Common Vulnerabilities and Exposures (CVEs)

What are CVEs?

CVEs are publicly disclosed weaknesses in software that can be exploited to access sensitive information, such as credit card numbers or social security numbers. Because modern software is complex, with many layers, interdependencies, data inputs, and libraries, vulnerabilities tend to emerge over time. Knowing when and how the code you use is vulnerable to attack lets you mitigate the potential for harm, and Anaconda provides you with everything you need to keep your pipeline secure.

To learn more about CVEs and how Anaconda mitigates and manages them, watch the State of Data Science webinar.

Why trust Anaconda?

Anaconda regularly pulls its CVE databases from the National Vulnerability Database (NVD) and the US National Institute of Standards and Technology (NIST) to minimize the risk of vulnerable software in our applications and web pages. Anaconda has an extensive and well-established process for curating CVEs: assessing whether the packages Anaconda builds are affected by any CVEs, determining which versions in our repository are affected, and mitigating the vulnerability.

Understanding CVEs

Here’s what you need to know to make the right decisions regarding CVEs for your organization:

Common Vulnerability Scoring System (CVSS)

Standards for determining the severity of a CVE have evolved over time. The Common Vulnerability Scoring System (CVSS) is a mathematical method dating back to 1999 that grades the characteristics of a vulnerability. CVSS 2 was developed and launched in 2007. It was later updated to CVSS 3 in 2015 to offer a more comprehensive scoring method that more accurately reflects the real-world severity of a vulnerability.

CVE scores

Software developers refer to CVE databases and scores to minimize the risk of using vulnerable components (packages and binaries) in their applications or web pages. CVE scores and ratings fall into one of 5 categories:

CVE statuses

CVEs are assigned a status category as a result of the Anaconda curation process. CVE status categories include:

  • Reported - The vulnerabilities identified in this package have been reported by NIST but not reviewed by the Anaconda team.

  • Active - The vulnerabilities identified in this package are active and potentially exploitable.

  • Cleared - The vulnerabilities identified in this package have been analyzed and determined not to be applicable.

  • Mitigated - The vulnerabilities identified in this package have been proactively mitigated in this build through a code patch.

  • Disputed - The vulnerabilities’ legitimacy is disputed by upstream project maintainers or other community members.

Viewing channel CVE information

From the channel details page, click the CVEs tab to view a full list of CVEs present in the channel.

Click on any CVE to view its CVSS 2 and/or CVSS 3 metrics, and a brief overview of the vulnerability with notes that were created during the Anaconda curation process.

Click the number next to the CVE to view a full list of packages in the channel that are affected by it.

Tip

Click the expand icon to view the CVE info in full screen.

Searching for CVEs in a channel

From the channel details page, click the CVEs tab, then search for a CVE by entering its name into the Filter field. If no matches are returned, the CVE does not affect the channel.

Viewing package CVE information

From the package details page, click on the CVEs tab to view a full list of CVEs that affect the package.

Click on any CVE to view its CVSS 2 and/or CVSS 3 metrics, and a brief overview of the vulnerability with notes that were created during the Anaconda curation process.

Click the number next to the CVE to view a full list of packages in the channel that are affected by it.

Searching for CVEs in a package

From the package details page, click the CVEs tab, then search for a CVE by entering its name into the Filter field. If no matches are returned, the CVE does not affect the package.

Viewing file CVE information

From the package details page, click on a file’s CVE score to view all of the CVEs associated with the file. The score displayed in the CVE column is the highest active or reported CVE score for the file.

Note

  • Not all CVEs present in a package apply to every file within that package.

  • Files can be associated with multiple CVEs.

Each CVE displays its score, status, and a brief overview of the vulnerability with notes that were created during the Anaconda curation process.
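The status categories above and the file-level scoring rule (the CVE column shows the highest Active or Reported score, and not every package CVE applies to every file) are easy to get wrong when automating a policy check. The following is an added example, not code from Anaconda or this page: a small model of a package's files and their CVEs that computes the displayed file score the way the page describes and flags files over a threshold. The CVE ids and scores are constructed placeholders, and the class and function names are assumptions for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional


class Status(Enum):
    # Status categories as listed on this page (Anaconda curation process).
    REPORTED = "Reported"
    ACTIVE = "Active"
    CLEARED = "Cleared"
    MITIGATED = "Mitigated"
    DISPUTED = "Disputed"


# Per the page, only Active or Reported CVEs feed the file's displayed score.
COUNTED = {Status.ACTIVE, Status.REPORTED}


@dataclass(frozen=True)
class Cve:
    cve_id: str
    cvss3: float          # CVSS 3 base score
    status: Status


@dataclass
class PackageFile:
    name: str
    cves: List[Cve]       # only the package CVEs that apply to this file


def file_score(f: PackageFile) -> Optional[float]:
    """Highest Active/Reported score for the file; None when nothing counts."""
    counted = [c.cvss3 for c in f.cves if c.status in COUNTED]
    return max(counted) if counted else None


def package_cves(files: List[PackageFile]) -> List[str]:
    """Union of CVEs across all files, as the package CVEs tab would list them."""
    return sorted({c.cve_id for f in files for c in f.cves})


def cve_affects(files: List[PackageFile], cve_id: str) -> bool:
    """Mirror of the Filter search: the CVE affects the package if any file has it."""
    return any(c.cve_id == cve_id for f in files for c in f.cves)


def files_needing_attention(files: List[PackageFile], threshold: float) -> List[str]:
    """Simple policy gate: files whose displayed score reaches the threshold."""
    return [f.name for f in files if (file_score(f) or 0.0) >= threshold]


# Constructed sample data; the ids below are placeholders, not real advisories.
CVE_A = Cve("CVE-0000-0001", 9.8, Status.MITIGATED)  # patched in this build: ignored
CVE_B = Cve("CVE-0000-0002", 7.5, Status.ACTIVE)
CVE_C = Cve("CVE-0000-0003", 5.3, Status.REPORTED)   # not yet reviewed, still counts
CVE_D = Cve("CVE-0000-0004", 6.1, Status.DISPUTED)

SAMPLE_FILES = [
    PackageFile("lib/libfoo.so", [CVE_A, CVE_B, CVE_C]),
    PackageFile("bin/foo-cli", [CVE_A, CVE_C]),
    PackageFile("share/doc/README", [CVE_D]),        # only a disputed CVE: no score
]
```

Note that the mitigated 9.8 never surfaces in a file score even though it still appears in the package's CVE list, which is exactly the distinction the status column is there to make.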