VMware Application Catalog general FAQs

This section provides answers to general VMware Application Catalog questions.

How do I get started with VMware Application Catalog?

Customers can work with the VMware Application Catalog sales team to receive an invitation to use the service. These are the typical steps for onboarding and quickly use VMware Application Catalog:

Click on the invitation link, provide your VMware ID and select the CSP Organization to connect to the service.
Once the right CSP Org is connected to the service, select “Request a Catalog” within the product. A short guide will walk through the deployment format, operating system and application options.
The onboarding team will then receive the customer’s request and contact them once their catalog is configured and ready to be delivered.

Note
To learn more, see Get Started with VMware Application Catalog guide.

For further questions and inquires, contact VMware Application Catalog.

How is VMware Application Catalog delivered?

VMware Application Catalog is delivered via VMware’s Cloud Services Portal (CSP). Once an entitlement to the service is purchased, customers can log-in to CSP with their existing credentials and add the VMware Application Catalog tile to their list of CSP services. For more information on CSP, see User Guide.

How does the trial period work?

The VMware Application Catalog provides users with a free 90-day trial period. When this period is about to end, users will see the following message when accessing their VMware Application Catalog accounts: “Your trial is going to expire”. In that case, contact your VMware sales representative to learn more about how to subscribe to any of the available editions that you can purchase for your team.

What are the types of roles that can be assigned to use VMware Application Catalog?

There are two types of roles that can be assigned to use VMware Application Catalog:

App Catalog Admin: This role allows a user to manage the catalog and see all the information regarding it. A user with this role can create application requests and manage base images and registries.
App Catalog User: This role allows a user to see data through the catalog but not make any changes to it. They can’t perform application requests or manage registries and base images.

What does an open CVE mean?

Open CVEs are the ones that have not been fixed by the Linux Distribution maintainers because they did not work on that yet or they do not consider a critical issue. The VMware Application Catalog team is not able to fix those CVEs since those fixes depend directly on the distribution maintainers.

VMware Application Catalog’s images are based on various operating systems, including Debian, Photon, RedHat UBI, and Ubuntu. These CVEs exist in these distributions as well as other distributions which depend on them or use them.

How can I check if a container or chart includes an open CVE?

CVE information is available in the CVE Scan report for each VMware Application Catalog container image and virtual machine. To access this, navigate to a catalog, and click the “Details” link of the container image you wish to check. To check CVE information for a Helm chart, check the CVE Scan report for each of its dependent container images.

Does VMware Application Catalog release charts or containers that include fixable CVEs?

VMware Application Catalog containers and Helm charts do not include fixable CVEs.

How does VMware Application Catalog ensure that its containers and Helm charts do not include fixable CVEs?

To ensure that all VMware Application Catalog images include the latest security fixes, VMware Application Catalog implements the following policies:

VMware Application Catalog triggers a release of a new Helm chart when a new version of the main server or application is detected.

For example, if the system automatically detects a new version of MariaDB, the VMware Application Catalog pipeline automatically releases a new container with that version and also releases the corresponding Helm chart if it passes all tests. That way, VMware Application Catalog ensures that the application version released is always the latest stable one and has the latest security fixes.
VMware Application Catalog triggers a release of a new chart when a package that includes a fix for a CVE from the distribution in any of the containers that it includes is detected.

The system scans all our containers and releases new images daily with the latest available system packages. Once the pipeline detects there is a new package that fixes a CVE, our team triggers the release of a new Helm chart to point to the latest container images.
The VMware Application Catalog team monitors different CVE feeds - such as Heartbleed or Shellshock - to fix the most critical issues as soon as possible.

Once a critical issue is detected in any of the charts included in the VMware Application Catalog catalog, a new solution is released. VMware Application Catalog provide updates in less than 48 business hours.

Does VMware Application Catalog support CycloneDX format for viewing SBoM information?

Currently VMware Application Catalog supports SPDX format for SBoM but not CycloneDX. However, you can convert the existing SPDX format files to CycloneDX format files using Syft CLI. Once converted, the CycloneDX format files can be imported in Dependency-Track or any other tool to visualize information of that SBoM specific type.

How to convert SPDX file to CycloneDX file and use Dependency-Track to view information of SBoM?

What to do first

Ensure:

Syft is installed.
Dependency-Track is installed.

To convert SPDX file to CycloneDX file using Syft CLI:

Download the SPDX file from VMware Application Catalog UI:
- Log in to VMware Application Catalog.
- Select your organization.
- From the left navigation pane, go to “Applications” > “My Applications”.
- In the “My Applications” tab, from the list of all applications click the “DETAILS” button corresponding to the container image, Helm chart, or virtual machine, whose SBoM you need.
- In the Build Time Reports section, find and download the SBoM (SPDX) report to your PC. The report is a JSON-formatted file containing multiple sections. It can be read using any text editor or JSON-compatible client library, making it immediately usable in other applications.
- Open the Syft CLI and change to the directory where the SPDX file was downloaded.
- Run the command, for example,
```
syft convert apache.spdx -o cyclonedx-json=apache-cyclonedx.json
```
  The SPDX file is converted to a CycloneDX and will be available in the same folder where the SPDX file was downloaded.

To view SBoM information in Dependency-Track:

Log into Dependency-Track, click “Projects” > “Create Project” and create a new project.
Under “Project Name”, click the newly created project.
Click the “Components” tab.
Click “Upload SBOM” to import the CycloneDX file and view all the software components.
(Optional) Click the “Dependency graph” tab to view which dependencies are related to which software component.
(Optional) Click the “Audit vulnerability” tab to view all the software components which have a known vulnerability.

Note
Converting files from one format to other has a known limitation where specific license IDs could not be identified or linked in Dependency-Track UI.

What are the types of configurations available while adding new applications to your catalog?

There are two configurations available while adding new applications to your catalog:

Basic
Custom

This allows you to have a single private catalog containing both community edition of Bitnami Application Catalog and customized catalogs in your private repository with your VMware Application Catalog subscription. This also helps in having an even upgrade experience when moving from Bitnami Application Catalog to VMware Application Catalog.

For more information, see Configurations.

How is VMware Application Catalog continuously tested to be used in production environments?

VMware Application Catalog applications are verified across various combinations of Kubernetes versions, cloud platforms, and base OS distribution versions.

As a result, customers can be confident that the applications included in their catalogs are continuously tested and proven to be suitable for production environments reducing the risk of failure at deployment time.

One form factor, four verifications

Each VMware Application Catalog Helm chart distribution is verified in four different Kubernetes versions.

The entire VMware Application Catalog is also tested against major cloud platforms covering more than 90% of deployment scenarios. For more information, see Interoperability.

How frequently are VMware Application Catalog applications verified?

Container images

Container images are continuously triggered - and therefore verified - to ensure they include the latest dependencies and minimal CVEs.

Customers can opt to configure this period of time per namespace or per custom request.

Helm charts

A new Helm chart is triggered - and therefore verified - so long as it fulfills any of the following cases:

A new Helm chart is released in VMware Application Catalog
A new feature or fix for an existing application is merged to the catalog
A new upstream version of the main container or a security release of any of the secondary is available
A trigger is manually performed by the VMware Application Catalog team due, for example, to a critical security issue
Every 30 days if a new version of the chart was not released within that period

Are VMware Application Catalog multi-arch images verified?

Yes, in addition to the default AMD64 format, certain distributions and applications that also support ARM64 architecture were verified and found to run in major cloud platforms.

How can I check if a Helm chart is configured correctly to meet specific security requirements?

Customers can check if the Helm charts available in VMware Application Catalog library are security compliant based on: * Use in air-gapped environments * FIPS compliance * Containers are configured as non-root and the Helm chart is verified to run in OpenShift environments

Go to VMware Application Catalog and sign in using your VMware Account. After signing into VMware Application Catalog, from the left navigation page, click “Library”.

You can check the security requirements in one of the following ways:

Scroll down to the application you want to check. Tags displayed under the application name indicate the applicable security requirements.
Filter by “Security” from the list of filters displayed on the left-side of the page.
Select an application and click on the “Details” link. In the table that displays, the “Validation Platforms” column indicates the security requirements this chart has been verified against.
Once an application has been added to your catalog, go to “Application” from the left navigation pane. Click on the “Details” link and download the test-results.tar.gz file. If that Helm chart has been verified to meet any security requirements, the file name will indicate that condition.

Are VMware Application Catalog applications tested and verified for use in air-gapped environments?

Yes, the verification process involves testing at least two distribution versions on two different Kubernetes platforms to ensure compatibility in air-gapped environments.

To check if an application has been verified for use in air-gapped environments, see How can I check if a Helm chart is configured correctly to meet specific security requirements?.

Is VMware Application Catalog verified for FIPS compliance?

Yes, currently Photon OS distributions are verified to be compliant with AKS FIPS.

To check if an application has been verified for FIPS compliance, see How can I check if a Helm chart is configured correctly to meet specific security requirements?.

Is VMware Application Catalog verified to run on OpenShift?

Yes, as part of the verification process, certain distributions were verified and found to run on OpenShift, with a specific requirement for a non-root and random-UID configuration.

To check if a Helm chart works with non-root containers see How can I check if a Helm chart is configured correctly to meet specific security requirements?.