RHSA to CVE Feed Changes for RHEL-Based Images
Starting in Enterprise 2.3.0, Anchore Enterprise uses the Red Hat Security API for CVEs as the source of vulnerability matches for RHEL, CentOS, and UBI images. This is a change from previous releases, which used the API for Security Advisories (RHSAs) instead.
What Changed
In short, rhel:* replaces centos:* in the vulnerabilities feed for matches against RHEL-based distros such as CentOS and UBI.
Specifically, in Enterprise 2.2.x, all RHEL-based images (CentOS, RHEL, UBI) used data from the Red Hat Security Advisories API. This data populated the centos:* groups of the vulnerabilities feed, as seen when you run anchore-cli system feeds list or on the UI's system page showing feed syncs.
Starting with Enterprise 2.3.0, RHEL-based images match against a new feed source by default: data from the Red Hat CVE API. This new source populates the rhel:* groups of the vulnerabilities feed. The centos:* groups are no longer used for matches by default.
Reason for Change
The CVE source makes it possible to match vulnerabilities that have not yet been fixed upstream or via backports by Red Hat, and it also carries information on vulnerabilities that will not be fixed. Neither class of vulnerability is covered by the RHSA data, because that data is generated from fix releases. Overall, the change produces matches earlier in the vulnerability triage and fix process, so you can make better decisions about issues that affect your images.
Upgrade
During upgrade, Anchore changes the matching logic to transition images to the new feed groups. This update involves:
Completed automatically during DB upgrade:
- Updating the DB schema to support new enable/disable flags for feeds and groups.
- Disabling the existing centos:* feed groups from future syncs by setting the groups to disabled status.
- Updating the internal mappings for distros to use the new groups.
When the system starts, all RHEL/CentOS/UBI images still have their RHSA matches, but the centos:* groups are disabled, so no new updates arrive for those groups.
After upgrade, when the system is running the new version:
- The feed service syncs the new data from the source.
- The policy engine syncs from the feed service to get the new data.
- Once the rhel:* groups sync in the policy engine, all RHEL/CentOS/UBI images analyzed before the upgrade show both CVE and RHSA matches.
- Images analyzed after the upgrade only match CVEs.
The output from a CLI feed listing should look roughly like the following (note the disabled centos groups and the synced rhel groups):
[anchore@c4799ee0b36e enterprise]$ anchore-cli system feeds list
Feed                 Group                   LastSync                      RecordCount
...
vulnerabilities      centos:5(disabled)      2020-05-15T16:33:53.165136    1171
vulnerabilities      centos:6(disabled)      2020-05-15T16:33:47.819467    1219
vulnerabilities      centos:7(disabled)      2020-05-15T16:33:48.007930    1044
vulnerabilities      centos:8(disabled)      2020-05-15T16:33:51.662811    255
...
vulnerabilities      rhel:5                  2020-05-15T22:23:56.300077    7237
vulnerabilities      rhel:6                  2020-05-15T22:23:55.343614    6833
vulnerabilities      rhel:7                  2020-05-15T22:23:56.040785    5893
vulnerabilities      rhel:8                  2020-05-15T22:23:56.561123    1472
...
You can optionally flush the old RHSA matches by using anchore-cli to delete the centos group data. This removes both the feed data and the vulnerability matches for the RHSAs, leaving only the CVE matches.
To do this, run the following via the CLI:
[anchore@c4799ee0b36e enterprise]$ anchore-cli system feeds delete vulnerabilities --group centos:5
Group                   LastSync      RecordCount
centos:5(disabled)      pending       0
[anchore@c4799ee0b36e enterprise]$ anchore-cli system feeds delete vulnerabilities --group centos:6
Group                   LastSync      RecordCount
centos:6(disabled)      pending       0
[anchore@c4799ee0b36e enterprise]$ anchore-cli system feeds delete vulnerabilities --group centos:7
Group                   LastSync      RecordCount
centos:7(disabled)      pending       0
[anchore@c4799ee0b36e enterprise]$ anchore-cli system feeds delete vulnerabilities --group centos:8
Group                   LastSync      RecordCount
centos:8(disabled)      pending       0
The listing will now show:
[anchore@c4799ee0b36e enterprise]$ anchore-cli system feeds list
Feed                 Group                   LastSync                      RecordCount
...
vulnerabilities      centos:5(disabled)      -                             0
vulnerabilities      centos:6(disabled)      -                             0
vulnerabilities      centos:7(disabled)      -                             0
vulnerabilities      centos:8(disabled)      -                             0
...
vulnerabilities      rhel:5                  2020-05-15T23:45:04.969330    7237
vulnerabilities      rhel:6                  2020-05-15T23:45:03.552281    6833
vulnerabilities      rhel:7                  2020-05-15T23:45:04.678325    5894
vulnerabilities      rhel:8                  2020-05-15T23:45:05.232375    1473
...
At this point all RHSA matches for all images in the DB have been removed as well, leaving only the CVE matches from the new Red Hat CVE source.
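As an added example (not part of the original Anchore documentation), the following POSIX shell script parses the whitespace-separated output of anchore-cli system feeds list and checks that the transition is in the state described above: every centos:* group disabled, and every rhel:* group synced with a non-zero record count. It also prints, without executing them, the delete commands for whichever centos:* groups actually appear in the listing, so the optional flush step does not rely on a hard-coded list of releases. The sample listings embedded in the script are constructed from the output shown on this page, and the function names check_rhel_transition and flush_commands are my own.

```shell
#!/bin/sh
# Constructed sample: the listing right after the DB upgrade, before the
# optional flush (columns are whitespace-separated, as anchore-cli prints them).
SAMPLE_POST_UPGRADE='Feed Group LastSync RecordCount
vulnerabilities centos:5(disabled) 2020-05-15T16:33:53.165136 1171
vulnerabilities centos:6(disabled) 2020-05-15T16:33:47.819467 1219
vulnerabilities rhel:5 2020-05-15T22:23:56.300077 7237
vulnerabilities rhel:6 2020-05-15T22:23:55.343614 6833'

# Constructed sample: a system where a centos group was not disabled and the
# rhel group has not finished its first sync yet.
SAMPLE_INCOMPLETE='Feed Group LastSync RecordCount
vulnerabilities centos:7 2020-05-15T16:33:48.007930 1044
vulnerabilities rhel:7 pending 0'

# check_rhel_transition: read a feeds listing on stdin, print every group that
# is not in the expected post-upgrade state, and return 1 if any were found.
check_rhel_transition() {
    awk '
        $1 == "vulnerabilities" && $2 ~ /^centos:/ && $2 !~ /\(disabled\)$/ {
            print "centos group still enabled: " $2; bad = 1
        }
        $1 == "vulnerabilities" && $2 ~ /^rhel:/ && ($3 == "pending" || $4 + 0 == 0) {
            print "rhel group not synced yet: " $2; bad = 1
        }
        END { exit (bad ? 1 : 0) }
    '
}

# flush_commands: read a feeds listing on stdin and print the anchore-cli
# delete command for every centos:* group it contains. Nothing is executed;
# review the output, then pipe it to sh if you want to perform the flush.
flush_commands() {
    awk '
        $1 == "vulnerabilities" && $2 ~ /^centos:/ {
            sub(/\(disabled\)$/, "", $2)
            print "anchore-cli system feeds delete vulnerabilities --group " $2
        }
    '
}

# Stand-alone usage against the constructed samples. On a live system replace
# the printf with: anchore-cli system feeds list | check_rhel_transition
printf '%s\n' "$SAMPLE_POST_UPGRADE" | check_rhel_transition && echo "transition complete"
printf '%s\n' "$SAMPLE_INCOMPLETE" | check_rhel_transition || echo "transition incomplete"
printf '%s\n' "$SAMPLE_POST_UPGRADE" | flush_commands
```

The check treats a rhel:* group with a pending LastSync or a zero RecordCount as not yet usable, which matches the upgrade sequence above: matches against the new source only appear once the rhel:* groups have synced into the policy engine.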
Feed Service Driver Configuration
The new RHEL CVE feed is enabled in the feed service by default. No configuration changes are necessary to enable it.
Policy Engine Configuration
No changes to the policy engine configuration are needed to enable the new data, because it is delivered as new groups in the existing vulnerabilities feed, which syncs all groups automatically.
Rolling Back
If you need to restore the old behavior, see the rollback guide.
Last modified September 30, 2024