Gate: vulnerabilities

Introduction

The “vulnerabilities” gate provides users the ability to use either a single or combination of triggers and attributes that match against vulnerability metadata to create policies for the vulnerabilities discovered in an image SBOM.

Note Currently, only the following Triggers are available for Source Repository Rule Sets:
- Denylist
- Package
- Stale Feed Data

Example Use-cases

Scenario 1

Goal: Create a rule that results in a STOP action for every critical vulnerability.

Example rule set configuration in Anchore Enterprise

Gate: vulnerabilities
Trigger: package
Required Parameters: package type = “all”
Optional Parameters: severity comparison = “=”, severity = “critical”
Recommendations (optional): “Remediation is required for critical vulnerabilities.”
Action: STOP

vulnerabilities1

Scenario 2

Goal: Create a rule that results in a STOP action for every vulnerability that is a part of CISA’s KEV list.

Example rule set configuration in Anchore Enterprise

Gate: vulnerabilities
Trigger: kev list
Recommendations (optional): “This vulnerability is part of CISA’s Known Exploited Vulnerability (KEV) catalogue. Remediation is required.”
Action: STOP

vulnerabilities2

Scenario 3

Goal: Create a rule that results in a WARN action for every critical vulnerability with a fix that will not be addressed by a vendor.

Example rule set configuration in Anchore Enterprise

Gate: vulnerabilities
Trigger: package
Required Parameters: package type = “all”
Optional Parameters: severity comparison = “=”, severity = “critical”, vendor only = “false”
Recommendations (optional): “Even though this is a critical vulnerability, the vendor indicates that a fix will not be addressed.”
Action: WARN

vulnerability3

Reference: vulnerabilities

Trigger NameDescriptionParameterDescriptionExample
packageTriggers if a found vulnerability in an image meets the comparison criteria.package_typeOnly trigger for specific package type.all
packageTriggers if a found vulnerability in an image meets the comparison criteria.severity_comparisonThe type of comparison to perform for severity evaluation.>
packageTriggers if a found vulnerability in an image meets the comparison criteria.severitySeverity to compare against.high
packageTriggers if a found vulnerability in an image meets the comparison criteria.cvss_v3_base_score_comparisonThe type of comparison to perform for CVSS v3 base score evaluation.>
packageTriggers if a found vulnerability in an image meets the comparison criteria.cvss_v3_base_scoreCVSS v3 base score to compare against.None
packageTriggers if a found vulnerability in an image meets the comparison criteria.cvss_v3_exploitability_score_comparisonThe type of comparison to perform for CVSS v3 exploitability sub score evaluation.>
packageTriggers if a found vulnerability in an image meets the comparison criteria.cvss_v3_exploitability_scoreCVSS v3 exploitability sub score to compare against.None
packageTriggers if a found vulnerability in an image meets the comparison criteria.cvss_v3_impact_score_comparisonThe type of comparison to perform for CVSS v3 impact sub score evaluation.>
packageTriggers if a found vulnerability in an image meets the comparison criteria.cvss_v3_impact_scoreCVSS v3 impact sub score to compare against.None
packageTriggers if a found vulnerability in an image meets the comparison criteria.fix_availableIf present, the fix availability for the vulnerability record must match the value of this parameter.true
packageTriggers if a found vulnerability in an image meets the comparison criteria.vendor_onlyIf True, an available fix for this CVE must not be explicitly marked as wont be addressed by the vendortrue
packageTriggers if a found vulnerability in an image meets the comparison criteria.max_days_since_creationA grace period, in days, for a vulnerability match to be present after which the vulnerability is a policy violation. Uses the date the match was first found for the given image.7
packageTriggers if a found vulnerability in an image meets the comparison criteria.max_days_since_fixIf provided (only evaluated when fix_available option is also set to true), the fix first observed time must be older than the days provided, to trigger.30
packageTriggers if a found vulnerability in an image meets the comparison criteria.vendor_cvss_v3_base_score_comparisonThe type of comparison to perform for vendor specified CVSS v3 base score evaluation.>
packageTriggers if a found vulnerability in an image meets the comparison criteria.vendor_cvss_v3_base_scoreVendor CVSS v3 base score to compare against.None
packageTriggers if a found vulnerability in an image meets the comparison criteria.vendor_cvss_v3_exploitability_score_comparisonThe type of comparison to perform for vendor specified CVSS v3 exploitability sub score evaluation.>
packageTriggers if a found vulnerability in an image meets the comparison criteria.vendor_cvss_v3_exploitability_scoreVendor CVSS v3 exploitability sub score to compare against.None
packageTriggers if a found vulnerability in an image meets the comparison criteria.vendor_cvss_v3_impact_score_comparisonThe type of comparison to perform for vendor specified CVSS v3 impact sub score evaluation.>
packageTriggers if a found vulnerability in an image meets the comparison criteria.vendor_cvss_v3_impact_scoreVendor CVSS v3 impact sub score to compare against.None
packageTriggers if a found vulnerability in an image meets the comparison criteria.package_path_excludeThe regex to evaluate against the package path to exclude vulnerabilities.test.jar
packageTriggers if a found vulnerability in an image meets the comparison criteria.inherited_from_baseIf true, only show vulns inherited from the base, if false than only show vulns not inherited from the base. Don’t specify to include vulns from the base image and the current image. See Base Images for more details.True
packageTriggers if a found vulnerability in an image meets the comparison criteria.epss scoreThe EPSS score to compare against.0.25
packageTriggers if a found vulnerability in an image meets the comparison criteria.epss_score_comparisonThe type of comparison to perform for EPSS base score evaluation.>
packageTriggers if a found vulnerability in an image meets the comparison criteria.epss percentileThe EPSS percentile to compare against.87
packageTriggers if a found vulnerability in an image meets the comparison criteria.epss percentile comparisonThe type of comparison to perform for EPSS percentile evaluation.>
denylistTriggers if any of a list of specified vulnerabilities has been detected in the image.vulnerability_idsList of vulnerability IDs, will cause the trigger to fire if any are detected.CVE-2019-1234
denylistTriggers if any of a list of specified vulnerabilities has been detected in the image.vendor_onlyIf set to True, discard matches against this vulnerability if vendor has marked as will not fix in the vulnerability record.True
stale_feed_dataTriggers if the CVE data is older than the window specified by the parameter MAXAGE (unit is number of days).max_days_since_syncFire the trigger if the last sync was more than this number of days ago.10
vulnerability_data_unavailableTriggers if vulnerability data is unavailable for the image’s distro packages such as rpms or dpkg. Non-OS packages like npms and java are not considered in this evaluationNoneNoneNone
kev_list_data_missingTriggers if the KEV list data has not been synced.NoneNoneNone
kev_listTriggers if any vulnerabilities are on the KEV list.NoneNoneNone
Last modified November 26, 2024