Open source software (OSS) powers the modern global economy and serves as the underpinning of almost every connected information technology system around the world. The benefit of OSS is undeniable and irresistable; without it developers would have to continuously recreate common application functionality like databases, message queues, and the like, for every single application they write. However, with hundreds of thousands of libraries and system packages created for different operating systems, written by millions of developers, there is a risk that comes with malicious actors looking to exploit vulnerabilities in OSS.
Organizations that depend on software to be successful (which is virtually all of them) have been spending a lot of effort on minimizing that risk through secure software supply chain initiatives. Secure software supply chain is shorthand for a framework they can use to build a trustworthy platform, a consistent build & package process, and distribute authentic, tamper-resistant provenance metadata.
However, packaging all open source software yourself, so you know exactly what code is in every container, is an expensive and tedious process. Most developers consume pre-built container images from DockerHub or Helm charts for Kubernetes environments, because that is the simplest way to use open source dependencies. The main problem with this is a lack of trust in where that content comes from. A JFrog research report reveals that nearly 20% of public repositories (almost three million of them!) actually hosted malicious content.
Whether organizations build their own software packages or consume them from sources like Docker Hub, vulnerabilities inevitably creep in making remediation and mean time to recovery (MTTR) that much more important. To accomplish that, organizations need complete visibility and control over what open source software components developers are using in their own environments and, more critically, what is running in production.
Tanzu Application Catalog (TAC) contains the largest and most up-to-date OSS catalog of container images and Helm charts available for customers. TAC gives you that transparency to keep one step ahead of attackers: all of the software includes comprehensive software bills of material (SBOMs) detailing the ingredients in every package, as well as CVE scans, Vulnerability Exploitability Exchange (VEX) documentation, in-toto attestations, and more; all signed using public key cryptography to prevent tampering.
Organizations with strong security postures create policies based on the information they get from TAC: licenses, signatures, attestation, Operating System, architecture, or any customization like TLS certificates can all be used in automated checks to ensure only trusted software is used. Tanzu Application Catalog allows companies to curate their own OSS catalog and to have it delivered directly to private registries. The TAC UI allows administrators and security teams to identify exactly which packages are in use across all the software in their catalog. When a new vulnerability is reported, they can check with one simple query which software is affected and which is fixed, drastically reducing the time it takes to remediate vulnerabilities in production that could have devastating consequences.
Syncing content and metadata into private air-gapped environments
Some Organizations have strict networking policies and all the content should be available in their internal networking. It is pretty popular to use a mirror approach for DockerHub or other popular registries, but that approach makes it possible for developers to copy & use any image without control.
Tanzu Application Catalog is designed such that you can easily use our open source tool charts-syncer to replicate your pre-curated catalog from one registry in a public environment to another registry in an offline or air-gapped environment. Using the charts-syncer tool makes it easier for developers to seamlessly consume TAC software in these environments because it not only copies the content, it also modifies the internal references used by the Helm charts to point to the internal registry links.
In addition to the containers, this tool also replicates the signatures and imports all the useful metadata available to be exposed and consumed behind the firewall:
-
- SBOMs
- Tamper-resistant provenance metadata
- Antivirus scans
- CVE scans
- VEX statements
Developers can consume those resources directly from the OCI registry, with no need to access the TAC UI.
Build an OSS portal with the Tanzu Application Catalog API
Many enterprises already have security systems such as continuous scanning processes configured internally. If you’re at one of these organizations, Tanzu Application Catalog’s API makes it simple to integrate your custom portals or third-party systems with your OSS catalog.
The API is available at https://developer.broadcom.com/xapis/application-catalog/latest/ and any customer can start using it to consume the same information that is available in the user interface.
In this first example, the screenshot shows the available Helm charts in a catalog. In the animation below, you can see that the API request returns the same data, including a list of applications filtered by Helm charts, and the latest release date, and the description of each app.
In this second example, we used the API to find detailed information for a particular Helm chart, including the dependent container images. As you can see, the API returns the versions and digest of those images exactly as displayed in the UI.
A third example shows how to get the SBOM in SPDX format and the VEX in CSAF format for a particular application. Tanzu Application Catalog delivers VEX documentation for all container images built with Photon OS as the base image. Our team will analyze new CVEs affecting the applications in Tanzu Application Catalog and will provide assessment details, vulnerability status, and applicable remediation actions as part of the VEX documentation.
By combining CSAF VEX documents with CVE scan results and SBoM reports provided by Tanzu Application Catalog, customers receive an assessment of their upstream vulnerabilities to help make well-informed, risk-based security decisions. The Tanzu Application Catalog API makes it possible to integrate this information into third party scanning tools so you can filter false positives in an automated way. This example uses the Trivy scanning tool to analyze the content of an SBOM, using the “--vex” option to display vulnerabilities with “affected” status and to skip “not-affected” CVEs.
The Tanzu Application Catalog API provides the capabilities for curating the catalog and consuming all the information. This opens the possibilities for integration with company portals and tools. Some examples:
-
- Trigger automation when there is an upstream version released: what fixes that version and to deploy automatically in your systems.
- Use the logos, descriptions, size, digest, architecture and usage instructions with the parameters of use for containers or Helm charts.
- Integrate SBOM and VEX with third-party security tooling.
Please reach out to the Tanzu Application Catalog team if you have questions to fit your use cases.
