Anchore engine can generate reports listing the images that match some input criteria. This allows a user to generate reports of the form:

  • Given a vulnerability ID (CVE-1234-ABCD), generate a report of all images known to anchore-engine that have software installed that is vulnerable to that ID (CVE-1234-ABCD)
  • Given a package (packagename, packageversion), generate a report of all images with package (packagename) version (packageversion) installed


These reports are accessed using the 'query' operation of anchore-cli, and are available both in formatted form and as JSON.


For example, if there is a particular CVE of interest (e.g. CVE-2017-16231), the command to see all images affected by this vulnerability would be:


# anchore-cli query images-by-vulnerability --vulnerability-id CVE-2017-16231
Full Tag                                        Severity          Package                           Package Type        Namespace              Digest                                                                         
docker.io/debian:experimental-20180426          Negligible        libpcre3-2:8.39-9                 dpkg                debian:unstable        sha256:e3b92669975e32cc47e9c4d24a8090e927f89378131beb28e527a0e8a8ad1e28        
docker.io/debian:oldstable-20180625             Negligible        libpcre3-2:8.35-3.3+deb8u4        dpkg                debian:8               sha256:b3e3485d02d400d1f8e348ae405a8b324d05d8c1e8ba86ba1f2b0864f91a6e45        
docker.io/debian:stable-backports               Negligible        libpcre3-2:8.39-3                 dpkg                debian:9               sha256:32e5fab53b50fe71b0f012c96327ebbce7f79d03ae028ab75e222109dde36808        
docker.io/debian:rc-buggy-20171009              Negligible        libpcre3-2:8.39-5                 dpkg                debian:unstable        sha256:827b0be8430a5bd6d838dee5cd0ad42b1c9d990f61c7dcd382224df65ef0ce97        
docker.io/debian:buster-20180213                Negligible        libpcre3-2:8.39-9                 dpkg                debian:unstable        sha256:fd07b293c6296665fdf8b559509792643321c684b958cee535aba72b03e6b222        
docker.io/debian:testing-20180831               Negligible        libpcre3-2:8.39-11                dpkg                debian:unstable        sha256:9eeee46e21bde90f7b6c315f83a05567bc4855df7dffc152875e8188fdf41ea3        
docker.io/debian:rc-buggy-20170723              Negligible        libpcre3-2:8.39-3                 dpkg                debian:unstable        sha256:174ce5b0ed929c79708a36691b113963ff93200e73516f9e11e5f2b36090caaa        
...
...
...


If, instead, a user wants to generate a report of all images that contain a known software package (e.g. package name 'libpcre3', version '2:8.39-3'), the command would be:


# anchore-cli query images-by-package --name libpcre3 --version 2:8.39-3
Full Tag                                      Package                  Package Type        Digest                                                                         
docker.io/debian:stable-backports             libpcre3-2:8.39-3        dpkg                sha256:32e5fab53b50fe71b0f012c96327ebbce7f79d03ae028ab75e222109dde36808        
docker.io/debian:rc-buggy-20170723            libpcre3-2:8.39-3        dpkg                sha256:174ce5b0ed929c79708a36691b113963ff93200e73516f9e11e5f2b36090caaa        
docker.io/debian:experimental-20170606        libpcre3-2:8.39-3        dpkg                sha256:bffefcb593f4125c80369fc00b5e01e92d41429b6002131581e69e62688bf5ce        
docker.io/debian:stretch-20170907             libpcre3-2:8.39-3        dpkg                sha256:2335c729b8a6764c52a3cbfe43d1450d5e782638c986d237ffc30ca33881c3e3        
docker.io/debian:9.1                          libpcre3-2:8.39-3        dpkg                sha256:2335c729b8a6764c52a3cbfe43d1450d5e782638c986d237ffc30ca33881c3e3        
docker.io/debian:stable-20171009              libpcre3-2:8.39-3        dpkg                sha256:aaa45de4ced0556fb03e3373c904a1e12f1ab7cf482d4c40ac86832bb695a6e6        
docker.io/debian:stretch-20171210             libpcre3-2:8.39-3        dpkg                sha256:02741df16aee1b81c4aaff4c48d75cc2c308bade918b22679df570c170feef7c        
docker.io/debian:rc-buggy-20170606            libpcre3-2:8.39-3        dpkg                sha256:f7e9e5a1c04139faadcd6514a9eff7d9ee76e49402569d925ec72e2f00f94924        
...
...
...


For any command, the '--json' parameter can be specified to instead retrieve the report in JSON format:


# anchore-cli --json query images-by-package --name libpcre3 --version 2:8.39-3 | more
{
    "images": [
        {
            "image": {
                "analyzed_at": "2018-10-25T00:55:00Z", 
                "imageDigest": "sha256:32e5fab53b50fe71b0f012c96327ebbce7f79d03ae028ab75e222109dde36808", 
                "imageId": "5ae1d0551bd217bab6907f78c8aa0c45408eeb1e33829097af30cf9546b11368", 
                "tag_history": [
                    {
                        "fulltag": "docker.io/debian:stable-backports", 
                        "registry": "docker.io", 
                        "repo": "debian", 
                        "tag": "stable-backports", 
                        "tag_detected_at": "2018-10-25T00:52:34Z"
                    }
                ]
            }, 
            "packages": [
                {
                    "name": "libpcre3", 
                    "type": "dpkg", 
                    "version": "2:8.39-3"
                }
            ]
        }, 
...
...
...
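
An added example (not part of the Anchore documentation or of anchore-cli) that post-processes the '--json' report shown above: it groups records by image digest, so that several tags pointing at one image, like stretch-20170907 and 9.1 in the table above, count as a single image to rebuild. The sample report is constructed and its digests are placeholders; the field names are the ones in the JSON above, and the function name is hypothetical.

```python
import json
import sys
from collections import defaultdict

# Constructed sample in the field layout of the '--json' output shown above;
# the digests are shortened placeholders, not real image digests.
SAMPLE_REPORT = """
{"images": [
  {"image": {"imageDigest": "sha256:aaaa", "tag_history": [
      {"fulltag": "docker.io/debian:stretch-20170907"},
      {"fulltag": "docker.io/debian:9.1"}]},
   "packages": [{"name": "libpcre3", "type": "dpkg", "version": "2:8.39-3"}]},
  {"image": {"imageDigest": "sha256:bbbb", "tag_history": [
      {"fulltag": "docker.io/debian:stable-backports"}]},
   "packages": [{"name": "libpcre3", "type": "dpkg", "version": "2:8.39-3"}]},
  {"image": {"imageDigest": "sha256:aaaa", "tag_history": [
      {"fulltag": "docker.io/debian:9.1"}]},
   "packages": [{"name": "libpcre3", "type": "dpkg", "version": "2:8.39-3"}]}
]}
"""


def images_by_digest(report_text):
    """Group report records by digest -> {"tags": [...], "packages": [...]}."""
    report = json.loads(report_text)
    grouped = defaultdict(lambda: {"tags": set(), "packages": set()})
    for record in report.get("images", []):
        image = record.get("image", {})
        digest = image.get("imageDigest")
        if not digest:
            continue  # a record without a digest cannot be pinned or rebuilt
        entry = grouped[digest]
        for tag in image.get("tag_history", []):
            if tag.get("fulltag"):
                entry["tags"].add(tag["fulltag"])
        for pkg in record.get("packages", []):
            entry["packages"].add(f'{pkg["name"]}-{pkg["version"]} ({pkg["type"]})')
    return {d: {k: sorted(v) for k, v in e.items()} for d, e in sorted(grouped.items())}


if __name__ == "__main__":
    # Real use: anchore-cli --json query images-by-package ... | python3 this_script.py
    text = SAMPLE_REPORT if sys.stdin.isatty() else sys.stdin.read()
    for digest, info in images_by_digest(text).items():
        print(digest, ", ".join(info["tags"]), "|", ", ".join(info["packages"]))
```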


Other options can be specified to further filter the report results (package type, vulnerability severity, vulnerability feed distro namespace, etc). They can be listed using the '--help' option to any of the query operation subcommands.