CVEs are weaknesses in software that can be exploited to access sensitive information, such as credit card numbers or social security numbers. Because modern software is complex with its many layers, interdependencies, data inputs, and libraries, vulnerabilities tend to emerge over time. Knowing when and how the code you use is vulnerable to attacks is a powerful tool in allowing you to mitigate the potential for harm, and Package Security Manager provides you with everything you need to keep your pipeline secure.

Why trust Anaconda?

Anaconda regularly pulls its CVE databases from the National Vulnerability Database (NVD) and the US National Institute of Standards and Technology (NIST) to minimize the risk of vulnerable software in our applications and web pages. Anaconda has an extensive and well-established process for curating CVEs, assessing whether or not packages Anaconda built are affected by any CVEs, determining which versions in our repository are affected, and mitigating the vulnerability.

Understanding CVEs

Here’s what you need to know to make the right decisions regarding CVEs for your organization:

Common Vulnerability Scoring System (CVSS)

Standards for determining the severity of a CVE have evolved over time. The Common Vulnerability Scoring System (CVSS) is a mathematical method dating back to 1999 that grades the characteristics of a vulnerability. CVSS 2 was developed and launched in 2007. It was later updated to CVSS 3 in 2015 to offer a more comprehensive scoring method that accurately reflects the severity of vulnerability in the real world.

CVE scores

Software developers refer to CVE databases and scores to minimize the risk of using vulnerable components (packages and binaries) in their applications or web pages. CVE scores and ratings fall into one of 5 categories:

CVE curation

Each CVE undergoes a rigorous curation process that evaluates its impact on packages in our repository and assigns it an appropriate status. A checkmark next to a CVE score indicates that the CVE has undergone curation.
Because packages can be affected by multiple CVEs, a single curated CVE does not guarantee a package is fully secure. If multiple CVEs exist for a package, ensure that each CVE is either cleared, mitigated, or otherwise determined to be non-impactful.

CVE statuses

CVEs are assigned a status category as a result of the Anaconda curation process. CVE status categories include:
  • Reported: The vulnerabilities identified in this package have been reported by NIST but not reviewed by the Anaconda team.
  • Active: The vulnerabilities identified in this package are active and potentially exploitable.
  • Cleared: The vulnerabilities identified in this package have been analyzed and determined not to be applicable.
  • Mitigated: The vulnerabilities identified in this package have been proactively mitigated in this build through a code patch.
  • Disputed: The vulnerabilities’ legitimacy is disputed by upstream project maintainers or other community members.
To view this information in Package Security Manager, click the information icon beside CVE Status in the channel or package views.

CVE implementation

CVEs have a dedicated channel in Package Security Manager. This channel pulls from the repo.anaconda.cloud repository, which is updated every four hours. Activating your license automatically creates a mirror of this channel that runs hourly to synchronize between the channel repository and the local database.
Air-gapped networks receive up-to-date CVEs and packages during the initial installation of Package Security Manager, and can update at regular intervals as desired. CVEs are updated daily for air-gapped users, and packages are updated monthly. See Updating CVEs and packages on an air-gapped network.

Viewing CVEs by channel

CVE views are only available to users whose role provides Read permissions for the CVE category.
To view all CVEs associated with a channel, open the channel’s page and select the CVEs tab. The number shown in the CVEs tab is the total number of CVEs associated with the packages contained in the channel. CVEs are listed alphanumerically by name and show how many packages in the channel are affected by each CVE.

Filtering channel CVEs

To apply filters to your channel’s CVEs tab, open the Filter CVE dropdown menu and enter parameters to filter CVEs, then click Filter CVEs at the bottom of the menu.
Applied filters persist once entered, and appear as buttons above the filtered list. You can remove filters one at a time, or select clear all to remove all filters.

Downloading CVE reports

To create and export a list of CVEs associated with a channel, open the channels page and select the CVE tab, then click CVE Report. This creates a .csv file containing details about the CVEs associated with the channel. If you have applied filters to the channel, the report will contain filtered results.
Once a report has been initiated, it must complete before another report can be generated.

Viewing CVEs by package

All packages have a CVE column to indicate how many CVEs are associated with them. Open a channel and select a package to view details regarding its associated CVEs.
Under the Files tab, you can see the affected versions of the package, which platform it applies to, the CVSS and CVE scores, CVE status, the number of associated CVEs for each package listed, mirror state, and date uploaded. You can also select the information icon to view CVE metadata.
The CVSS score column shows the highest score of the associated active and reported CVEs. If no active or reported CVEs are found, the highest score for cleared, disputed, or mitigated CVEs are displayed.

Viewing CVE details

Click on a CVE from any page to view detailed information about the CVE and its dangers. You can view its CVSS information, which includes exploitability and impact metrics, along with the publication date by NVD and the curation date by Anaconda (if applicable), or you can select the CVE Metadata tab to view Anaconda’s review of the CVE. The review contains references used to support the review and curate the CVE.

Searching for CVEs

You can search for CVEs using the search box at the top of the page. Open the filter dropdown menu, select CVEs, and then enter the name of the CVE you’re looking for in the search box.

Listing the latest CVEs

The latest CVEs are always listed on the dashboard. To view a complete list of CVEs, click Show all… at the bottom of the CVE column. From this view, CVEs are sorted by their Anaconda Curated date, followed by published CVEs that still require curation.

CVE notifications

Hundreds of new CVEs are received by NVD daily. Because of this, our CVE mirror runs every four hours to keep itself, and you, up to date. CVE notifications provide administrators with alerts and updates regarding newly emerged CVEs or updated CVE scores that affect packages within a channel in Package Security Manager. Notifications are triggered based on a configurable CVE Score threshold. You can receive channel notifications for the following CVE events:
  • CVE score increase (based on set CVE Score)
  • CVE score decrease (based on set CVE Score)
  • CVE status change (active, cleared, mitigated)
For example, if you enable notifications for CVE score increase and decrease, and set a CVE Score of 7.0, you will receive notifications whenever a package score increases to 7.0 or higher, or if a package score is reduced to 6.9 or lower. You will also receive notifications if a package score that already exceeds your threshold increases further. For example, you will receive a notification if a package score of 7.1 increases to 7.8. To view a channel’s CVE notifications: From the channel details page, select the CVE Notifications tab. Expand a notification to view the full details of the CVE changes.
Use the date filter to narrow your timeline to locate a specific change in your channel.
The maximum range for the date filter is one year.

Managing CVEs using the CLI

For information on managing your CVEs using the CLI, see Package Security Manager CLI.

Managing CVEs using the API

You can also use the API to list and view details about CVEs. Access the API interface by opening a browser and navigating to http(s)://<FQDN>/swagger/ui, replacing <FQDN> with your Package Security Manager fully qualified domain name. ​​The following is a list of available endpoints you can use to list and view CVEs in Package Security Manager:

Listing CVEs

GET /api/cves

Viewing CVE details

GET /api/cves/<CVE_ID>

Updating CVEs and packages on an air-gapped network

Anaconda provides .zip files through Amazon Web Services (AWS) Simple Storage Service (S3) buckets. You can download the files you need on a allowlisted workstation with access to the internet, then move the files to the air-gapped network. Your public IP address is initially allowlisted during installation of Package Security Manager. If you need to allowlist a new IP address, contact Anaconda technical support.
  1. Download the package and CVE files you want to update.
  2. Move the downloaded package and CVE files to their correct location within your file system.
The next time your mirror runs, your network will synchronize. You can start a mirror at any time if you want to synchronize immediately.