This is the multi-page printable view of this section. Click here to print.

Return to the regular view of this page.

Corrections

A correction is a rule that rewrites a package’s metadata at vulnerability-scan time. Anchore Enterprise’s analyzers generate a best-effort PURL and CPE for every package they find, but for some ecosystems — particularly Java archives that ship without a complete manifest — the guess does not match what vulnerability data uses to identify the same component. The result is either spurious matches or missed matches. A correction restates the package’s PURL, CPEs, or other fields so that subsequent scans match against the right vulnerability records.

For the broader context — how SBOM packages get matched against vulnerability data, and the synthetic-CPE fallback that handles unknown ecosystems — see How It Works.

Corrections apply only to packages discovered through container image analysis; they do not modify externally supplied SBOMs.

When to Add a Correction

A worked example: an Anchore Enterprise analysis of a Tomcat image surfaces the catalina.jar archive with this content:

{
  "cpes": [
    "cpe:2.3:a:apache:catalina:9.0.88:*:*:*:*:*:*:*"
  ],
  "package": "catalina",
  "purl": "pkg:maven/org.apache.tomcat-catalina/[email protected]",
  "type": "JAVA-JAR",
  "version": "9.0.88"
}

The CPE vendor/product (apache:catalina), the Maven group/artifact in the PURL (org.apache.tomcat-catalina/catalina), and the package name (catalina) all disagree with how the upstream advisory data describes Tomcat Catalina. Vulnerability matches against this package will be unreliable.

Add a Correction

Corrections are managed with anchorectl correction. The command supports both an inline form and a JSON-file form.

anchorectl correction add \
  --description "Correct Tomcat Catalina package metadata" \
  --type java \
  --match package=catalina \
  --replace cpes="cpe:2.3:a:apache:tomcat_catalina:{version}:*:*:*:*:*:*:*" \
  --replace purl="pkg:maven/org.apache.tomcat/tomcat-catalina@{version}" \
  --replace package="tomcat-catalina"

Or, the equivalent JSON body submitted directly:

anchorectl correction add -i correction.json
{
  "description": "Correct Tomcat Catalina package metadata",
  "type": "package",
  "match": {
    "type": "java",
    "field_matches": [
      { "field_name": "package", "field_value": "catalina" }
    ]
  },
  "replace": [
    { "field_name": "cpes", "field_value": "cpe:2.3:a:apache:tomcat_catalina:{version}:*:*:*:*:*:*:*" },
    { "field_name": "purl", "field_value": "pkg:maven/org.apache.tomcat/tomcat-catalina@{version}" },
    { "field_name": "package", "field_value": "tomcat-catalina" }
  ]
}

Field reference:

  • description — free-text note describing the correction’s intent.
  • type — the correction type. Only package is supported.
  • match.type — the package ecosystem to apply the correction to. In the inline form this is what the --type flag sets; the correction type is always package. Supported values are driven by the analyzers your deployment runs and currently include java, gem, python, npm, os, go, and nuget. Run anchorectl image content --available-types to list the valid content types on a given deployment.
  • match.field_matches — one or more (field_name, field_value) pairs that select which packages this correction applies to.
  • replace — the field/value pairs the correction will write. For cpes and purl only, curly-brace templates like {version} are substituted from the matched package at scan time. If a templated field is missing on the package, the CPE component is replaced with * and the PURL replacement is skipped entirely.

Manage Corrections

anchorectl correction list
anchorectl correction get <correction-uuid>
anchorectl correction delete <correction-uuid>

Corrections are referenced by the UUID returned at creation. The same operations are available on the /corrections API — see the API browser for the full request and response schemas.

Verify a Correction

Corrections take effect at the next vulnerability scan. To confirm a correction is matching the way you intended, inspect the analyzed content for a representative image:

anchorectl image content -t java <image-digest> -o json

For the Tomcat Catalina example above, the corrected package content should show the rewritten CPE, PURL, and package name:

{
  "cpes": [
    "cpe:2.3:a:apache:tomcat_catalina:9.0.88:*:*:*:*:*:*:*"
  ],
  "package": "tomcat-catalina",
  "purl": "pkg:maven/org.apache.tomcat/[email protected]",
  "type": "JAVA-JAR",
  "version": "9.0.88"
}