Common Vulnerabilities and Exposures (CVEs)

This topic provides guidance on the following actions:

What are CVEs?

CVEs are weaknesses in software that can be exploited to access sensitive information, such as credit card numbers or social security numbers. Because modern software is complex with its many layers, interdependencies, data inputs, and libraries, vulnerabilities tend to emerge over time. Knowing when and how the code you use is vulnerable to attacks is a powerful tool in allowing you to mitigate the potential for harm, and Anaconda Business provides you with everything you need to keep your pipeline secure.

Why trust Anaconda?

Anaconda regularly pulls its CVE databases from the National Vulnerability Database (NVD) and the US National Institute of Standards and Technology (NIST) to minimize the risk of vulnerable software in our applications and web pages. Anaconda has an extensive and well-established process for curating CVEs, assessing whether or not packages Anaconda built are affected by any CVEs, determining which versions in our repository are affected, and mitigating the vulnerability.

Understanding CVEs

Here’s what you need to know to make the right decisions regarding CVEs for your organization:

Common Vulnerability Scoring System (CVSS)

Standards for determining the severity of a CVE have evolved over time. The Common Vulnerability Scoring System (CVSS) is a mathematical method dating back to 1999 that grades the characteristics of a vulnerability. CVSS 2 was developed and launched in 2007. It was later updated to CVSS 3 in 2015 to offer a more comprehensive scoring method that accurately reflects the severity of vulnerability in the real world.

CVE scores

Software developers refer to CVE databases and scores to minimize the risk of using vulnerable components (packages and binaries) in their applications or web pages. CVE scores and ratings fall into one of 5 categories:


CVE statuses

CVEs are assigned a status category as a result of the Anaconda curation process. CVE status categories include:

  • Reported - The vulnerabilities identified in this package have been reported by NIST but not reviewed by the Anaconda team.
  • Active - The vulnerabilities identified in this package are active and potentially exploitable.
  • Cleared - The vulnerabilities identified in this package have been analyzed and determined not to be applicable.
  • Mitigated - The vulnerabilities identified in this package have been proactively mitigated in this build through a code patch.
  • Disputed - The vulnerabilities’ legitimacy is disputed by upstream project maintainers or other community members.

Viewing CVEs in your channel

Applying a security policy to a channel controls which packages the channel can access. Packages associated with CVEs that do not meet your security requirements will not populate your channel.

  1. From the Channels page, select a channel to view the packages within that channel.

  2. You can see the number of CVEs a package contains under the CVE column.

  3. Select a channel with CVEs, then navigate to the CVEs tab. This tab shows which CVEs are found in the package, including the CVE name, description, and number of packages containing that CVE.

  4. Use the search bar to filter CVEs.