November 14, 2023

What's new with Tanzu Application Catalog - Nov 2023

VMware Tanzu Application Catalog now comes with several exciting new features like VEX documentation, ARM support, and graphical SBOMs, to help customers better manage security risks and compliance in OSS. Learn all about them in this blog.

Welcome to another edition of What’s new with Tanzu Application Catalog.

Latest Product Upgrades

VMware Application Catalog is now VMware Tanzu Application Catalog

VMware Application Catalog has been renamed as VMware Tanzu Application Catalog. The name change's main objective is to strengthen the association and awareness that the product is part of the Tanzu portfolio of application delivery solutions. Please note that this name change will not have any direct impact on the usage, pricing, or functionality of the product; nor will this change have any impact on the virtual machine-related capabilities of the product. The product will continue to have virtual-machine-related capabilities.

VEX documentation, FIPS 140-2 compliance, verification in air-gapped environments, and more to help enterprises mitigate upstream vulnerabilities

To help our customers enhance their compliance posture and better address the security risks posed by open source software (OSS), we announced a number of new features and upgrades to Tanzu Application Catalog at VMware Explore Las Vegas. Learn in detail about all the new features and upgrades in this blog. If you are interested in learning more about VEX documentation, check out this blog and this demo video.

Avail ARM Support in Tanzu Application Catalog

So far, users of Tanzu Application Catalog have been able to get container images in the AMD64 format. However, from now on, the container images with Debian 11, Debian 12, Photon OS 4, or RedHat UBI 9 as the base OS image are shipped as multi-arch images, supporting ARM64 architecture as well as AMD64. This means that these container images can be deployed as ARM64 or AMD64, depending on the architecture of the platform on which they are deployed. The higher power efficiency and cost-reduction provided by ARM servers have made several enterprises invest in ARM. Such enterprises stand to benefit greatly from this update.

Consume SBOMs through an intuitive graphical view

The SPDX SBOMs provided by Tanzu Application Catalog are now made available in an intuitive graphical format as well, in addition to the already available JSON format. Note that SPDX SBOM comes with all three form factors (Helm charts, containers and virtual machines) supported by Tanzu Application Catalog.

To get this graphical view of an SBOM, follow the steps listed below after signing in to Tanzu Application Catalog.

  • Under My Applications tab, click on the Details button of the application whose SBOM is to be viewed
  • Then go to the Build Time Reports section and click on the Graph icon which appears next to the Download button of SBOM, as highlighted in the screenshot below.

A screenshot of a computer

Description automatically generated

  • Then you will be to see the graph view of the SBOM

A screenshot of a computer

Description automatically generated

Graph view of the SBOM of PostreSQL packaged by VMware with Photon OS 4.0 as the base OS image

Gain an overview of your exposure to upstream risks with CVE Summary

Every application in the catalog now has a corresponding CVE summary indicating the number of critical, high, medium, and low risk vulnerabilities. This can help customers better manage their risks and exposure to upstream vulnerabilities by selecting the base OS image and OSS apps that better align with their policies. To view the CVE summary, after signing in to Tanzu Application Catalog, go to the ‘Library’ section and click on ‘Details’ button corresponding to the application whose CVE summary you want to view.

Screenshot from Tanzu Application Catalog UI highlighting the CVE Summary of RabbitMQ packaged by VMware

Bitnami Vulnerability Database integrated with Trivy

To better enable vulnerability scanners detect vulnerabilities in Bitnami components, earlier this year we launched the Bitnami Vulnerability Database, a public CVE security feed available on GitHub with extensive information about the vulnerabilities on Bitnami components. Trivy becomes the first security scanner to consume the Bitnami Vulnerability Database. This enhancement was added as an experimental feature on Trivy v0.45.0. Read more in this blog.


New additions to the catalog

Base OS

We have added Debian 12 and deprecated Ubuntu 18 from the list of support base OS image. View the full list of support base OS images here.


As always, we have added several new applications to our catalog. To keep up with the increasing demand for ML/AI-related applications, we have focused on populating our catalog with more ML/AI-related apps. All newly added Helm charts, containers and Virtual machines are listed below.

Helm charts & containers
  • DeepSpeed (A deep learning software suite for empowering ChatGPT-like model training) - Container & Helm chart
  • OpenSearch (A scalable open-source solution for search, analytics, and observability) - Container & Helm chart
  • MLFlow (An open-source platform designed to manage the end-to-end machine learning lifecycle) Container & Helm chart
  • TensorFlow (An open-source machine learning framework for Python) - Container
  • Pinniped CLI (A command-line utility for interacting with Pinniped. Pinniped is an identity service provider for Kubernetes) - Container
  • Nats CLI (A command-line tool for interacting with NATS clusters. NATS is an open source, lightweight and high-performance messaging system) - Container
  • Notation (A CLI project to add signatures as standard items in the OCI registry ecosystem, and to build a set of simple tooling for signing and verifying these signatures) - Container
  • Kube RBAC Proxy (an HTTP proxy that can perform RBAC authorization against the Kubernetes API based on the SubjectAccessReview authorization resource) - Container
Virtual machines
  • Apache Flink (a framework and distributed processing engine for stateful computations over unbounded and bounded data streams) – Previously available only as Helm chart & container, now available as virtual machine as well.

You can browse through all applications available in the catalog here.

Educational Resources

Thought Leadership: Zero CVEs? Don’t Compromise Quality for Easy Compliance

There has been a lot of buzz around zero CVEs of late, which is understandable. But, at the same time, it's important to understand that the potential effects of this zero-CVE chatter could be detrimental. Our Staff Engineer Martin Perez shares his thoughts on how you can minimize CVEs and the harm they cause, while maintaining software quality, by following some sustainable practices in this blog.

Demo Video: Securing Software Supply Chain with Tanzu Application Platform and Tanzu Application Catalog

Watch our Staff Solution Engineer Eknath Reddy demonstrate how your developers working with Tanzu Application Platform can leverage Tanzu Application Catalog to mitigate the supply chain risks posed by OSS in this video. 

Whitepaper: Security Measures in Tanzu Application Catalog

There are several key security measures we have undertaken in Tanzu Application Catalog to ensure that our customers minimize security risks and achieve strict regulatory compliance while working with OSS. Learn all about them in this whitepaper.

Filter Tags

Tanzu VMware Tanzu Application Catalog Blog What's New Overview