Anchore Enterprise can compare an image’s findings against those of its base image, so developers can focus on issues introduced by their own changes and filter out noise inherited from a platform team’s golden image. The feature is available for both policy evaluations and vulnerability scans, and is exposed via the API and the Enterprise UI.
For an overview of how base images are identified and the selection rules Anchore Enterprise applies, see Images.
How It Works
Both the policy-check API and the vulnerabilities API accept an optional base_digest query parameter. When supplied, each finding in the response carries an inherited_from_base field:
- true: the finding is present in the base image.
- false: the finding is unique to this image.
- null: no comparison was performed (no base_digest was supplied).
As of Anchore Enterprise v5.7.0, base_digest=auto instructs the deployment to select the base image automatically using the ancestry rules described in the Images concept page.
Compare Policy Checks
The policy-check API uses the same policy and tag to evaluate both images, which keeps the comparison fair.
curl -X GET -u {username:password} "http://{servername:port}/v2/images/sha256:xyz/check?tag=p/q:r&base_digest=sha256:abc"
Example response excerpt:
{
  "image_digest": "sha256:xyz",
  "evaluated_tag": "p/q:r",
  "evaluations": [
    {
      "comparison_image_digest": "sha256:abc",
      "details": {
        "findings": [
          {
            "trigger_id": "41cb7cdf04850e33a11f80c42bf660b3",
            "gate": "dockerfile",
            "trigger": "instruction",
            "message": "Dockerfile directive 'HEALTHCHECK' not found, matching condition 'not_exists' check",
            "action": "warn",
            "policy_id": "48e6f7d6-1765-11e8-b5f9-8b6f228548b6",
            "recommendation": "",
            "rule_id": "312d9e41-1c05-4e2f-ad89-b7d34b0855bb",
            "allowlisted": false,
            "allowlist_match": null,
            "inherited_from_base": true
          },
          {
            "trigger_id": "CVE-2019-5435+curl",
            "gate": "vulnerabilities",
            "trigger": "package",
            "message": "MEDIUM Vulnerability found in os package type (APKG) - curl (CVE-2019-5435 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5435)",
            "action": "warn",
            "policy_id": "48e6f7d6-1765-11e8-b5f9-8b6f228548b6",
            "recommendation": "",
            "rule_id": "6b5c14e7-a6f7-48cc-99d2-959273a2c6fa",
            "allowlisted": false,
            "allowlist_match": null,
            "inherited_from_base": false
          }
        ]
      }
    }
  ]
}
In the example above:
- The missing HEALTHCHECK directive is flagged on both images, so inherited_from_base is true.
- The CVE-2019-5435 finding on curl is only present in the evaluated image, so inherited_from_base is false.
Compare Vulnerabilities
The vulnerabilities API also accepts base_digest, tagging each matched vulnerability with inherited_from_base.
curl -X GET -u {username:password} "http://{servername:port}/v2/images/sha256:xyz/vuln/all?base_digest=sha256:abc"
Example response excerpt:
{
  "base_digest": "sha256:abc",
  "image_digest": "sha256:xyz",
  "vulnerability_type": "all",
  "vulnerabilities": [
    {
      "feed": "vulnerabilities",
      "feed_group": "alpine:3.12",
      "fix": "7.62.0-r0",
      "inherited_from_base": true,
      "nvd_data": [
        {
          "cvss_v2": {
            "base_score": 6.4,
            "exploitability_score": 10.0,
            "impact_score": 4.9
          },
          "cvss_v3": {
            "base_score": 9.1,
            "exploitability_score": 3.9,
            "impact_score": 5.2
          },
          "id": "CVE-2018-16842"
        }
      ],
      "package": "libcurl-7.61.1-r3",
      "package_name": "libcurl",
      "package_path": "pkgdb",
      "package_type": "APKG",
      "package_version": "7.61.1-r3",
      "severity": "Medium",
      "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16842",
      "vendor_data": [],
      "vuln": "CVE-2018-16842"
    },
    {
      "feed": "vulnerabilities",
      "feed_group": "alpine:3.12",
      "fix": "2.4.46-r0",
      "inherited_from_base": false,
      "nvd_data": [
        {
          "cvss_v2": {
            "base_score": 5.0,
            "exploitability_score": 10.0,
            "impact_score": 2.9
          },
          "cvss_v3": {
            "base_score": 7.5,
            "exploitability_score": 3.9,
            "impact_score": 3.6
          },
          "id": "CVE-2020-9490"
        }
      ],
      "package": "apache2-2.4.43-r0",
      "package_name": "apache2",
      "package_path": "pkgdb",
      "package_type": "APKG",
      "package_version": "2.4.43-r0",
      "severity": "Medium",
      "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9490",
      "vendor_data": [],
      "vuln": "CVE-2020-9490"
    }
  ]
}
In the example above:
- CVE-2018-16842 affects libcurl-7.61.1-r3 in both images, so inherited_from_base is true.
- CVE-2020-9490 affects apache2-2.4.43-r0 only in the evaluated image, so inherited_from_base is false.
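The following is an added example, not Anchore's own code: a small triage helper that builds the vulnerabilities URL shown above, splits a response into inherited, introduced and uncompared findings, and keeps only the introduced findings at or above a severity threshold. The sample response is constructed from the excerpt on this page with fields trimmed; the severity ranking and the server address are assumptions.

```python
import json
from urllib.parse import urlencode

# Severity order, lowest to highest (assumed ordering for this example).
SEVERITY_RANK = {"Negligible": 0, "Unknown": 1, "Low": 2, "Medium": 3, "High": 4, "Critical": 5}

# Constructed sample mirroring the excerpt above (fields trimmed to what triage needs).
WITH_BASE = json.loads("""{
  "base_digest": "sha256:abc", "image_digest": "sha256:xyz",
  "vulnerabilities": [
    {"vuln": "CVE-2018-16842", "package": "libcurl-7.61.1-r3", "severity": "Medium",
     "fix": "7.62.0-r0", "inherited_from_base": true},
    {"vuln": "CVE-2020-9490", "package": "apache2-2.4.43-r0", "severity": "Medium",
     "fix": "2.4.46-r0", "inherited_from_base": false}]}""")

# The same scan requested without base_digest: every flag comes back null.
NO_BASE = {"image_digest": "sha256:xyz", "vulnerabilities": [
    dict(v, inherited_from_base=None) for v in WITH_BASE["vulnerabilities"]]}


def vuln_url(server, image_digest, base_digest=None):
    """Build the v2 vulnerabilities URL from this page, with base_digest when given."""
    url = f"{server}/v2/images/{image_digest}/vuln/all"
    return url + ("?" + urlencode({"base_digest": base_digest}) if base_digest else "")


def partition(response):
    """Group vuln ids by inherited_from_base: true, false, or null (no comparison)."""
    buckets = {"inherited": [], "introduced": [], "uncompared": []}
    for v in response["vulnerabilities"]:
        flag = v.get("inherited_from_base")
        key = "inherited" if flag is True else "introduced" if flag is False else "uncompared"
        buckets[key].append(v["vuln"])
    return buckets


def introduced_at_or_above(response, min_severity):
    """Vuln ids not proven inherited, at or above min_severity.

    A null flag is kept on purpose: without a comparison nothing is known to be inherited,
    so a scan run without base_digest never silently hides a finding.
    """
    threshold = SEVERITY_RANK[min_severity]
    return sorted(v["vuln"] for v in response["vulnerabilities"]
                  if v.get("inherited_from_base") is not True
                  and SEVERITY_RANK.get(v["severity"], 1) >= threshold)


if __name__ == "__main__":
    print(vuln_url("http://anchore.example:8228", "sha256:xyz", "sha256:abc"))
    print(partition(WITH_BASE), introduced_at_or_above(WITH_BASE, "Medium"))
```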
Where the Comparison Is Used
Beyond the direct API calls, base-image information is consumed in several places:
- The Ancestry Policy Gate uses the same base-image rules.
- Reports use the base image to calculate the “Inherited From Base” column on vulnerability findings.
- The Enterprise UI displays the resolved base image and uses it for policy evaluations and vulnerability scans.