RHSA to CVE Feed Changes for RHEL-Based Images
Starting in Enterprise 2.3.0, Anchore Enterprise uses the RedHat Security API for CVEs for vulnerability matches for RHEL, CentOS, and UBI images. This is a change from previous releases that utilized the API for Advisories (RHSAs) instead.
centos:* in the vulnerability feed for matches against RHEL-based distros such as CentOS and UBI.
Specifically, in Enterprise 2.2.x, all RHEL-based images (CentOS, RHEL, UBI) used data from the RedHat Security Advisories API. This data populated
centos:* groups of the
vulnerabilities feed, as seen when you run
anchore-cli system feeds list or via the UI’s
system page showing feed syncs.
Changed for Enterprise 2.3.0, RHEL-based images will match against a new feed source by default: data from the RedHat CVE API .
This new source populates the
rhel:* groups of the
vulnerabilities feed. The
centos:* groups are no longer used for matches by default.
Reason for Change
The CVE source provides the ability to match vulnerabilities that have not yet been fixed upstream or via backports by Redhat as well as information on vulnerabilities that will not be fixed. Both of these classes of vulnerability are not covered in the RHSA data because that data is generated by fix releases. Overall, the change gives better matches earlier in the vulnerability triage and fix process so you can make better decisions about issues that affect your images.
During upgrade Anchore will change the matching logic to transition images to use the new feed groups. This update involves:
Completed Automatically During DB Upgrade:
- Updating db schema to support new enable/disable flags for feeds and groups.
- Disabling the existing
centos:*feed groups from future syncs by setting the groups to disabled status.
- Updating the internal mappings for distros to use the new groups.
When the system starts, all RHEL/CentOS/UBI images will still have RHSA matches, but the centos:* groups will be disabled so no new updates arrive for those groups.
After upgrade, when the system is running the new version:
- Feed service will sync the new data from the source
- Policy engine syncs from feed service to get new data
- Once the
rhel:*groups sync in the policy engine, all RHEL/CentOS/UBI pre-upgrade analyzed images will now show both CVE and RHSA matches.
- Images analyzed after the upgrade will only match CVEs.
The output from a CLI feed listing should look roughly like (note the disabled centos groups and synced rhel groups:
[email protected] enterprise]$ anchore-cli system feeds list Feed Group LastSync RecordCount ... vulnerabilities centos:5(disabled) 2020-05-15T16:33:53.165136 1171 vulnerabilities centos:6(disabled) 2020-05-15T16:33:47.819467 1219 vulnerabilities centos:7(disabled) 2020-05-15T16:33:48.007930 1044 vulnerabilities centos:8(disabled) 2020-05-15T16:33:51.662811 255 ... vulnerabilities rhel:5 2020-05-15T22:23:56.300077 7237 vulnerabilities rhel:6 2020-05-15T22:23:55.343614 6833 vulnerabilities rhel:7 2020-05-15T22:23:56.040785 5893 vulnerabilities rhel:8 2020-05-15T22:23:56.561123 1472 ...
You can optionally flush the old RHSA matches by using the anchore-cli to delete the centos group data, which will remove the both the feed data and vulnerability matches for the RHSAs, leaving only the CVE matches.
To accomplish this, via the cli run:
[[email protected] enterprise]$ anchore-cli system feeds delete vulnerabilities --group centos:5 Group LastSync RecordCount centos:5(disabled) pending 0 [[email protected] enterprise]$ anchore-cli system feeds delete vulnerabilities --group centos:6 Group LastSync RecordCount centos:6(disabled) pending 0 [[email protected] enterprise]$ anchore-cli system feeds delete vulnerabilities --group centos:7 Group LastSync RecordCount centos:7(disabled) pending 0 [[email protected] enterprise]$ anchore-cli system feeds delete vulnerabilities --group centos:8 Group LastSync RecordCount centos:8(disabled) pending 0
Listing will now show:
[email protected] enterprise]$ anchore-cli system feeds list Feed Group LastSync RecordCount ... vulnerabilities centos:5(disabled) - 0 vulnerabilities centos:6(disabled) - 0 vulnerabilities centos:7(disabled) - 0 vulnerabilities centos:8(disabled) - 0 ... vulnerabilities rhel:5 2020-05-15T23:45:04.969330 7237 vulnerabilities rhel:6 2020-05-15T23:45:03.552281 6833 vulnerabilities rhel:7 2020-05-15T23:45:04.678325 5894 vulnerabilities rhel:8 2020-05-15T23:45:05.232375 1473 ...
At this point all RHSA matches for all images in the DB have also been removed, leaving only the CVE matches from the new RedHat CVE source.
Feed Service Driver Configuration
The new RHEL CVE feed is enabled in the feed service by default. No changes to configuration are necessary to enable it.
Policy Engine Configuration
No changes to the policy engine configuration are needed to enable the new data because it is delivered as new groups in the existing
which syncs all groups automatically.
If you need to restore the old behavior see the rollback guide
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.