Feeds

Introduction

In this section, you’ll learn about the requirements for installing Anchore Enterprise Feeds and configuring its components. You can read more about how Feeds works in the feature overview.

Requirements

Network Ingress

Anchore Enterprise Feeds exposes a RESTful API by default on port 8228 however this port can be remapped.

The policy engine service(s) in your Anchore deployment will use this endpoint and API to get the latest updates aggregated into Anchore-specific formats.

Network Egress

Anchore Enterprise Feeds requires access to the upstream data feeds from supported Linux distributions and package registries. See Feeds Endpoints for the full list of the endpoints.

Database

Note

Important Note: The Feed service DB must be version PostgreSQL 13 or newer for 5.0.

See 5.0 Preparation Guide for details.

Ruby Gems project publishes package data as a PostgreSQL dump. Enabling the gem driver in Anchore Enterprise Feeds will increase the load on the PostgreSQL database used by the service. We recommend using a different PostgreSQL instance for the gem driver to avoid load spikes and interruptions to the service. The database endpoint for the gem driver can be configured using services.feeds.drivers.gem.db_connect parameter in config.yaml

Vulnerability Provider Configuration

Some of the vulnerability data providers will require additional configuration steps, like retrieving an API or token key from a provider.

GitHub Provider

The GitHub provider requires generation of a Personal Access Token (PAT) which is associated with a GitHub Account. To generate this token, the user will be required to log in to GitHub and use the following url: https://github.com/settings/tokens/new

There are no special permissions needed for the token, so there is no need to select any scopes. A note may be added as a reminder for what the token is being used. At the bottom of the tokens page, click the Generate token button which will show a new page displaying the generated token. Make sure you copy that token and use it to configure the GitHub provider, the token will only be seen once in the GitHub interface.

Use the new token in config.yaml in the feeds section: for all components of the deployment:

  feeds:
      ...
      github:
        enabled: true
        token: "****************************************"

It is also possible to set the token with the following environment variable: ANCHORE_ENTERPRISE_FEEDS_GITHUB_DRIVER_TOKEN. Note that this is only valid when using the config.yaml provided in the image due to that file referencing them explicitly as replacement values.

Microsoft Security Response Center (MSRC) Provider

The MSRC provider is not enabled by default so must be explicitly enabled in order to execute. This provider is required in order for Anchore to get data about vulnerabilities and fixes for Microsoft Windows and its associated KBs (patches).

For quickstart and deployments using docker-compose.yaml, find the feeds service definition and uncomment or add the following environment variables:
```
services:
  ...
  feeds:
  ...
    environment:
    ...
    - ANCHORE_ENTERPRISE_FEEDS_MSRC_DRIVER_ENABLED=true
```

For deployments using config.yaml, update the feeds configuration section:

services:
  ...
  feeds:
  ...
    drivers:
      msrc:
        enabled: true

Anchore Vulnerability Match Exclusion Provider

The Anchore Vulnerability Match Exclusion provider is available to users that meet specific license requirements. Please contact Anchore Support for details.

For quickstart and deployments using docker-compose.yaml, find the feeds service definition and uncomment or add the following environment variables:

services:
  ...
  feeds:
  ...
    environment:
    ...
    - ANCHORE_ENTERPRISE_FEEDS_VULN_MATCH_EXCLUSION_DRIVER_ENABLED=true

For deployments using config.yaml, update the feeds configuration section:

services:
  ...
  feeds:
  ...
    drivers:
      anchore_match_exclusion:
        enabled: true

Ubuntu Provider

The Ubuntu https endpoint is heavily throttled and can be seen as unreliable.
A configuration option is provided to switch the Ubuntu provider’s access to the git protocol endpoint instead.
This endpoint has improved reliability but is not validated or encrypted and uses a different port than https. Please contact Anchore Support for additional details.

NVD Provider

The NVD provider uses the v2 NVD API and it is recommended passing an API key to avoid more aggressive throttling.
Request an API key via https://nvd.nist.gov/developers/request-an-api-key.

Use the new api key in config.yaml in the feeds section: for all components of the deployment:

  feeds:
      ...
      nvd:
        enabled: true
        api_key: "****************************************"

It is also possible to set the token with the following environment variable: ANCHORE_ENTERPRISE_FEEDS_NVD_PROVIDER_API_KEY. Note that this is only valid when using the config.yaml provided in the image due to that file referencing them explicitly as replacement values.

Last modified October 27, 2023