grype pkg:golang/k8s.io/[email protected] does not show cve #2580

Open
goatwu1993 opened this issue Apr 7, 2025 · 2 comments · May be fixed by #2586
Labels
bug Something isn't working

Comments

@goatwu1993

What happened:

grype 'pkg:golang/k8s.io/[email protected]' -vvv
[0000]  INFO grype version: 0.91.0
[0000] DEBUG config:
  log:
      quiet: false
      level: trace
      file: ""
  dev:
      profile: none
  output: []
  file: ""
  pretty: false
  distro: ""
  add-cpes-if-none: false
  output-template-file: ""
  check-for-app-update: true
  only-fixed: false
  only-notfixed: false
  ignore-states: ""
  platform: ""
  search:
      scope: squashed
      unindexed-archives: false
      indexed-archives: true
  ignore: []
  exclude: []
  external-sources:
      enable: false
      maven:
          search-upstream: true
          base-url: https://search.maven.org/solrsearch/select
          rate-limit: 300ms
  match:
      java:
          using-cpes: false
      jvm:
          using-cpes: true
      dotnet:
          using-cpes: false
      golang:
          using-cpes: false
          always-use-cpe-for-stdlib: true
          allow-main-module-pseudo-version-comparison: false
      javascript:
          using-cpes: false
      python:
          using-cpes: false
      ruby:
          using-cpes: false
      rust:
          using-cpes: false
      stock:
          using-cpes: true
  fail-on-severity: ""
  registry:
      insecure-skip-tls-verify: false
      insecure-use-http: false
      auth: []
      ca-cert: ""
  show-suppressed: false
  by-cve: false
  name: ""
  default-image-pull-source: ""
  vex-documents: []
  vex-add: []
  match-upstream-kernel-headers: false
  db:
      cache-dir: /Users/peter_wu/Library/Caches/grype/db
      update-url: https://grype.anchore.io/databases
      ca-cert: ""
      auto-update: true
      validate-by-hash-on-start: true
      validate-age: true
      max-allowed-built-age: 120h0m0s
      require-update-check: false
      update-available-timeout: 30s
      update-download-timeout: 5m0s
      max-update-check-frequency: 2h0m0s
  exp: {}
  dev:
      db:
          debug: false
[0000] DEBUG gathering packages
[0000] DEBUG loading DB
[0000] TRACE interpreting input as one or more PURLs input=pkg:golang/k8s.io/[email protected]
[0000] DEBUG checking for available database updates
[0000] DEBUG no new grype application update available
[0001] DEBUG existing database is older than candidate update, using update... candidate=2025-04-06T04:08:33Z delta=96h1m20s existing=2025-04-02T04:07:13Z
[0001] DEBUG database update available: DB(version=v6.0.2 built=2025-04-06T04:08:33Z)
[0001]  INFO downloading new vulnerability DB
[0026] DEBUG obtained vulnerability DB archive url=https://grype.anchore.io/databases/v6/vulnerability-db_v6.0.2_2025-04-06T01:29:53Z_1743912513.tar.zst?checksum=sha256%3A3cd724adf89aecf63a74ceeb0d5ec8cd16e301a28731979151aad2a4d1c7fc3e
[0026] DEBUG using writable DB statements path=/Users/peter_wu/Library/Caches/grype/grype-db-download2367606303/vulnerability.db
[0026] DEBUG applying DB migrations path=/Users/peter_wu/Library/Caches/grype/grype-db-download2367606303/vulnerability.db
[0066] TRACE captured DB digest digest=xxh64:883f3c778aecec75
[0068] DEBUG moved database directory to activate error=<nil> from=/Users/peter_wu/Library/Caches/grype/grype-db-download2367606303 to=/Users/peter_wu/Library/Caches/grype/db/6
[0068]  INFO updated vulnerability DB from=2025-04-02T04:07:13Z to=2025-04-06T04:08:33Z version=v6.0.2
[0068] TRACE DB rehydration not needed clientHydrationVersion=v6.0.2 currentClientVersion=v6.0.2 currentDBVersion=v6.0.2
[0068] TRACE finding matches against DB
[0068] TRACE adding matcher: deb
[0068] TRACE adding matcher: gem
[0068] TRACE adding matcher: python
[0068] TRACE adding matcher: dotnet
[0068] TRACE adding matcher: rpm
[0068] TRACE adding matcher: java-archive
[0068] TRACE adding matcher: jenkins-plugin
[0068] TRACE adding matcher: npm
[0068] TRACE adding matcher: apk
[0068] TRACE adding matcher: go-module
[0068] TRACE adding matcher: msrc-kb
[0068] TRACE adding matcher: portage
[0068] TRACE adding matcher: rust-crate
[0068] TRACE searching for vulnerability matches package=pkg:golang/k8s.io/[email protected]
[0068] TRACE fetched affected package record distro=none duration=1.452796ms pkg=package(name=ingress-nginx, ecosystem=go-module) records=0 vulns=any
[0068] TRACE attached blob values count=0 duration=302ns
[0068] TRACE attached blob values count=0 duration=50ns
[0068] TRACE fetching all provider records
[0068] TRACE finding matches against available VEX documents
[0068]  INFO found 0 vulnerability matches across 1 packages
[0068] DEBUG   ├── fixed: 0
[0068] DEBUG   ├── ignored: 0 (due to user-provided rule)
[0068] DEBUG   ├── dropped: 0 (due to hard-coded correction)
[0068] DEBUG   └── matched: 0
[0068] DEBUG       ├── unknown: 0
[0068] DEBUG       ├── negligible: 0
[0068] DEBUG       ├── low: 0
[0068] DEBUG       ├── medium: 0
[0068] DEBUG       ├── high: 0
[0068] DEBUG       └── critical: 0
[0068] TRACE fetching all provider records
[0068] TRACE worker stopped component=eventloop
[0068] TRACE signal exit component=eventloop
No vulnerabilities found

What you expected to happen:

CVE-2025-1974 found

How to reproduce it (as minimally and precisely as possible):

grype 'pkg:golang/k8s.io/[email protected]'

Anything else we need to know?:

Environment:

  • Output of grype version:
Application:         grype
Version:             0.91.0
BuildDate:           2025-04-01T15:27:24Z
GitCommit:           Homebrew
GitDescription:      [not provided]
Platform:            darwin/amd64
GoVersion:           go1.24.1
Compiler:            gc
Syft Version:        v1.22.0
Supported DB Schema: 6
  • OS (e.g: cat /etc/os-release or similar):

    macos amd64

@goatwu1993 goatwu1993 added the bug Something isn't working label Apr 7, 2025
@spiffcs
Contributor

spiffcs commented Apr 7, 2025

Thanks @goatwu1993! It looks like we have a bug in the package construction from PURL in the search command that's not sending it to the correct query. Taking a look now and will tag a PR here when the fix is in!

@spiffcs spiffcs self-assigned this Apr 7, 2025
@spiffcs spiffcs moved this to In Progress in OSS Apr 7, 2025
@goatwu1993 goatwu1993 changed the title from "grype pkg:golang/k8s.io/ingress-nginx does not show cve" to "grype pkg:golang/k8s.io/[email protected] does not show cve" Apr 8, 2025
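The trace line in the report, `pkg=package(name=ingress-nginx, ecosystem=go-module)`, shows the lookup package carrying only the last path segment of the purl, without its `k8s.io` namespace. The thread does not say whether that is the defect the linked PR addresses, so the following is an illustration of how a purl decomposes and why a Go-module lookup keyed on the bare name misses, not a diagnosis of grype's code. It is an added example, written here and not taken from grype (which uses the packageurl-go library rather than this hand-written parser); the `affected` table is constructed, the version `v1.11.0` is an assumed stand-in because the real version is obscured on the page, and version-range evaluation is deliberately left out.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// PURL holds the components of a package-url string. The layout follows the
// purl spec: pkg:type/namespace/name@version?qualifiers#subpath
type PURL struct {
	Type      string
	Namespace string
	Name      string
	Version   string
}

// ParsePURL decomposes a purl. Hand-written stand-in for the packageurl-go
// library grype uses; it handles the fields needed here and nothing more.
func ParsePURL(s string) (PURL, error) {
	var p PURL
	if !strings.HasPrefix(s, "pkg:") {
		return p, fmt.Errorf("not a purl: %q", s)
	}
	rest := strings.TrimLeft(strings.TrimPrefix(s, "pkg:"), "/")
	// qualifiers and subpath are not needed for a vulnerability lookup
	if i := strings.IndexAny(rest, "?#"); i >= 0 {
		rest = rest[:i]
	}
	// the version is whatever follows the last '@'
	if i := strings.LastIndex(rest, "@"); i >= 0 {
		v, err := url.PathUnescape(rest[i+1:])
		if err != nil {
			return p, err
		}
		p.Version = v
		rest = rest[:i]
	}
	segs := strings.Split(rest, "/")
	if len(segs) < 2 || segs[0] == "" || segs[len(segs)-1] == "" {
		return p, fmt.Errorf("purl needs at least a type and a name: %q", s)
	}
	p.Type = strings.ToLower(segs[0])
	name, err := url.PathUnescape(segs[len(segs)-1])
	if err != nil {
		return p, err
	}
	p.Name = name
	// everything between type and name is the namespace, possibly multi-segment
	if len(segs) > 2 {
		ns := make([]string, 0, len(segs)-2)
		for _, seg := range segs[1 : len(segs)-1] {
			d, err := url.PathUnescape(seg)
			if err != nil {
				return p, err
			}
			ns = append(ns, d)
		}
		p.Namespace = strings.Join(ns, "/")
	}
	return p, nil
}

// GoModulePath rebuilds the full module path. For the golang purl type the
// spec puts the module path prefix in the namespace and only the last
// segment in the name, so Name on its own is not the module identity.
func GoModulePath(p PURL) string {
	if p.Namespace == "" {
		return p.Name
	}
	return p.Namespace + "/" + p.Name
}

// affected is a constructed stand-in for a vulnerability database keyed on
// Go module path. CVE-2025-1974 is the ID the issue expects to see; the
// table is not grype's data and version ranges are deliberately omitted.
var affected = map[string][]string{
	"k8s.io/ingress-nginx": {"CVE-2025-1974"},
}

// LookupByName queries the table with the bare purl name.
func LookupByName(p PURL) []string { return affected[p.Name] }

// LookupByModulePath queries the table with namespace and name joined.
func LookupByModulePath(p PURL) []string { return affected[GoModulePath(p)] }

func main() {
	// v1.11.0 is an assumed version; the issue's real purl version is obscured
	p, err := ParsePURL("pkg:golang/k8s.io/ingress-nginx@v1.11.0")
	if err != nil {
		panic(err)
	}
	fmt.Printf("parsed: %+v\n", p)
	fmt.Printf("by name %q: %v\n", p.Name, LookupByName(p))
	fmt.Printf("by module path %q: %v\n", GoModulePath(p), LookupByModulePath(p))
}
```

Run as-is it prints an empty result for the bare-name query and the CVE for the module-path query. When checking a grype build against this kind of report, the useful comparison is the `pkg=package(name=...)` value in the `-vvv` trace against the module path the database is keyed on; a real match also requires the version to fall inside the record's affected range, which this example does not evaluate.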
@goatwu1993
Author

@spiffcs I created a PR which seems to fix the issue.
