Common Vulnerabilities and Exposures (CVEs)#

Caution

CVE information is only available to Business or Enterprise tier customers.

What are CVEs?#

CVEs are weaknesses in software that can be exploited to access sensitive information, such as credit card numbers or social security numbers. Because modern software is complex with its many layers, interdependencies, data inputs, and libraries, vulnerabilities tend to emerge over time. Knowing when and how the code you use is vulnerable to attacks is a powerful tool in allowing you to mitigate the potential for harm, and Anaconda provides you with everything you need to keep your pipeline secure.

To learn more about CVEs and how Anaconda mitigates and manages them, watch the State of Data Science webinar.

Why trust Anaconda?#

Anaconda regularly pulls its CVE databases from the National Vulnerability Database (NVD) and the US National Institute of Standards and Technology (NIST) to minimize the risk of vulnerable software in our applications and web pages. Anaconda has an extensive and well-established process for curating CVEs, assessing whether or not packages Anaconda built are affected by any CVEs, determining which versions in our repository are affected, and mitigating the vulnerability.

Understanding CVEs#

Here’s what you need to know to make the right decisions regarding CVEs for your organization:

Common Vulnerability Scoring System (CVSS)#

Standards for determining the severity of a CVE have evolved over time. The Common Vulnerability Scoring System (CVSS) is a mathematical method dating back to 1999 that grades the characteristics of a vulnerability. CVSS 2 was developed and launched in 2007. It was later updated to CVSS 3 in 2015 to offer a more comprehensive scoring method that accurately reflects the severity of vulnerability in the real world.

CVE scores#

Software developers refer to CVE databases and scores to minimize the risk of using vulnerable components (packages and binaries) in their applications or web pages. CVE scores and ratings fall into one of 5 categories:

CVE statuses#

CVEs are assigned a status category as a result of the Anaconda curation process. CVE status categories include:

  • Reported - The vulnerabilities identified in this package have been reported by NIST but not reviewed by the Anaconda team.

  • Active - The vulnerabilities identified in this package are active and potentially exploitable.

  • Cleared - The vulnerabilities identified in this package have been analyzed and determined not to be applicable.

  • Mitigated - The vulnerabilities identified in this package have been proactively mitigated in this build through a code patch.

  • Disputed - The vulnerabilities’ legitimacy is disputed by upstream project maintainers or other community members.

Viewing CVEs#

Note

  • Not all CVEs present in a package apply to every file within that package.

  • Files can be associated with multiple CVEs.

  1. From the Channels page, select a channel to view its packages.

  2. Select the CVEs tab to view a full list of CVEs present in the channel. A summary of how many CVEs are associated with packages in the channel and the CVEs’ severity levels are displayed at the top.

    Tip

    Use the navigation controls at the bottom to browse CVEs associated with packages in the channel.

  1. From the Channels page, select a channel to view its packages.

  2. Select a package from the list.

  3. Select the CVEs tab to view a list of CVEs associated with the package. A summary of how many CVEs are associated with package and their severity level is displayed at the top.

    Tip

    Use the navigation controls at the bottom to browse CVEs associated with the package.

  1. From the Channels page, select a channel to view its packages.

  2. Select a package from the list.

  3. Click the CVE score displayed beside the package file to view a list of CVEs associated with the file.

  4. Use the filters at the top to adjust the displayed CVEs.

    Note

    The active filter is applied by default.

Tip

Search for a CVE by entering its name into the Search cves field. If no matches are returned, the CVE does not affect the channel/package/file.

Viewing CVE information#

Select a CVE from the Channel or Package CVEs lists to open the CVE Information panel. Here you can view a brief overview of the vulnerability with notes that were created during the Anaconda curation process, as well as its CVSS 2/CVSS 3 score metrics.

Tip

Click to expand the CVE Information panel to full screen.

Select the CVE Files tab to view information for every occurrence of the CVE across all channels within the organization.

On this page