Anchore Enterprise Feeds

Overview

Anchore Enterprise Feeds is an On-Premises service that supplies operating system and application eco-system vulnerability data and package data for consumption by the Anchore Policy Engine. The Policy Engine uses this data for finding vulnerabilities and evaluating policies. For more information about configuration of the Feeds Service see Feeds Overview.

Anchore maintains a public index of Grype databases built and published daily at https://toolbox-data.anchore.io/grype/databases/listing.json for use by all. However, this public database does not include all Anchore Enterprise sources. The Anchore Enterprise feed capability offers the following benefits over the publicly available pre-built grype databases:

  • Access to Enterprise-only vulnerability data, such as MSRC and the Anchore Exclusions Feed.
  • Provides a configuration option for running Anchore Enterprise in an Air-Gapped mode (see Air Gapped Configuration for more information).
  • Granular control and configuration over feed data thanks to the On-Premises installation: configure how often data from external sources is synced, and enable or disable the individual data providers responsible for processing normalized data.
  • Access to an Anchore-curated dataset for suppressing known false positive vulnerability matches.

Design

Anchore Enterprise Feeds have three high-level components:

  • Drivers – Communicate with upstream sources and fetch data and normalize it for Anchore.
  • Database – Stores the current state of the normalized data for use by Anchore.
  • API – Serves the data to clients, supporting update-only fetches.

Drivers

A driver downloads raw data from an external source and normalizes it. Each driver outputs normalized data for one of four feed types: (os) vulnerabilities, packages, nvd, or third-party feeds.

  • Drivers responsible for operating system package vulnerabilities gather raw data from the respective os resources listed below.
  • Package drivers process the official list of packages maintained by NPM and RubyGems organizations.
  • The nvdv2 driver processes CVEs from the NIST database, and supplies normalized data that is used for matching non-os packages such as Java, Python, NPM, GEM, NuGet.

All drivers except the package drivers are enabled by default. The service has configuration toggles to enable or disable each driver individually and to tune driver-specific settings.
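To make the three-component design and the per-driver toggles concrete, here is an added Python model; it is not Anchore's code, and the Record shape, the "alpine:3.18" group and the CVE-EXAMPLE ids are constructed for the illustration. A disabled package driver contributes nothing to a sync, and a client that remembers its last fetch time receives only records updated since then.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable
# Added illustration, not Anchore's code: drivers normalize upstream data, the
# "database" holds the normalized state, and the API serves update-only fetches.
@dataclass(frozen=True)
class Record:
    feed: str          # feed type: "vulnerabilities", "packages", "nvd", ...
    group: str         # e.g. "alpine:3.18" (constructed grouping key)
    key: str           # vulnerability id or package name
    updated: datetime  # when the upstream source last changed this entry

def ts(day: str) -> datetime:
    return datetime.fromisoformat(day).replace(tzinfo=timezone.utc)

class FeedService:
    def __init__(self) -> None:
        self.records: dict[tuple[str, str, str], Record] = {}  # normalized data
        self.drivers: dict[str, tuple[bool, Callable[[], list[Record]]]] = {}

    def register(self, name: str, driver: Callable[[], list[Record]], enabled: bool = True) -> None:
        self.drivers[name] = (enabled, driver)  # per-driver enable/disable toggle

    def sync(self) -> int:
        """Run each enabled driver and merge newer records; returns count changed."""
        changed = 0
        for enabled, driver in self.drivers.values():
            if not enabled:  # a disabled driver never contacts its source
                continue
            for rec in driver():
                k = (rec.feed, rec.group, rec.key)
                old = self.records.get(k)
                if old is None or old.updated < rec.updated:
                    self.records[k] = rec
                    changed += 1
        return changed

    def fetch(self, feed: str, group: str, since: datetime | None = None) -> list[Record]:
        """API: every record for feed/group, or only those updated after `since`."""
        hits = [r for r in self.records.values() if r.feed == feed and r.group == group]
        return sorted((r for r in hits if since is None or r.updated > since), key=lambda r: r.key)
# Constructed upstream snapshot standing in for the real sources in the table below.
upstream: list[Record] = [
    Record("vulnerabilities", "alpine:3.18", "CVE-EXAMPLE-0001", ts("2024-01-10")),
    Record("vulnerabilities", "alpine:3.18", "CVE-EXAMPLE-0002", ts("2024-01-12")),
]
svc = FeedService()
svc.register("alpine", lambda: list(upstream))
svc.register("npm", lambda: [Record("packages", "npm", "left-pad", ts("2024-01-01"))], enabled=False)
```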

Driver                      Feed Type           External Data Source
suse                        vulnerabilities     https://www.suse.com/support/security/oval/
alpine                      vulnerabilities     https://secdb.alpinelinux.org
rhel                        vulnerabilities     https://access.redhat.com/hydra/rest/securitydata/cve.json
                                                https://www.redhat.com/security/data/oval/v2
debian                      vulnerabilities     https://security-tracker.debian.org/tracker/data/json
                                                https://salsa.debian.org/security-tracker-team/security-tracker/raw/master/data/DSA/list
oracle                      vulnerabilities     https://linux.oracle.com/security/oval/com.oracle.elsa-all.xml.bz2
ubuntu                      vulnerabilities     https://launchpad.net/ubuntu-cve-tracker
amzn                        vulnerabilities     https://alas.aws.amazon.com/AL2/alas.rss
                                                https://alas.aws.amazon.com/AL2022/alas.rss
                                                https://alas.aws.amazon.com/AL2023/alas.rss
gem                         packages            https://s3-us-west-2.amazonaws.com/rubygems-dumps
npm                         packages            https://replicate.npmjs.com
github                      github              https://api.github.com/graphql
nvd                         nvd                 https://services.nvd.nist.gov/rest/json/cves/2.0
                                                https://services.nvd.nist.gov/rest/json/cvehistory/2.0
msrc                        microsoft           https://api.msrc.microsoft.com/
anchore_match_exclusions    anchore:exclusions  https://data.anchore-enterprise.com/providers/anchore/exclusions
                                                https://anchore-feed-service.s3.amazonaws.com/
wolfi                       vulnerabilities     https://packages.wolfi.dev/os/security.json
chainguard                  vulnerabilities     https://packages.cgr.dev/chainguard/security.json
mariner                     vulnerabilities     https://raw.githubusercontent.com/microsoft/CBL-MarinerVulnerabilityData/

The anchore_match_exclusions feed requires a specific license. Please contact Anchore Support for details.

Database

Normalized vulnerability and package data is persisted in the database. In addition, the execution state and updates to the data set are tracked in the database.

Configuration

See Feeds Configuration to read about installation requirements for an air-gapped deployment and optional configuration of drivers.

Last modified February 19, 2024