# Common Vulnerabilities and Exposures (CVEs)

export const Comments = ({children}) => {
  return <div class="my-4 px-5 py-4 overflow-hidden rounded-2xl flex gap-3 border border-zinc-500/20 bg-zinc-50/50 dark:border-zinc-500/30 dark:bg-zinc-500/10" data-callout-type="comments">
      <div class="w-4">
        <svg width="14" height="14" viewBox="0 0 640 640" fill="currentColor" xmlns="http://www.w3.org/2000/svg" class="w-5 h-5" aria-label="Comments">
            <path d="M320 112C434.9 112 528 205.1 528 320C528 434.9 434.9 528 320 528C205.1 528 112 434.9 112 320C112 205.1 205.1 112 320 112zM320 576C461.4 576 576 461.4 576 320C576 178.6 461.4 64 320 64C178.6 64 64 178.6 64 320C64 461.4 178.6 576 320 576zM280 400C266.7 400 256 410.7 256 424C256 437.3 266.7 448 280 448L360 448C373.3 448 384 437.3 384 424C384 410.7 373.3 400 360 400L352 400L352 312C352 298.7 341.3 288 328 288L280 288C266.7 288 256 298.7 256 312C256 325.3 266.7 336 280 336L304 336L304 400L280 400zM320 256C337.7 256 352 241.7 352 224C352 206.3 337.7 192 320 192C302.3 192 288 206.3 288 224C288 241.7 302.3 256 320 256z" />
        </svg>
      </div>
      <div class="text-sm prose min-w-0 w-full">
        {children}
      </div>
    </div>;
};

<Warning>
  CVE information is only available to customers on Business or Custom plans.
</Warning>

## What are CVEs?

A CVE is a publicly disclosed security vulnerability in a specific piece of software, catalogued under an identifier of the form CVE-\<year>-\<number>. Exploiting one can let an attacker read sensitive information, such as credit card numbers or social security numbers, execute code, escalate privileges, or deny service. Because modern software is built from many layers, interdependencies, data inputs, and libraries, vulnerabilities in the components you depend on keep being discovered over time. Knowing when, how, and to what the code you use is vulnerable is what lets you mitigate the potential for harm, and Anaconda provides you with the tooling you need to keep your pipeline secure.

## Why trust Anaconda?

Anaconda regularly pulls CVE data from the National Vulnerability Database (NVD), which is maintained by the US National Institute of Standards and Technology (NIST), so that the CVE information shown in Anaconda Platform reflects the current public record. Anaconda has an extensive and well-established process for curating CVEs: assessing whether or not <Tooltip tip="Software files and information about the software, such as its name, version, and description, bundled into a file that can be installed and managed by a package manager.">packages</Tooltip> Anaconda built are affected by each CVE, determining which versions in our <Tooltip tip="Any storage location from which software or software assets, like packages, can be retrieved and installed on a local computer.">repository</Tooltip> are affected, and mitigating the vulnerability.

## Understanding CVEs

Here's what you need to know to make the right decisions regarding CVEs for your organization:

### Common Vulnerability Scoring System (CVSS)

Standards for determining the severity of a CVE have evolved over time. CVE identifiers themselves date back to 1999. The [Common Vulnerability Scoring System (CVSS)](https://www.first.org/cvss/), maintained by FIRST, turns the characteristics of a vulnerability (how it is reached, what privileges and user interaction it needs, and its impact on confidentiality, integrity, and availability) into a numeric score from 0.0 to 10.0. CVSS 1 was introduced in 2005 and CVSS 2 in 2007. CVSS 3.0 followed in 2015 (refined as CVSS 3.1 in 2019) to offer a more comprehensive scoring method that better reflects the severity of a vulnerability in the real world, and CVSS 4.0 was published in 2023. Anaconda Platform displays CVSS 2 and CVSS 3 metrics for each CVE.

### CVE scores

Software developers refer to CVE databases and scores to minimize the risk of using vulnerable components (packages and binaries) in their applications. CVSS 3 maps the numeric score to one of 5 severity ratings: None (0.0), Low (0.1 to 3.9), Medium (4.0 to 6.9), High (7.0 to 8.9), and Critical (9.0 to 10.0). CVSS 2 used only three ratings (Low, Medium, High), which is why the two scores shown for a CVE can carry different labels.

<Frame>
  <img src="https://mintcdn.com/anaconda-29683c67/6fJRxAwYs9izUc34/images/cve_score_meter.png?fit=max&auto=format&n=6fJRxAwYs9izUc34&q=85&s=629e017c171b6b97b4f8f84d87c0af38" alt="CVE score meter showing severity levels" width="2167" height="1084" data-path="images/cve_score_meter.png" />
</Frame>

### CVE statuses

CVEs are assigned a status category as a result of the Anaconda curation process. CVE status categories include:

* **Reported**: The vulnerabilities identified in this package have been reported by NIST but not reviewed by the Anaconda team.
* **Active**: The vulnerabilities identified in this package are active and potentially exploitable.
* **Cleared**: The vulnerabilities identified in this package have been analyzed and determined not to be applicable.
* **Mitigated**: The vulnerabilities identified in this package have been proactively mitigated in this build through a code patch.
* **Disputed**: The vulnerabilities' legitimacy is disputed by upstream package maintainers or other community members.

## Viewing CVEs

<Note>
  * Not all CVEs present in a package apply to every file within that package.
  * Files can be associated with multiple CVEs.
</Note>

<Tabs>
  <Tab title="Channel CVEs">
    1. From the <Icon icon="network-wired" iconType="regular" /> **Channels** page, select a channel to view its packages.
    2. Click the **CVEs** tab to view a full list of CVEs present in the channel. A summary of how many CVEs are associated with packages in the channel and the CVEs' severity levels are displayed at the top.

           <Tip>
             Select a tile at the top of the list to filter CVEs by severity level. Only one severity level filter can be applied at a time.

             ***

             Use the navigation controls at the bottom to browse CVEs associated with packages in the channel.
           </Tip>

           <Frame>
             <img src="https://mintcdn.com/anaconda-29683c67/38V1XTpdo_dUNFXe/images/ap_cve_details_channel_view.png?fit=max&auto=format&n=38V1XTpdo_dUNFXe&q=85&s=3b8e468476ad0a7e2c1378b8520ab75e" alt="CVEs affecting a channel" width="1922" height="1082" data-path="images/ap_cve_details_channel_view.png" />
           </Frame>
  </Tab>

  <Tab title="Package CVEs">
    1. From the <Icon icon="network-wired" iconType="regular" /> **Channels** page, select a channel to view its packages.
    2. Select a package from the list.
    3. Click the **CVEs** tab to view a list of CVEs associated with the package. A summary of how many CVEs are associated with the package and their severity level is displayed at the top.

           <Tip>
             Select a tile at the top of the list to filter CVEs by severity level. Only one severity level filter can be applied at a time.

             ***

             Use the navigation controls at the bottom to browse CVEs associated with the package.
           </Tip>

           <Frame>
             <img src="https://mintcdn.com/anaconda-29683c67/38V1XTpdo_dUNFXe/images/ap_cve_details_package_view.png?fit=max&auto=format&n=38V1XTpdo_dUNFXe&q=85&s=d89600bc62bab163a2bb1455851c64ad" alt="CVEs affecting a package" width="1922" height="1082" data-path="images/ap_cve_details_package_view.png" />
           </Frame>
  </Tab>

  <Tab title="File CVEs">
    1. From the <Icon icon="network-wired" iconType="regular" /> **Channels** page, select a channel to view its packages.
    2. Select a package from the list.
    3. Click the CVE score displayed beside the package file to view a list of CVEs associated with the file.

           <Tip>
             Select the tiles at the top of the list to filter CVEs by score severity and status.

             ***

             Only one filter of each type can be applied at a time.
           </Tip>

           <Note>
             The `active` CVE status filter is applied by default.
           </Note>

           <Frame>
             <img src="https://mintcdn.com/anaconda-29683c67/38V1XTpdo_dUNFXe/images/ap_cve_details_file_view.png?fit=max&auto=format&n=38V1XTpdo_dUNFXe&q=85&s=2bd479807ab8217eee9fdf3004729b80" alt="CVEs affecting a package file" width="1920" height="1080" data-path="images/ap_cve_details_file_view.png" />
           </Frame>
  </Tab>
</Tabs>

<Tip>
  Search for a CVE by entering its identifier into the **Search cves** field. If no matches are returned, the CVE is not currently associated with any package in that channel/package/file in Anaconda's CVE data.
</Tip>

## Viewing CVE information

Select a CVE from the Channel or Package **CVEs** lists to open the CVE Information panel. Here you can view a brief overview of the vulnerability with notes that were created during the Anaconda curation process, as well as its CVSS 2/CVSS 3 score metrics.

<Frame>
  <img src="https://mintcdn.com/anaconda-29683c67/38V1XTpdo_dUNFXe/images/ap_cve_info_panel.png?fit=max&auto=format&n=38V1XTpdo_dUNFXe&q=85&s=55dba083e523cc86f3c4dc7eeff5ac4b" alt="CVE information panel" width="1922" height="1082" data-path="images/ap_cve_info_panel.png" />
</Frame>

<Tip>
  Click <Icon icon="arrows-left-right-to-line" iconType="regular" /> to expand the CVE Information panel to full screen.
</Tip>

Click the **CVE Files** tab to view information for every occurrence of the CVE across all channels within the organization.

<Frame>
  <img src="https://mintcdn.com/anaconda-29683c67/38V1XTpdo_dUNFXe/images/ap_cve_files_list.png?fit=max&auto=format&n=38V1XTpdo_dUNFXe&q=85&s=6b22b573dc0f50ec841460f6befa0faa" alt="CVE files list" width="1922" height="1082" data-path="images/ap_cve_files_list.png" />
</Frame>

## Dealing with CVEs

CVEs can pose security risks to your <Tooltip tip="A self-contained, isolated space for installing and running software packages.">environments</Tooltip> and your organization. Understanding how to identify and mitigate these vulnerabilities is essential for maintaining secure systems. Packages can be associated with more than one CVE, and CVEs can be associated with multiple different packages, meaning that over time, maintaining an environment can sometimes turn into navigating a maze of dependencies, vulnerabilities, and package conflicts.

<AccordionGroup>
  <Accordion title="How can I tell if an environment is affected by a CVE?">
    You can scan your local environments for CVEs using `anaconda-audit`. For more information on obtaining `anaconda-audit`, see [Enabling environments](/anaconda-platform/cloud/user/environments#enabling-environments).

    If you are an administrator, you can instruct your members to register their environments with your organization. Once registered, all newly created environments will be logged, scanned for CVEs, and displayed in Anaconda Platform. For more information on registering environments with your organization, see [Enabling environments](/anaconda-platform/cloud/user/environments#enabling-environments).

    <Tip>
      Use `conda info --envs` to find your conda environments.
    </Tip>

    <Tabs>
      <Tab title="Scanning locally">
        Use `anaconda-audit` to scan a local environment.

        To scan an environment, open Anaconda Prompt (Terminal on macOS/Linux) and run the following command:

        ```sh theme={null}
        anaconda audit scan --name <ENV_NAME>
        ```

        <Comments>
          Replace \<ENV\_NAME> with the name of the environment you want to scan.
        </Comments>

        <Note>
          This command uses the default conda environment path prefix. If you have environments in non-default locations, you can use the `--prefix` flag to specify the path to the environment. For example:

          ```sh theme={null}
          anaconda audit scan --prefix /path/to/env/<ENV_NAME>
          ```

          <Comments>
            Replace \<ENV\_NAME> with the name of the environment you want to scan.
          </Comments>
        </Note>

        To scan an environment for a specific CVE:

        <Tabs>
          <Tab title="Windows">
            Open Anaconda Prompt and run the following command:

            ```sh theme={null}
            anaconda audit scan --prefix C:\path\to\env\<ENV_NAME> | findstr "<CVE_NAME>"
            ```

            <Comments>
              Replace \<ENV\_NAME> with the name of the environment you want to scan.
              Replace \<CVE\_NAME> with the name of the CVE you want to check for.
            </Comments>
          </Tab>

          <Tab title="macOS/Linux">
            Open a terminal and run the following command:

            ```sh theme={null}
            anaconda audit scan --prefix /path/to/env/<ENV_NAME> | grep -w <CVE_NAME>
            ```

            <Comments>
              Replace \<ENV\_NAME> with the name of the environment you want to scan.
              Replace \<CVE\_NAME> with the name of the CVE you want to check for.
              The `-w` flag matches whole words only, so a shorter CVE identifier is not also reported when it appears as a prefix of a longer one.
            </Comments>
          </Tab>
        </Tabs>

        The audit scan returns a list of environment packages, and displays the following information for each package:

        * Version number
        * Build number
        * Source channel
        * CVE curation status
        * CVSS score
        * CVE status

        At the end of the scan, a summary matrix shows the number of CVEs by severity level and status.

        <Frame>
          <img src="https://mintcdn.com/anaconda-29683c67/YGtija9HXl-k020Y/images/anaconda_audit_scan_summary.png?fit=max&auto=format&n=YGtija9HXl-k020Y&q=85&s=8ea8a8644d196185458c3289b522b2aa" alt="" width="1480" height="744" data-path="images/anaconda_audit_scan_summary.png" />
        </Frame>

        Scan results are color coded to help you identify the CVE severity, and a checkmark is displayed beside a CVE name to indicate that it has undergone Anaconda curation. CVEs that are struck through have a status of Cleared: Anaconda's curation determined that they do not apply to that package build.
      </Tab>

      <Tab title="Scanning from your organization">
        Scan an environment that has been logged with an organization to get an updated list of CVEs associated with the packages in the environment:

        1. Select <Icon icon="laptop-code" iconType="regular" /> **Environments** from the left-hand navigation.
        2. Select the environment you want to scan from the list.
        3. Click <Icon icon="arrows-rotate" iconType="regular" /> **Update Scan**.

                   <Frame>
                     <img src="https://mintcdn.com/anaconda-29683c67/_ySrlu_mSpdr74u0/images/ap_env_scan_in_cloud.png?fit=max&auto=format&n=_ySrlu_mSpdr74u0&q=85&s=b1e200efb694726c7f02049b026fb532" alt="Update scan button" width="1922" height="953" data-path="images/ap_env_scan_in_cloud.png" />
                   </Frame>
      </Tab>
    </Tabs>
  </Accordion>

  <Accordion title="What actions can I take if I find a vulnerable package?">
    If you discover a package in your environment is associated with a CVE, you can:

    * **Upgrade the package**: Update to a newer version that has fixed the vulnerability.
    * **Downgrade the package**: If a previous version exists without the vulnerability, you can choose to downgrade. This may come with a loss of functionality, however. *Exercise caution when downgrading packages.*
    * **Remove the package**: If the package is not critical to your workflow, you can remove it.
    * **Contact your administrator**: If you're unsure about the best course of action, consult your organization's administrator.

    Administrators can also enforce security standards by [blocking environments](/anaconda-platform/cloud/admin/environments#blocking-environments) that contain critical vulnerabilities from use.
  </Accordion>

  <Accordion title="Upgrading my package created a dependency conflict!">
    Package dependency conflicts can occur when upgrading or downgrading a package to mitigate a vulnerability. For help managing dependency conflicts, see [Managing solver errors](/getting-started/working-with-conda/packages/solver-errors).
  </Accordion>
</AccordionGroup>
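To turn the local `anaconda audit scan` procedure above into a check that covers every conda environment on a machine and fails a CI job when a given CVE is mentioned, here is an added example in Python (not part of `anaconda-audit` or of this documentation). It assumes that `anaconda audit scan --prefix` prints CVE identifiers in its output, as the `grep`/`findstr` commands above rely on, and uses `conda env list --json` (an existing conda option) to enumerate environments; the sample scan output and the script name are constructed.

```python
"""Gate on one CVE across every local conda environment with anaconda-audit.

Added example, not anaconda-audit code. It wraps the page's
`anaconda audit scan --prefix <env>` command and assumes only that the scan
prints CVE identifiers in its per-package output.
"""
import json
import re
import subprocess
import sys

# Scan output is colour coded, so SGR escape sequences are removed first in
# case a code lands inside an identifier when the output is piped.
ANSI_RE = re.compile(r"\x1b\[[0-9;]*m")
# A CVE identifier is CVE-<four-digit year>-<four or more digits>. The \b
# anchors stop a short identifier from matching inside a longer one, which a
# plain `grep` without -w would do.
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)

# Constructed sample of what a scan might print; not real anaconda-audit output.
SAMPLE_OUTPUT = (
    "examplepkg 1.2.3 py311_0 defaults \x1b[31mCVE-2024-11111\x1b[0m 9.8 active\n"
    "otherpkg 4.5.6 py311_0 defaults \x1b[9mcve-2024-22222\x1b[0m 5.4 cleared\n"
)


def find_cves(scan_output: str) -> set:
    """Every CVE identifier mentioned in the scan output, upper-cased."""
    clean = ANSI_RE.sub("", scan_output)
    return {m.group(0).upper() for m in CVE_RE.finditer(clean)}


def mentions_cve(scan_output: str, cve_id: str) -> bool:
    """True if cve_id occurs as a whole identifier, case-insensitively."""
    return cve_id.strip().upper() in find_cves(scan_output)


def conda_env_prefixes() -> list:
    """Prefixes of all local environments, via `conda env list --json`."""
    out = subprocess.run(["conda", "env", "list", "--json"],
                         check=True, capture_output=True, text=True).stdout
    return json.loads(out)["envs"]


def audit_scan(prefix: str) -> str:
    """Run the scan the page describes for one environment and return its text."""
    proc = subprocess.run(["anaconda", "audit", "scan", "--prefix", prefix],
                          capture_output=True, text=True)
    return proc.stdout + proc.stderr


def environments_mentioning(cve_id: str) -> list:
    """Prefixes of every environment whose scan output mentions cve_id."""
    return [p for p in conda_env_prefixes() if mentions_cve(audit_scan(p), cve_id)]


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_envs_for_cve.py CVE-YYYY-NNNN")  # hypothetical script name
    target = sys.argv[1]
    hits = environments_mentioning(target)
    for prefix in hits:
        print(f"{target} mentioned in {prefix}")
    # Non-zero exit fails a CI job. A hit is a prompt to look, not a verdict:
    # Cleared CVEs are printed too (struck through), so check the status column.
    sys.exit(1 if hits else 0)
```

Because the scan lists Cleared and Active CVEs alike, a match from this script means the environment contains a package build the CVE is recorded against; confirm the status in the scan output or in the CVE Information panel before treating it as exploitable.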
