This section provides answers to general VMware Tanzu Application Catalog questions.
Customers can work with the VMware Tanzu Application Catalog sales team to receive an invitation to use the service. These are the typical steps to onboard and quickly start using VMware Tanzu Application Catalog:
Note: To learn more, see the Get Started with VMware Tanzu Application Catalog guide.
For further questions and inquiries, contact VMware Tanzu Application Catalog.
VMware Tanzu Application Catalog is delivered via the Tanzu Platform Cloud Services Portal (CSP). Once an entitlement to the service is purchased, customers can log in to CSP with their existing credentials and add the VMware Tanzu Application Catalog tile to their list of CSP services.
Yes, you can. If you require extra dependencies beyond those bundled with the Helm chart, you must add them separately during the catalog creation process. See the article Extra dependencies are considered additional active artifacts.
The VMware Tanzu Application Catalog provides users with a free 90-day trial period. When this period is about to end, users will see the following message when accessing their VMware Tanzu Application Catalog accounts: “Your trial is going to expire”. In that case, contact your VMware sales representative to learn more about how to subscribe to any of the available editions that you can purchase for your team.
There are two types of roles that can be assigned to use VMware Tanzu Application Catalog:
Open CVEs are the ones that have not been fixed by the Linux distribution maintainers, either because they have not yet worked on them or because they do not consider them a critical issue. The VMware Tanzu Application Catalog team is not able to fix those CVEs, since the fixes depend directly on the distribution maintainers.
VMware Tanzu Application Catalog’s images are based on various operating systems, including Debian, Photon, Red Hat UBI, and Ubuntu. These CVEs exist in these distributions as well as in other distributions that depend on them or use them.
CVE information is available in the CVE Scan report for each VMware Tanzu Application Catalog container image and virtual machine. To access this, navigate to a catalog, and click the “Details” link of the container image you wish to check. To check CVE information for a Helm chart, check the CVE Scan report for each of its dependent container images.
The VMware Tanzu Application Catalog team has launched a public CVE security feed, available on GitHub, to better enable vulnerability scanners to detect vulnerabilities in the custom-built components included in the Bitnami packages.
Customers that use Trivy as the security scanner to detect vulnerabilities in their containers can check vulnerabilities in Bitnami components. Trivy integrates the Bitnami security feed since version v0.45.0.
The Bitnami CVE security feed is publicly available and it can be consumed by any security scanner that supports the Open Source Vulnerability Database (OSV) schema.
If your security scanner does not support the Bitnami CVE feed, contact your provider to request its integration. This will enable you to receive Bitnami component analysis in your vulnerability scanner results.
To learn more, see the blog post announcement.
VMware Tanzu Application Catalog containers and Helm charts do not include fixable CVEs.
To ensure that all VMware Tanzu Application Catalog images include the latest security fixes, VMware Tanzu Application Catalog implements the following policies:
VMware Tanzu Application Catalog triggers a release of a new Helm chart when a new version of the main server or application is detected.
For example, if the system automatically detects a new version of MariaDB, the VMware Tanzu Application Catalog pipeline automatically releases a new container with that version and also releases the corresponding Helm chart if it passes all tests. That way, VMware Tanzu Application Catalog ensures that the application version released is always the latest stable one and has the latest security fixes.
VMware Tanzu Application Catalog triggers a release of a new chart when a package that includes a fix for a CVE from the distribution in any of the containers that it includes is detected.
The system scans all our containers and releases new images daily with the latest available system packages. Once the pipeline detects there is a new package that fixes a CVE, our team triggers the release of a new Helm chart to point to the latest container images.
The VMware Tanzu Application Catalog team monitors different CVE feeds for high-profile issues, such as Heartbleed or Shellshock, to fix the most critical issues as soon as possible.
Once a critical issue is detected in any of the charts included in the VMware Tanzu Application Catalog, a new solution is released. VMware Tanzu Application Catalog provides updates in less than 48 business hours.
Currently, VMware Tanzu Application Catalog supports the SPDX format for SBoMs but not CycloneDX. However, you can convert the existing SPDX files to CycloneDX files using the Syft CLI. Once converted, the CycloneDX files can be imported into Dependency-Track or any other tool that visualizes SBoM information in that format.
Ensure:
To convert an SPDX file to a CycloneDX file using the Syft CLI:
Download the SPDX file from VMware Tanzu Application Catalog UI:
In the “My Applications” tab, from the list of all applications click the “DETAILS” button corresponding to the container image, Helm chart, or virtual machine, whose SBoM you need.
In the Build Time Reports section, find and download the SBoM (SPDX) report to your PC. The report is a JSON-formatted file containing multiple sections. It can be read using any text editor or JSON-compatible client library, making it immediately usable in other applications.
Open the Syft CLI and change to the directory where the SPDX file was downloaded.
Run the command, for example,
syft convert apache.spdx -o cyclonedx-json=apache-cyclonedx.json
The SPDX file is converted to a CycloneDX file, which is available in the same folder where the SPDX file was downloaded.
To view SBoM information in Dependency-Track:
Click “Upload SBoM” to import the CycloneDX file and view all the software components.
(Optional) Click the “Dependency graph” tab to view which dependencies are related to which software component.
Note: Converting files from one format to another has a known limitation: specific license IDs may not be identified or linked in the Dependency-Track UI.
VMware Tanzu Application Catalog allows users to process SBoM data and generate visual representations, such as dependency graphs and hierarchical diagrams, of the software components, including third-party libraries, open-source components, and their interrelationships. This tool is available for containers, Helm charts, and VMs. The visualization tool helps to:
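As an added example (not part of the original documentation or the catalog's tooling), the following Python script reads a downloaded SPDX JSON SBoM, lists its packages, and flags the license identifiers that are not SPDX-listed IDs (custom `LicenseRef-*` references and the `NOASSERTION`/`NONE` placeholders), which are the entries most likely to stay unlinked in Dependency-Track after the conversion described above. The SBoM content is constructed for the example; the package names, versions and licenses are assumptions, not values from a real catalog report.

```python
import json
import re

# Constructed sample shaped like an SPDX 2.3 JSON SBoM (fields: packages[].name,
# versionInfo, licenseConcluded). Values are made up for this example.
SAMPLE_SPDX = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "name": "constructed-example-image",
    "packages": [
        {"name": "apache", "versionInfo": "2.4.58", "licenseConcluded": "Apache-2.0"},
        {"name": "openssl", "versionInfo": "3.0.13", "licenseConcluded": "Apache-2.0"},
        {"name": "libxml2", "versionInfo": "2.9.14", "licenseConcluded": "NOASSERTION"},
        {"name": "custom-module", "versionInfo": "1.0",
         "licenseConcluded": "MIT AND LicenseRef-vendor-eula"},
    ],
})

# SPDX expression operators are not license identifiers.
_OPERATORS = {"AND", "OR", "WITH"}


def load_packages(spdx_json: str) -> list[dict]:
    """Return name, version and license expression for each SPDX package.

    licenseConcluded is preferred; licenseDeclared is the fallback, and a
    missing license is treated as NOASSERTION, as SPDX tooling does."""
    doc = json.loads(spdx_json)
    return [
        {
            "name": p.get("name", ""),
            "version": p.get("versionInfo", ""),
            "license": p.get("licenseConcluded") or p.get("licenseDeclared") or "NOASSERTION",
        }
        for p in doc.get("packages", [])
    ]


def license_ids(expression: str) -> list[str]:
    """Split an SPDX license expression into its identifiers, dropping operators."""
    tokens = re.findall(r"[A-Za-z0-9.+-]+", expression)
    return [t for t in tokens if t.upper() not in _OPERATORS]


def unlinked_licenses(packages: list[dict]) -> list[dict]:
    """Packages whose expression contains an ID that is not on the SPDX license
    list: custom LicenseRef-* references or the NOASSERTION/NONE placeholders."""
    def is_unlinked(lic: str) -> bool:
        return lic.startswith("LicenseRef-") or lic in ("NOASSERTION", "NONE")
    return [p for p in packages if any(is_unlinked(l) for l in license_ids(p["license"]))]


if __name__ == "__main__":
    for pkg in unlinked_licenses(load_packages(SAMPLE_SPDX)):
        print(f"{pkg['name']} {pkg['version']}: check license '{pkg['license']}' after import")
```

Run it against the downloaded report instead of the sample by replacing `SAMPLE_SPDX` with the file contents; anything it prints is worth reviewing manually in the Dependency-Track UI.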
To view additional details on each software component:
VMware Tanzu Application Catalog gives the option of making post-built customizations at different levels: operating system (OS), language runtime, or application levels. To learn more, see this tutorial.
VMware Tanzu Application Catalog applications are verified across various combinations of Kubernetes versions, cloud platforms, and base OS distribution versions.
As a result, customers can be confident that the applications included in their catalogs are continuously tested and proven to be suitable for production environments, reducing the risk of failure at deployment time.
One form factor, four verifications
Each VMware Tanzu Application Catalog Helm chart distribution is verified in four different Kubernetes versions.
The entire VMware Tanzu Application Catalog is also tested against major cloud platforms covering more than 90% of deployment scenarios. For more information, see Interoperability.
All container images, Helm charts, and virtual machines available in the catalog are continuously verified to ensure they include the latest dependencies and minimal CVEs.
New versions are only released after they meet specific conditions. This ensures that only relevant updates are delivered to customer registries.
Container images
A new container build is triggered as long as it fulfills any of the following cases:
Helm charts
A new Helm chart release is triggered as long as it fulfills any of the following cases:
Virtual machines
A new VM build is triggered as long as it fulfills any of the following cases:
Note: For additional information about the reasons for triggering the build, you can download a “Trigger information” report from the application’s details page. See Reports.
Yes, in addition to the default AMD64 format, certain distributions and applications that also support ARM64 architecture were verified and found to run in major cloud platforms.
Yes, the verification process involves testing at least two distribution versions on two different Kubernetes platforms to ensure compatibility in air-gapped environments.
To check if an application has been verified for use in air-gapped environments, see How can I check if a Helm chart is configured correctly to meet specific security requirements?.
Yes, currently Photon OS distributions are verified to be compliant in a Kubernetes environment whose kernel has FIPS mode enabled.
To check if an application has been verified for FIPS, see How can I check if a Helm chart is configured correctly to meet specific security requirements?.
Yes, as part of the verification process, certain distributions were verified and found to run on OpenShift, with a specific requirement for a non-root and random-UID configuration.
To check if a Helm chart works with non-root containers see How can I check if a Helm chart is configured correctly to meet specific security requirements?.
Customers can check if the Helm charts available in VMware Tanzu Application Catalog library are security compliant based on:
You can check the security requirements in one of the following ways:
Scroll down to the application you want to check. Tags displayed under the application name indicate the applicable security requirements.
Filter by “Security” from the list of filters displayed on the left-side of the page.
Select an application and click on the “Details” link. In the table that displays, the “Validation Platforms” column indicates the security requirements this chart has been verified against.
Once an application has been added to your catalog, go to “Application” from the left navigation pane. Click on the “Details” link and download the test-results.tar.gz file. If that Helm chart has been verified to meet any security requirements, the file name will indicate that condition.
Yes, VMware Tanzu Application Catalog produces provenance attestations for all distributed assets: verifiable information about a software artifact describing where, when, and how it was produced, meeting SLSA Build Level 3.
For more information, see SLSA Level 3.
VMware Tanzu Application Catalog delivers VEX documents in CSAF format for its Photon OS based container images (Photon OS 4 onwards) that are built by following the CISA recommendations referred to in the use case “3.2.3 Single Product, Single Version, Multiple Vulnerabilities, Multiple Statuses”. For more information, see VMware Tanzu Application Catalog and CISA recommendations.
Yes, VMware Tanzu Application Catalog Helm charts come with the Pod Security Admission controller enabled by default to enforce the Pod Security Standards. For more information, see Pod Security Standards in Kubernetes.
Bitnami application packages that are available through VMware Tanzu Application Catalog — containers, Helm charts, and OVAs — are built with best practices, kept up to date with the latest application versions, and go through extensive automated tests and verifications to run in their target platforms with the expected behavior and performance. Each application package comes ready to use, requiring no additional setup.
VMware Tanzu Application Catalog applications run through the following tests and validations:
Functional: Verifies that the application works as expected depending on functional requirements and specifications. These verifications are:
End-to-end testing: Verifies that the deployed software runs from end to end as expected. The VMware Tanzu Application Catalog team uses Cypress as an E2E testing framework. In web applications, for example, these verifications include checks on login and logout actions, creation of posts, projects, and tickets, plugin installation, and so on. Additionally, other actions are executed, such as creating a database, making sure the database is replicated in a high-availability configuration, running API queries, creating events or topics and making sure they are received, running actions in the CLI, and so on.
Persistence: Checks that the pod or image can be removed and the data is properly configured in an external volume.
To learn more about Bitnami functional tests, see the blog post.
Additionally, to harden container images, they are configured to run as a non-root user.
Apart from these validations, VMware Tanzu Application Catalog applications run through rigorous verifications against specific Kubernetes versions and platforms, and have been verified for use in air-gapped, OpenShift, and FIPS environments. For more information, see How to check if a Helm chart is configured to meet specific security requirements, How is VMware Tanzu Application Catalog continuously tested to be used in production environments, and the verification matrix for the specific Kubernetes and cloud platforms the catalog is verified against.
VMware Tanzu Application Catalog allows artifacts (container images, container image metadata bundles, Helm charts, and Helm chart metadata bundles) to be signed and verified using either Sigstore Cosign or Notation. For instructions on how to verify VMware Tanzu Application Catalog artifact signatures, see the tutorial.
Yes, VMware Tanzu Application Catalog supports multi-registry delivery allowing administrators to add the same application to several registries at the time of creating a catalog. This allows you to manage applications from different container image and Helm charts registries within the same catalog.
VMware Tanzu Application Catalog customers can check the vulnerability status for both containers and virtual machines, depending on the base image, through a CVE summary accessible from the Library section for logged-in users. Customers can also get the details from the reports delivered with each image. This information empowers them to make informed decisions regarding open-source security risks before creating their catalogs. Among these base images, VMware Tanzu Application Catalog provides container images based on Photon OS, known for minimal CVEs. For more information, see Mitigating Upstream CVE Risks without Compromising Quality.
To verify container and virtual machine base OS CVEs:
Sign in to VMware Tanzu Application Catalog and in the left navigation pane, click “Library”. A list of all the applications available on VMware Tanzu Application Catalog appears.
Click “Details” and the CVEs display as shown below.
Non-Advanced users can obtain registry credentials that allow them to access the registry and deploy the container images and Helm charts. For more information, see Obtain registry credentials in the Getting started with VMware Tanzu Application Catalog section.