TekBrief

Vulnerability Scanners Produce Wildly Different Results Due to Hidden Assumptions

Executive Briefing

  • Reveals 80.5% divergence between Grype and Trivy scanning identical container images, exposing scanner unreliability
  • Explains how CPE and PURL identifier mismatches silently distort vulnerability matching across major databases like NVD and OSV
  • Warns that SBOM generator choice affects scanner output significantly, with Syft vs Trivy generating a 66% difference in findings
  • Advises security teams to audit toolchain pairings, understand CVSS score sources, and build suppression rule libraries
  • Cautions that zero findings require interpretation, not celebration, as gaps may reflect scanner or metadata limitations