Anaconda Team Edition 6.1.3: Easier management and curated CVEs
Aug 19, 2020 by Team Anaconda
We are pleased to announce the release of Anaconda Team Edition 6.1.3, bringing enhanced functionality to our enterprise-grade repository and packages.
We have improved Team Edition to provide governance and security for all artifacts: end users can connect to "Trusted Versions" of the latest packages and libraries from the open-source data science community, and IT managers get better tools for governing what is used.
This release makes it easier to manage access to packages and libraries in order to meet your organization's open-source software licensing requirements. Advanced filtering is a key enhancement.
We also improved the reporting of common vulnerabilities and exposures (CVEs) so that you can define a security standard and allow only the artifacts that meet it. Each identified package vulnerability carries a Common Vulnerability Scoring System (CVSS) score, a numeric rating of its severity as published in NIST's National Vulnerability Database (NVD). The full set of NVD-reported CVEs that Anaconda has not yet reviewed (the "uncurated" CVEs) is shown with the designation Reported. In addition, Anaconda curates many CVEs.
When we curate CVEs, Anaconda staff review each CVE as it relates to each package file, to weed out false positives and false negatives, and to give finer-grained insight into whether a vulnerability is a legitimate concern for your organization by assigning one of four categories: Active, Cleared, Mitigated, or Disputed.
When a package has multiple CVEs associated with it, Anaconda Team Edition displays the highest CVSS score among those that have not been Cleared (Reported, Active, Mitigated, and Disputed CVEs all count), and filtering is applied to that score. For example, if a package has a total of five associated CVEs:
- 8.1 Reported
- 7.4 Active, 4.4 Active
- 9.8 Cleared, 5.1 Cleared
The display shows 8.1 Reported and filtering applies to that score. Although there is a 9.8 CVE, filtering ignores it because it has been Cleared. If no CVE is found for a package or file, Anaconda Team Edition displays N/A.
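The selection rule above, written out as an added Python example (this is not Anaconda's code and does not use the Team Edition API). It assumes a filter is expressed as a maximum allowed CVSS score, that a package whose CVEs have all been Cleared is treated like one with no CVEs (N/A; the post only covers the no-CVE case), and uses constructed placeholder CVE labels rather than real CVE IDs.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# The four curated categories from the post, plus "Reported" for uncurated CVEs.
CURATED = {"Active", "Cleared", "Mitigated", "Disputed"}
STATUSES = CURATED | {"Reported"}


@dataclass(frozen=True)
class Cve:
    label: str      # constructed placeholder label, not a real CVE ID
    cvss: float     # CVSS base score, 0.0 to 10.0
    status: str     # "Reported" or one of the four curated categories

    def __post_init__(self) -> None:
        if self.status not in STATUSES:
            raise ValueError(f"unknown CVE status: {self.status!r}")
        if not 0.0 <= self.cvss <= 10.0:
            raise ValueError(f"CVSS score out of range: {self.cvss}")


def display_score(cves: List[Cve]) -> Optional[Tuple[float, str]]:
    """Return (score, status) of the highest-scoring CVE that is not Cleared.

    Cleared CVEs are ignored entirely; Reported, Active, Mitigated and Disputed
    all count, because the post says only "has not been cleared".
    Returns None when nothing counts (no CVEs, or all of them Cleared; the
    all-Cleared case is an assumption, the post only specifies no CVEs).
    """
    candidates = [c for c in cves if c.status != "Cleared"]
    if not candidates:
        return None
    top = max(candidates, key=lambda c: c.cvss)
    return top.cvss, top.status


def display_label(cves: List[Cve]) -> str:
    """What the package row would show: e.g. '8.1 Reported', or 'N/A'."""
    result = display_score(cves)
    return "N/A" if result is None else f"{result[0]} {result[1]}"


def passes_filter(cves: List[Cve], max_cvss: float) -> bool:
    """Apply a maximum-score filter to the displayed score only (assumption:
    the filter is a ceiling on CVSS; packages with N/A are allowed through)."""
    result = display_score(cves)
    return result is None or result[0] <= max_cvss


def filter_inventory(inventory: Dict[str, List[Cve]], max_cvss: float) -> List[str]:
    """Names of packages an admin policy of 'CVSS <= max_cvss' would allow."""
    return sorted(name for name, cves in inventory.items() if passes_filter(cves, max_cvss))


# Constructed sample inventory. EXAMPLE_PACKAGE reproduces the five CVEs from the post.
EXAMPLE_PACKAGE = [
    Cve("placeholder-1", 8.1, "Reported"),
    Cve("placeholder-2", 7.4, "Active"),
    Cve("placeholder-3", 4.4, "Active"),
    Cve("placeholder-4", 9.8, "Cleared"),
    Cve("placeholder-5", 5.1, "Cleared"),
]
INVENTORY: Dict[str, List[Cve]] = {
    "example-pkg": EXAMPLE_PACKAGE,
    "no-cves-pkg": [],
    "all-cleared-pkg": [Cve("placeholder-6", 9.1, "Cleared")],
    # Mitigated still counts toward the displayed score, since it is not Cleared.
    "mitigated-pkg": [Cve("placeholder-7", 5.1, "Mitigated"), Cve("placeholder-8", 4.0, "Active")],
}

if __name__ == "__main__":
    for name, cves in INVENTORY.items():
        print(f"{name:16s} {display_label(cves)}")
    print("allowed at CVSS <= 7.0:", filter_inventory(INVENTORY, 7.0))
```

Running the block prints `8.1 Reported` for the post's example package, `N/A` for the packages with nothing that counts, and `5.1 Mitigated` for the last one; a ceiling of 7.0 therefore blocks only `example-pkg`, and the 9.8 Cleared entry never influences the decision.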
You can find the full release notes for Anaconda Team Edition 6.1.3 here.
Learn more about CVEs here.