
Add support for CleanStart OS vulnerability scanning#3281

Open
cleanstart-community-admin wants to merge 4 commits into anchore:main from cleanstart-community-admin:feat/cleanstart-distro

Conversation

@cleanstart-community-admin

Summary

Adds CleanStart OS as a supported distro type in Grype, enabling accurate vulnerability scanning of CleanStart-based container images using the CleanStart Security Advisories database.

Motivation

CleanStart OS container images were previously unrecognised by Grype — scans produced no vulnerability results and emitted distro-detection warnings. Users scanning CleanStart images had no way to detect known vulnerabilities in installed packages.

Changes

  • Add Clnstrt distro type constant in grype/distro/type.go
  • Add clnstrt and cleanstart to the IDMapping table — clnstrt is the current /etc/os-release identifier; cleanstart supports an in-progress upstream rename
  • Add Clnstrt to the All distro slice
  • Add Rolling: true OS specifier overrides for both identifiers in grype/db/v6/data.go — CleanStart is a rolling distro and does not pin versions
  • Update the OSV transformer to map the CleanStart ecosystem to pkg.ApkPkg — CleanStart uses the APK package format
  • Add testdata/os/clnstrt and testdata/os/cleanstart test fixtures
  • Add test coverage in distro_test.go and type_test.go

Related

Type of change

  • New feature (non-breaking change which adds functionality)

Checklist

  • I have added unit tests that cover changed behavior
  • I have tested my code in common scenarios and confirmed there are no regressions
  • I have added comments to my code, particularly in hard-to-understand sections
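The detection path the change list above describes, as an added Go example that is not grype's code: `Type`, `idMapping`, `rolling` and `Identify` are stand-ins for the PR's distro type constant, IDMapping table and `Rolling: true` override, and the os-release contents in the comments are constructed.

```go
package main
import (
	"bufio"
	"strings"
)

// Type is a distro type; the names are illustrative, not grype's exported ones.
type Type string
const (
	Unknown Type = "" // zero value: ID not present in the mapping table
	Clnstrt Type = "clnstrt"
	Alpine  Type = "alpine" // a versioned distro, for contrast
)

// idMapping resolves the ID= field of /etc/os-release; the current "clnstrt"
// identifier and the in-progress "cleanstart" rename both map to Clnstrt.
var idMapping = map[string]Type{"clnstrt": Clnstrt, "cleanstart": Clnstrt, "alpine": Alpine}

// rolling marks distros with no pinned release, so VERSION_ID is ignored for them.
var rolling = map[Type]bool{Clnstrt: true}

// Distro is the detection result; Version stays empty for rolling distros.
type Distro struct{ Type Type; Version string }

// parseOSRelease reads KEY=VALUE lines, skipping comments and stripping quotes.
func parseOSRelease(content string) map[string]string {
	kv := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(content))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		if k, v, ok := strings.Cut(line, "="); ok {
			kv[k] = strings.Trim(v, `"'`)
		}
	}
	return kv
}

// Identify maps an os-release file (e.g. `ID=clnstrt`, constructed) to a Distro,
// applying the rolling override so no version is attached for CleanStart.
func Identify(osRelease string) Distro {
	kv := parseOSRelease(osRelease)
	t := idMapping[strings.ToLower(kv["ID"])] // Unknown when the ID is unmapped
	if rolling[t] {
		return Distro{Type: t} // rolling: no version to pin
	}
	return Distro{Type: t, Version: kv["VERSION_ID"]}
}
```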

@cleanstart-community-admin
Author

Hi @willmurphyscode

I’m following up on the status of PR #3294. Are there any updates or next steps for merging it, or anything needed from our side to help move it forward?

Thanks and regards
cleanstart-community-admin

@cleanstart-community-admin
Author

Hi @willmurphyscode

Just following up to check if there are any updates or anything needed from our side. Please let us know when you get a chance.

Thanks and regards,
cleanstart-community-admin

@willmurphyscode
Contributor

Hi @cleanstart-community-admin thanks for the ping!

I was expecting to see a vunnel PR but I don't see one. Vunnel is what actually pulls in your vulnerability data. Without that data, #3281 won't result in additional matching.

I'd also like some information about the product and the vulnerability feed semantics. For example, do you all publish information on vulns that are found and not yet patched, or only fixes? Is everything you publish in the same distro, or do you also publish fixes to language packages regardless of distro, e.g. fixes to Maven or PyPI packages that can be installed in any image?

For example, Ubuntu publishes CVEs that affect any of their packages, whether a fix is yet available or not. AlmaLinux publishes fixes, but we use Red Hat disclosure data to search for vulnerabilities. Can you describe CleanStart vulnerability data in these terms?

Do you have any publicly available test artifacts? A common strategy other vendors have used is to push an old build of an image that has some CVEs that are fixed by CleanStart and some that aren't to a public Docker Hub repo.

Thanks!

Signed-off-by: cleanstart-community-admin <community-admin@cleanstart.com>
@cleanstart-community-admin
Author

Hi @willmurphyscode, thanks for the detailed feedback!

Vunnel PR
We have now opened the vunnel PR here: anchore/vunnel#1191. Apologies for the delay.

Vulnerability feed semantics
CleanStart publishes advisories only for vulnerabilities that have a fix available in our package repository. We do not publish advisories for unpatched vulnerabilities. We track CVEs against our own package builds and publish an advisory only when a patched version exists in our APK repository.

All advisories are scoped to CleanStart OS packages (APK format). We do not publish advisories for language ecosystem packages (Maven, PyPI, npm, etc.) independent of distro. We are actively building out our vulnerability detection mechanism for CleanStart images and will be publishing advisories publicly on an ongoing basis.

Advisory format
Advisories are published in OSV format at github.com/cleanstart-dev/cleanstart-security-advisories and on osv.dev under the CleanStart ecosystem. Each advisory specifies the affected package, the vulnerable version range, and the fixed version.

Test artifacts
We are working on pushing a public test image to Docker Hub with packages intentionally pinned to vulnerable versions, where fixes are available in the CleanStart advisory database. We will update this PR once the image is available.

Related PRs

Thanks and let us know if you need anything else!

@cleanstart-community-admin
Author

Hi @willmurphyscode , following up with our test artifacts.

We have two public test images available that demonstrate CleanStart vulnerability scanning:

Vulnerable image (redis 7.4.5-r0 — below the fixed version):

docker pull ghcr.io/clnstrt/redis-test-old:latest

Patched image (redis 8.0.4-r0 — at the fixed version):

docker pull ghcr.io/clnstrt/redis-test-new:latest

Scanning the vulnerable image correctly identifies 34 vulnerability matches including critical CVEs with known fixes in the CleanStart advisory database. Scanning the patched image reduces the match count to 26, reflecting that advisories fixed at 8.0.4-r0 are no longer flagged while those targeting versions below 8.2.2-r0 remain.

This confirms the full pipeline is working — distro detection, advisory ingestion via vunnel, and version-based matching in grype.

Old - redis 7.4.5-r0: [screenshot of grype output]

New - 8.0.4-r0: [screenshot of grype output]

Let us know if you need anything else!
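How the match counts above follow from version-based matching against fixed versions, as an added Go example that is not part of the PR or of grype: `Advisory`, `numbers`, `compareAPK` and `Matches` are stand-ins, the advisory IDs are constructed placeholders, and only the fixed version is modelled (a real OSV range also carries an introduced version).

```go
package main
import (
	"strconv"
	"strings"
)

// Advisory stands in for one OSV record of the feed: package and first fixed version.
type Advisory struct{ ID, Package, Fixed string }
// sample is constructed for this example (placeholder IDs; fixed versions from the thread).
var sample = []Advisory{
	{"CLNSTRT-EXAMPLE-1", "redis", "8.0.4-r0"},
	{"CLNSTRT-EXAMPLE-2", "redis", "8.2.2-r0"},
	{"CLNSTRT-EXAMPLE-3", "redis", "7.4.0-r0"},
}
// numbers turns "X.Y.Z-rN" into five ints: four dotted parts, zero-padded so 7.4
// equals 7.4.0, then the -r release (0 when absent); apk's _alpha/_p rules are not modelled.
func numbers(v string) []int {
	base, rel, _ := strings.Cut(v, "-r")
	nums := make([]int, 5)
	for i, p := range strings.Split(base, ".") {
		if i < 4 {
			nums[i], _ = strconv.Atoi(p) // non-numeric part counts as 0
		}
	}
	nums[4], _ = strconv.Atoi(rel)
	return nums
}
// compareAPK returns -1, 0 or 1 as a is older than, equal to or newer than b.
func compareAPK(a, b string) int {
	ap, bp := numbers(a), numbers(b)
	for i := range ap {
		switch {
		case ap[i] < bp[i]:
			return -1
		case ap[i] > bp[i]:
			return 1
		}
	}
	return 0
}
// Matches returns IDs of advisories for pkg whose fix is newer than installed: below the fix is vulnerable.
func Matches(pkg, installed string, advisories []Advisory) []string {
	var out []string
	for _, adv := range advisories {
		if adv.Package == pkg && compareAPK(installed, adv.Fixed) < 0 {
			out = append(out, adv.ID)
		}
	}
	return out
}
```

With the constructed sample, redis 7.4.5-r0 matches the two advisories fixed at 8.0.4-r0 and 8.2.2-r0, 8.0.4-r0 matches only the latter, and 8.2.2-r0 matches none, which is the drop-off the thread describes.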
