking at the source, I see it should scream at me as long as the items have the keys "vulnerabilities" and "artifacts", which the first couple I checked did.
I tried the example image (redis) and I do see results for grype in the combined result.
I also tried an image on my registry (a simple vimp import --image ) and grype behaved the same as my force-local attempt, which makes me think there's just some sort of filtering going on that I'm not understanding.
Thanks!
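An added example, not part of this issue or of the vimp project: a small Python script that normalizes the grype and trivy JSON reports written by a scan like the one above to (identifiers, package, version) and lists the findings present in one report but absent from the other. Diffing the per-scanner reports this way establishes whether grype actually emitted a finding before asking whether the aggregation step dropped it. One cause of apparent mismatches worth handling: grype often reports a GHSA id as the primary identifier and lists the corresponding CVE under `relatedVulnerabilities`, while trivy reports the CVE directly, so a comparison on the primary id alone shows the same issue as two different findings. The field names follow the grype (`matches[].vulnerability`, `matches[].artifact`, `matches[].relatedVulnerabilities`) and trivy (`Results[].Vulnerabilities[]`) JSON layouts; the sample reports, CVE numbers and GHSA id embedded below are constructed placeholders, and `load_report` is a helper added for this example.

```python
"""Diff findings between a grype and a trivy JSON report.

Added example for diagnosing "scanner X found it, the combined view does not":
compare the raw per-scanner reports first. Sample data is constructed.
"""
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    ids: frozenset        # primary identifier plus aliases (e.g. GHSA id and its CVE)
    package: str          # affected package name
    version: str          # installed version
    severity: str

    def same_issue(self, other: "Finding") -> bool:
        # Two scanners describe the same issue when they agree on package and
        # version and share at least one identifier (directly or via an alias).
        return (self.package == other.package
                and self.version == other.version
                and bool(self.ids & other.ids))


def load_report(path: str) -> dict:
    """Read a scanner JSON report from disk (helper added for this example)."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def parse_grype(report: dict) -> list:
    """Normalize grype output: matches[].vulnerability / artifact / relatedVulnerabilities."""
    findings = []
    for match in report.get("matches", []):
        vuln = match.get("vulnerability", {})
        ids = {vuln.get("id", "")}
        # relatedVulnerabilities carries the CVE when the primary id is a GHSA
        ids.update(r.get("id", "") for r in match.get("relatedVulnerabilities", []))
        art = match.get("artifact", {})
        findings.append(Finding(frozenset(i for i in ids if i), art.get("name", ""),
                                art.get("version", ""), vuln.get("severity", "Unknown")))
    return findings


def parse_trivy(report: dict) -> list:
    """Normalize trivy output: Results[].Vulnerabilities[]."""
    findings = []
    for result in report.get("Results") or []:
        for v in result.get("Vulnerabilities") or []:
            findings.append(Finding(frozenset({v.get("VulnerabilityID", "")}), v.get("PkgName", ""),
                                    v.get("InstalledVersion", ""), v.get("Severity", "UNKNOWN")))
    return findings


def missing_from(source: list, reference: list) -> list:
    """Findings in `source` that have no counterpart in `reference`."""
    return [f for f in source if not any(f.same_issue(r) for r in reference)]


# Constructed sample reports (placeholder CVE/GHSA ids, not real advisories).
GRYPE_SAMPLE = {"matches": [
    {"vulnerability": {"id": "CVE-2023-0001", "severity": "High"},
     "relatedVulnerabilities": [],
     "artifact": {"name": "libssl", "version": "1.1.1"}},
    {"vulnerability": {"id": "GHSA-xxxx-xxxx-xxxx", "severity": "Medium"},
     "relatedVulnerabilities": [{"id": "CVE-2023-0002"}],
     "artifact": {"name": "requests", "version": "2.25.0"}},
    {"vulnerability": {"id": "CVE-2023-0003", "severity": "Low"},
     "relatedVulnerabilities": [],
     "artifact": {"name": "busybox", "version": "1.35.0"}},
]}

TRIVY_SAMPLE = {"Results": [
    {"Target": "image (debian)", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2023-0001", "PkgName": "libssl",
         "InstalledVersion": "1.1.1", "Severity": "HIGH"}]},
    {"Target": "Python", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2023-0002", "PkgName": "requests",
         "InstalledVersion": "2.25.0", "Severity": "MEDIUM"}]},
]}


def main() -> None:
    grype = parse_grype(GRYPE_SAMPLE)
    trivy = parse_trivy(TRIVY_SAMPLE)
    for f in missing_from(grype, trivy):
        print(f"only grype : {sorted(f.ids)} {f.package} {f.version} ({f.severity})")
    for f in missing_from(trivy, grype):
        print(f"only trivy : {sorted(f.ids)} {f.package} {f.version} ({f.severity})")


if __name__ == "__main__":
    main()
```

With real reports, replace the sample dicts with `load_report("<path>-report_grype.json")` and `load_report("<path>-report_trivy.json")`. Any finding listed as "only grype" that is also absent from the combined output is the one to investigate; a finding matched only through its GHSA/CVE alias is a naming difference, not a dropped result.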