RHSA to CVE Feed Changes for RHEL-Based Images

Starting in Enterprise 2.3.0, Anchore Enterprise uses the CVE data from the Red Hat Security API for vulnerability matches against RHEL, CentOS, and UBI images. This is a change from previous releases, which used the Advisories (RHSA) data from that API instead.

What Changed

In short, the rhel:* groups replace the centos:* groups of the vulnerabilities feed for matches against RHEL-based distros such as RHEL, CentOS, and UBI.

Specifically, in Enterprise 2.2.x, all RHEL-based images (CentOS, RHEL, UBI) used data from the Red Hat Security Advisories API. This data populated the centos:* groups of the vulnerabilities feed, as seen when you run anchore-cli system feeds list or on the UI's system page showing feed syncs.

In Enterprise 2.3.0, RHEL-based images match against a new feed source by default: data from the Red Hat CVE API. This source populates the rhel:* groups of the vulnerabilities feed. The centos:* groups are no longer used for matches by default.

Reason for Change

The CVE source can match vulnerabilities that Red Hat has not yet fixed (upstream or via backport), and it carries information on vulnerabilities that Red Hat will not fix. Neither class of vulnerability appears in the RHSA data, because an advisory is only generated when a fix is released. Overall, the change surfaces matches earlier in the vulnerability triage and fix process, so you can make better decisions about issues that affect your images.

Upgrade

During the upgrade, Anchore changes the matching logic so that images transition to the new feed groups. The update involves:

Completed Automatically During DB Upgrade:

  1. Updating db schema to support new enable/disable flags for feeds and groups.
  2. Disabling the existing centos:* feed groups from future syncs by setting the groups to disabled status.
  3. Updating the internal mappings for distros to use the new groups.

When the system starts, all RHEL/CentOS/UBI images will still have RHSA matches, but the centos:* groups will be disabled so no new updates arrive for those groups.

After upgrade, when the system is running the new version:

  1. Feed service will sync the new data from the source
  2. Policy engine syncs from feed service to get new data
  3. Once the rhel:* groups have synced in the policy engine, all RHEL/CentOS/UBI images analyzed before the upgrade show both CVE and RHSA matches.
  4. Images analyzed after the upgrade will only match CVEs.

The output of a CLI feed listing should look roughly like the following (note the disabled centos groups and the synced rhel groups):

$ anchore-cli system feeds list
Feed                   Group                     LastSync                          RecordCount        
...               
vulnerabilities        centos:5(disabled)        2020-05-15T16:33:53.165136        1171               
vulnerabilities        centos:6(disabled)        2020-05-15T16:33:47.819467        1219               
vulnerabilities        centos:7(disabled)        2020-05-15T16:33:48.007930        1044               
vulnerabilities        centos:8(disabled)        2020-05-15T16:33:51.662811        255                
...                
vulnerabilities        rhel:5                    2020-05-15T22:23:56.300077        7237               
vulnerabilities        rhel:6                    2020-05-15T22:23:55.343614        6833               
vulnerabilities        rhel:7                    2020-05-15T22:23:56.040785        5893               
vulnerabilities        rhel:8                    2020-05-15T22:23:56.561123        1472               
...             

You can optionally flush the old RHSA matches by using anchore-cli to delete the centos group data. This removes both the feed data and the vulnerability matches for the RHSAs, leaving only the CVE matches. Do this only after the rhel:* groups have synced in the policy engine (non-empty LastSync and a non-zero RecordCount in the listing above); deleting the centos:* data before then leaves RHEL-based images with no Red Hat matches at all until the sync completes.

To do this, run the following via the CLI for each group:

$ anchore-cli system feeds delete vulnerabilities --group centos:5
Group                     LastSync        RecordCount
centos:5(disabled)        pending         0

$ anchore-cli system feeds delete vulnerabilities --group centos:6
Group                     LastSync        RecordCount
centos:6(disabled)        pending         0

$ anchore-cli system feeds delete vulnerabilities --group centos:7
Group                     LastSync        RecordCount
centos:7(disabled)        pending         0

$ anchore-cli system feeds delete vulnerabilities --group centos:8
Group                     LastSync        RecordCount
centos:8(disabled)        pending         0

The listing will now show:

$ anchore-cli system feeds list
Feed                   Group                     LastSync                          RecordCount        
...                
vulnerabilities        centos:5(disabled)        -                                 0                  
vulnerabilities        centos:6(disabled)        -                                 0                  
vulnerabilities        centos:7(disabled)        -                                 0                  
vulnerabilities        centos:8(disabled)        -                                 0                  
...                
vulnerabilities        rhel:5                    2020-05-15T23:45:04.969330        7237               
vulnerabilities        rhel:6                    2020-05-15T23:45:03.552281        6833               
vulnerabilities        rhel:7                    2020-05-15T23:45:04.678325        5894               
vulnerabilities        rhel:8                    2020-05-15T23:45:05.232375        1473               
...      

At this point all RHSA matches for all images in the DB have also been removed, leaving only the CVE matches from the new Red Hat CVE source.
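The flush above is safe only once the rhel:* groups have actually synced. As an added example (not part of the Anchore documentation or product), the following POSIX shell script parses a feed listing in the four-column layout shown on this page, refuses to proceed while any rhel:* group still has a missing LastSync or a zero RecordCount, and otherwise prints the anchore-cli system feeds delete command for each disabled centos:* group. The sample listing is constructed for the example, and the FLUSH variable is an assumption of this script: without FLUSH=1 it is a dry run and runs nothing against your deployment.

```shell
#!/bin/sh
# Added example, not Anchore's own tooling: decide whether it is safe to flush the
# disabled centos:* groups, then plan (or, with FLUSH=1, run) the deletes.
# Assumes the column layout shown on this page: Feed  Group  LastSync  RecordCount

# Constructed sample listing, modelled on the post-upgrade output above.
SAMPLE_LISTING='Feed                   Group                     LastSync                          RecordCount
vulnerabilities        centos:7(disabled)        2020-05-15T16:33:48.007930        1044
vulnerabilities        centos:8(disabled)        2020-05-15T16:33:51.662811        255
vulnerabilities        rhel:7                    2020-05-15T22:23:56.040785        5893
vulnerabilities        rhel:8                    2020-05-15T22:23:56.561123        1472
vulnerabilities        alpine:3.8                2020-05-15T22:23:55.000000        1200'

# Read a listing on stdin; print each disabled centos:* group of the
# vulnerabilities feed without its "(disabled)" suffix, one per line.
disabled_centos_groups() {
    awk '$1 == "vulnerabilities" && $2 ~ /^centos:[0-9]+\(disabled\)$/ {
            sub(/\(disabled\)/, "", $2); print $2
         }'
}

# Read a listing on stdin; exit 0 only if at least one rhel:* group exists and
# every rhel:* group has a real LastSync and a non-zero RecordCount.
rhel_groups_synced() {
    awk '$1 == "vulnerabilities" && $2 ~ /^rhel:/ {
            seen++
            if ($3 == "-" || $3 == "pending" || $4 + 0 == 0) bad++
         }
         END { if (seen > 0 && bad == 0) exit 0; exit 1 }'
}

# Read a listing on stdin. Refuse (exit 1) while rhel:* data is missing, because
# deleting the centos:* groups then would leave RHEL-based images with no Red Hat
# matches at all. Otherwise print the delete command for each disabled centos:*
# group, and execute it only when FLUSH=1 is set (dry run by default).
plan_flush() {
    listing=$(cat)
    if ! printf '%s\n' "$listing" | rhel_groups_synced; then
        echo "rhel:* groups are not fully synced; not flushing centos:* data" >&2
        return 1
    fi
    printf '%s\n' "$listing" | disabled_centos_groups | while read -r group; do
        echo "anchore-cli system feeds delete vulnerabilities --group $group"
        if [ "${FLUSH:-0}" = "1" ]; then
            anchore-cli system feeds delete vulnerabilities --group "$group"
        fi
    done
}

# Dry run against the constructed sample when the script is executed directly.
printf '%s\n' "$SAMPLE_LISTING" | plan_flush
```

On a live system, source the functions and run `anchore-cli system feeds list | plan_flush` to see the plan, then prefix with `FLUSH=1` to perform the deletes; the sync check runs again on every invocation, so the script never deletes centos:* data against a listing whose rhel:* groups are still pending.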

Feed Service Driver Configuration

The new RHEL CVE feed is enabled in the feed service by default. No changes to configuration are necessary to enable it.

Policy Engine Configuration

No changes to the policy engine configuration are needed to enable the new data because it is delivered as new groups in the existing vulnerabilities feed, which syncs all groups automatically.

Rolling Back

If you need to restore the old behavior, see the rollback guide.