Why trust Anaconda?
Anaconda regularly pulls its CVE databases from the National Vulnerability Database (NVD) and the US National Institute of Standards and Technology (NIST) to minimize the risk of vulnerable software in our applications and web pages. Anaconda has an extensive and well-established process for curating CVEs, assessing whether or not Anaconda-built packages are affected by any CVEs, determining which versions in our repository are affected, and mitigating the vulnerability.
Understanding CVEs
Here’s what you need to know to make the right decisions regarding CVEs for your organization:
Common Vulnerability Scoring System (CVSS)
Standards for determining the severity of a CVE have evolved systematically through multiple iterations. The Common Vulnerability Scoring System (CVSS), established in 1999, provides a standardized mathematical framework for quantifying vulnerability characteristics. Following its initial implementation, CVSS 2.0 was released in 2007, introducing a structured metric-based approach. The framework underwent significant refinement in 2015 with CVSS 3.0, which incorporated enhanced contextual factors to more accurately reflect real-world vulnerability impact. In 2023, CVSS 4.0 was released, providing a comprehensive redesign that addresses contemporary security challenges. This latest version implements an expanded nine-metric base scoring system. CVSS 4.0 also provides improved assessment capabilities for modern deployment architectures, including cloud environments, containerized applications, and supply chain dependencies.
CVE scores
Software developers refer to CVE databases and scores to minimize the risk of using vulnerable components (packages and binaries) in their applications or web pages. CVE scores and ratings fall into one of 5 categories:
CVE curation
Each CVE undergoes a rigorous curation process that evaluates its impact on packages in our repository. Each curated package receives additional metadata detailing the nature of the CVE, a package signature, and a CVE status. A checkmark next to a CVE score indicates that the CVE has undergone curation.
Because packages can be affected by multiple CVEs, a single curated CVE does not guarantee a package is fully secure. If multiple CVEs exist for a package, ensure that each CVE is either cleared, mitigated, or otherwise determined to be non-impactful.
CVE statuses
CVEs are assigned a status category as a result of the Anaconda curation process. CVE status categories include:
- Reported: The vulnerabilities identified in this package have been reported by NIST but not reviewed by the Anaconda team.
- Active: The vulnerabilities identified in this package are active and potentially exploitable.
- Cleared: The vulnerabilities identified in this package have been analyzed and determined not to be applicable.
- Mitigated: The vulnerabilities identified in this package have been proactively mitigated in this build through a code patch.
- Disputed: The legitimacy of the vulnerabilities identified in this package is disputed by upstream project maintainers or other community members.
To view this information in Package Security Manager, click the information icon beside CVE Status in the or package views.
Viewing CVEs by channel
CVE views are only available to users whose role provides Read permissions for the CVE category.
Filtering channel CVEs
Apply filters to your channel’s CVEs tab by utilizing the fields at the top of the table columns. You can filter by:
- CVE Score
  - Enter a number into the field to set the CVE Score threshold.
  - Click the filter icon to open a dropdown menu and select an operator to use for the CVE Score threshold you entered. You can select Is greater than or equal to, or Is less than or equal to.
- CVE Name
  - If you know the name of the CVE you want to filter by, enter it in the search box. Only one CVE name can be entered at a time.
- CVE Status
  - You can filter CVEs by their Status using the # Packages column filter. Open the dropdown and select a CVE Status to filter the list of packages associated with the CVE to those that have the currently selected status.
  - Click the icon beside CVE Status to view more information about CVE statuses and what they mean.
  - More than one status can be selected at once. Click on the number in the column to view a list of packages associated with the CVE that have the currently selected status.

Downloading CVE reports
CVE reports provide a comprehensive list of CVEs associated with the packages in a channel in a .csv file.
To download a CVE report, open the channel’s Channel Details page, open the Manage dropdown, and select Download CVE Report. A notification displays to confirm that the report has been initiated. If you have applied filters to the channel’s CVE list, the report will contain filtered results.
For example, if you want a report containing a list of all the packages that pass your security threshold of “CVE score less than or equal to 8.0”, but still have an active or reported CVE, enter 8 as the CVE Score, adjust the filter to less than or equal to, select the Active and Reported statuses in the # Packages column, and then download the report.
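The curation rule above (one curated CVE does not clear a package; every CVE on it must be cleared, mitigated or otherwise non-impactful) and the filtered report just described, applied to a constructed report in Python. This is an added example, not Anaconda’s code or the real report layout: the column names, the CVE-EXAMPLE identifiers and the treatment of Disputed as unresolved are assumptions.

```python
# Added example, not Anaconda's code: the column names, CVE-EXAMPLE ids and the
# treatment of Disputed as unresolved are assumptions about the report layout.
import csv
import io
import operator
from collections import defaultdict

# Constructed sample standing in for a downloaded CVE report.
SAMPLE_REPORT = """\
package,version,cve,cve_score,cve_status
openssl,1.1.1w,CVE-EXAMPLE-0001,7.5,Mitigated
openssl,1.1.1w,CVE-EXAMPLE-0002,9.8,Active
curl,8.4.0,CVE-EXAMPLE-0003,6.5,Reported
curl,8.4.0,CVE-EXAMPLE-0004,5.3,Cleared
numpy,1.26.4,CVE-EXAMPLE-0005,4.0,Disputed
zlib,1.3,CVE-EXAMPLE-0006,3.1,Cleared
"""

OPERATORS = {"<=": operator.le, ">=": operator.ge}  # the two operators the filter offers
RESOLVED = {"Cleared", "Mitigated"}  # curation outcomes that make a CVE non-impactful

def load_report(text):
    return list(csv.DictReader(io.StringIO(text)))

def filter_report(rows, score_op, threshold, statuses=None):
    """Apply the CVE Score and CVE Status filters the channel CVEs tab offers."""
    compare = OPERATORS[score_op]
    return [r for r in rows
            if compare(float(r["cve_score"]), threshold)
            and (statuses is None or r["cve_status"] in statuses)]

def packages_needing_review(rows):
    """Map (package, version) -> CVEs still unresolved. A package is clear only when
    every CVE on it is resolved; one Mitigated CVE does not clear the package."""
    by_pkg = defaultdict(list)
    for r in rows:
        by_pkg[(r["package"], r["version"])].append(r)
    return {pkg: [r["cve"] for r in cves if r["cve_status"] not in RESOLVED]
            for pkg, cves in by_pkg.items()
            if any(r["cve_status"] not in RESOLVED for r in cves)}

def report_example():
    """The page's example: score <= 8.0 but still Active or Reported."""
    rows = load_report(SAMPLE_REPORT)
    return [r["cve"] for r in filter_report(rows, "<=", 8.0, {"Active", "Reported"})]
```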

Once a report has been initiated, it must complete before another report can be generated.
Viewing CVEs by package
Every channel’s packages list displays a # CVEs column indicating how many CVEs are associated with each package in the channel. The packages list is the default view when you open a channel.
- CVE Score
  - Select the filter icon to open the filter menu and select the operator you want to use for the CVE Score. You can select either greater than or equal to, or less than or equal to.
- CVE Name
  - If you know the name of the CVE you want to filter by, enter it in the search box. Only one CVE name can be entered at a time.
- CVE Status
  - You can filter CVEs by their Status using the # Packages column filter. Open the dropdown and select a CVE Status to view the number of packages associated with the CVE that have the currently selected status.
- Anaconda Curated Date
  - Select a start and end date to filter CVEs by the date they were curated by Anaconda.
- Last Modified Date
  - Select a start and end date to filter CVEs by the date they were last modified.
- Last Published Date
  - Select a start and end date to filter CVEs by the date they were last published.

Hover your mouse pointer over the CVE Score to view the various CVSS version scores for the CVE.

Viewing CVE details
Click on a CVE from any page to view detailed information about the CVE and its dangers. You can view a list of package files associated with the CVE, its CVE Status, and which platforms the package applies to. Select a CVSS tab to view the CVSS version information, which includes exploitability and impact metrics, along with the publication date by NVD and the curation date by Anaconda (if applicable).

The CVSS4 tab is not visible for Package Security Manager versions 6.7.x and older. However, if a package has CVSS4 scoring information, it is still visible in older versions of Package Security Manager in the package file’s metadata. For more information, see Viewing file metadata.

Searching for CVEs
You can search for CVEs using the search box at the top of the page. Open the filter dropdown menu, select CVEs, and then enter the name of the CVE you’re looking for in the search box.
Listing the latest CVEs
The latest CVEs are always listed on the dashboard. To view a complete list of CVEs, click Show all… at the bottom of the CVE column. From this view, CVEs are sorted by their Anaconda Curated date, followed by published CVEs that still require curation.
CVE notifications
Hundreds of new CVEs are received by NVD daily. Because of this, our CVE ingestor runs every four hours to keep itself, and you, up to date. CVE notifications provide administrators with alerts and updates regarding newly emerged CVEs or updated CVE scores that affect packages within a channel in Package Security Manager. Notifications are triggered based on a configurable CVE Score threshold. You can receive channel notifications for the following CVE events:
- CVE score increase (based on set CVE Score)
- CVE score decrease (based on set CVE Score)
- CVE status change (active, cleared, mitigated)
If your threshold is set to 7.0, you will receive notifications whenever a package score increases to 7.0 or higher, or if a package score is reduced to 6.9 or lower.
You will also receive notifications if a package score that already exceeds your threshold increases further. For example, you will receive a notification if a package score of 7.1 increases to 7.8.
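The threshold rule as a small model in Python, added here to make the edge cases explicit (a score landing exactly on the threshold, a score already above it climbing further); it is not Package Security Manager’s code. The page states the increase cases; which decreases notify beyond a drop from at-or-above the threshold to below it is not stated, so the model treats only that crossing as a decrease event and treats a status change as notifying when the new status is active, cleared or mitigated, both labelled as assumptions in the comments.

```python
# Added example, not Package Security Manager's code: a model of the notification rule.
THRESHOLD = 7.0  # the configurable CVE Score threshold used in the text
NOTIFYING_STATUSES = {"active", "cleared", "mitigated"}

def score_events(old, new, threshold=THRESHOLD):
    """Notification events for a package score moving from old to new."""
    events = []
    if new > old and new >= threshold:
        # covers crossing the threshold (6.5 -> 7.0) and climbing further while
        # already above it (7.1 -> 7.8); both cases are stated on the page
        events.append("CVE score increase")
    if old >= threshold and new < threshold:
        # "reduced to 6.9 or lower" read as crossing below the threshold; whether a
        # drop that stays below (6.5 -> 6.0) or above (7.8 -> 7.1) notifies is not
        # stated, so this model assumes it does not
        events.append("CVE score decrease")
    return events

def status_events(old, new):
    """Assumption: a status change notifies when the new status is active, cleared or mitigated."""
    if old != new and new.lower() in NOTIFYING_STATUSES:
        return ["CVE status change"]
    return []

def notifications(changes, threshold=THRESHOLD):
    """changes: (package, old_score, new_score, old_status, new_status) tuples."""
    out = []
    for pkg, old_score, new_score, old_status, new_status in changes:
        events = score_events(old_score, new_score, threshold) + status_events(old_status, new_status)
        out.extend((pkg, event) for event in events)
    return out

# Constructed sample of what one four-hourly ingestion run might change.
SAMPLE_CHANGES = [
    ("libfoo", 6.5, 7.0, "Reported", "Reported"),   # crosses up: increase
    ("libbar", 7.1, 7.8, "Active", "Active"),       # already above, climbs: increase
    ("libbaz", 7.2, 6.9, "Active", "Mitigated"),    # crosses down, plus a status change
    ("libqux", 6.0, 6.5, "Reported", "Reported"),   # stays below the threshold: nothing
    ("libquux", 7.0, 7.0, "Reported", "Active"),    # only the status changed
]
```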
To view a channel’s CVE notifications:
From the channel details page, select the CVE Notifications tab. Expand a notification to view the full details of the CVE changes.


The maximum range for the date filter is one year.
CVE implementation
CVEs have a dedicated channel in Package Security Manager. This channel pulls from the repo.anaconda.cloud repository, which is updated every four hours. Activating your license automatically creates a mirror of this channel that runs hourly to synchronize between the channel repository and the local database.
Air-gapped networks receive up-to-date CVEs and packages during the initial installation of Package Security Manager, and can update at regular intervals as desired. CVEs are updated daily for air-gapped users, and packages are updated monthly. See Updating CVEs and packages on an air-gapped network.
Understanding CVE ingestion
The initial setup for CVEs in Package Security Manager is triggered during install, when you first enter a license, either from the UI or by making a call to the REST endpoint at https://<FQDN>/api/system/license. When that happens, Package Security Manager creates a channel called cve (https://<FQDN>/channels/cve).
By default, only admin users can navigate to this channel (URL). For users to be able to access this channel, an admin user must assign the Manage permission for CVEs to users from the User Management dashboard.
cve_ingestor, which mirrors all the CVE metadata in https://api.anaconda.cloud/repo/anaconda-main.

api.anaconda.cloud. The SSL certificate that is used on api.anaconda.cloud is signed by Let’s Encrypt. This is important to know because repo.anaconda.cloud is signed by a different CA than repo.anaconda.com.
Validating CVE mirrors
Until your mirrored packages are matched to CVEs, you will not see metadata for those CVEs. In some cases, though, even entering your license does not provide you with mirrored CVE metadata. However, you can verify the CVEs are present by going through the following steps:
1. Navigate to your CVE view:
2. List your CVEs on the command line:
3. Use the REST endpoint with your admin user token:
4. As an alternative to step 3, you can use the REST endpoint with a bearer token, in case your user token doesn’t work:
Lack of internet access or proxy
Any setup that does not have internet access or is not routed through a proxy will result in a mirror failure. This is true even if the docker host is able to connect to the internet via a proxy setting.
Solution: Ensure your proxy server is configured correctly.
Terminating proxy is replacing the certs
A terminating proxy (transparent or explicit) or network device may be replacing the certs you’ve presented to Package Security Manager, which is using the default requests CA bundle (Mozilla) and not the system store.
Solution: Add your custom root CA to the requests library store.
Missing root CA certs
This is especially troublesome for the Let’s Encrypt certs on the proxy.
Solution: Even with a proper configuration, it is possible that the proxy itself needs to be modified to validate the certificates on the other side of the connection.
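An added Python helper (not Anaconda’s code) for the two certificate-related causes above: it reports which bundle the requests library will trust (the environment override, else certifi’s Mozilla bundle, never the OS store), fetches the issuer actually presented on the wire as validated by the OS store, so a terminating proxy shows up as an issuer other than Let’s Encrypt, and writes a merged bundle that REQUESTS_CA_BUNDLE can point at. The PEM contents in demo() are constructed placeholders, not real certificates.

```python
# Added example, not Anaconda's code: find the CA bundle `requests` really trusts
# and build one that also holds the root CA a terminating proxy presents.
import os
import socket
import ssl
import tempfile
PEM_BEGIN = "-----BEGIN CERTIFICATE-----"

def requests_ca_bundle():
    """Bundle `requests` verifies against: REQUESTS_CA_BUNDLE or CURL_CA_BUNDLE if
    set, otherwise certifi's Mozilla bundle. The OS trust store is never consulted."""
    override = os.environ.get("REQUESTS_CA_BUNDLE") or os.environ.get("CURL_CA_BUNDLE")
    if override:
        return override
    try:
        import certifi
    except ImportError:
        return None  # certifi (and so requests) is not installed here
    return certifi.where()

def presented_issuer(host, port=443):
    """Issuer of the leaf certificate seen on the wire, validated with the OS store.
    Behind a terminating proxy this names the proxy's CA, not Let's Encrypt."""
    ctx = ssl.create_default_context()  # OS trust store, unlike requests
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            issuer = tls.getpeercert()["issuer"]
    return {name: value for rdn in issuer for name, value in rdn}

def merged_bundle(base_bundle, custom_ca_pem, out_dir=None):
    """Write base bundle + custom root CA and return the new path; then run
    Package Security Manager with REQUESTS_CA_BUNDLE set to that path."""
    if PEM_BEGIN not in custom_ca_pem:
        raise ValueError("custom CA must be a PEM-encoded certificate")
    with open(base_bundle, encoding="utf-8") as f:
        base = f.read().rstrip("\n")
    fd, path = tempfile.mkstemp(suffix=".pem", dir=out_dir)
    with os.fdopen(fd, "w", encoding="utf-8") as f:
        f.write(base + "\n" + custom_ca_pem.strip() + "\n")
    return path

def count_certs(path):
    with open(path, encoding="utf-8") as f:
        return f.read().count(PEM_BEGIN)

def demo():
    """Constructed placeholder PEMs (not real certificates) to exercise merged_bundle."""
    work = tempfile.mkdtemp()
    base = os.path.join(work, "base.pem")
    with open(base, "w", encoding="utf-8") as f:
        f.write(PEM_BEGIN + "\nPLACEHOLDER-MOZILLA-ROOT\n-----END CERTIFICATE-----\n")
    proxy_ca = PEM_BEGIN + "\nPLACEHOLDER-PROXY-ROOT\n-----END CERTIFICATE-----\n"
    return count_certs(base), count_certs(merged_bundle(base, proxy_ca, out_dir=work))
```

Run presented_issuer("api.anaconda.cloud") from the Package Security Manager host and compare its organizationName with Let’s Encrypt; a different name is the terminating proxy’s CA, and that is the certificate to merge.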
Fixing CVE mirror failure during setup
If you work through the steps above and find that your channels still do not contain CVEs, try the following steps:
1. Rename the CVE channel by navigating to the following path, clicking edit, and renaming the channel:
2. Get the bearer token:
3. Call the PUT https://<FQDN>/api/system/license endpoint:
4. Verify that the new CVE channel and mirror are created by navigating to your CVE view:
5. Verify that CVE data is now available. If it is, you can safely delete the old CVE channel by navigating to the following path and deleting the channel from the green Edit button’s dropdown options:
Updating CVEs and packages on an air-gapped network
Anaconda provides .zip files through Amazon Web Services (AWS) Simple Storage Service (S3) buckets. You can download the files you need on an allowlisted workstation with access to the internet, then move the files to the air-gapped network. Your public IP address is initially allowlisted during installation of Package Security Manager. If you need to allowlist a new IP address, contact Anaconda technical support.
- Download the package and CVE files you want to update.
- Move the downloaded package and CVE files to their correct location within your file system.
Managing CVEs using the CLI
For information on managing your CVEs using the CLI, see Package Security Manager CLI.
Managing CVEs using the API
You can also use the API to list and view details about CVEs. Access the API interface by opening a browser and navigating to http(s)://<FQDN>/swagger/ui, replacing <FQDN> with your Package Security Manager fully qualified domain name.
The following is a list of available endpoints you can use to list and view CVEs in Package Security Manager: