
Grype ignores pedigree ancestor components #3236

@vanntile

Description

What happened:

When scanning the following minimal example SBOM, grype does not detect the single component's pedigree ancestor, and thus doesn't search for its vulnerabilities. However, when declaring it as a separate component, it does, so it's not a scanning issue.

What you expected to happen:

Pedigree ancestor components (at least) to be parsed/detected. This is important for declaring forks.

How to reproduce it (as minimally and precisely as possible):

```json
{
  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "serialNumber": "urn:uuid:58add206-0731-11f1-a9d3-703217923a24",
  "version": 1,
  "components": [
    {
      "bom-ref": "pkg:golang/gitlab.acme.com/3rdparty/cryptofork@v0.37.0",
      "type": "library",
      "name": "gitlab.acme.com/3rdparty/cryptofork",
      "version": "v0.37.0",
      "cpe": "cpe:2.3:a:3rdparty:cryptofork:v0.37.0:*:*:*:*:*:*:*",
      "purl": "pkg:golang/gitlab.acme.com/3rdparty/cryptofork@v0.37.0",
      "pedigree": {
        "ancestors": [
          {
            "bom-ref": "pkg:golang/golang.org/x/crypto@v0.37.0",
            "type": "library",
            "name": "golang.org/x/crypto",
            "version": "v0.37.0",
            "cpe": "cpe:2.3:a:golang:crypto:v0.37.0:*:*:*:*:go:*:*",
            "purl": "pkg:golang/golang.org/x/crypto@v0.37.0"
          }
        ]
      }
    }
  ]
}
```

```console
GRYPE_MATCH_GOLANG_USING_CPES=true GRYPE_PRETTY=true grype -vv --add-cpes-if-none -o table sbom:pedigree.cdx.json
...
[0000]  INFO found 0 vulnerability matches across 1 packages
[0000] DEBUG   ├── fixed: 0
[0000] DEBUG   ├── ignored: 0 (due to user-provided rule)
[0000] DEBUG   ├── dropped: 0 (due to hard-coded correction)
[0000] DEBUG   └── matched: 0
[0000] DEBUG       ├── unknown: 0
[0000] DEBUG       ├── negligible: 0
[0000] DEBUG       ├── low: 0
[0000] DEBUG       ├── medium: 0
[0000] DEBUG       ├── high: 0
[0000] DEBUG       └── critical: 0
[0000]  INFO found vulnerability matches time=3.68992ms
```
```json
{
  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "serialNumber": "urn:uuid:58add206-0731-11f1-a9d3-703217923a24",
  "version": 1,
  "components": [
    {
      "bom-ref": "pkg:golang/gitlab.acme.com/3rdparty/cryptofork@v0.37.0",
      "type": "library",
      "name": "gitlab.acme.com/3rdparty/cryptofork",
      "version": "v0.37.0",
      "cpe": "cpe:2.3:a:3rdparty:cryptofork:v0.37.0:*:*:*:*:*:*:*",
      "purl": "pkg:golang/gitlab.acme.com/3rdparty/cryptofork@v0.37.0",
      "pedigree": {
        "ancestors": [
          {
            "bom-ref": "pkg:golang/golang.org/x/crypto@v0.37.0",
            "type": "library",
            "name": "golang.org/x/crypto",
            "version": "v0.37.0",
            "cpe": "cpe:2.3:a:golang:crypto:v0.37.0:*:*:*:*:go:*:*",
            "purl": "pkg:golang/golang.org/x/crypto@v0.37.0"
          }
        ]
      }
    },
    {
      "bom-ref": "pkg:golang/golang.org/x/crypto@v0.37.0",
      "type": "library",
      "name": "golang.org/x/crypto",
      "version": "v0.37.0",
      "cpe": "cpe:2.3:a:golang:crypto:v0.37.0:*:*:*:*:go:*:*",
      "purl": "pkg:golang/golang.org/x/crypto@v0.37.0"
    }
  ]
}
```

```console
GRYPE_MATCH_GOLANG_USING_CPES=true GRYPE_PRETTY=true grype -vv --add-cpes-if-none -o table sbom:pedigree.cdx.json
...
[0000] DEBUG found 4 vulnerabilities package=pkg:golang/golang.org/x/crypto@v0.37.0
[0000]  INFO found 4 vulnerability matches across 2 packages
[0000] DEBUG   ├── fixed: 4
[0000] DEBUG   ├── ignored: 0 (due to user-provided rule)
[0000] DEBUG   ├── dropped: 0 (due to hard-coded correction)
[0000] DEBUG   └── matched: 4
[0000] DEBUG       ├── unknown: 0
[0000] DEBUG       ├── negligible: 0
[0000] DEBUG       ├── low: 0
[0000] DEBUG       ├── medium: 3
[0000] DEBUG       ├── high: 1
[0000] DEBUG       └── critical: 0
[0000]  INFO found vulnerability matches time=10.811351ms
NAME                 INSTALLED  FIXED IN  TYPE       VULNERABILITY        SEVERITY  EPSS           RISK
golang.org/x/crypto  v0.37.0    0.45.0    go-module  GHSA-j5w8-q4qc-rx2x  Medium    < 0.1% (24th)  < 0.1
golang.org/x/crypto  v0.37.0    0.43.0    go-module  CVE-2025-47913       High      < 0.1% (9th)   < 0.1
golang.org/x/crypto  v0.37.0    0.45.0    go-module  CVE-2025-47914       Medium    < 0.1% (4th)   < 0.1
golang.org/x/crypto  v0.37.0    0.45.0    go-module  GHSA-f6x5-jh6r-wrfv  Medium    < 0.1% (4th)   < 0.1
```

Anything else we need to know?:

Environment: Ubuntu 24.04

```console
❯ grype version
Application:         grype
Version:             0.108.0
BuildDate:           2026-02-10T18:34:25Z
GitCommit:           425dd9cce9ebbb695bd7ca79d7e0eb22e2b4116a
GitDescription:      v0.108.0
Platform:            linux/amd64
GoVersion:           go1.25.6
Compiler:            gc
Syft Version:        v1.42.0
Supported DB Schema: 6
```
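A pre-scan workaround while grype does not walk `pedigree`, as an added example that is not part of this issue or of grype's own code: promote every component nested under a component's pedigree (ancestors, descendants and variants, recursively) to a top-level component, de-duplicating on `bom-ref` so an ancestor that is also declared at top level, as in the second SBOM above, is not listed twice. The constructed sample input is a trimmed copy of the first SBOM; `PEDIGREE_KEYS` names the CycloneDX pedigree fields that carry component objects.

```python
import copy

# Constructed sample: the reporter's first SBOM from above, trimmed. The fork is the
# only top-level component; the upstream module sits only in pedigree.ancestors.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1,
    "components": [{
        "bom-ref": "pkg:golang/gitlab.acme.com/3rdparty/cryptofork@v0.37.0",
        "type": "library", "name": "gitlab.acme.com/3rdparty/cryptofork",
        "version": "v0.37.0",
        "purl": "pkg:golang/gitlab.acme.com/3rdparty/cryptofork@v0.37.0",
        "pedigree": {"ancestors": [{
            "bom-ref": "pkg:golang/golang.org/x/crypto@v0.37.0",
            "type": "library", "name": "golang.org/x/crypto", "version": "v0.37.0",
            "purl": "pkg:golang/golang.org/x/crypto@v0.37.0",
        }]},
    }],
}

# CycloneDX pedigree keys whose values are lists of nested component objects.
PEDIGREE_KEYS = ("ancestors", "descendants", "variants")

def component_key(c):
    """Identity used for de-duplication: bom-ref, else purl, else name@version."""
    return c.get("bom-ref") or c.get("purl") or f"{c.get('name')}@{c.get('version')}"

def iter_pedigree(component):
    """Yield every component nested under component['pedigree'], depth first."""
    pedigree = component.get("pedigree") or {}
    for key in PEDIGREE_KEYS:
        for nested in pedigree.get(key) or []:
            yield nested
            yield from iter_pedigree(nested)

def flatten_pedigree(sbom):
    """Copy the SBOM with pedigree components promoted to top level, de-duplicated
    by component_key, so the reporter's second SBOM flattens to the same result."""
    out = copy.deepcopy(sbom)
    components = out.setdefault("components", [])
    seen = {component_key(c) for c in components}
    promoted = []
    for comp in list(components):
        for nested in iter_pedigree(comp):
            if component_key(nested) not in seen:
                seen.add(component_key(nested))
                # Nested pedigree is dropped: its members are promoted by this same walk.
                promoted.append({k: v for k, v in nested.items() if k != "pedigree"})
    components.extend(promoted)
    return out
```

Serialize the returned dict with `json.dump` and scan that file with the same grype command as above; the fork keeps its own pedigree, so the provenance information is not lost.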

Labels: enhancement (New feature or request), format:cyclonedx (CycloneDX related enhancement or bug)