vulnerability-match-labels

This repo contains labeled vulnerability-package match pairs for select container images. These labels are used as ground truth for evaluating the performance of vulnerability scanner tools (such as grype). The label data structure is governed by artifact.LabelEntry from yardstick, the tool used to create these labels.

SBOMs for images with labels are stored as artifacts within the ghcr.io/anchore/vml-sbom/* container registry for convenience.

To see this data in action, see test/quality in the grype repo.