Add rootio provider for 🌱 Root CVE feed #3166

@chait-slim

Description

What would you like to be added:
Adds a new provider that fetches vulnerability data from Root.io's OSV feed and transforms it for use with grype-db.

Why is this needed:
Allow any consumer of Root packages or images to correctly categorize affected and unaffected packages.

Additional context:
Root Integration Proposal
Root operates as a transparent vulnerability patch provider that strongly embraces the open source philosophy. Rather than creating a proprietary ecosystem, Root functions as a supplementary provider that enhances existing open source distributions like Alpine, Debian, and Ubuntu. All of Root's patch development, testing methodologies, and vulnerability research are conducted with full transparency, and the company actively contributes back to the broader security community. This provider-first approach ensures that Root's patches complement rather than compete with official distribution maintainers, supporting the collaborative nature of open source security while providing additional coverage for time-sensitive vulnerabilities.

We are proposing a partnership that would enable Grype to optionally surface Root's vulnerability patches as a supplementary fix source alongside official distribution patches. Under this collaboration, when scanning container images or filesystems, Grype could provide visibility into Root's curated vulnerability fixes through a dedicated rootio:* namespace in the vulnerability database. This would help users discover when Root has developed patches for vulnerabilities that may not yet have official distribution fixes, offering additional remediation options within their existing security workflows. This foundational work demonstrates how Root's security patches could potentially be surfaced through Grype's scanning workflow while maintaining clear attribution and avoiding any conflicts with official distribution data, pending acceptance and refinement by the Grype maintainers.

Labels: enhancement (New feature or request)

Status: In Progress