Anchore Enterprise Feeds
Attention
The Feed Service will reach End-Of-Life in the upcoming v5.9.0 release. v5.9.0 will be the last release to support running the feed service on-premises. Starting in v5.10.0, a new service will import feed data directly from Anchore every six (6) hours. It will also provide enhanced support for air-gapped deployments. This will reduce operational burden and allow for faster response to changes in upstream data providers. More information about this migration will be provided leading up to the release of v5.10.0.
Overview
Anchore Enterprise Feeds is an On-Premises service that supplies operating system and application eco-system vulnerability data for consumption by the Anchore Policy Engine. The Policy Engine uses this data for finding vulnerabilities and evaluating policies.
The Anchore Feed Service collects vulnerability and package data from the upstream sources and normalizes this data to be published as a Grype Database or “feeds” that your Anchore Enterprise deployment can then subscribe to. Anchore also maintains a public index of Grype databases built and published daily at https://toolbox-data.anchore.io/grype/databases/listing.json for use by all. However, this public database does not include all Anchore Enterprise sources. The Anchore Enterprise feed capability offers the following benefits over the publicly available pre-built grype databases:
- Access to Enterprise-only vulnerability data, such as MSRC and the Anchore Exclusions Feed.
- Provides a configuration option for running Anchore Enterprise in an Air-Gapped mode (see Air Gapped Configuration for more information).
- Granular control and configuration over feed data, made possible by the On-Premises installation: configure how often data from external sources is synced, and enable/disable the individual data providers responsible for processing normalized data.
- Access to an Anchore-curated dataset for suppressing known false positive vulnerability matches.
Design
Anchore Enterprise Feeds have three high-level components:
- Drivers – Communicate with upstream sources, fetch data, and normalize it for Anchore.
- Database – Stores the current state of the normalized data for use by Anchore.
- API – Serves the data to clients, supporting update-only fetches.
Drivers
A driver downloads raw data from an external source and normalizes it. Each driver outputs normalized data for one of the four feed types: (os) vulnerabilities, packages, nvd, or third-party feeds.
- Drivers responsible for operating system package vulnerabilities gather raw data from the respective os resources listed below.
- The nvdv2 driver processes CVEs from the NIST database and supplies normalized data that is used for matching non-os packages such as Java, Python, NPM, GEM, and NuGet.
All drivers are enabled by default. The service has configuration toggles to enable/disable each driver individually and to tune driver-specific settings.
Vulnerability Drivers
Vulnerability drivers have the ability to run in two modes:
- Direct Mode - where the drivers will directly contact the external data source (see table below for network access points that will be needed).
- Proxy Mode - where the drivers import results produced by Feed Drivers managed by Anchore.
- In this mode, the only network access that is needed is to https://enterprise.vunnel.feed.anchore.io/.
- In this mode, the data is updated every six (6) hours.
- Proxy Mode is not available for MSRC and Anchore Exclusion Feeds Drivers.
Proxy Mode is now the default for all Anchore deployments. Should you wish to use Direct Mode, you will need to explicitly disable Proxy Mode in the values.yaml file of the feed’s helm chart (example below).
extraEnv:
  - name: ANCHORE_ENTERPRISE_FEEDS_NVD_PROVIDER_IMPORT_RESULTS_ENABLED
    value: "false"
  - name: ANCHORE_ENTERPRISE_FEEDS_AMAZON_PROVIDER_IMPORT_RESULTS_ENABLED
    value: "false"
  - name: ANCHORE_ENTERPRISE_FEEDS_ALPINE_PROVIDER_IMPORT_RESULTS_ENABLED
    value: "false"
  - name: ANCHORE_ENTERPRISE_FEEDS_DEBIAN_PROVIDER_IMPORT_RESULTS_ENABLED
    value: "false"
  - name: ANCHORE_ENTERPRISE_FEEDS_ORACLE_PROVIDER_IMPORT_RESULTS_ENABLED
    value: "false"
  - name: ANCHORE_ENTERPRISE_FEEDS_UBUNTU_PROVIDER_IMPORT_RESULTS_ENABLED
    value: "false"
  - name: ANCHORE_ENTERPRISE_FEEDS_RHEL_PROVIDER_IMPORT_RESULTS_ENABLED
    value: "false"
  - name: ANCHORE_ENTERPRISE_FEEDS_MARINER_PROVIDER_IMPORT_RESULTS_ENABLED
    value: "false"
  - name: ANCHORE_ENTERPRISE_FEEDS_GITHUB_PROVIDER_IMPORT_RESULTS_ENABLED
    value: "false"
  - name: ANCHORE_ENTERPRISE_FEEDS_SLES_PROVIDER_IMPORT_RESULTS_ENABLED
    value: "false"
  - name: ANCHORE_ENTERPRISE_FEEDS_WOLFI_PROVIDER_IMPORT_RESULTS_ENABLED
    value: "false"
  - name: ANCHORE_ENTERPRISE_FEEDS_CHAINGUARD_PROVIDER_IMPORT_RESULTS_ENABLED
    value: "false"
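To sanity-check which drivers a given values.yaml leaves in Proxy Mode, and therefore what outbound access the feed service will need, here is an added Python example that is not part of Anchore's documentation or code base. It assumes the flat extraEnv shape shown above and the provider names listed there; the constructed sample switches only NVD and RHEL to Direct Mode.

```python
import re

# Drivers this page lists with a *_PROVIDER_IMPORT_RESULTS_ENABLED toggle.
PROXY_CAPABLE = {"NVD", "AMAZON", "ALPINE", "DEBIAN", "ORACLE", "UBUNTU", "RHEL",
                 "MARINER", "GITHUB", "SLES", "WOLFI", "CHAINGUARD"}
PROXY_HOST = "https://enterprise.vunnel.feed.anchore.io/"
TOGGLE = re.compile(r"^ANCHORE_ENTERPRISE_FEEDS_([A-Z0-9]+)_PROVIDER_IMPORT_RESULTS_ENABLED$")

# Constructed values.yaml fragment: only NVD and RHEL are switched to Direct Mode.
SAMPLE_VALUES = """
extraEnv:
  - name: ANCHORE_ENTERPRISE_FEEDS_NVD_PROVIDER_IMPORT_RESULTS_ENABLED
    value: "false"
  - name: ANCHORE_ENTERPRISE_FEEDS_RHEL_PROVIDER_IMPORT_RESULTS_ENABLED
    value: "false"
"""

def parse_extra_env(snippet: str) -> list[tuple[str, str]]:
    """Extract (name, value) pairs from the flat extraEnv list shape shown above."""
    pairs, name = [], None
    for raw in snippet.splitlines():
        line = raw.strip()
        if line.startswith("- name:"):
            name = line.split(":", 1)[1].strip()
        elif line.startswith("value:") and name is not None:
            pairs.append((name, line.split(":", 1)[1].strip().strip("\"'")))
            name = None
    return pairs

def driver_modes(pairs: list[tuple[str, str]]) -> dict[str, str]:
    """Proxy Mode is the default; a driver is in Direct Mode only if its toggle is "false"."""
    modes = {p: "proxy" for p in PROXY_CAPABLE}
    for name, value in pairs:
        m = TOGGLE.match(name)
        if not m:
            continue  # some other environment variable, not a mode toggle
        provider = m.group(1)
        if provider not in PROXY_CAPABLE:  # e.g. MSRC or the Exclusions feed
            raise ValueError(f"{provider}: Proxy Mode is not available for this driver")
        if value.lower() not in ("true", "false"):
            raise ValueError(f"{name}: expected \"true\" or \"false\", got {value!r}")
        modes[provider] = "direct" if value.lower() == "false" else "proxy"
    return modes

def required_egress(modes: dict[str, str]) -> dict[str, list[str]]:
    """Outbound access implied by the modes: the proxy host if any driver stays in
    Proxy Mode, plus the drivers that must reach their own upstream sources."""
    direct = sorted(p for p, m in modes.items() if m == "direct")
    return {"proxy_host": [PROXY_HOST] if len(direct) < len(modes) else [],
            "direct_upstream_for": direct}
```

The drivers reported under direct_upstream_for are the ones whose upstream endpoints must be reachable; consult the network access points table for those addresses.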
KEV with FIPS hosts
The KEV list is hosted by CISA with a non-FIPS-compliant TLS configuration. As such, the KEV data is not available when the Feed Service is running on a FIPS host.
Database
Normalized vulnerability data is persisted in the database. In addition, the drivers' execution state and the updates applied to the data set are tracked in the database.
Configuration
See Feeds Configuration to read about installation requirements for an air-gapped deployment and optional configuration of drivers.
Last modified September 16, 2024