This is the multi-page printable view of this section. Click here to print.

Return to the regular view of this page.

Feeds

Introduction

In this section, you’ll learn about the requirements for installing Anchore Enterprise Feeds and configuring its components. You can read more about how Feeds works in the feature overview.

Requirements

Network Ingress

Anchore Enterprise Feeds exposes a RESTful API by default on port 8228 however this port can be remapped.

The policy engine service(s) in your Anchore deployment will use this endpoint and API to get the latest updates aggregated into Anchore-specific formats.

Network Egress

Anchore Enterprise Feeds requires access to the upstream data feeds from supported Linux distributions and package registries. See Feeds Endpoints for the full list of the endpoints.

Database

Ruby Gems project publishes package data as a PostgreSQL dump. Enabling the gem driver in Anchore Enterprise Feeds will increase the load on the PostgreSQL database used by the service. We recommend using a different PostgreSQL instance for the gem driver to avoid load spikes and interruptions to the service. The database endpoint for the gem driver can be configured using services.feeds.drivers.gem.db_connect parameter in config.yaml

Vulnerability Provider Configuration

Some of the vulnerability data providers will require additional configuration steps, like retrieving an API or token key from a provider.

GitHub Provider

The GitHub provider requires generation of a Personal Access Token (PAT) which is associated with a GitHub Account. To generate this token, the user will be required to log in to GitHub and use the following url: https://github.com/settings/tokens/new

There are no special permissions needed for the token, so there is no need to select any scopes. A note may be added as a reminder for what the token is being used. At the bottom of the tokens page, click the Generate token button which will show a new page displaying the generated token. Make sure you copy that token and use it to configure the GitHub provider, the token will only be seen once in the GitHub interface.

Use the new token in config.yaml in the feeds section: for all components of the deployment:

  feeds:
      ...
      github:
        enabled: true
        token: "****************************************"

It is also possible to set the token with the following environment variable: ANCHORE_ENTERPRISE_FEEDS_GITHUB_DRIVER_TOKEN. Note that this is only valid when using the config.yaml provided in the image due to that file referencing them explicitly as replacement values.

Microsoft Security Response Center (MSRC) Provider

The MSRC provider is not enabled by default so must be explicitly enabled in order to execute. This provider is required in order for Anchore to get data about vulnerabilities and fixes for Microsoft Windows and its associated KBs (patches).

  • For quickstart and deployments using docker-compose.yaml, find the feeds service definition and uncomment or add the following environment variables:

    services:
      ...
      feeds:
      ...
        environment:
        ...
        - ANCHORE_ENTERPRISE_FEEDS_MSRC_DRIVER_ENABLED=true
    
  • For deployments using config.yaml, update the feeds configuration section:

    services:
      ...
      feeds:
      ...
        drivers:
          msrc:
            enabled: true
    

Anchore Vulnerability Match Exclusion Provider

The Anchore Vulnerability Match Exclusion provider is available to users that meet specific license requirements. Please contact Anchore Support for details.

  • For quickstart and deployments using docker-compose.yaml, find the feeds service definition and uncomment or add the following environment variables:

    services:
      ...
      feeds:
      ...
        environment:
        ...
        - ANCHORE_ENTERPRISE_FEEDS_VULN_MATCH_EXCLUSION_DRIVER_ENABLED=true
    
  • For deployments using config.yaml, update the feeds configuration section:

    services:
      ...
      feeds:
      ...
        drivers:
          anchore_match_exclusion:
            enabled: true
    

Ubuntu Provider

The Ubuntu https endpoint is heavily throttled and can be seen as unreliable.
A configuration option is provided to switch the Ubuntu provider’s access to the git protocol endpoint instead.
This endpoint has improved reliability but is not validated or encrypted and uses a different port than https. Please contact Anchore Support for additional details.

NVD Provider

The NVD provider uses the v2 NVD API and it is recommended passing an API key to avoid more aggressive throttling.
Request an API key via https://nvd.nist.gov/developers/request-an-api-key.

Use the new api key in config.yaml in the feeds section: for all components of the deployment:

  feeds:
      ...
      nvd:
        enabled: true
        api_key: "****************************************"

It is also possible to set the token with the following environment variable: ANCHORE_ENTERPRISE_FEEDS_NVD_PROVIDER_API_KEY. Note that this is only valid when using the config.yaml provided in the image due to that file referencing them explicitly as replacement values.

1 - Migrating Data Between On-Premises Anchore Enterprise Feeds Installations

The On-Premises Anchore Enterprise Feeds has two high level functions:

  • Gather vulnerability data from external sources, normalize and persist the data
  • Serve persisted normalized vulnerability data from via an API

These two high level functions are decoupled and can be executed independently of each other. This design allows the service to operate in a Read-Only mode and service API requests with the vulnerability data in the service’s database. It is used for running Anchore Enterprise in Air-Gapped mode

Warning: The following process deletes the database of the Read-Only installation. Ensure the database is not used by other services such as Anchore Engine

Start with the public network

  1. Install Anchore Enterprise Feeds in a public network with access to internet, see network requirements
  2. Start the service and use the tasks API to query the status of the FeedSyncTask that should have started
  3. Wait for the FeedSyncTask to complete and populate the database
  4. Stop the service
  5. Create a database dump using pg_dump tool pg_dump -h <public-network-db-hostname> -p 5432 -U postgres -Fc -v -f anchore-enterprise-feeds.dump postgres
  6. Copy it to a location where it can be restored from in the following steps

Next, switch to the private network where Anchore Engine is installed

  1. Install Anchore Enterprise Feeds in the private network alongside Anchore Engine, don’t start the service.

  2. Configure Read-Only mode by setting api_only: True property in the config.yaml

feeds:
  ...
  api_only: True
  ...
  1. Restore the database from the anchore-enterprise-feeds.dump file created in the previous section

pg_restore -h <private-network-db-hostname> -p 5432 -U postgres -C -d postgres anchore-enterprise-feeds.dump

  1. Start the service

Note: PostgreSQL version must be the same across both databases for the pg_dump and pg_restore utility to work correctly