As part of the release process for Anchore Enterprise, the product is scanned with the current version of Anchore Enterprise and the vulnerability findings are inspected. Serious findings are remediated prior to the release; less serious or inconsequential findings are justified in the attached spreadsheet.
Please keep in mind that these findings are from the time of release. It is possible additional vulnerabilities will be found in the future affecting the result of future scans.
Anchore Enterprise uses the Red Hat Universal Base Image as the foundation for its container images. Anchore defers to Red Hat's assessment of vulnerabilities in their base images. It is common for low-severity vulnerabilities to be deprioritized by Red Hat, and in some instances inconsequential vulnerabilities or false positives are marked as "will not fix". Red Hat has published a blog post describing this process: "Do all vulnerabilities really matter?"
The security team at Anchore is continually running assessments against the Anchore Enterprise images, and we fully acknowledge our known vulnerabilities. Please feel free to view the release vulnerability report attached to this knowledge base article.