Last June we announced the VMware Tanzu Application Catalog Knowledge Graph giving you a snapshot of how secure your container images, Helm charts, and virtual machines are and what specific software components they are made of. In this latest release, we are introducing new Knowledge Graph capabilities that expand that information with insights about your global open source catalog.
Exploring your catalog packages. Log4j, are you there?
To improve catalog visibility, we have added a new Knowledge Graph section in the left sidebar. From the knowledge graph menu, the packages subsection will let you explore all the packages that your catalog of open source software includes. We’ve also added a search capability so you can find out if we have delivered a particular package inside the Helm charts, container images, or virtual machines that VMware Tanzu Application Catalog builds for you. So if, for example, you are interested in checking for log4j, you can now simply type the package details and search:
Clicking on a package now takes you to a global view of the package. From there you will be able to not only find any vulnerabilities in the package, see its licensing details, and check transitive dependencies, but also see which applications are shipping that package. This enables you to quickly assess the blast radius that any package has on your open source software dependencies.
Exploring Catalog Vulnerabilities
Tanzu Application Catalog’s knowledge graph also provides access to a global view of your catalog vulnerabilities. This enables you to explore all the different vulnerabilities that have been detected by VMware Tanzu Application Catalog’s continuous SBOM scanning.
From this new section, you can also search by vulnerability identifier to find out if the vulnerability is affecting your catalog or not. If the vulnerability is there, clicking on its identifier will take you to a new global view with detailed information about the vulnerability.
You can check the affected packages, identify the blast radius of the vulnerability, and find out whether there is a newer version of the application that mitigates the vulnerability. The knowledge graph section can help you make informed decisions on your upgrade path, while also helping to protect your systems and speed up your time to recovery.
For example, in the above screenshot we can find how a particular vulnerability is affecting the several Helm charts that are shipped with Milvus 2.4.6. You can see in the chart that there is a newer version, 2.4.7, that is not affected. This gives an immediate call to action to upgrade that application, since a version with the vulnerability fixed has already been released into the catalog.
Open Source Compliance Information at your Fingertips
Earlier this year we announced the Open Source Software Health Assessment, a freely available tool that will help you gain an in-depth understanding of your OSS dependencies and their impact on your security and compliance posture. This tool can be used to analyze your Kubernetes clusters, local folders, or repositories with Helm charts, YAML files and public container images stored in open repositories, such as DockerHub, or locally in private repositories.
At the core of the OSS Health Assessment is our collaboration with Kubescape, a tool by Armo that helps us gain better insights about our Helm charts’ compliance and security. Just like we did with the OSS Health Assessment, we have now integrated Kubescape with VMware Tanzu Application Catalog to provide you with these insights.
Now if you go to any Helm chart, you will get an instant view of its compliance chart with the most widely used security and compliance frameworks. Spoiler alert: VMware Tanzu Application Catalog Helm charts are famous for their security for a reason, scoring notably higher than the upstream versions and those from other suppliers.
Additionally, scrolling down on any Helm chart you will find the Kubescape report within the validation reports section. This includes all the detailed information and rules per security framework.
New Graph View Component
While it was already possible in the Tanzu Application Catalog UI to get a graphical view of the dependencies in your application releases, we’ve now given it a more prominent space along with all the other application release information. We’ve made the experience more straightforward so that you will now find this view alongside the vulnerabilities, packages, and assessment tabs for each application release.
More software knowledge graph goodness coming soon
The VMware Tanzu Application Catalog software knowledge graph is a powerful capability that will continue to deliver new product features over the next year, including integrations with Tanzu Platform. If you would like to understand the basics about Tanzu Application Catalog, check out the wealth of information on the Tanzu Application Catalog webpage and documentation.
We would love to know your thoughts and your feedback. So, please reach out to us, we will be more than happy to learn more about your ideas in this area. For more information about VMware Tanzu Application Catalog’s vulnerability management capabilities in this whitepaper - Enabling Efficient Vulnerability Management with VEX, SBoM & CVE Scan Results and read about how we help customers keep up with the latest SLSA compliance levels and the like here.