Apart from the images-by-package and images-by-vulnerability queries that currently exist in the CLI tool, it would be awesome to have a "vulnerabilities-by-package" query and corresponding API endpoint that would make it possible to query the vulnerability feed database directly. Something along the lines of

anchore-cli query vulnerabilities-by-package --name somepackage --version some.version.number

Output would ideally be a list of CVEs or similar identifiers that apply to the package the query refers to.

This would make it possible to perform checks locally even prior to building Dockerfiles that are to be pushed, either manually by running a CLI search or by building it into IDE plugins that can report vulnerable dependencies as soon as they're added to a project.

The tooling for this exists, just need to remove the 'id' as a required parameter for the GET /query/vulnerabilities request. That route already supports an _affectedpackage parameter to filter by package name.