What happened:
Grype does not correctly parse the version of Ruby gems whose version string carries an aarch64 architecture suffix. As a result it reports false positives in cases where the INSTALLED and FIXED IN versions should actually match.
Example:
NAME      INSTALLED                  FIXED IN  TYPE  VULNERABILITY        SEVERITY  EPSS  RISK
nokogiri  1.19.3-aarch64-linux-gnu   1.19.3    gem   GHSA-c4rq-3m3g-8wgx  High      N/A   N/A
nokogiri  1.19.3-aarch64-linux-musl  1.19.3    gem   GHSA-c4rq-3m3g-8wgx  High      N/A   N/A
nokogiri  1.19.3-aarch64-linux-gnu   1.19.3    gem   GHSA-v2fc-qm4h-8hqv  Medium    N/A   N/A
nokogiri  1.19.3-aarch64-linux-musl  1.19.3    gem   GHSA-v2fc-qm4h-8hqv  Medium    N/A   N/A
What you expected to happen:
Ruby gems with an aarch64 architecture suffix should be handled like the other architectures, i.e. the platform suffix is stripped and the version is parsed correctly when determining applicable vulnerabilities.
How to reproduce it (as minimally and precisely as possible):
Prepare a directory with two files.
Gemfile
# frozen_string_literal: true
source "https://rubygems.org"
# gem "rails"
gem "nokogiri", "~> 1.19"
Gemfile.lock
GEM
  remote: https://rubygems.org/
  specs:
    nokogiri (1.19.3-aarch64-linux-gnu)
      racc (~> 1.4)
    nokogiri (1.19.3-aarch64-linux-musl)
      racc (~> 1.4)
    nokogiri (1.19.3-arm-linux-gnu)
      racc (~> 1.4)
    nokogiri (1.19.3-arm-linux-musl)
      racc (~> 1.4)
    nokogiri (1.19.3-arm64-darwin)
      racc (~> 1.4)
    nokogiri (1.19.3-x86_64-darwin)
      racc (~> 1.4)
    nokogiri (1.19.3-x86_64-linux-gnu)
      racc (~> 1.4)
    nokogiri (1.19.3-x86_64-linux-musl)
      racc (~> 1.4)
    racc (1.8.1)

PLATFORMS
  aarch64-linux-gnu
  aarch64-linux-musl
  arm-linux-gnu
  arm-linux-musl
  arm64-darwin
  x86_64-darwin
  x86_64-linux-gnu
  x86_64-linux-musl

DEPENDENCIES
  nokogiri (~> 1.19)

BUNDLED WITH
   2.6.9
Run grype like:
grype -v dir:.
Anything else we need to know?:
I believe this is just because at the time of #776, aarch64 was not included in the platforms list in grype/version/gem_version.go. Simply adding it to https://github.com/anchore/grype/blob/main/grype/version/gem_version.go#L286 solves the issue.
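To make the failure mode concrete, here is a small added example (not grype's code) of how a platform-token list drives gem version parsing: a version whose suffix starts with an unknown token is left unstripped, fails to compare equal to FIXED IN, and is reported. The token list and the comparison routine are constructed for this example.

```go
package main

import (
	"strconv"
	"strings"
)

// Architecture tokens that may follow the numeric version in a Gemfile.lock
// entry; constructed for this example. The issue: grype's list lacked "aarch64".
var knownArches = []string{"x86_64", "arm64", "arm", "aarch64"}

// splitGemVersion separates the numeric version from a trailing platform
// suffix. An unrecognised suffix is left in place and leaks into comparison.
func splitGemVersion(raw string, arches []string) (version, platform string) {
	ver, plat, found := strings.Cut(raw, "-")
	for _, a := range arches {
		if found && (plat == a || strings.HasPrefix(plat, a+"-")) {
			return ver, plat
		}
	}
	return raw, ""
}

// compareDotted compares dotted numeric versions segment by segment.
func compareDotted(a, b string) int {
	as, bs := strings.Split(a, "."), strings.Split(b, ".")
	seg := func(s []string, i int) int {
		if i >= len(s) {
			return 0
		}
		n, _ := strconv.Atoi(s[i]) // "3-aarch64-linux-gnu" parses as 0
		return n
	}
	for i := 0; i < len(as) || i < len(bs); i++ {
		if x, y := seg(as, i), seg(bs, i); x != y {
			if x < y {
				return -1
			}
			return 1
		}
	}
	return 0
}

// isFixed reports whether the installed gem is at or above FIXED IN once
// the platform suffix is stripped; false means a finding would be reported.
func isFixed(installed, fixedIn string, arches []string) bool {
	v, _ := splitGemVersion(installed, arches)
	return compareDotted(v, fixedIn) >= 0
}
```

Running isFixed with a token list that omits "aarch64" reproduces the false positive for 1.19.3-aarch64-linux-gnu, while the same input with "aarch64" present is correctly treated as fixed.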
Environment:
grype version
Application: grype
Version: 0.112.0
BuildDate: 2026-05-01T18:14:09Z
GitCommit: Homebrew
GitDescription: [not provided]
Platform: darwin/arm64
GoVersion: go1.26.2
Compiler: gc
Syft Version: v1.44.0
Supported DB Schema: 6
OS (e.g. cat /etc/os-release or similar):
sw_vers
ProductName: macOS
ProductVersion: 26.4.1
BuildVersion: 25E253
Note: I've observed the same issue in Linux CIs.