Feeds
Introduction
In this section, you’ll learn about the requirements for installing Anchore Enterprise Feeds and configuring its components. You can read more about how Feeds works in the feature overview.
Requirements
Network Ingress
Anchore Enterprise Feeds exposes a RESTful API, by default on port 8228; this port can be remapped.
The policy engine service(s) in your Anchore deployment will use this endpoint and API to get the latest updates aggregated into Anchore-specific formats.
Network Egress
Anchore Enterprise Feeds requires access to the upstream data feeds from supported Linux distributions and package registries. See Feeds Endpoints for the full list of the endpoints.
Database
Note: The Feed service DB must be PostgreSQL 13 or newer for 5.0. See the 5.0 Migration Guide for details.
The RubyGems project publishes its package data as a PostgreSQL dump. Enabling the gem driver in Anchore Enterprise Feeds will therefore increase the load on the PostgreSQL database used by the service. We recommend using a separate PostgreSQL instance for the gem driver to avoid load spikes and interruptions to the service. The database endpoint for the gem driver is configured with the services.feeds.drivers.gem.db_connect parameter in config.yaml.
Vulnerability Provider Configuration
Some of the vulnerability data providers require additional configuration steps, such as retrieving an API key or token from the provider.
GitHub Provider
The GitHub provider requires a Personal Access Token (PAT) associated with a GitHub account. To generate this token, log in to GitHub and open the following URL: https://github.com/settings/tokens/new
No special permissions are needed for the token, so there is no need to select any scopes. A note may be added as a reminder of what the token is used for. At the bottom of the tokens page, click the Generate token button; a new page displays the generated token. Copy that token and use it to configure the GitHub provider: the token is shown only once in the GitHub interface.
Use the new token in config.yaml in the feeds section, for all components of the deployment:
feeds:
  ...
  github:
    enabled: true
    token: "****************************************"
It is also possible to set the token with the following environment variable: ANCHORE_ENTERPRISE_FEEDS_GITHUB_DRIVER_TOKEN. Note that this is only valid when using the config.yaml provided in the image, because that file explicitly references the environment variables as replacement values.
Microsoft Security Response Center (MSRC) Provider
The MSRC provider is not enabled by default, so it must be explicitly enabled in order to run. This provider is required for Anchore to get data about vulnerabilities and fixes for Microsoft Windows and its associated KBs (patches).
For quickstart and deployments using docker-compose.yaml, find the feeds service definition and uncomment or add the following environment variable:
services:
  ...
  feeds:
    ...
    environment:
      ...
      - ANCHORE_ENTERPRISE_FEEDS_MSRC_DRIVER_ENABLED=true
For deployments using config.yaml, update the feeds configuration section:
services:
  ...
  feeds:
    ...
    drivers:
      msrc:
        enabled: true
Anchore Vulnerability Match Exclusion Provider
The Anchore Vulnerability Match Exclusion provider is available to users that meet specific license requirements. Please contact Anchore Support for details.
For quickstart and deployments using docker-compose.yaml, find the feeds service definition and uncomment or add the following environment variable:
services:
  ...
  feeds:
    ...
    environment:
      ...
      - ANCHORE_ENTERPRISE_FEEDS_VULN_MATCH_EXCLUSION_DRIVER_ENABLED=true
For deployments using config.yaml, update the feeds configuration section:
services:
  ...
  feeds:
    ...
    drivers:
      anchore_match_exclusion:
        enabled: true
Ubuntu Provider
The Ubuntu https endpoint is heavily throttled and can be unreliable. A configuration option is provided to switch the Ubuntu provider to the git protocol endpoint instead. This endpoint has better reliability, but it is neither validated nor encrypted and uses a different port than https. Please contact Anchore Support for additional details.
NVD Provider
There are now three configuration options for the NVD Provider.
NVD Direct Mode
The NVD provider uses the v2 NVD API.
It is recommended to pass an API key to avoid the aggressive throttling applied by NVD. Request an API key via https://nvd.nist.gov/developers/request-an-api-key.
Use the new API key in config.yaml in the feeds section, for all components of the deployment:
services:
  feeds:
    drivers:
      nvdv2:
        enabled: true
        api_key: "****************************************"
It is also possible to set the API key with the following environment variable: ANCHORE_NVD_API_KEY. Note that this is only valid when using the config.yaml provided in the image, because that file explicitly references the environment variables as replacement values.
NVD Direct Mode with Anchore Enrichment
With this option, Anchore provides additional CPE data on top of what NVD provides. This data is maintained in a GitHub repository, so your deployment needs access to GitHub for this configuration.
services:
  feeds:
    drivers:
      nvdv2:
        enabled: true
        api_key: "****************************************"
        overrides:
          enabled: true
NVD Proxy Mode with Anchore Enrichment
With this option, Anchore produces the resulting workspace of the NVD Direct Mode with Anchore Enrichment and publishes it at https://enterprise.vunnel.feed.anchore.io. This allows users to consume the NVD Direct Mode with Anchore Enrichment data without needing access to GitHub.
services:
  feeds:
    drivers:
      nvdv2:
        enabled: true
        import_results:
          enabled: true
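The GitHub, MSRC and NVD sections above each describe a setting that silently degrades the feed if left unset (no PAT, no API key, MSRC disabled, GitHub egress needed for enrichment). The following added example, not part of the Anchore documentation or product, is a pre-deployment check over the services.feeds.drivers subtree that mirrors the config.yaml-then-environment-variable fallback documented on this page. It assumes all drivers sit under drivers (the GitHub fragment above omits that level), treats an all-asterisk value as the docs' masked placeholder rather than a real secret, and uses a constructed sample config.

```python
import os
import re

# Constructed sample of the services.feeds.drivers subtree, as yaml.safe_load
# would return it; the keys mirror the config.yaml fragments on this page.
SAMPLE_DRIVERS = {
    "github": {"enabled": True, "token": "****************************************"},
    "nvdv2": {"enabled": True, "api_key": None, "overrides": {"enabled": True}},
    "msrc": {"enabled": False},
}

# Environment variables this page documents as alternatives to the config values.
ENV_FALLBACK = {
    ("github", "token"): "ANCHORE_ENTERPRISE_FEEDS_GITHUB_DRIVER_TOKEN",
    ("nvdv2", "api_key"): "ANCHORE_NVD_API_KEY",
}

# Assumption: a value made only of asterisks is the masked docs placeholder.
PLACEHOLDER = re.compile(r"^\*+$")


def resolve_secret(drivers, driver, key, env):
    """Effective secret: config.yaml value, else the documented env var, else None."""
    value = drivers.get(driver, {}).get(key)
    if value is None or PLACEHOLDER.match(str(value)):
        value = env.get(ENV_FALLBACK[(driver, key)])
    return value or None


def lint_feeds_drivers(drivers, env=None):
    """Return 'LEVEL driver: message' findings for a drivers subtree."""
    env = dict(os.environ) if env is None else env
    findings = []
    github = drivers.get("github", {})
    if github.get("enabled") and not resolve_secret(drivers, "github", "token", env):
        findings.append("ERROR github: enabled but no PAT in token or "
                        "ANCHORE_ENTERPRISE_FEEDS_GITHUB_DRIVER_TOKEN")
    nvd = drivers.get("nvdv2", {})
    if nvd.get("enabled") and not resolve_secret(drivers, "nvdv2", "api_key", env):
        findings.append("WARN nvdv2: no api_key or ANCHORE_NVD_API_KEY; "
                        "expect aggressive NVD throttling")
    if (nvd.get("enabled") and nvd.get("overrides", {}).get("enabled")
            and not nvd.get("import_results", {}).get("enabled")):
        findings.append("INFO nvdv2: overrides enabled; deployment needs egress to GitHub")
    if not drivers.get("msrc", {}).get("enabled"):
        findings.append("INFO msrc: disabled; no Windows/KB vulnerability data is collected")
    return findings


if __name__ == "__main__":
    for line in lint_feeds_drivers(SAMPLE_DRIVERS, env={}):
        print(line)
```

Running it against the sample with an empty environment reports the masked GitHub token as missing and the absent NVD key as a throttling risk; exporting the two documented variables clears both, leaving only the informational findings.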
Vulnerability Annotation Provider Configuration
KEV List
The KEV List support in the v5.8.0 release is enabled by default in the Feeds Helm Chart. If you do not wish to use the KEV List, you can disable it in two steps:
1. In the Enterprise extraEnvs, set ANCHORE_FEEDS_DRIVER_VULN_ANNOTATIONS_ENABLED: "false"
2. In the Feeds extraEnvs, set ANCHORE_FEEDS_DRIVER_KEV_ENABLED: "false"