Anchore Enterprise Application Groups
Anchore Enterprise lets you model your versioned applications to create a comprehensive view of the vulnerability and security health of the projects your teams are building across the breadth of your Software Delivery Lifecycle.
By grouping related components into applications, and updating those components across application versions as projects grow and change, you can get a holistic view of the current and historic security health of the applications from development through built image artifacts.
The typical flow is:
- An application will be created for each project that you want to track.
- Versions will be created both for the current in-development version and for previous versions.
- Artifacts will be grouped together under those application versions.
Applications, application versions, and artifact associations can be managed via either the applications API or AnchoreCTL.
1 - Application Components
Applications
Applications are the top-level building block in this hierarchical view, containing artifacts like packages or image artifacts. Applications can represent any project your teams deliver. Applications have user-specified name and description fields to describe them. Applications are expected to be long-lived constructs, typically with multiple versions added over time.
Application Versions
Each application is associated with one or more application versions. Application versions track the specific grouping of artifacts that comprise a product version. They have one directly user-editable field called version_name which reflects the name of the product’s application version. This field has no special constraints on it, so you can use it to reflect the versioning scheme or schemes for your projects.
Each application, on creation, automatically has one application version created for it, named “HEAD”. “HEAD” is a special version meant to track the in-development version of your product through its release. A typical flow is that, as your CI jobs build new versions of your software, they will add new versions of your source and image artifacts to Anchore Enterprise and associate them with your HEAD application version. On release, you update your “HEAD” version to reflect the actual name of your release (for example, “v1.0.0”), and then create a new “HEAD” version to track development on the next version of your project. Any application version, including the “HEAD” version, can be deleted if needed.
Application versions, rather than applications, are directly associated with artifacts from sources and images. As your project grows and evolves, the packages and package versions associated with it will naturally change and advance over time. Associating them with application versions (rather than directly with applications) allows older application versions to maintain their associations with the older packages that compose them. This allows for historical review auditing and comparison across versions.
Associating Artifacts with Application Versions
An artifact is a generic term that encompasses any SDLC artifact that can be associated with an application version. Currently, that includes sources and images. The application API has endpoints (and AnchoreCTL has subcommands) to manage the associations between application versions and artifacts.
One important distinction is that these endpoints and commands are operating on the association between artifacts and application versions, not on the artifacts themselves. A source or image must already be added to Anchore Enterprise before it can be associated with an application. Similarly, removing the association with an application version does not remove the artifact from Anchore Enterprise. It can later be re-associated with the application version, or another application version.
Application Version software bill of materials (SBOM)
Once an application version has artifacts associated with it, users can generate an application version SBOM, which aggregates the SBOMs for all of the artifacts associated with the application version.
Application Version Vulnerabilities
Users can generate a list of vulnerabilities within an application version. This will be an aggregate of all vulnerabilities found within the artifacts associated with the specific application version.
2 - Application Features with the Anchore Enterprise GUI
Anchore Enterprise lets you use the UI to see a summary of the applications available from source repositories. You can perform an analysis of the application and artifact data.
Additionally, you can set your policies and mappings for a source repository, similar to how you set them up for images.
3 - Application Management - Anchore API
Use the Anchore API to manage your applications. For more information about using Anchore APIs via Swagger, see: Using the Anchore API.
The API application workflow is as follows.
Create an Application
Create an application by POSTing the JSON in the block below to http://<host:port>/v2/applications/.
{
"name": "Application name",
"description": "Application description"
}
Note: Creating an application will also create an application version named HEAD, used to track the in-development version.
GET the List of All Applications
GET the list of all applications from http://<host:port>/v2/applications/.
Add the include_versions=true flag to include all application versions under each application in the API response.
GET a Single Application
GET a single application by adding the application_id to the GET command. For example: http://<host:port>/v2/applications/<application_id>/.
Add the include_versions=true flag to include all application versions under the application in the API response.
Update an Existing Application
PUT the following to http://<host:port>/v2/applications/<application_id>/ to update an existing application, such as changing the name and description.
{
"name": "Updated application name",
"description": "Updated application description"
}
Remove a Specified Application
Send a DELETE to http://<host:port>/v2/applications/<application_id>/ to remove the specified application.
3.1 - Application Version Management - Anchore API
Use the Anchore API to manage your application versions. For more information about using Anchore APIs via Swagger, see: Using the Anchore API.
The API application version workflow is as follows.
Create an Application Version
To use the Anchore API to create an application version that is associated with an already-existing application, POST the JSON in the block below to http://<host:port>/v2/applications/<application_id>/versions/.
{
"version_name": "v1.0.0"
}
GET the List of All Application Versions
GET the list of all application versions for the application from http://<host:port>/v2/applications/<application_id>/versions.
GET a Single Application Version
GET a specific application version from http://<host:port>/v2/applications/<application_id>/versions/<application_version_id>.
Update an Existing Application Version
To update the name of an existing application version, PUT the following to http://<host:port>/v2/applications/<application_id>/versions/<application_version_id>.
{
"version_name": "v1.0.1"
}
Remove a Specified Application Version
To delete an application version, send a DELETE to http://<host:port>/v2/applications/<application_id>/versions/<application_version_id>.
3.2 - Associate Artifacts with Application Versions - Anchore API
Add an Artifact Association
The following commands require source or image artifacts to already be added to the Anchore Enterprise instance before they can be associated with the application version.
Note: Keep track of the uuid of the sources, and the digest of the images that you will add to the application version. These are the values used to associate each artifact with the application version.
The response body for each artifact association request will contain an artifact_association_metadata block with an association_id field in it. This field uniquely identifies the association between the artifact and the application version, and is used in requests to remove the association.
Associate a Source Artifact
To associate a source artifact, POST the following body to http://<host:port>/v2/applications/<application_id>/versions/<application_version_id>/artifacts.
Note the fields specific to source artifacts in contrast to the image artifact in the next example.
{
"artifact_type": "source",
"artifact_keys": {
"uuid": "<source uuid>"
}
}
Associate an Image Artifact
To associate an image artifact, POST the following body to http://<host:port>/v2/applications/<application_id>/versions/<application_version_id>/artifacts.
Note the fields specific to image artifacts in contrast to the source artifact in the previous example.
{
"artifact_type": "image",
"artifact_keys": {
"image_digest": "<image_digest>"
}
}
List All Associated Artifacts
Each artifact in the response body will contain an artifact_association_metadata block with an association_id field in it. This field uniquely identifies the association between the artifact and the application version, and is used in requests to remove the association.
List All Artifacts Associated with an Application Version
To list all artifacts associated with an application version, GET http://<host:port>/v2/applications/<application_id>/versions/<application_version_id>/artifacts.
Filter the Results by Artifact Type
To filter the results by artifact type, add the artifact_types=<source,image> query parameter.
Remove an Artifact Association
Send a DELETE request to http://<host:port>/v2/applications/<application_id>/versions/<application_version_id>/artifacts/<association_id>.
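The workflow in sections 3 through 3.2, together with the HEAD rotation described under Application Versions (CI associates each built image with HEAD; at release, HEAD is renamed to the release name and a fresh HEAD is created), as an added Python example that is not Anchore's client or code from this page. It uses the endpoint paths and request bodies shown above; the base URL and Authorization header, the response field names application_id and application_version_id, and a JSON array from the versions list endpoint are assumptions.

```python
import json
import urllib.request
from typing import Callable, Optional

# Assumed, not from the page: the base URL and Authorization header, the
# response field names "application_id" / "application_version_id", and that
# GET .../versions returns a JSON list of version objects.
Send = Callable[[str, str, Optional[dict]], dict]


def urllib_transport(base_url: str, authorization: str) -> Send:
    """Real transport: JSON over HTTP using only the standard library."""
    def send(method: str, path: str, body: Optional[dict]) -> dict:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(base_url + path, data=data, method=method)
        req.add_header("Authorization", authorization)
        req.add_header("Content-Type", "application/json")
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else {}
    return send


class ApplicationsClient:
    def __init__(self, send: Send):
        self.send = send  # injectable so the flow can be exercised without a server

    def create_application(self, name: str, description: str) -> dict:
        return self.send("POST", "/v2/applications/", {"name": name, "description": description})

    def head_version(self, app_id: str) -> dict:
        """Creating an application also creates a version named HEAD; find it."""
        for version in self.send("GET", f"/v2/applications/{app_id}/versions", None):
            if version["version_name"] == "HEAD":
                return version
        raise LookupError(f"application {app_id} has no HEAD version")

    def associate_image(self, app_id: str, version_id: str, image_digest: str) -> str:
        """Link an already-analyzed image to a version and return the association_id."""
        body = {"artifact_type": "image", "artifact_keys": {"image_digest": image_digest}}
        path = f"/v2/applications/{app_id}/versions/{version_id}/artifacts"
        return self.send("POST", path, body)["artifact_association_metadata"]["association_id"]

    def release_head(self, app_id: str, release_name: str) -> dict:
        """Rename HEAD to the release name, then open a fresh HEAD for the next cycle."""
        head_id = self.head_version(app_id)["application_version_id"]
        self.send("PUT", f"/v2/applications/{app_id}/versions/{head_id}",
                  {"version_name": release_name})
        return self.send("POST", f"/v2/applications/{app_id}/versions/", {"version_name": "HEAD"})
```

Against a live instance, build the client with `ApplicationsClient(urllib_transport("https://anchore.example:8228", "Bearer <token>"))`; the image must already be analyzed in Anchore Enterprise before associate_image is called.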
3.3 - Application Version Operations - Anchore API
Users can perform queries against specific versions of an application.
SBOM for a specific Application Version
Use the application API to generate a combined software bill of materials (SBOM) for all artifacts within an application version. This lets you easily archive the components, or provide them to others for verification or compliance requirements. The data structure includes metadata for the application and application version, along with the SBOMs for each artifact associated with the application version.
Download a Combined SBOM
To download a combined SBOM, GET the application version SBOM from http://<host:port>/v2/applications/<application_id>/versions/<application_version_id>/sboms/native-json.
To filter the results by artifact type, add the artifact_types=<source,image> query parameter.
Vulnerabilities for a specific Application Version
Using the application API, a user can generate a combined list of vulnerabilities found among all artifacts within an application version. This allows easier vulnerability management for any application version.
Get a Combined Vulnerabilities List
To get the combined vulnerabilities list, GET http://<host:port>/v2/applications/<application_id>/versions/<application_version_id>/vulnerabilities.
An optional query parameter, will_not_fix=<true | false>, is provided. When true, the results will include any vulnerabilities that the vendor of an image distribution either disagrees with or does not intend to prioritize for remediation.
4 - Application Management - AnchoreCTL
Use AnchoreCTL to manage your applications. The AnchoreCTL application workflow is as follows.
Create a Named Application
Use AnchoreCTL to create a named application. For example: anchorectl application add <name> --description <description>
Note: Creating an application will also create an application version named HEAD, used to track the in-development version.
List All Applications
Use AnchoreCTL to list all applications. For example: anchorectl application list.
Request an Individual Application
Request an individual application from Anchore via AnchoreCTL to view details about it. For example: anchorectl application get <application_name>.
Update and Change Properties of an Existing Application
Update and change the properties of an existing application via AnchoreCTL. For example, change the application name and description as follows: anchorectl application update <application_name> --name <new_name> --description <new_description>.
Remove an Application
Use AnchoreCTL to delete applications. This lets you remove applications that are no longer useful or important to you. For example:
anchorectl application delete <application_name>
4.1 - Application Version management - AnchoreCTL
Use AnchoreCTL to manage your application versions. The AnchoreCTL application version workflow is as follows.
Create and Store Versions of your Application
Use AnchoreCTL to create and store versions of your applications. Versioning is useful for audit compliance and reporting. Use the following AnchoreCTL command to create a version:
anchorectl application version add <application-name>@<version-name>
List All Application Versions
Use AnchoreCTL to list all application versions that are associated with an application.
anchorectl application version list <application_name>
Update Application Version Properties
Use AnchoreCTL to update application version properties for an existing application in Anchore.
anchorectl application version update <application-name>@<version-name> --name <new_version_name>
Request a Specific Application Version
Use AnchoreCTL to request a specific version of an application to view its details. The following example shows the AnchoreCTL command to request a version:
anchorectl application version get <application-name>@<version-name>
Remove Application Version
Use AnchoreCTL to delete application versions. This lets you remove application versions that are no longer useful or important to you.
anchorectl application version delete <application-name>@<version-name>
4.2 - Get an Application Version SBOM - AnchoreCTL
Run the anchorectl application version sbom <application_id> <application_version_id> -o json command to download a combined software bill of materials (SBOM) for all components and supply-chain elements of an application. This lets you easily archive the components, or provide them to others for verification process compliance requirements. The data structure includes the version and version metadata for the application version, along with the SBOMs for each associated artifact.
To filter the results by artifact type, add the argument --type <source,image> to the end of the command.
4.3 - Associate Artifacts with Application Versions - AnchoreCTL
Add an Artifact Association
The following commands require source or image artifacts to already be added to the Anchore Enterprise instance before they can be associated with the application version.
Note: Keep track of the uuid of the sources, and the digest of the images that you will add to the application version. These are the values used to associate each artifact with the application version.
The response body for each artifact association request will contain an artifact_association_metadata block with an association_id field in it. This field uniquely identifies the association between the artifact and the application version.
Associate a Source Artifact
To associate a source artifact:
anchorectl application artifact add <application-name>@<version-name> source <source_uuid>
Associate an Image Artifact
To associate an image artifact:
anchorectl application artifact add <application-name>@<version-name> image <image_digest>
List All Associated Artifacts
To list all artifacts associated with an application version:
anchorectl application artifact list <application-name>@<version-name>
To filter the results by artifact type, add the argument --type <source,image> to the end of the command.
Remove an Artifact Association
Get the association_id of one of the associated artifacts and run the following command:
anchorectl application artifact remove <application-name>@<version-name> <artifact_id>