Secure your conda-forge packages with CVE association.
Introducing Conda-Forge CVE Association
Organizations often face a balancing act when it comes to leveraging open-source software and ensuring the security of their data science pipelines. Most security tools on the market are built for DevOps and languages such as JavaScript, and they generally don’t work well for Python.
As part of Anaconda’s commitment to continuously making open-source packages safe for commercial use, we’re excited to announce that common vulnerabilities and exposures (CVE) association for conda-forge packages is now available in limited release and will soon be generally available for customers of Anaconda’s security offerings.
As the curators and maintainers of the Anaconda repository, we are deeply familiar with the Python and R open-source ecosystem and compile all packages on our private infrastructure according to our own build-and-test standards. In addition to providing curated CVE data, we also provide tools like CVE association to help you keep vulnerable packages out of your open-source pipeline.
Coupled with the power of Anaconda’s CVE curation, conda-forge CVE association arms users with insight into the security of their conda-forge packages, empowering teams to make informed security decisions, better manage vulnerabilities within their supply chains, and ultimately gain more internal controls to minimize any security risks.
Keep reading to learn more about how Anaconda’s CVE curation and conda-forge CVE association work.
What does Anaconda’s CVE curation look like?
For packages in our repository, Anaconda manually curates National Institute for Standards and Technology (NIST) and National Vulnerability Database (NVD) CVEs. Anaconda’s dedicated curation team reviews flagged packages, verifies what software particular CVEs affect, and curates CVE statuses and scores. Anaconda’s curation empowers organizations to trust CVE scores and easily filter CVEs based on status and the Common Vulnerability Scoring System (CVSS), allowing only packages that pass internal security policies into workflows. Check out this resource on Anaconda’s CVE curation to learn more.
How does CVE association for conda-forge packages work?
You now have the ability to see which CVEs are associated with conda-forge packages that have been mirrored to your secure repository. This enables you to see CVEs that are reported to NIST, so that you can apply a policy to your conda-forge channel to filter out vulnerable packages and ensure supply chain security. With this additional insight into the security of conda-forge packages specifically, your team can remove any conda-forge packages that do not meet your organization’s standards for use.
Get Started With Anaconda and CVE Association
Anaconda’s CVE curation and association for conda-forge packages provide actionable and meaningful CVE reporting, so enterprise teams can optimize their open-source software usage and practitioners can focus on building models rather than IT administration concerns. Contact us today to learn more.
