Support Anchore "Vendor Only CVEs"
long-term
Retail Gibbon
Anchore has a toggle that lets users filter out vulnerabilities that the vendor disagrees with or does not intend to prioritize for remediation. We use this to prioritize engineering effort for fixes and also exclude vulnerabilities from gating regardless of their severity.
This is a toggle switch in the UI (see screenshot) and a parameter on the command line (anchore image vulnerabilities --vendor-only). The API uses a vendor_only parameter in the /images/{image_digest}/vuln/{vuln_type} endpoint which can be set to "true" or "false". (API reference: https://docs.anchore.com/current/docs/api/v2/reference/)
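As an added example (not Anchore's or Harness's code), the two-query approach the post implies for an ingestion pipeline: fetch with vendor_only=false and vendor_only=true, tag the findings that disappear as vendor-disputed, and gate only on the rest. The endpoint path and vendor_only parameter are from the post; the response shape ({"vulnerabilities": [{"vuln", "severity", "package"}]}) and the sample CVE values are assumptions constructed for the example.

```python
"""Vendor-only filtering of Anchore vulnerability results (added example).

Assumes the /images/{image_digest}/vuln/{vuln_type} endpoint with its vendor_only
query parameter; the response body shape is an assumption, check the API reference.
"""
import urllib.parse

SEVERITY_RANK = {"Negligible": 0, "Unknown": 1, "Low": 2, "Medium": 3, "High": 4, "Critical": 5}


def vuln_url(base_url, image_digest, vuln_type="all", vendor_only=True):
    """Build the query URL; the API takes vendor_only as the string "true"/"false"."""
    query = urllib.parse.urlencode({"vendor_only": "true" if vendor_only else "false"})
    return f"{base_url}/images/{image_digest}/vuln/{vuln_type}?{query}"


def classify(all_findings, vendor_only_findings):
    """Tag a finding vendor_disputed=True when it is absent from the
    vendor_only=true result, i.e. the vendor disputes it or will not fix it."""
    kept = {(v["vuln"], v["package"]) for v in vendor_only_findings["vulnerabilities"]}
    tagged = []
    for v in all_findings["vulnerabilities"]:
        entry = dict(v)
        entry["vendor_disputed"] = (v["vuln"], v["package"]) not in kept
        tagged.append(entry)
    return tagged


def gate(findings, fail_at="High"):
    """Findings that should fail the pipeline: at or above fail_at and not
    vendor-disputed, so a disputed CVE never blocks regardless of its severity."""
    threshold = SEVERITY_RANK[fail_at]
    return [f for f in findings
            if not f["vendor_disputed"] and SEVERITY_RANK.get(f["severity"], 1) >= threshold]


# Constructed sample bodies standing in for the vendor_only=false / vendor_only=true calls.
ALL = {"vulnerabilities": [
    {"vuln": "CVE-0000-0001", "severity": "Critical", "package": "openssl-1.1.1"},
    {"vuln": "CVE-0000-0002", "severity": "High", "package": "glibc-2.31"},
    {"vuln": "CVE-0000-0003", "severity": "Low", "package": "zlib-1.2.11"},
]}
VENDOR_ONLY = {"vulnerabilities": ALL["vulnerabilities"][1:]}

if __name__ == "__main__":
    for f in gate(classify(ALL, VENDOR_ONLY)):
        print(f["vuln"], f["severity"], f["package"])  # prints: CVE-0000-0002 High glibc-2.31
```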
Pritesh Chandaliya
long-term
Good to know that you are not blocked. But at the end of this quarter (Oct) we will prioritize the work, and Anchore is going to be one of the scanners we will be making enhancements to, so I will revisit at that time and let you know the exact ETA.
Thanks!
Retail Gibbon
Pritesh Chandaliya, the issue is still present (we don't have the ability to toggle) even though we are okay with the default value.
Pritesh Chandaliya
Retail Gibbon is this issue still present? Are you still blocked on this?
Pritesh Chandaliya
pending feedback
Retail Gibbon, can you please confirm if the ask is:
You should be able to pass the flag --vendor-only as part of the Anchore orchestration, using the additional CLI/API flags. Or is your request applicable for ingestion and data extraction mode, where you want us to filter the issues based on the flag on our side and consider them as part of the prioritization?
Thanks!
Fuzzy Woodpecker
Pritesh Chandaliya, this is applicable for ingestion and data extraction mode, please.
Retail Gibbon
Pritesh Chandaliya, to be more specific, this is a flag used in the API request when querying Anchore for vulnerabilities, which then get imported into Harness.