Corrections
A correction is a rule that rewrites a package’s metadata at vulnerability-scan time. Anchore Enterprise’s analyzers generate a best-effort PURL and CPE for every package they find, but for some ecosystems — particularly Java archives that ship without a complete manifest — the guess does not match what vulnerability data uses to identify the same component. The result is either spurious matches or missed matches. A correction restates the package’s PURL, CPEs, or other fields so that subsequent scans match against the right vulnerability records.
For the broader context — how SBOM packages get matched against vulnerability data, and the synthetic-CPE fallback that handles unknown ecosystems — see How It Works.
Corrections apply only to packages discovered through container image analysis; they do not modify externally supplied SBOMs.
When to Add a Correction
A worked example: an Anchore Enterprise analysis of a Tomcat image surfaces the catalina.jar archive with this content:
{
"cpes": [
"cpe:2.3:a:apache:catalina:9.0.88:*:*:*:*:*:*:*"
],
"package": "catalina",
"purl": "pkg:maven/org.apache.tomcat-catalina/[email protected]",
"type": "JAVA-JAR",
"version": "9.0.88"
}
The CPE vendor/product (apache:catalina), the Maven group/artifact in the PURL (org.apache.tomcat-catalina/catalina), and the package name (catalina) all disagree with how the upstream advisory data describes Tomcat Catalina. Vulnerability matches against this package will be unreliable.
Add a Correction
Corrections are managed with anchorectl correction. The command supports both an inline form and a JSON-file form.
anchorectl correction add \
--description "Correct Tomcat Catalina package metadata" \
--type java \
--match package=catalina \
--replace cpes="cpe:2.3:a:apache:tomcat_catalina:{version}:*:*:*:*:*:*:*" \
--replace purl="pkg:maven/org.apache.tomcat/tomcat-catalina@{version}" \
--replace package="tomcat-catalina"
Or, the equivalent JSON body submitted directly:
anchorectl correction add -i correction.json
{
"description": "Correct Tomcat Catalina package metadata",
"type": "package",
"match": {
"type": "java",
"field_matches": [
{ "field_name": "package", "field_value": "catalina" }
]
},
"replace": [
{ "field_name": "cpes", "field_value": "cpe:2.3:a:apache:tomcat_catalina:{version}:*:*:*:*:*:*:*" },
{ "field_name": "purl", "field_value": "pkg:maven/org.apache.tomcat/tomcat-catalina@{version}" },
{ "field_name": "package", "field_value": "tomcat-catalina" }
]
}
Field reference:
description— free-text note describing the correction’s intent.type— the correction type. Onlypackageis supported.match.type— the package ecosystem to apply the correction to. In the inline form this is what the--typeflag sets; the correctiontypeis alwayspackage. Supported values are driven by the analyzers your deployment runs and currently includejava,gem,python,npm,os,go, andnuget. Runanchorectl image content --available-typesto list the valid content types on a given deployment.match.field_matches— one or more(field_name, field_value)pairs that select which packages this correction applies to.replace— the field/value pairs the correction will write. Forcpesandpurlonly, curly-brace templates like{version}are substituted from the matched package at scan time. If a templated field is missing on the package, the CPE component is replaced with*and the PURL replacement is skipped entirely.
Manage Corrections
anchorectl correction list
anchorectl correction get <correction-uuid>
anchorectl correction delete <correction-uuid>
Corrections are referenced by the UUID returned at creation. The same operations are available on the /corrections API — see the API browser for the full request and response schemas.
Verify a Correction
Corrections take effect at the next vulnerability scan. To confirm a correction is matching the way you intended, inspect the analyzed content for a representative image:
anchorectl image content -t java <image-digest> -o json
For the Tomcat Catalina example above, the corrected package content should show the rewritten CPE, PURL, and package name:
{
"cpes": [
"cpe:2.3:a:apache:tomcat_catalina:9.0.88:*:*:*:*:*:*:*"
],
"package": "tomcat-catalina",
"purl": "pkg:maven/org.apache.tomcat/[email protected]",
"type": "JAVA-JAR",
"version": "9.0.88"
}